Why popular antivirus apps 'do not work'

Summary: Are less popular AV brands better at detecting new viruses?

By Munir Kotadia for Securify This! | July 21, 2006 -- 06:38 GMT (23:38 PDT)

Antivirus applications from Symantec, McAfee or Trend Micro -- the three leading AV vendors in 2005 -- are far less likely to detect new viruses and Trojans than the least popular brands.

This has nothing to do with the quality of the software or how long it takes the respective firms to update their clients with signatures and other malware countermeasures.

AV companies continue to refine their products and most will tell you they stopped relying on purely signature-based systems many years ago. These days they use all sorts of clever methods to try and detect suspicious behaviour but the problem is that malware authors are also very clever. Very, very clever.

On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.

"We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.

However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.

"The most popular brands of antivirus on the market... have an 80 percent miss rate... So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram.

Although Ingram didn't mention any of the leading losers by name, Gartner's figures for 2005 show that Symantec is the clear leader with 53.6 percent of the market. McAfee and Trend own 18.8 percent and 13.8 percent of the market respectively.

One vendor Ingram did mention was Russian outfit Kaspersky, which in the same tests managed to block around 90 percent of new malware.

According to Gartner, Kaspersky's market share is a lowly 0.7 percent.

Most large firms already use more than one antivirus application but I wonder how many use two of the Symantec, McAfee and Trend trio?

If you do then I suggest investing in yet another -- but whatever you do, stay well away from the bestseller shelf.

Topics: Symantec, Malware, Security, AUSCERT

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

86 comments

Log in or register to join the discussion

Should we be supprised

I suppose we cant really consider that a supprise. It was only a matter of time

anonymous
21 July, 2006 11:13

Reply Vote
But there is more

While malware as described here might have better zero day exploit results, these companies are the quickest to release new signitures.

Additionally, running two virus scanners on a single system (especially if the combo is McAfee and Symantec) often causes an incredible loss of computing power because on access scanners are constantly scanning eachother and the files you touch. (VA1 scans file because you touched it, VA2 scans it because VA1 did, VA1 scans it because VA2 did, loop)

anonymous
21 July, 2006 15:53

Reply Vote
this article is misleading

This article does not specify what kinds of threats get missed. In addition, this article does not mention the way that malicious code is introduced into the system, both of which are factors that sometimes play a larger part in malware efficiency and damage than security software.

I think that this article does more to mislead than inform. and recommending that users will be "safer" by avoiding the best seller shelf is bad advice.

anonymous
21 July, 2006 19:53

Reply Vote
Is he a used car salesman?

While statistically sound, the logic here is absolutely ridiculous for anyone managing security for an enterprise. If it's not manageable, who cares how good it might be. Anyway, based on the logic of the author, it makes more sense to follow the loser. And when the loser becomes the winner (which will inevitably garner the attention of malware authors), just switch to another loser.

Sure... I'll propose this to my management. We'll see how fast I find myself on the street.

anonymous
21 July, 2006 20:19

Reply Vote
I whole heartedly agree . . .

I've been a Sys Admin for 7 years and also do a lot of contract work for home Users. In my experience Symantec and McAfee are an absolute waste of money. Not only do they not catch viruses, they usually slow your PC to an absolute crawl. Especially if you get the full blown versions with AV, Anti-Spyware, Firewall, etc. They cause so many more problems than they fix the first thing I tell people is to just blow it away completely and get a product that works. (I usually recommend Nod32 by ESET).

Go and read a write up on Symantec or McAfee's site about a virus, and on 90% of them, listed in their own write up the first thing virus writers do is disable the most popular AV programs.

I do understand Chris's comments about Enterprise manageability, something Symantec has really pushed and does a decent job of, but others are coming on board and there are definitely better products available that can be used in an Enterprise.

Would it be better to get a product that works and make a little more work for yourself, or try to explain to management why the entire forest has been down for two days because your AV product didn't catch the latest threat? Which of those do you think will lose you your job faster???

anonymous
21 July, 2006 22:32

Reply Vote
Malware and the BIG 3

Maybe you should use NOD32 antivirus, it is working for me and my clients. 100% effective, probably not,but way more effective then any of the BIG 3. Oh yes, it does have a built in spyware/malware scanner

anonymous
21 July, 2006 23:39

Reply Vote
What the?

What a load of rubish.

Advising people to go with lesser known software, not because it's superior, but because.. Its less known?

Here I was thinking we were past the point where main stream media pushed "Security through obscurity" as the way to go.. While we're changing our AV, perhaps we should switch all our machines to MAC and replace Office with Wordperfect?

anonymous
22 July, 2006 05:07

Reply Vote
Malware

If malware authors are indeed so very very clever, how can we be sure that some of them are not posing as antivirus or antimalware providers?

anonymous
22 July, 2006 05:51

Reply Vote
My antivirus experiencies

My first antivirus was Norton AV 2005 - I have received full 1/2 year version with my notebook ThinkPad - 3 months later ( sept. 2005 ) I have received e-mail - and the Windows was totally down - notebook was rebooting each 5 minutes.
After reinstall I have brought Symantec AV - after 1 month the same - virus destroyed my HDD.
After 2nd reinstall of WinXP, I was looking for some antivirus test - I founded 100% Virus Bulletin test - and the winner of this test was NOD32 - so I brought it - my experiences? 100% protected PC.

anonymous
22 July, 2006 07:41

Reply Vote
Exactly correct

The article says that you would be safer using two AV programs. However, almost every AV program tells you that you *cannot* run another AV program when you run theirs.

anonymous
22 July, 2006 22:19

Reply Vote
Real-life experience speaks volumes

I'm a computer repair shop manager for a mid-sized university, and believe me, I've seen it all. We provide SAV corporate edition for all faculty/staff/students. Occasionally, someone brings in their fairly new machine, claims it takes forever to load Windows and programs. One of the first things I check for is whether they're using a combo of SAV and McAfee. Those two rival programs are so completely incompatible with each other that they fight it out from the beginning and take your machine down in the process. After removing McAfee, the machine operates normally.

anonymous
23 July, 2006 13:03

Reply Vote
What the?

No, but you should switch Windows for Linux- and Office for OOO.

anonymous
23 July, 2006 18:42

Reply Vote
Kaspersky

I have to agree with the author from experience. I typically fix friends and familys computers which are bogged down usually with spyware and adware. The first thing I do is uninstall Norton and install Kaspersky. Upon installation it will usually detect hundreds of objects that NAV never saw. Also the preformace gain from the switch by itself is worth 5 times the price of the software.

anonymous
23 July, 2006 19:32

Reply Vote
Why popular antivirus apps 'do not work'

QA comes to virus writing.

(Two articles, 7/19 and 7/21):
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm
http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm

It's OK (sort of) for an operating system to be full of holes.
Right? If every computer OWNER makes up for it with their own
time and money, and with personal diligence, "keeping their
antivirus package up to date"?

Yeah, right. Anyone who intends to write an exploit capable of
getting past antivirus programs can be certain of eventual success.
All they have to do is ... unit testing! "QA", as it's called in
the respectable world.

"Unit Test 0: check that your new code slips by McAfee."

Or Symantec. Or Trend Micro. Or several of them, or all
of them. You simply hold off releasing your virus until it
meets "minimum ship criteria".

There's no chance that the "antivirus" will stop you. Testing
PROVES that your virus will slip by. Users' machines are yours
for the taking, nyaahaaaa. You can run as many test trials it
takes. No one is watching; you have time. YOU have THEIR code
to test against. THEY don't know you're coming. And the best
part: the users will get the blame.

Graham Ingram, general manager, CERT Australia, writes:
"the bad guys, the criminals, are testing their malicious code
against the antivirus products to make sure they are undetectable."

(Oo. Are they allowed to do that?)

"the most popular brands of antivirus on the market...have an
80 percent miss rate."

Eighty percent miss! (But CERT should know -- it's what they do.)

"That is not a detection rate that is a miss rate."

It's not possible, obviously, to to develop an antivirus to detect
the signature or behavior of a virus which no one will see until
after it has begun its infection. The antivirus vendors don't stand
a chance. Analyses in the security literature show that a truly
effective virus can take over the monoculture part of the entire
Internet before the vendors have finished their coffee.

But vendors are not unhappy. THEY like things the way they are: bugs
are good for business. Customer anxiety is where dollars come from.
Not just antivirus vendors -- one OS vendor, too, has gone into the
antivirus business, turning bugs into a profit center. (How clever
is that?) Vendors are not about to tell customers that there's a
real fix, and that it's choosing non-buggy software.

"This is the dilemma that is building up here and the success
rate is becoming quite worrying"

What's should be "worrying" is that an expert could be surprised at
virus writers' "success". It couldn't be otherwise. Nothing could
be more certain than eventual defeat of any "antivirus" program which
you can bring into your own lab and test against, in privacy and under
conditions and a schedule of your choosing. Perhaps you have to be
clever to find a bug in the underlying operating system to exploit
in the first place (or maybe not), but you only need to be persistent,
to keep working, to prove that your exploit slips by so-called
"antivirus" programs before releasing it.

Eighty percent miss. Is there any business transaction other than
PC software in which customers can be led to expect (and put up with)
such gloomy results?
</essay>

One piece of good news. The miss rate will stop increasing in about
20 more points.

anonymous
23 July, 2006 20:43

Reply Vote
There is a difference between anti-virus and anti-spyware software

Yes, anti-virus software misses spyware. Go out and buy Mcafee or Symantec's anti-spyware software then. In the meantime, did anyone notice that using water in your gas tank is bad for your car?

anonymous
23 July, 2006 23:02

Reply Vote
dangerous article

To simple test a security software as a means of testing it's effectiveness against spyware seems strange to me. I use one of the big 3 security systems plus separate spyware removers. There are free one's available and others that can be aquired. It is recommended just about everywhere not to use one sole spyware remover. This article should recommend costomers of these big 3 also use other spyware removers and provide a list a recommended products. We don't all rely on one company to provide everything.

anonymous
24 July, 2006 06:17

Reply Vote
dangerous article

To simple test a security software as a means of testing it's effectiveness against spyware seems strange to me. I use one of the big 3 security systems plus separate spyware removers. There are free one's available and others that can be aquired. It is recommended just about everywhere not to use one sole spyware remover. This article should recommend costomers of these big 3 also use other spyware removers and provide a list a recommended products. We don't all rely on one company to provide everything.

anonymous
24 July, 2006 06:20

Reply Vote
dangerous article

If the reviewers goal is to test spyware protection then why are they only using these 3 security systems. I find it hard to believe that the article suggests us to throw away the baby because of one thing in the bath water. Anyone who reads up on reviews will know that you do not rely one one spyware remover. I am a customer of on of these 3 and I also have one free and one aquired spyware remover. So in reality I have 3 programs to cover some that may be missed by on. This article should be indicating that in the area of spyware protection these companies don't offer the best protection and recommend alternative spyware removers. Don't throw away your security system just because one area isn't as good as it should be, use an additional program for spyware.
What's worse is that they are recommending us to select obscure security software just because it's not one of the top 3. I expeted a higher standard from this web site

anonymous
24 July, 2006 06:34

Reply Vote
Traditional defense is out-to-date.

It was obvious that traditional ways of defense are out-to-date for at least one year. There are new and strong ways to be really protected from all the malware staff- sandbox HIPS. Thare are few realizations of this technique- DefenseWall, SandboxIE, GesWall, Bufferzone. It's defense rate is something about 100%.

anonymous
24 July, 2006 07:20

Reply Vote
Rational arguments always win

If you intended to give a hate reply, you've achieved your purpose. In the meantime, this article is misleading as the gentleman said. Please don't spam us with your hate replies, the Internet is so full of.

This article, and the one before that, "Eighty percent of new mallware defeats antivirus" are just BS, because the don't really argument their statements. Fair tests/benchmarks of the current AV software are done (couple of months interval) by Virus Bulletin - the famous VB100 Award. So how can you beat that. In the last test (June 2006 - Windows XP) McAfee, SAV and TrendMicro scored 100% detection. Then give me an reason to believe this author.

anonymous
24 July, 2006 10:38

Reply Vote