Why popular antivirus apps 'do not work'

Summary: Are less popular AV brands better at detecting new viruses?

Antivirus applications from Symantec, McAfee or Trend Micro -- the three leading AV vendors in 2005 -- are far less likely to detect new viruses and Trojans than the least popular brands.

This has nothing to do with the quality of the software or how long it takes the respective firms to update their clients with signatures and other malware countermeasures.

AV companies continue to refine their products, and most will tell you they stopped relying on purely signature-based systems many years ago. These days they use all sorts of clever methods to try to detect suspicious behaviour, but the problem is that malware authors are also very clever. Very, very clever.

On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.

"We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.

However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.

"The most popular brands of antivirus on the market... have an 80 percent miss rate... So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram.

Although Ingram didn't mention any of the leading losers by name, Gartner's figures for 2005 show that Symantec is the clear leader with 53.6 percent of the market. McAfee and Trend own 18.8 percent and 13.8 percent of the market respectively.

One vendor Ingram did mention was Russian outfit Kaspersky, which in the same tests managed to block around 90 percent of new malware.

According to Gartner, Kaspersky's market share is a lowly 0.7 percent.

Most large firms already use more than one antivirus application but I wonder how many use two of the Symantec, McAfee and Trend trio?

If you do then I suggest investing in yet another -- but whatever you do, stay well away from the bestseller shelf.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • Should we be surprised

    I suppose we can't really consider that a surprise. It was only a matter of time.
  • But there is more

    While malware as described here might have better zero-day exploit results, these companies are the quickest to release new signatures.

    Additionally, running two virus scanners on a single system (especially if the combo is McAfee and Symantec) often causes an incredible loss of computing power because on-access scanners are constantly scanning each other and the files you touch. (VA1 scans file because you touched it, VA2 scans it because VA1 did, VA1 scans it because VA2 did, loop)
  • this article is misleading

    This article does not specify what kinds of threats get missed. In addition, this article does not mention the way that malicious code is introduced into the system, both of which are factors that sometimes play a larger part in malware efficiency and damage than security software.

    I think that this article does more to mislead than inform. And recommending that users will be "safer" by avoiding the best seller shelf is bad advice.
  • Is he a used car salesman?

    While statistically sound, the logic here is absolutely ridiculous for anyone managing security for an enterprise. If it's not manageable, who cares how good it might be. Anyway, based on the logic of the author, it makes more sense to follow the loser. And when the loser becomes the winner (which will inevitably garner the attention of malware authors), just switch to another loser.

    Sure... I'll propose this to my management. We'll see how fast I find myself on the street.
  • I whole heartedly agree . . .

    I've been a Sys Admin for 7 years and also do a lot of contract work for home users. In my experience Symantec and McAfee are an absolute waste of money. Not only do they not catch viruses, they usually slow your PC to an absolute crawl. Especially if you get the full-blown versions with AV, Anti-Spyware, Firewall, etc. They cause so many more problems than they fix that the first thing I tell people is to just blow it away completely and get a product that works. (I usually recommend Nod32 by ESET).

    Go and read a write up on Symantec or McAfee's site about a virus, and on 90% of them, listed in their own write up the first thing virus writers do is disable the most popular AV programs.

    I do understand Chris's comments about Enterprise manageability, something Symantec has really pushed and does a decent job of, but others are coming on board and there are definitely better products available that can be used in an Enterprise.

    Would it be better to get a product that works and make a little more work for yourself, or try to explain to management why the entire forest has been down for two days because your AV product didn't catch the latest threat? Which of those do you think will lose you your job faster???
  • Malware and the BIG 3

    Maybe you should use NOD32 antivirus, it is working for me and my clients. 100% effective, probably not, but way more effective than any of the BIG 3. Oh yes, it does have a built-in spyware/malware scanner.
  • What the?

    What a load of rubbish.

    Advising people to go with lesser-known software, not because it's superior, but because... it's less known?

    Here I was thinking we were past the point where mainstream media pushed "security through obscurity" as the way to go... While we're changing our AV, perhaps we should switch all our machines to Mac and replace Office with WordPerfect?
  • Malware

    If malware authors are indeed so very very clever, how can we be sure that some of them are not posing as antivirus or antimalware providers?
  • My antivirus experiences

    My first antivirus was Norton AV 2005 - I received a full half-year version with my ThinkPad notebook - 3 months later (Sept. 2005) I received an e-mail - and Windows was totally down - the notebook was rebooting every 5 minutes.
    After a reinstall I bought Symantec AV - after 1 month the same - a virus destroyed my HDD.
    After the 2nd reinstall of WinXP, I was looking for some antivirus test - I found the 100% Virus Bulletin test - and the winner of this test was NOD32 - so I bought it - my experience? 100% protected PC.
  • Exactly correct

    The article says that you would be safer using two AV programs. However, almost every AV program tells you that you *cannot* run another AV program when you run theirs.
  • Real-life experience speaks volumes

    I'm a computer repair shop manager for a mid-sized university, and believe me, I've seen it all. We provide SAV corporate edition for all faculty/staff/students. Occasionally, someone brings in their fairly new machine, claims it takes forever to load Windows and programs. One of the first things I check for is whether they're using a combo of SAV and McAfee. Those two rival programs are so completely incompatible with each other that they fight it out from the beginning and take your machine down in the process. After removing McAfee, the machine operates normally.
  • What the?

    No, but you should switch Windows for Linux - and Office for OOO.
  • Kaspersky

    I have to agree with the author from experience. I typically fix friends' and family's computers, which are usually bogged down with spyware and adware. The first thing I do is uninstall Norton and install Kaspersky. Upon installation it will usually detect hundreds of objects that NAV never saw. Also the performance gain from the switch by itself is worth 5 times the price of the software.
  • Why popular antivirus apps 'do not work'

    QA comes to virus writing.

    (Two articles, 7/19 and 7/21):

    It's OK (sort of) for an operating system to be full of holes.
    Right? If every computer OWNER makes up for it with their own
    time and money, and with personal diligence, "keeping their
    antivirus package up to date"?

    Yeah, right. Anyone who intends to write an exploit capable of
    getting past antivirus programs can be certain of eventual success.
    All they have to do is ... unit testing! "QA", as it's called in
    the respectable world.

    "Unit Test 0: check that your new code slips by McAfee."

    Or Symantec. Or Trend Micro. Or several of them, or all
    of them. You simply hold off releasing your virus until it
    meets "minimum ship criteria".

    There's no chance that the "antivirus" will stop you. Testing
    PROVES that your virus will slip by. Users' machines are yours
    for the taking, nyaahaaaa. You can run as many test trials as it
    takes. No one is watching; you have time. YOU have THEIR code
    to test against. THEY don't know you're coming. And the best
    part: the users will get the blame.

    Graham Ingram, general manager, CERT Australia, writes:
    "the bad guys, the criminals, are testing their malicious code
    against the antivirus products to make sure they are undetectable."

    (Oo. Are they allowed to do that?)

    "the most popular brands of antivirus on the market...have an
    80 percent miss rate."

    Eighty percent miss! (But CERT should know -- it's what they do.)

    "That is not a detection rate that is a miss rate."

    It's not possible, obviously, to develop an antivirus to detect
    the signature or behavior of a virus which no one will see until
    after it has begun its infection. The antivirus vendors don't stand
    a chance. Analyses in the security literature show that a truly
    effective virus can take over the monoculture part of the entire
    Internet before the vendors have finished their coffee.

    But vendors are not unhappy. THEY like things the way they are: bugs
    are good for business. Customer anxiety is where dollars come from.
    Not just antivirus vendors -- one OS vendor, too, has gone into the
    antivirus business, turning bugs into a profit center. (How clever
    is that?) Vendors are not about to tell customers that there's a
    real fix, and that it's choosing non-buggy software.

    "This is the dilemma that is building up here and the success
    rate is becoming quite worrying"

    What should be "worrying" is that an expert could be surprised at
    virus writers' "success". It couldn't be otherwise. Nothing could
    be more certain than eventual defeat of any "antivirus" program which
    you can bring into your own lab and test against, in privacy and under
    conditions and a schedule of your choosing. Perhaps you have to be
    clever to find a bug in the underlying operating system to exploit
    in the first place (or maybe not), but you only need to be persistent,
    to keep working, to prove that your exploit slips by so-called
    "antivirus" programs before releasing it.

    Eighty percent miss. Is there any business transaction other than
    PC software in which customers can be led to expect (and put up with)
    such gloomy results?

    One piece of good news. The miss rate will stop increasing in about
    20 more points.
  • There is a difference between anti-virus and anti-spyware software

    Yes, anti-virus software misses spyware. Go out and buy McAfee or Symantec's anti-spyware software then. In the meantime, did anyone notice that using water in your gas tank is bad for your car?
  • dangerous article

    To simply test a security software as a means of testing its effectiveness against spyware seems strange to me. I use one of the big 3 security systems plus separate spyware removers. There are free ones available and others that can be acquired. It is recommended just about everywhere not to use one sole spyware remover. This article should recommend customers of these big 3 also use other spyware removers and provide a list of recommended products. We don't all rely on one company to provide everything.
  • dangerous article

    If the reviewer's goal is to test spyware protection then why are they only using these 3 security systems? I find it hard to believe that the article suggests we throw away the baby because of one thing in the bath water. Anyone who reads up on reviews will know that you do not rely on one spyware remover. I am a customer of one of these 3 and I also have one free and one acquired spyware remover. So in reality I have 3 programs to cover some that may be missed by one. This article should be indicating that in the area of spyware protection these companies don't offer the best protection and recommend alternative spyware removers. Don't throw away your security system just because one area isn't as good as it should be; use an additional program for spyware.
    What's worse is that they are recommending us to select obscure security software just because it's not one of the top 3. I expected a higher standard from this web site.
  • Traditional defense is out-of-date.

    It was obvious that traditional ways of defense have been out-of-date for at least one year. There are new and strong ways to be really protected from all the malware stuff - sandbox HIPS. There are a few realizations of this technique - DefenseWall, SandboxIE, GesWall, Bufferzone. Its defense rate is something about 100%.
  • Rational arguments always win

    If you intended to give a hate reply, you've achieved your purpose. In the meantime, this article is misleading as the gentleman said. Please don't spam us with your hate replies, the Internet is so full of.

    This article, and the one before that, "Eighty percent of new malware defeats antivirus", are just BS, because they don't really argue their statements. Fair tests/benchmarks of the current AV software are done (at a couple of months' interval) by Virus Bulletin - the famous VB100 Award. So how can you beat that? In the last test (June 2006 - Windows XP) McAfee, SAV and TrendMicro scored 100% detection. Then give me a reason to believe this author.