The sorry state of antivirus software

I've lost count of the number of times I've come across an 'expert' telling some poor soul who's had their PC trashed by malware that it was all their fault and that the problem could have been easily prevented by installing an antivirus package, and keeping that package up-to-date.

If only life were that simple ...

My blogging buddy Ed Bott recently discovered a few malicious files lurking on his system despite having antivirus installed. Now Ed's a clever guy, so if he can have nasties lurking on his system, that should act as a warning to us all.

Note: Let's not turn this debate into a Windows vs. Mac vs Linux argument. I'm talking here specifically about security of the Windows platform.

Now, I don't have any specifics on Ed's setup, but I think that his story serves to demonstrate the sorry state of antivirus software. Let's break it down:

I’ve had Microsoft Security Essentials (MSE) installed on my main working PC for most of the past year. Mostly, I use it for real-time protection. I typically disable the scheduled virus scans on my PCs and instead occasionally do a manual scan just to confirm that nothing out of the ordinary has snuck through. Last month I decided to perform a scan using the Full option. Because I have 2.5 terabytes of hard disk space, with roughly 40% of it in use, I knew the scan would take a long time. So I scheduled it to run while I was out running errands.

First problem: scheduled virus scans take too long and hammer the system too heavily. Most antivirus products were designed with a "megabyte" mindset, while many of us now live in a "gigabyte" or even "terabyte" world. Part of the problem is treating a system scan as a discrete job that you run daily, weekly, monthly or whatever. That seems backwards to me. A better approach would be to scan piecemeal during idle ("screensaver") time, giving priority to the riskier file types, with the goal of sweeping every file on the system on a regular basis rather than in one marathon session.

I'll come back to why this is important later.

But is relying on one antivirus solution good enough? No, it isn't.

Only 17 of 43 antivirus products detected this as a threat. The full results page showed the identification, if any, for each product on the list. Microsoft, Symantec, Avast, and F-Secure were among the engines that flagged the file. But the majority didn’t.

Now, you can run multiple antivirus solutions on a system, but it's not recommended because you can run into all sorts of issues. Antivirus software embeds itself pretty deep into a system (real-time scanners hook file access down at the kernel level), so you can end up with two products fighting over the same files. Another problem is the system resources consumed by running multiple security applications side by side.

So what's the solution? Well, we live in hard times and I'm pretty cheap, but what I'd like to see is a situation where the antivirus signatures are separate from the application itself, so I could run a generic scanning engine and subscribe to multiple signature services (a bit like how Virustotal.com works, only in real time on my own machine). This way I could pick and choose the signatures used to scan my system. I like this idea for two reasons:

  • First, greater protection. Effectively I'd have more eyes looking at my files for nasties, so a sample one vendor hasn't seen yet might still be caught by another.
  • Secondly, a better handle on false positives. A file flagged by several independent signature sets is far more likely to be genuinely malicious than one flagged by a single vendor, and a single-vendor hit at least tells me which files deserve closer investigation rather than being quarantined on one vendor's say-so.

Let me go back to my first point again, and the need for regular system scans of ALL files. Let's examine the chronology of Ed's story:

I’ve had Microsoft Security Essentials (MSE) installed on my main working PC for most of the past year.

...

... occasionally do a manual scan just to confirm that nothing out of the ordinary has snuck through.

...

Last month I decided to perform a scan using the Full option.

...

According to the scan results, this threat was first identified in definition 1.85.1774.0, which was released by Microsoft on July 9, 2010.

So, unless I'm missing something, Ed has had MSE installed on the system for "most of the past year." He says he runs only occasional scans, and since the signature for this threat was added to MSE on July 9, 2010, I assume that Ed must have acquired this nasty before that date and has not run a full scan since. Real-time protection only checks files as they arrive or execute; a file that was already sitting on disk when the new signature shipped won't be looked at again until something scans it. Moral of the story: just because something gets past your antivirus scanner today, don't assume that it's clean.
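As an added illustration (not code from the original post, and not from any real antivirus product), here is a toy Python scanner that puts the two ideas above together: several independent signature feeds checked against the same files with a simple consensus rule, so a single-vendor hit is marked for investigation rather than treated as gospel, and a ledger recording which feed version each file was last cleared against, so that "clean" verdicts expire the moment new definitions arrive. Everything in it is constructed for the demo: the feed names, version numbers, sample files and their contents are made up, and the signatures are whole-file SHA-256 hashes, which is the crudest possible form of detection and nothing like what a real engine does.

```python
"""Toy multi-feed scanner with a rescan ledger (editor-added illustration).
Feeds, versions and sample files are constructed; signatures are whole-file
SHA-256 hashes, far cruder than anything a real antivirus engine uses."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" (name -> contents). None of this is real malware.
SAMPLE_FILES = {
    "report.docx": b"quarterly numbers, nothing to see here",
    "setup.exe": b"MZ\x90\x00 legitimate installer stub",
    "invoice.pdf.exe": b"MZ\x90\x00 drop payload and phone home",
    "notes.txt": b"buy milk",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Feed:
    """One vendor's signature feed. 'version' is a tuple of ints assumed to
    sort chronologically, like the 1.85.1774.0 definition quoted in the post."""
    name: str
    version: tuple
    bad_hashes: set = field(default_factory=set)

# Three constructed feeds. FeedA and FeedB know the dropper; FeedC does not,
# but carries a false positive on setup.exe (a single-engine hit).
FEEDS = [
    Feed("FeedA", (1, 85, 1774), {sha256(SAMPLE_FILES["invoice.pdf.exe"])}),
    Feed("FeedB", (2, 0, 3), {sha256(SAMPLE_FILES["invoice.pdf.exe"])}),
    Feed("FeedC", (7, 1), {sha256(SAMPLE_FILES["setup.exe"])}),
]

def scan(files, feeds):
    """Check every file against every feed. Returns {name: [feeds that hit]}."""
    results = {}
    for name, data in files.items():
        digest = sha256(data)
        results[name] = [f.name for f in feeds if digest in f.bad_hashes]
    return results

def triage(results, feeds):
    """Consensus rule: no hits -> clean; exactly one feed -> investigate
    (possible false positive, worth a look); a majority -> malicious;
    anything in between -> suspicious."""
    total = len(feeds)
    verdicts = {}
    for name, hits in results.items():
        if not hits:
            verdicts[name] = "clean"
        elif len(hits) == 1:
            verdicts[name] = "investigate"
        elif 2 * len(hits) > total:
            verdicts[name] = "malicious"
        else:
            verdicts[name] = "suspicious"
    return verdicts

class Ledger:
    """Remembers, per file hash, the newest version of each feed the file was
    checked against. A 'clean' result only means clean as of those versions."""

    def __init__(self):
        self.checked = {}  # sha256 -> {feed name: version}

    def record(self, files, feeds):
        for data in files.values():
            entry = self.checked.setdefault(sha256(data), {})
            entry.update({f.name: f.version for f in feeds})

    def stale(self, files, feeds):
        """Files never checked against a feed, or checked only against an
        older version of it: the ones a rescan must revisit."""
        out = []
        for name, data in files.items():
            seen = self.checked.get(sha256(data), {})
            if any(seen.get(f.name, (0,)) < f.version for f in feeds):
                out.append(name)
        return sorted(out)

def demo():
    """Scan once, then ship a FeedC update that adds the dropper: every file
    cleared earlier is now stale, and the dropper gets a unanimous verdict."""
    ledger = Ledger()
    before = triage(scan(SAMPLE_FILES, FEEDS), FEEDS)
    ledger.record(SAMPLE_FILES, FEEDS)
    updated = list(FEEDS)
    updated[2] = Feed("FeedC", (7, 2),
                      FEEDS[2].bad_hashes | {sha256(SAMPLE_FILES["invoice.pdf.exe"])})
    stale = ledger.stale(SAMPLE_FILES, updated)
    after = triage(scan(SAMPLE_FILES, updated), updated)
    return before, stale, after

if __name__ == "__main__":
    for label, value in zip(("before", "stale", "after"), demo()):
        print(label, value)
```

The point of the ledger is the one Ed's story makes: once FeedC publishes a new definition, every file it previously passed as clean is stale and has to be looked at again, which is exactly the work a real-time-only setup never does. The consensus rule is deliberately conservative in the other direction: setup.exe is flagged by one feed out of three, so it is queued for investigation instead of being deleted on a single vendor's word.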

Now, given the information that Ed has supplied, it's pretty clear that his system was immune to the malware it was carrying because, being a smart guy, Ed keeps his system patched. But it goes to show how malware can creep onto a system and lurk there despite security software being installed.

Bottom line: antivirus software as a whole is in a sorry state and is failing to provide even experienced customers with the sort of security they need (and deserve). The widespread availability of free antivirus software might help reinvigorate the security industry and make vendors rethink how security should be done, rather than putting more effort into generating hype.