Wednesday, January 2, 2013

Antivirus products poor at catching new malware

The only thing new here is that it's being reported in the New York Times:
Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly.

...

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.
It's getting worse, and very likely will continue to get worse. Antivirus programs are really only a half step away from being security kabuki.

9 comments:

Anonymous said...

Hate to kick a dead horse, but the best antivirus I've found yet is Linux.

Borepatch said...

the best antivirus I've found yet is Linux

Win.

Dave H said...

How many 2+ year old viruses are still kicking around out there? The Internet never forgets. So an antivirus program is worth having just to protect against those. But it's easy to get complacent and forget that antivirus is like a flu shot - it (mostly) works against this year's bugs and it's worthless against next year's bugs.

Borepatch said...

Dave, Zeus for sure is still kicking around

Teke said...

I think serious consideration needs to be given by browser designers along with plug-in designers on how to create a secure sandbox on your local machine around the browser. Sure we can download an app, but I would still think the majority of viruses come in attached to things we browse.

Dave H said...

I'm with Teke. The rush for ever more features to "improve the user experience" (i.e. shove more advertising into the user's brain) is leaving too many vulnerabilities in its wake. Security in that industry is something you do once you've been caught.

wolfwalker said...

Teke: "I think serious consideration needs to be given by browser designers along with plug-in designers on how to create a secure sandbox on your local machine around the browser."

That already exists. Client-side (browser-side) scripts such as JavaScript already run in such a sandbox. The bad stuff is invariably server-side, and most of it depends on you to do something foolish or careless that lets it in. Unfortunately, there are plenty of people who are willing to do exactly that.

Also, keep in mind that anyone who cares about security and observes Safe Computing rules is by definition not the malware-writers' preferred target. Remember the lion and the antelope. Lions don't bother chasing fast antelope, they target the slower ones. Malware-writers don't bother targeting you or me; they go after the poor schlemiel who thinks the one-year subscription to Norton Antivirus that came with their new PC two years ago is enough to protect them forevermore.

Stick a router between your computer and your cable modem, run a software firewall on every PC, run regular sweeps with a good antivirus product like Malwarebytes, never run an unsecured webserver or any program with server capabilities, and be careful what you download and from where. I can't guarantee that you'll never be infected if you do these things, but I can tell you that these measures will cut your odds of infection by 95%. Or better.

chitown said...

+1 Linux

These articles are misleading because they only test AV, not real-world activity. Almost all of the major companies use a whole suite to look at the malware coming in through the web or physical drives/flash drives.
A lot of the web malware is memory-resident, so anything looking for a transfer to disk is going to miss it.
Look at Dennis Labs for real-world testing results. There are very few things that get through the suites when heuristics and file-reputation-based lookup are turned on.
Fair notice, I work for a computer security company, and if a customer is just using AV for protection I let them know there is a high probability they will be toast soon after they start internet access.
Wolfwalker has it right, there is no guarantee your system will be protected from malware even if you are disconnected from the internet; just look at Stuxnet and the Iran nuke enrichment PLC programming.

Antivirus said...
This comment has been removed by a blog administrator.