Antivirus protection worse than a year ago

http://www.heise-security.co.uk/news/100900

 

What is worrying, however, is the fact that recognition rates of virus variants [were] created experimentally by c't also fell significantly.

 

Isn't that exactly what happens in real life?

Variants of malware, which are tweaked to bypass scanners, get created.

 

Yes, BUT this has been the topic of scrutiny before;
"Good guys" don't create viruses. Think the Consumer Reports article form last year or so and the newer one from ct'.

 

That's a moral argument, not a technical one. I don't see why this fact should discredit the testing measures as inaccurate.

 

Vesselin Bontchev from Frisk was not very happy with this test .

 

For the same reason IBK is worried, apparently.

Does anyone have any idea why this is supposed to invalidate the test?

 

Yes, it's being discussed here.

I think Mr. Bontchev should take a chill pill

 

http://www.avertlabs.com/research/blog/?p=71

 

http://blogs.authentium.com/virusblog/

 

I see him more when an av testing is done in an unethical way. Never seen a post attacking other AV companies.

 

He isn't happy because c't have created their own variants for the test, but even so, it appears F-Secure dealt with them well with their DeepGuard technology. Surely that's a good thing?

 

What surprised me most was his own reaction. Makes me wonder if there's something else between the lines

For me, yes.

 

I read that article and its related links. Its a real shocker because in effect it says that signature based scanning is of very limited usefulness. They did like the heuristic performance of Nod32 and Bitdefender at 68% and 48% respectively.

They try to justify creating new viruses as a testing tool. I believe that is a bad practice and agree with those that put forth retrospective testing as a scientific alternative.

One thing that bothers me is if malware writers are tweaking their stuff until it is undetectable, they likely are testing it against the most widely used AV's, Symantec McAfee, Trend and the free AVG. Its a scary thought as those four are on such a large proportion of all Windows computers.

 

Simply test different packers, packer combinations etc in few minutes against all scanners by uploading your newly created malware to jottis for example. Then release a variant that is undetectable by all.

 

But will the Virus-Scanner not scan the Files a second time after they are unpacked?
That could be not the reason.

 

Me too. Until I came across this blog from Kaspersky.
http://www.viruslist.com/en/weblog

Title: The darker side of online virus scanners
By: Aleks

 

Yes it does. I may not be a expert, but I would like a AV that could handle these zero day threats. Itsnt that what they should do. And it looks like DeepGuard did it. The one AV that has a proven HIPS included. I think these kinds of tests are very valid and "tell" alot.

 

Good point. We as an end-user would want the protection from zero day threats.

 

Now this is cheeky! (from your link)

AVCheck.ru - is a service checks your antivirus files. The main difference from the analogue is that we are not forwarding your files for analysis antivirus companies. We respect your right to property and privacy. AVCheck conceived as a convenient service to check files, including autonomous. The advantage which would be automated testing with detailed records in the mail or IM client. Let us check and sleep peacefully!

 

2008 and beyond would involve more sophistication. Poor AV staffs. Make sure to support these guys.

 

My approach to multi engine scanning is to use virtual machines. Its relatively easy to run 30 day trials of anything since at the end of the month the VM is deleted and a new clone is made and XYZ AV may be installed.

 

No doubt 'exploits and proof of concept' stories are flying thick and fast and one may despair.

Attend any security conference and the ‘respected experts’ from The IT/Computing/Security industry will spell every ‘doom and gloom’ story beyond imagination. The problem is not that the experts are wrong but rather that no one is honest to admit failure of a different kind – that many users are hell bent on visiting dodgy websites, porn sites, warez sites, crackz sites, illegal file sharing sites, games websites, downloading key generating software....add to that desire to click links, open attachments, use very weak passwords, and laziness to keep software updated, poorly configured firewalls or even a blatant refusal to install security software.

Now with all that going on malware writers do not need to be ‘that smart’. A lot of security forums are already infiltrated by users who argue perpetually about their favourite applications, constantly trash other products and so much misformation and sometimes outright lying is unchallenged. INHO i do not think AV are worse, they have never been better.

 

Potential misses due to new releases, altered old ones, or what have you is what drives security conscious users to apply layered approaches in addition to their choice of AV's. And is why HIPS is become the next best alternative to compliment AV's IMHO.

 

Seems that I have been accused of trashing some AV's. Actually, I use one of the majors that I feel may be more of a target for virus writers to test modifications.

Believe me, if I want to trash something, there would be no doubt that is what I am doing.

By the way {redacted} is a totally worthless AV.

Even if virus writers are using multi engine scanners to test their modifications, they will be most interested in beating the labs with the largest market share. If they happen to beat a few boutique products as well, they will just be all the merrier.

The concept of choosing the large target is well known. Its one reason why there are few Mac viruses. Just not enough market share to keep the crooks interested. The same goes for using alternatives to Internet Explorer.