Can we always trust all scan findings of Antivirus?

Discussion in 'other anti-virus software' started by sweater, Dec 23, 2005.

Thread Status:
Not open for further replies.
  1. sweater

    sweater Registered Member

    I am a little worried and sometimes hesitate, because maybe some anti-virus or anti-spyware may make mistakes in identifying "good things" as bad. (My experiences with some of the most trusted registry cleaners made me more aware that this can also possibly happen with anti-virus and anti-spyware scanners.)

    Aside from my main antivirus, Avast Home, I also use several on-demand virus scanners like BitDefender 8, ClamWin, Dr.Web, and Kaspersky free, just like I also use several anti-spyware scanners. :rolleyes:

    BitDefender can always find several viruses and ClamWin can sometimes find Trojans in my PC, while some of my scanners couldn't. :(

    What's your personal opinion on this... is it always OK to trust their findings, or is it better to always set them to quarantine their findings instead of automatically disinfecting or deleting them? :rolleyes: o_O
  2. Sputnik

    Sputnik Registered Member

    All types of malware scanners will return false positives. It's up to the end user to make the final judgement. One scanner gives more FPs than the other, though.

    If you're not sure whether a file is really "bad", you can always submit it to your vendor's lab to have it checked :)
  3. KeepItSimple

    KeepItSimple Registered Member

    Sweater and Stylewarz

    You both raise very valid points. Malware is getting more and more sophisticated by the minute (literally).

    I use Symantec and McAfee (on different PCs) plus a range of other security products like Adaware and Prevx.

    Challenges abound for all security products. Those using pure signatures like the AV companies can register false positives when a signature is weakened (yes weakened) to catch a wider range of derivatives. The weaker the signature the more it catches. This works for the virus but sometimes means that benign software is caught too.

    The behavioral products have their fair share of issues too, with more and more 'clever' commercial software trying to grab more and more market share and legitimately exhibiting behavior that could easily and readily cause it to be detected as malicious.

    So Sweater's question, which is brilliantly simple: Can we always trust all scan findings of antivirus? The simple and uncontestable answer is NO. There is NO silver bullet in the defence against malware (aside, that is, from no network or external drives and devices!). We all need to be vigilant.

    The days of the bright young teen writing a virus to display 'happy xmas' as it deletes your files are over. He/She has now grown up. Probably been given an MBA (on a scholarship, more of this later...) and wants the fast car, the great house by the ocean and more. He/She is now in business. Stealth mode installs, silent data gathering. Numerous products to sell such as rootkit delivery mechanisms, bots for hire, you name it.

    Now let's return to scanners. Scanners are not a means of protection. They exist to detect and clean up prior infections. They are only as good as the database of known malware they rely on to identify what is bad.

    A short while ago, we all believed that the gap between a new virus being in the wild and the AV companies identifying it and zapping it was at worst a few days. The problem was we never had any other information to measure it. AV companies only told (tell) us about things when they have seen them and offer a cure. The re-scan is there to find those things that have already infected your PC since the last signature update. My question is: do we really know how long ago the thing actually infected our PCs? We assume since the last scan. In reality it is probably much, much longer.

    I am currently concerned by the time lag between real infection and a cure being available for a great number of malware forms, particularly spyware like Apropos.c. According to the Symantec web site they put out a signature (cure) for Apropos.c (high threat) in late October, McAfee early July. That is a period of 3+ months while Symantec's customers could be exposed.

    http://securityresponse.symantec.com/avcenter/venc/data/spyware.apropos.c.html

    http://vil.nai.com/vil/content/v_134133.htm

    I am not trying to have a go at Symantec here or to make a case for McAfee. There are many examples that show this is an industry problem. And it is getting much worse, much quicker than we ever imagined.

    To get a real view of the number of new malware programs emerging every day, just take a look at http://research.prevx.com; you will be amazed. Dig around this site to see when some of the programs referred to by the AV companies were actually first seen in the wild. It is staggering.

    No, we should not trust antivirus scans; they only find what the vendor already knows about. The exposure is the sheer number of new malware entities freshly compiled every day by the commercial malware guys with huge IQs.

    The following link shows a sample of new malware detected each and every day:

    http://research.prevx.com/chalkboardinfo.asp?d=0&c=8

    This is scary but an important thing to see just to get things in perspective before we try and judge the efficiency of these products.

    Sweater, don't stop running the scans. They will detect and remove a ton of stuff. But don't think for one minute that means your PC is safe and your info is secure. The chances are they are not.

    http://virusinfo.prevx.com/pxparall.asp?PXC=8016754827

    KeepItSimple
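As an added illustration of the point above about weakened signatures (this is example code written for this page, not from the thread, from Symantec, McAfee or any vendor's engine): a constructed corpus of made-up byte strings is scanned with a strict, a weakened and a very loose signature for the same "family", and the detection count and the false positives are tallied for each. Every sample and signature here is invented for the demo.

```python
import re

# Constructed corpus, not real malware: three "variants" that share a core byte
# sequence and differ by a version byte or prefix, plus benign files that
# happen to share parts of the same bytes.
SAMPLES = [
    ("variant-a", b"\x90\x90PAYLOAD:v1\x00drop\x00"),
    ("variant-b", b"\x90\x90PAYLOAD:v2\x00drop\x00"),
    ("variant-c", b"\xcc\xccPAYLOAD:v9\x00drop\x00"),
    ("benign-installer", b"MSI PAYLOAD:setup\x00copy\x00"),
    ("benign-updater", b"UPDATER PAYLOAD:v3\x00drop\x00"),
    ("benign-doc", b"Hello world\x00"),
]

# Three signatures for the same family, from strictest to weakest:
# - strict: one exact byte string (catches only variant-a).
# - weak: the version byte is wildcarded and the prefix dropped (catches every
#   variant, but also the benign updater whose bytes look the same).
# - loose: only a short marker is kept (catches everything carrying it).
SIGNATURES = {
    "strict": re.compile(re.escape(b"\x90\x90PAYLOAD:v1\x00drop\x00")),
    "weak": re.compile(rb"PAYLOAD:v.\x00drop\x00"),
    "loose": re.compile(rb"PAYLOAD:"),
}


def scan(sig, samples):
    """Return the names of the samples the signature matches."""
    return [name for name, data in samples if sig.search(data)]


def evaluate(sig, samples):
    """Count true detections, misses and false positives for one signature."""
    hits = set(scan(sig, samples))
    variants = {n for n, _ in samples if n.startswith("variant")}
    benign = {n for n, _ in samples if n.startswith("benign")}
    return {
        "detected": len(hits & variants),
        "missed": len(variants - hits),
        "false_positives": sorted(hits & benign),
    }


if __name__ == "__main__":
    for label, sig in SIGNATURES.items():
        print(label, evaluate(sig, SAMPLES))
```

Running it shows the trade-off the post describes: the strict signature misses two of the three variants but flags nothing benign, while each weakening step catches more variants at the cost of more benign files, which is why quarantine rather than automatic deletion leaves room to recover from a bad match.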