Stand alone vs suites + anti malware

Since some malware, like antivir, is not detected by AVs I am wondering about relative security between a suite and the same AV plus Firewall and an anti-malware application such as MBAM SAS , or a-aquared?

I had thought that AVs covered the anti-malware needs, but now know that is not true.

I don't want to go into things like sandboxie, but want to limit it to an AV (no names please) with AM and Firewall vs a suite with an AM. (anti-malware)

Thanks,
Jerry

 

For awhile antivirus technology has encroached in areas of detection that were once considered outside it's scope. I have not used a-squared before so will not directly comment on it, but sas and mbam are most often recognized as on-demand scanners. Seeing as they both offer free solutions, I do not feel there is an issue with running one or both of them alongside an antivirus suite or alongside a stand alone antivirus solution (from a cost, resource, and compatibility stand point). Correct me if I'm wrong about what you are asking as the comparison you list in your first sentence is slightly different from that of the third sentence.

But if one were to take it a step further and consider cloud/behavior based solutions (which I guess can also fall under anti malware), I think the question of overall better coverage might come into play. From my understanding... most developers of cloud/behavior based solutions lead one to believe that antivirus technology is not capable of responding to today's threats in a timely manner. The numbers of these threats alone are also ironically what make it so hard to verify how truly effective these solutions are when run alongside an antivirus.

I will use the graphs in Prevx's website as an example... one can see that a very large majority of its detections which antivirus technology has missed are that of "unclassified malware." Most of the "top" unclassified malware (that is listed by file names) are most likely malicious, but they only make up a rather small percentage of the total "unclassified malware." And towards the middle of that list the amounts of "time seen" drops considerably to 1 or 2 instances. So I am assuming that most of the "unclassified malware" is being seen only once or twice (correct me if I am wrong). To add to the confusion there are some instances where a file appears in both the "unclassified malware" and "malicious software" list... and perhaps in other lists as well (at least by file name). I for one do not know what methodology is used in labeling something as "unclassified malware" and what percentage of these files are actually malicious... considering that there is a distinction between the two (seeing as they have made 2 categories) and yet some files are listed in both lists while I am sure some are not.

In my most recent experience the antivirus I was using had detected a false positive in a pdf file that I exe encrypted with axcrypt. Prevx too also made the same false positive. Considering I had numerous pdf files encrypted in this manner I got a lot of warnings from my antivirus and Prevx before moving that folder into their exclusion list. But would this one instance have been deemed as "unclassified malware" or would the multiple instances be totaled and added to the "unclassified malware" list... I do not know.

To be clear, I am not picking on Prevx, I used them as an example mainly because it is so difficult in finding data on what is being detected in relation to what antivirus solutions detect; and even then the information is rather incomplete and the numbers are too large to actually parse.

I am not saying that antivirus solutions are the end-all, be-all either. I personally use various solutions, but also try to stay away from those that overlap coverage.
But to me I can't help but think that those in the camp of cloud/behavior based solutions do not feel one should "put all their eggs into one basket" which in a way conflicts with what most antivirus suites are likely trying to achieve. Of course almost all these cloud/behavior based solutions say they are complimentary to an antivirus, but in my opinon if they view their niche is in providing timely protection in the form of their solution's technology/community/resources, then I dont really see how even an antivirus suite fills the niche that these solutions believe they fill (not taking into account the firewall aspects of some antivirus suites). And even if it could... determining just what that difference is... will be quite a task.

 

If you are asking whether suites inherently provide better security than separate applications, then I have already given you my view on this in another thread, and the answer is no. Suites are convenient to use and generally have tighter integration between the various components but the overall level of security is not likely to be any better than well chosen separates. Nor is it necessarily true that paid is better than free. It's perfectly possible to make up a suite out of free applications that will rival expensive paid suites in terms of overall protection.

And the reason it's not true is because AV is based on blacklisting technology which has inherent limitations. AM is similar to AV in this respect and also has limitations in malware detection and prevention.

By ruling out complementary approaches such as sandboxing/virtualisation and policy restriction, you are refusing to look at some of the most powerful complementary additional layers that you could be adding. Having said that, if all you are looking for is a good AM to run alongside an existing AV or suite with minimal risk of conflict then you could consider the paid version of Prevx 3.0. Prevx 3.0 has been deliberately designed to work alongside existing AV's and can add a useful level of additional protection. It's all about perceived need and risk, and only you can make the assessment as to what's right for you. Your signature indicates that you probably have enough security applications already.

 

Thanks for the replies. I am going to take another look at the total picture as I can understand it.
Regards,
Jerry

 

.
FWIW the distinction between standalone apps and a suite is only valid up to a point. I think the issue is more a matter of self-protection. One of the arguments against suites is if malware disables the suite you lose everything, but if you have separate apps it's less likely malware will disable them all. Whether or not that's valid depends on the applications. Some AV and AS apps can be closed with a simple mouse click or have their processes terminated in the task manager - some cannot. For instance Prevx actually has a self-protection section in its' setup where you can choose different degrees of "hardness". Some apps offer an option to password protect settings to make it harder for malware to disable them - others don't. I think this is as important as detection rates.

 

Thanks, that is helpful. I have never seriously considered Prevx, but may give it another look.
Regards,
Jerry

 

If the suite includes an AV & FW & BehaviorBlocker/HIPS (BB/H), then it should offer better-rounded protection than a stand-alone AV & FW -- from the standpoint that a BB/H enhances zero-day protection.

As to MBAM as an adjunct to an AV -- AVs nowadays cover the full spectrum of malware, inclusive of malware-types covered by MBAM. However, MBAM might very well spot a nasty that any given AV might not spot, AND any given AV might very well spot a nasty that MBAM missed. IMO, this is pretty much true of ANY two signature-based apps, even assuming approximately equal overall quality.

As to your words: "such as MBAM ... or a-squared" -- A-squared is not really comparable to MBAM as to type/scope etc. In fact, A-squared is a multi-engine suite (AV + BB/H).

 

I'd say stand alone. If there was a major infection it could bring the entire suite down since its all tied to one program. Then your pretty much screwed. With stand alones you can still scan with some programs if the malware messes up others you have.

 

You are right of course, but then again it's not a like-for-like comparison. I imagine that if a separate BB/HIPS (e.g. Mamutu, Threatfire, etc.) were added to the mix of standalone AV & FW, the level of protection would, in principle, be similar to a suite offering the same features.

You make an important point, which I agree with, and which is partly why I personally prefer using separate applications to a suite.

Just to play devil's advocate for a moment and put the other side of the case though: With suites, if the components are well integrated they should co-operate to enable each component to work to maximum effectiveness. With separate applications, there is always the risk that they will in some way conflict, potentially reducing the capability of each application to protect.

Another reason, I prefer separate applications is that best of breed can be chosen in each category. Often with suites, the suite is based on a single application that has been integrated with other components - either developed by the same vendor or licensed from other vendors - to make a suite. This frequently means that the suite is not equally strong in all areas.

Also, speaking personally, I don't see the point in paying for a suite, when I can get equivalent protection from a mixture of paid and free standalone applications at a lower price.

 

FYI -- Similar discussions have occurred on other occasions in this forum: e.g., see this thread and this thread.

 

.
To advance this discussion any further we would have to start speaking about specific suites, though that would probably be "off topic" here and expose us to the danger of an A Vs B violation The same thing applies to price - it is certainly not the case that suites are always more expensive then a collection of standalone programs. I recently bought a one year/3 PC license for NIS 2010 which was free after rebate (OMG, I mentioned NIS).

 

And good riddance to any suite that allows a major infection. To such a suite I would say, "Thanks for nothing. Don't let the door hit you in the a*s on the way out."

In any event, the suites I have used in the past were (1) modular and (2) had excellent self-protection. Impregnable? Of course not. Is there any anti-malware app that IS?

By the way (appropos of nothing) be it known that I now use a stand-alone AV + classical HIPS + Sandbox, with an SPI/NAT router on-duty.

 

The initial price of a suite may be discounted, but the total cost of ownership of a suite in the medium to long term is still likely to be higher, as paid-for suites tend to operate on an annual subscription model. There are enough standalone programs that are either free or have a one-time payment to make it perfectly viable to achieve the same result using separate applications for little or no annual cost.

I'm not against suites per se and I agree that a discussion like this ultimately has nowhere to go without discussing the merits of specific programs. Given the title of this thread, the only valid comparison that can be made without getting into a pointless A vs B debate is to discuss the pros and cons of both approaches in general terms. I don't believe that either approach inherently provides better security than the other.

As always, each person has to weigh up for themself the pros and cons of different approaches when considering specific applications, and how that fits with their overall security strategy. IMHO, a well thought out security strategy based on an individual assessment of need and risk is what really matters, not the decision to use a suite or separate applications, both of which are perfectly valid choices.