The great signature-based anti-virus program swindle

Over the past couple of months, I have tried an experiment whereby I tested various anti-virus programs hosted on http://www.virustotal.com

I would take a freshly-received spam email and follow the links in it to get to a download. I would download the file (usually an executable) and rename it (to make it harmless), and then upload it to Virustotal. I would then get an HTML page report of what anti-virus programs made of the file.

In three separate uploads chosen at random from spam emails, ALL anti-virus programs hosted at Virustotal failed to spot at least one of them. That includes latest versions of NOD32, Symantec, Sophos, Kaspersky and Microsoft AV products with up-to-date signatures.

Submitting the same files a fortnight later, most of them would be spotted, but the latency of a fortnight seems far too long in my opinion. It would be far too late if you have already clicked on the various links in an email you just received. With IE6, one email I got (about Britney Spears and from somewhere in Hungary) had a link, which, if clicked, instantly and without prompting, downloaded 2 trojans onto the PC and attempted to patch them into the registry's auto-run keys.

The security program I use, which is behaviour-based, spotted all three samples I sent (http://www.jacobsm.com/mjsoft.htm#rgwtchr), and prevented the Hungarian link from doing anything bad to my PC (it quarantined the files, one of which I uploaded to Virustotal, where again, many popular AVs failed to see it as a threat!).

That is why I reckon anyone using a signature-based AV product is being conned out of their hard-earnt money.

 

Rely on other security rather than blacklists or heuristics here.Just been reading about a very nasty virus.

http://forum.piriform.com/index.php?showtopic=12348

 

I've been swindled!

 

For a minute or so, it sounded like you discovered this wonderful software that you were recommending to all of us, and not that you actually wrote and sell that software. (Donations for licenses is still "selling" by the way.)

So, there is no chance that you are making a self serving (spam) post there in order to get people to give up antivirus software in favor of your own package, right?

 

Good point, but actually not true in this instance. I was just reporting my own (personal) experiences, and it was not meant to be an "advert" for MJRW. Sorry for the confusion, but I feel this failing of AV software needs some attention. I believe people are being ripped off, unless there's some behaviour-based analysis going on too. Signature-based is woefully inadequate because signatures come out after the "bad guys" appear in the wild.

 

Discussed Here

 

To call sig-based AVs a "swindle" is a little extreme... all you're really saying is that AVs alone aren't always enough today...

 

Hello,
Well, he has a point ...although I think the cure is a bit different...
But signature-based apps are problematic. They belong to the innocent world predating today's mayhem.
Mrk

 

I'm saying that the inadequacies of signature-based AV programs are so obvious, that anyone can prove their scanner has a hole in it by responding to a few current email scams. Now, that's really bad, IMO.

 

AVs aren't supposed to watch over or catch "email scams" per se... they should however catch any nasty file attached and that sort of thing...

 

Sniff...Sniff... Hmmmmm...

 

OK. I did this one the other day :-

EMail received Wednesday 26 September 2007 8:44 am from Beverly Jackson <ilithyia.danby@webra-austria.at>, had attachment image.zip and inside was image.exe which I submitted to Virustotal. EMail read :-

Good afternoon, man!
Nude Holly Berry ! Watch in your attachment!
Regards.​

Virustotal results :-

{VT results snipped per forum policy - Blue}

So, only 7 out of 32 AVs found it. That is my point! What a scam AVs are!

 

AV's is only one more way to protect our systems!

The users should also make their work to prevent that malware infect their systems!

 

Then precisely what is the post above, a non-advert advert? Sheesh

Obviously you have a point in that a signature - any type - can't exist until the malady is defined, and that can't happen until the malady exists, ergo, blacklisting of any type lags appearance.

Unfortunately, average users really have no a priori basis to make operational decisions regarding uncharacterized malware/events, particularly if any sort of automated updating/desired to try new content/etc. occurs on their machine. So there's a pragmatic quandry, which is currently best solved using the expert analysis and advice provided by a standard AV package.

If you don't think it's the best solution for you, fine, but get a clue that the mass market isn't starting from the same knowledge base as yourself, or most members of this forum for that matter - and most of the latter could still benefit from the expert analysis and advice of an AV package.

Blue

 

IMHO, it's a fair point, up to a point, but one could also say that locks are a ripoof, since any competent burglar can defeat most of them, and any dtermined burglar will simply find another way in, but I presume you have locks on ur house and car, and lock them both dutifully. Not everyone will encounter malware "hot off the press" so to speak, many will encounter it, if at all, at a much later date. I don't think the problem lies so much with the AV's, as with your expectations of them. They are merely one weapon in the fight.

 

This is based on the assumption that the AV is the only line of defense! And when you assume, you make...... not me!

 

It's all very logical and predictable, if you think long enough about it. This is old news for me.
My goal is to remove viruses, that don't even exist yet, viruses of 2008, 2009, 2010, ...

 

I think your language is a little flamboyant.... What you're trying to say in normal English is: AVs are imperfect.

 

An Anti Virus program has always and will always play a key role in my layered security setup.
Nothing is perfect.Nothing will stop/catch everything.
That is the beauty of the layered approch, what one misses another could very well catch/stop.
IMO an Anti Virus is still an important part of any security setup.

 

"The great signature-based anti-virus swindle"?
That's extreme!

I think LoneWolf summed it up best.
Layered security is the way to go.

 

Haven't used any blacklist scanners here in a long time but I will admit that they are needed for cleaning up infections for people that don't want a format/reinstall along with a bit of of education in using Sandboxie, Returnil and images.

Using your head along with Sandboxie, Returnil, Image backups makes blacklists redundant, for me anyways.

Also think of the speed increase with not having anything checking a webpage before opening.

I even have "Tell me if a site is a suspected forgery" in Firefofox security options unticked.

Like that peanut said, "Bring it on "!

 

That's the whole point. We should be looking at what these nasties are trying to do to the PC systems, and prevent that from happening. The fruitless pursuit of trying to instantly recognise threats from their ever-growing databases of signatures, means that all PCs using these AVs will get slower and slower, unless you keep upgrading the hardware. It is a ridiculous state of affairs, IMO.