What anti-virus will YOU use?

These two articles provide some very interesting insights on hacker trends.
Stealth virus warning sounded again
Triple-Barreled Trojan Attack Builds Botnets

In summary, organized crime will dominate the virus scene to create zombie networks for profit. This is really not new, but their tactics are thought-provoking.

In an attempt to foil anti-virus technology, largely based on signature recognition, they are infecting smaller sets of computers each with it´s own variant. This makes the task of hunting down signatures very hard as samples are less likely to be reported to anti-virus companies. When Sasser and Blaster hit the internet, anti-virus companies can respond swiftly since the attack is highly publicized. Not so with 5000-10000 infected computer sets.

This trend shows that next generation anti-virus will have to rely more on heuristic techniques. Kaspersky and NOD32 are among the top anti-virus products available today but the comparatives at AV-comparatives show that their strong points are different. Kaspersky has an unparalleled database of threats that are updated within hours thanks to a commited and highly skilled staff. NOD32 excels in detecting new/unknown viruses, probably due to advanced heuristic engine. As the war gets tougher who will you bet to keep you protected?

I just wished they were both one product!

 

Hi,

While early detection of malware will have to be considered the first line of defense, I think that the best way to go is to create a protective shield that prevents unauthorized programs from ever executing - e.g. ProcessGuard, WormGuard, and similar. Even products such as RegDefend and Prevx, while offering protection, are still "after-the-fact", that is the malware has already begun to execute. It should be interesting to watch how security products in this category of "system sentries" evolve.

Rich

 

Indeed. Particularly as any such application has to tread a very narrow path between alerting the user to threats and ensuring that the computer is still usable. There's little point in protecting against malware with apps that in reality generate more pop-ups than the worst adware... People will disable them only to become vulnerable or to replace them with less stringent protection which bothers them far less often, but then leaves them open to attack.

Getting that balance right isn't always easy - I got fed up with Jetico which is, after all, an excellent firewall, but pops up far too many alerts.

Just something to consider whilst pondering the "next generation" of malware defences.

 

Hey Rich, you're starting to sound like a broken record (LOL). Are you working for DiamondCS now?

I'm hearing what you're saying, though, and I know how strongly you believe in both the product and the approach, and I applaud the helpful and informative posts that you provide. I guess I just found it kinda funny that you seem to slip "Process Guard" into nearly every topic these days, even when someone asks about AV. Oh well, just messin't with ya.....have a good one

 

And don't forget KAV

Well nothing wrong with that. We all have our favourites. There are worse products to be hung up on, though I personally doubt if PG will protect you from the threats mentioned in the article (if you are vulnerable at all, which is a big IF).

The problem is, in many cases, such threats would fall into the "authorised processes" category (an attachment you chose to open for example or a trojanised freeware program you ran)

Evil 'unathorised' processes are much rarer ,then people would have you think.

The nice thing about 'antiX' products as Rmus calls them is that you can slip it into any discussion about any malware threat.

Of course, that alone should warn you to be suspicious of how useful that measure is. An answer that applies to all questions, isn't really much of a question.

 

Some are hung up on the idea of catching things as early as possible.

The problem is if your scanner does not recognise the malware, and you are commited to running the program, you will have to let the program run, and this is where the other behaviourial monitoring heuristics kicks in and warns you of suspicious behaviour.

That in many cases can be extremely useful, if you are in the habit of trialing lots of new programs.

PG's execution protection is useful in the following cases

1) You accidently start a program you don't want to
2) Some malware utilising a zero day exploit/bug in your email client,browser etc runs spontanously (very rare)

However for the more common case of software you run yourself , the "catch it as early as possible" routine doesn't work , you must run it at least "a bit" , and watch it's behaviour for it to tip it's hand..

This is where PG comes into it's own by watching hooks, driver installation etc IMHO. Regdefend, PrevX has its points as well and so do many other products which monitor various things.

Such measures are typically considered "proactive" because they don't rely on signatures and can help alert users to malware without updates.

Proactive doesn't mean only execution protection , it certainly doesn't mean catching malware as early as possible in the execution stream.