Studies on the efficiency of ISS or AV

It’s difficult to make his judgments on AV or ISS (Internet security suites) from the tests of AV test companies, if you aren’t a computer scientist.

Does it exist studies on the damages caused by malwares (crash, loss of data, thefts, etc.) according the AV or ISS software used (studies controlled, of course, by the behavior of the computer owner) ?

Thanks

 

Not sure exactly what you're asking for. Are you asking for how effective antiviruses are or something else?

 

Yes, how effective antiviruses are, but not based on tests, but on real studies.

 

Real studies as in asking how many people would have died for disease XYZ when they were not vacinated with ABC?

** Flashback Botnet Infects Over Half A Million Macs **

** DocCrypt/Dorifel hits Dutch government and municipal organisations **
Dorifel is also the reason for the launch of the new HitManPro Endpont security https://www.wilderssecurity.com/showpost.php?p=2137726&postcount=4804

 

No. Studies which allow to compare different AV.

 

Personally, I think thats going to be a difficult task.

I say that because of user habits. A given AV being used by people doing the exact same thing could be compared. Being used by a million different people, each with different software installed like firewalls/scanners/hips/AE/etc would make it hard to know how the AV worked. That doesn't include whether UAC is on or off, whether users are LUA or Admin, nor the websites people visit. We could both use the same AV, and you might be infected a dozen times while I never even see an alert prompt come up.

The only tests I have ever seen that, to me, had any value were independent labs that had a collection of older and 0day virii, and used these as a test bed. The AV ratings are simply based on what they detect at the time of test. You are always left to find out for yourself whether your chosen AV will detect tommorrows new variants.

Sul.

 

A study like this could focus on too many aspects.

If you're looking for how easy it is to bypass an AV I can tell you that, with source code, I could do it in very little time. It's usually very simple, almost anyone could do it and bypass the majority of AVs just by copy/pasting code and with very very minor knowledge of programming and how function calls work. I've never actually tried though, actually - just going by guides I've read, which used very trivial methods (like encoding a string).

But is that effectiveness? In the wild a fully up to date AV can catch quite a bit of what's actually out there just because by the time a user runs into it it's often in the database.

You'd have to define effectiveness more strictly. Effective against what exactly? Targeted attacks? In the wild malware?

 

Yes, but statisticians know how to do.