Why Microsoft Doesn't Need Independent Antivirus Lab Tests

Why Microsoft Doesn't Need Independent Antivirus Lab Tests
http://securitywatch.pcmag.com/secu...-doesn-t-need-independent-antivirus-lab-tests

 

Lol . Priceless

 

When I understand big data mining story of MSMRT correctly:

1. MSMRT has a fingerprint list of prevalent malware and scans only once a month.

2. When MSE does not has these fingerprints (otherwise it would not fail the AV-tests mentioned in the artikel), it can't feed MSMRT

3. When MSE does not give those fingerprints to MSMRT, how does MSMRT gets them (when engine is same in all Ms AV products)?

4. How does Microsoft obtains these fresh samples when they do not participate in those tests (and VT is bought by Google)?

Am I missing something?

 

Is that meant to be sarcastic? I don't see reasoning for it from this article.

 

I did a bit of research on Microsoft security practices and as far as I understand

-Microsoft receives samples from computers running only microsoft security products (or any windows user, not sure about this one).
-Automated analysis of these samples provide signatures to mse and windows defender to an extent. The products also use heuristic analysis.
-Some of harder to detect malware are viewed by hand and definitions are added later, depending on how quickly the microsoft team processes the threats.
-At the end of any month microsoft determines the most widespread and malicious of these and push signatures of them with MSRT (including the hand processed ones)

And where I got stuck is ".... Yes, that means Microsoft can very clearly identify failures by specific antivirus products, including their own... " I'm OK with detecting other vendors failures but how the heck they can detect their own failures with MSRT?

Either MS does push handpicked malware to only MSRT (or to first MSRT so MSRT detects it before MSE/defender), or they shouldn't be able to spot their mistakes. And if they act by this principal (I highly doubt it), it is the definition of stupidity. OR maybe they can only remove some of these malware with only MSRT and not by MSE/defender.

If they count existing operational malware which they didn't find in the first place as fails fine but what does MSRT have to do with it.

My head was hurting thinking about these, then I remember the source of the article and I stopped thinking about the issue all together

Joke aside any insight on subject would be highly appreciated.

 

When you reverse calculate the number of people infected using data below, Infected MSE-users would rank 70th largest country by population

Infection data of Microsoft
https://www.microsoft.com/security/portal/mmpc/shared/protection.aspx

AV-Comparative tests
http://chart.av-comparatives.org/chart1.php

Market share Opswat
http://www.opswat.com/about/media/r...-2013#worldwide-antivirus-vendor-market-share

Number of surfers/internet users
http://www.internetworldstats.com/stats.htm

Population per country
https://www.cia.gov/library/publications/the-world-factbook/rankorder/2119rank.html


Real world protected is Microsoft own data x Protection level AV-comparatives, infected is the opposite (1-protected)

 

Microsoft claims they detect widespread malware, as that is what users need protection from.
But, AV-Test.org shows this:
Detection of widespread and prevalent malware discovered in the last 4 weeks (the AV-TEST reference set) Industry average: 99
Samples used: 22,517 in % 97 96 - detection rate.
So, MS isn't exactly doing that, either.
Industry average detection of widespread malware is 99%.
Maybe this is all FUD but facts are facts.

 

Don't forget that OPSWAT collects data from mostly the west half of the world since the apps they used to do so are only available in English. I would increase MSEland's population by quite a bit

 

Stil rank 70 by population with this calculation impresses me.

 

Given a month to find the malware they missed, they can then put them in MSRT and remove them.

 

They should be able to do the removal with MSE/Defender with pushing the same definitions, barring a few oddball malware but I already covered that possibility:
"OR maybe they can only remove some of these malware with only MSRT and not by MSE/defender."

 

What you don't detect in MSE you can't analyse OFFLINE, hence can't remove with MSMRT

 

Since MS collects data from other installed AVs, is that how they find some of what they missed on the first pass? And, do they collect from VirusTotal and like sites? And, how does MS build their malware date base?

 

Microsoft is a collaborator for Virustotal so they should get info from them. From virustotal fax
"In exchange for providing an antivirus solution you will receive all files submitted to VirusTotal that are not detected by your product and are detected by at least one other antivirus, along with their corresponding VirusTotal reports."

Collecting data from other installed AVs however would be data mining. I think the data they collect is what AV is installed and if it's up-to-date or not.

 

Does this sound like data mining?
"The MSRT runs briefly during Windows Update and then goes away, until the next month. As part of its job, it reports a collection of entirely non-personal system information back to Microsoft. By aggregating the many millions of reports thus generated, Microsoft can learn a lot. You can check out a limited summary of their results on the MMPC website, but internally they've got much, much more information."

 

Nope it doesn't sound like data mining to me.
Here is what they collect according to Microsoft and you agree to that when MSRT is run.

I think the data they collect is what AV is installed and if it's up-to-date or not, if it's protection is active and if a piece of malware detected by MSRT is running on the system, the knowledge of the said AV failing at that specific detection.

 

Has anyone ever seen MSRT report that it found anything? I will sometimes run a manual MSRT scan from Revo but it never shows anything. If it did, does it just silently remove the malware and go away, or should it announce what it has found?

 

It does display a warning AFAIK.

 

And at what point do you not stop to think that if the "industry average" according to AV-T is 99%, why are people getting infected?

Yeah, I wonder! Maybe because AV-T and their sub-par sample count is a load of nonsense?

Attaching a value of 100% detection to any AV product should be an instant dismissal of a test.

VT sends submitted files to all AV vendors AFAIK.

 

Not correct.

They have a back end service where u can purchase volumes of files from their library but it is monetized and certainly not a free delivery/sharing service.

 

Where did that description come from? Note that the "MSRT Privacy Statement @ http://www.microsoft.com/security/pc-security/msrt-privacy.aspx explicitly mentions that personal information may be hoovered up:

It subsequently goes on to mention other MSRT selected information that might be sent "only with your consent". So presumably, the above would be sent automatically and without the user having a chance to review/approve it.

 

Source?

 

plz do not mix AV-C with AV-T. (and plz read why the test reports to understand why % are so high).

 

https://www.virustotal.com/en/documentation/private-api/

So in short they charge companies for access to files uploaded to VT front end.

 

Fixed. Sorry, my brain thought AV-T but for some reason I typed AV-C.