AusCERT: AV Programs "don't work"

http://www.zdnet.com.au/news/securi...efeats_antivirus/0,2000061744,39263949,00.htm
and

http://www.zdnet.com.au/news/securi..._being_defeated_/0,2000061744,39257227,00.htm

This sounds like rubbish to me or does he mean 80% of previously unknown malware?

What do you think?

Fairy

 

The speech was made at a breakfast meeting hosted by a email security vendor. So there's a change that the percentages are a bit over the top.

But it wouldn't surprise me if there is a large truth in that 80% statement. Malware is only detected when it is "known" by the scanning engine. And most signatures are based on catching a sample of the malware and disecting it.

 

He is talking about new malware. If you look at the last av-comparatives retroactive test, it reflects this findings with many AV programs only catching less than 30% of unknown malware. Even the products with good heuristic detection don't get above 60% detection.
So that's what you need a behaviour blocker for, to protect the end user when the virus scanners on the gateways failed to detect the malware.

 

I have to wonder who gets these type of attacks. Literally all families that I know have at least one computer, and many have kids. The AVs that they use are Norton, McAfee, and AVG free.
The only person I know that ever got infected and mentioned it was one who did not update Windows or his AV.

I have more on my computer than anyone I personally know. None of them ever heard of NOD or KAV.

I do not want to ridicule security, as it is very important, but if I had everything that is recommended I am not sure my system would operate. At the least I would be asking for help constantly.

I admit that those I know do not visit risky sited, and also I do not. Maybe that is the difference.

Best,
Jerry

 

QFT! I don't visit risky sites (unless testing a new bit of security software, whic I realise is asking for trouble) and I never have any problems. I do irregular checks to see if my AV has missed anything and it doesn't. I wonder how many people get virus problems who:

1. don't download crackz/warez/keygens
2. don't run P2P file sharing programs
3. don't use IE
4. don't open executable email attachments
5. have a firewall

I'd imagine the answer is very very few. The last bit of malware that got me was when they started bundling spyware with MessengerPlus. I fixed that problem quickly enough and learned another healthy behaviour which is to pay close attention to installers for bundled apps.

So to get back to the original post, I agree that for novel threats the detection rates are as low as he said. I often wonder if novel threats are the most important measure of an AVs effectiveness as it's the novel stuff that tends to spread quickly and the performance on the ITW list tends to be almost universally good.

Fairy