AusCERT: AV Programs "don't work"

Discussion in 'other anti-virus software' started by phasechange, Jul 20, 2006.

Thread Status:
Not open for further replies.
  1. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    http://www.zdnet.com.au/news/securi...efeats_antivirus/0,2000061744,39263949,00.htm
    and

    http://www.zdnet.com.au/news/securi..._being_defeated_/0,2000061744,39257227,00.htm

    This sounds like rubbish to me or does he mean 80% of previously unknown malware?

    What do you think?

    Fairy
     
  2. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    The speech was made at a breakfast meeting hosted by an email security vendor. So there's a chance that the percentages are a bit over the top.

    But it wouldn't surprise me if there is a large truth in that 80% statement. Malware is only detected when it is "known" by the scanning engine. And most signatures are based on catching a sample of the malware and dissecting it.
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    He is talking about new malware. If you look at the last av-comparatives retroactive test, it reflects these findings, with many AV programs only catching less than 30% of unknown malware. Even the products with good heuristic detection don't get above 60% detection.
    So that's what you need a behaviour blocker for, to protect the end user when the virus scanners on the gateways failed to detect the malware.
     
  4. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I have to wonder who gets these types of attacks. Literally all families that I know have at least one computer, and many have kids. The AVs that they use are Norton, McAfee, and AVG free.
    The only person I know that ever got infected and mentioned it was one who did not update Windows or his AV.

    I have more on my computer than anyone I personally know. None of them ever heard of NOD or KAV.

    I do not want to ridicule security, as it is very important, but if I had everything that is recommended I am not sure my system would operate. At the least I would be asking for help constantly.

    I admit that those I know do not visit risky sites, and also I do not. Maybe that is the difference.

    Best,
    Jerry
     
  5. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    QFT! I don't visit risky sites (unless testing a new bit of security software, which I realise is asking for trouble) and I never have any problems. I do irregular checks to see if my AV has missed anything and it doesn't. I wonder how many people get virus problems who:

    1. don't download crackz/warez/keygens
    2. don't run P2P file sharing programs
    3. don't use IE
    4. don't open executable email attachments
    5. have a firewall

    I'd imagine the answer is very very few. The last bit of malware that got me was when they started bundling spyware with MessengerPlus. I fixed that problem quickly enough and learned another healthy behaviour which is to pay close attention to installers for bundled apps.

    So to get back to the original post, I agree that for novel threats the detection rates are as low as he said. I often wonder if novel threats are the most important measure of an AV's effectiveness, as it's the novel stuff that tends to spread quickly and the performance on the ITW list tends to be almost universally good.

    Fairy
     