Malware Detection (Important) Why Not Removal?

Discussion in 'other anti-virus software' started by tobacco, Mar 17, 2006.

Thread Status:
Not open for further replies.
  1. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    While detection rates seem to get all the glory, why do removal rates get ignored? Since no AV currently on the market offers 100% protection, shouldn't removal of malware that does get by be equally important? There are some good AVs out there with good detection rates that seem to have a tough time with removal. This is what I've seen on many different forums. If you were to look at the latest IBK test, the malware numbers are staggering. And while the percentages among the top AVs appear minor, comparing it with the actual malware tested, it's not. For an example, let's look at the results from Kaspersky and Norton. The percentages don't seem a lot, but Norton allowed for possible infection almost 5000 instances more than Kaspersky. That's huge when you think about it. And while Norton is one of the better AVs, it doesn't appear to be great in the removal department. Again, this is just based on my observations on the comments and postings in various forums. I would hope the next time IBK does testing, he would include the removal rates of the malware that was missed, because the missed ones seem sooner or later to become detected. In choosing an AV, seeing removal rates along with detection rates would certainly make the informed decision much easier. (I used Kaspersky and Norton in this example because they get discussed a lot on this forum.)
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Regardless of how good an AV is at malware removal, detection is more important than removal because removal can be done manually (and it really doesn't need much effort to do that), but it is really hard to know whether a file is infected without your scanner informing you.

    Once the user knows what the problem is, the solution becomes a lot easier to find.
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    For the people that know what they're doing, I agree with what you're saying. But by the amount of HijackThis logs posted nowadays, I would say more don't know what to do than those that do. And just like AVs these days are expected to do well with various types of malware, I think most people expect them to handle malware that has initially slipped by. Obviously not 100%, but better than some of them are performing. Personally, I would take my chances with an AV whose detection rates are a few percentage points lower if its removal rates were excellent.
     
  4. doug6949

    doug6949 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    110
    I'm guessing that detection is a rather standardized process whereas removal varies from one bug to the next. An AV company that provided removal tools as part of the daily update would have to charge substantially more for the product.
     
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Things have progressed so rapidly, I guess sometimes maybe I expect too much out of a product. For removal rates to keep pace with detection was apparently asking too much. I still feel, though, it's something important that gets overlooked. And I would take an AV that's very good with removal with, say, a 95% detection rate over an AV with a 98% detection rate that was lousy at getting rid of them. Any day!
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Many AVs do provide an effective removal process for various malware; it's just that detection is given a higher priority. For example, Eset's NOD32 does registry cleaning of any malware it finds (whenever possible). Other AVs also do it, like eScan (and possibly KAV too), McAfee, ArcaVir, Trend Micro (with an additional plugin, I think) and some others.

    Basically it boils down to what the company chooses. If they choose to include removal, then it's well and good. Or else, we just have to make do.

    What is lacking, however, is a test that determines the effectiveness of malware removal by various AVs. But this is not a priority, as removal can be done by the user once the info about the malware has been looked up (most AV vendors provide effective analysis and removal procedures for such threats). And due to the fact that info about the threat and removal procedures is found easily, it is not a priority to include malware removal in an AV as well.
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    tobacco

    You are absolutely right! Of course ALL Anti-whatever should be capable of not just detecting things "correctly" but also removing Everything it finds "correctly".

    I really don't see the purpose of it being any other way !

    A real world test of as many Apps as possible would be very welcome indeed. I think we might all be very surprised at the results, and which ones are more competent than the others. That would sort out the men from the boys, long time overdue I would say.


    StevieO
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    AntiVir and avast! also clean registry when necessary.

    Also, it's better to detect malware and fail to remove it rather than being capable of removing it (theoretically), yet not detecting it at all. What is better then?
     
  9. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Latest versions of NAV do too; you can see this in the Quarantined items: Highlight the item, then click Details, and under Areas Affected: it will list files, registry, etc.

    The problem is when malware {for whatever reason} becomes resident, then all bets are off. Resident malware can do a lot of damage, can even entirely disable your realtime AV protection -- although, again, the latest versions of Symantec products have a very effective built-in Process Guard which is turned on by default {the setting is, "Protect Symantec Processes"}. Most all of the well-known products have hardened themselves against process termination by rogue programs & malware.

    I agree with you that the USER is the best one to remove malware; it is very difficult to automate removal process since every variant will be different {may have a different filename, different regentry, etc. that needs to be removed}. An informed user and Vendor WebSite info will never be replaced by automated removal process IMHO, at least not in the near future.

    In spite of the {IMHO somewhat fantastic} reports we hear from time to time, I personally do not think it is possible to always prevent malware {spyware in particular} from becoming resident, regardless of the vendor or brand of protection you choose -- especially on unattended PCs.

    The best scenario is an attended PC with an intelligent user who has some idea how to react when notified by his resident AV of a problem or potential threat. An informed user, with access to the proper information and {if necessary} removal tools, is difficult to replace by any automated process.

    I hope folks will not misunderstand my position in recent posting history. I do believe KAV is the best {signature-based} scanner and perhaps NOD would have the best heuristic {with very good and improving signatures}; neither of those excellent scanners would I concede are impregnable, but they are very good protection.

    Norton has problems much of which are due to its popularity {ubiquity} and also I think Symantec has been late to the party sometimes, to include things like runtime unpackers, process protection, etc. In summary, of the two scanners you mentioned in opening -- despite the claims of some, KAV {although probably the best signature-based scanner we have} is not impregnable -- and Norton is not a porous honeypot for malware. :D The truth lies somewhere in between, I think.

    I would possibly relabel the topic of discussion from "Malware Detection" to "Malware Prevention" -- it is better to "pre-empt", to intercept, threats before they become serious and do irrevocable damage, than to "react" to threats after they have become resident and done their damage.

    Warmly, Ran
     
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    I agree, the importance of Prevention cannot be overlooked, as it's much better not to allow anything to intrude in the first place.

    However, as we all know some people's PCs do get infected frequently, and will continue to do so for all sorts of reasons; even once is bad enough though, and depending what it is, could be disastrous, and a nightmare to get rid of!

    So correct and full Removal in such events is very necessary.

    Experienced users may well be able to find out all the info etc. they require to deal with these situations, should they be so careless. But your average users, which outnumber the rest of us by a long way, would more than likely be completely lost trying to effectively eliminate some nasty etc. So they must rely on an Anti- to do it for them; the more competent it is, the better, surely!


    StevieO
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I'd say one reason is because lots of the malware is beginning to "dig its roots" so deep into the operating system....it becomes such a big issue just to remove it. Now imagine your antivirus software having to have removal instructions for all of that malware out there..you know how big and cumbersome that would be? The definition updates? Some of the malwares out there are pretty much programs in themselves, installing files, services, registry entries, etc. Take Spysheriff or Smitfraud for example...some of the bigger pain in the butt adware/trojan programs to remove.

    It would be nice...I just don't see how possible it would be, to have an antivirus program able to do all of this. It would have to be one huge program, with massive definition updates, and probably a massive performance hit.
     
  12. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Interesting.

    Can someone tell me what the difference is between antispyware and antivirus beside the obvious targeting stuff? "Everyone knows" that antispyware is worse than antivirus, so you need more of the former, but when we say the former is worse, do we mean worse at detection or worse at removal or both?

    My own limited experience seems to indicate both!

    Another question, do all these AV tests include spyware type things? They should right? Yet the detection rate remains high... Why?
     
  13. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I think they should...yes. Let's remember though..."antivirus" as an industry is old; it's been around for a long time. Adware/Spyware...and these new types of "malware" in that family, is a relatively new thing. I believe it's important for "antivirus" applications to evolve and include this...as it's a relatively new type of "threat". But they need time to evolve also...they've only just gotten into the game of this relatively new threat.
     