The truth about viruses

Discussion in 'malware problems & news' started by stormbyte, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    http://securityresponse.symantec.com/avcenter/vinfodb.html#threat_list

    Please visit that site and read about the last 10 virus threats. For most of them the number of infections is between 0 - 49, which means that most of the viruses are simply toys that will never infect your computer.
    Yet there are many sites that test antivirus software with thousands of viruses.
    What is the point? Why not create antivirus that will fight only those real threats? It would be faster, more reliable, smaller in size and it would give you the protection you need.

    Would you want to buy software that protects you only from those viruses and pay $10.00 for it? Your computer would be running faster, and you would still be protected. Or would you rather pay $40.00 and have an antivirus with a huge database of nothing more than "ghost threats"?

    Mariusz
     
  2. Mephisto

    Mephisto Guest

    That would work out nicely until the next Nimda, Sasser, Nachi, MyDoom ...etc. hits the net. I look at it from a military standpoint - just because you haven't had a world war in 60+ yrs is no reason to disband the military.

    Personally I feel the detection of RATs, keyloggers, and rootkits is a lot more important to me than virus detection. Hard drives are cheap compared to somebody getting your credit card info.
     
  3. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    Well, but I did not say that this antivirus would not be updated.
    So if there is a new Nimda or any other virus that is a real threat, then you would be protected.

    Mariusz
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    :D :D Interesting that you would say that, since I note there are two new Mydoom variants near the top of the list quoted:
    http://securityresponse.symantec.com/avcenter/vinfodb.html#threat_list

    All the commercial AVs are expanding the threats they detect, to include more of what you are speaking of. I basically agree with you, more detection is better. I don't think it makes much of a performance hit, the size of the database, if the AV realtime monitor is designed efficiently. ;)
     
  5. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    The former. :)

    I believe SB is advocating adding current threats to the av database, guys. :)

    In almost 4 years of monitoring over 200 PC's protected by Symantec AV, on a college student network--comprising hundreds of snagged nasties every year--I have yet to see SAV pick up a single zoo nasty.

    I will certainly post at Wilder's the moment this happens. :D
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Hmmm .. that depends on what you define as "Zoo", Jim. It ceases to be "Zoo" to me when/if it infects me. Besides, the "other side" to this discussion is not advocating inclusion of "junk" or non-malware just to bloat numbers in a database. I think we advocate ITW first, then expanded threats such as what Mephisto mentioned. Really there isn't that much of a disagreement; it doesn't hurt to cover one's bases, as I said, if the AV-RTM is designed efficiently it won't matter -- and ITW will of course always be covered. What is the objection to that? ;)

    Permit me to add that, as one who has submitted hundreds of samples to SARC -- Symantec is *very* conservative about what they accept for detection; they have to be convinced it is malicious code or they won't accept your submission. I guess, the original poster's choice of Symantec's list of new threats {added detections} is not a good one, IMHO -- if by that y'all are implying that SARC accepts junk and non-malware for inclusion in its database. The reality is they are quite strict about what they accept for inclusion. ;)

    That said, I don't disagree with the idea of focussing on ITW first, of course you must do that; bear in mind that Symantec has only a slightly worse VB100% success than ESET, so it isn't as if they are overlooking ITW detection.

    A better example of the "Kitchen Sink" approach would be Kaspersky, currently 118,190 records and climbing: http://www.kaspersky.com/updates.html {that includes the extended and 'x' bases as well as the normal bases}. However, Kaspersky's database and RTM are well designed, so even in their case, I don't think their extensive malware coverage causes a performance hit.

    If one is concerned only about cost, then I guess the free AVs {AVG, AVAST, and AntiVir} provide very decent coverage and close to 100% ITW detection, so if that is what the O.P. had in mind, I have no argument with that; he can go for a free one if cost is the only concern.

    Warmly, Ran
     
    Last edited: Feb 13, 2005
  7. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada

    The size of the AV database has little to do with the "performance hit". KAV and NOD32 are good examples of AVs with much more extensive databases than Symantec - guess which has more of a "performance hit"!?!
     