Friday, June 8, 2007

How does your Virus Scanner stack up?

If you ask me, virus detection the way it's traditionally done (via pattern, or signature, detection) is a losing battle the same way IDS is. If you think it through it makes sense. First a threat emerges and ravages a significant number of systems before someone isolates it, finds a pattern and writes a signature to detect it. Once the threat changes slightly (heaven forbid we encounter a polymorphic threat) our detection is crap and the whole cycle starts over.
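To make that cycle concrete, here is a small added illustration (not code from the post or from any vendor): a toy byte-signature scanner run over constructed samples, where a one-byte change in a variant defeats the exact signature written against the original, and only a signature rewritten with a wildcard at that position catches both. The hex signature notation, sample bytes and signature names are all made up for this example.

```python
import re
from typing import Dict, List

# Constructed stand-ins for a threat and a lightly modified variant of it
# (not real malware: just byte strings that differ in a single byte).
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + b"setup_payload_v1" + b"\xde\xad\xbe\xef"
VARIANT_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + b"setup_payload_v2" + b"\xde\xad\xbe\xef"
CLEAN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + b"hello world"

# Hypothetical signatures in a ClamAV-like hex notation: one exact-match
# signature written against the original sample, and one with a '??'
# wildcard at the byte the variant changed (written only after the
# variant had been seen, which is the lag the post complains about).
SIGNATURES: Dict[str, str] = {
    "exact_v1": "70 61 79 6c 6f 61 64 5f 76 31 de ad be ef",
    "wildcard_v1": "70 61 79 6c 6f 61 64 5f 76 ?? de ad be ef",
}


def compile_signature(hex_sig: str) -> re.Pattern:
    """Turn a space-separated hex signature into a bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in hex_sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: Dict[str, str]) -> List[str]:
    """Return the names of every signature that matches somewhere in data."""
    return [name for name, sig in signatures.items() if compile_signature(sig).search(data)]


def detection_rate(samples: List[bytes], signatures: Dict[str, str]) -> float:
    """Fraction of samples flagged by at least one signature (how the report's tables score it)."""
    hits = sum(1 for s in samples if scan(s, signatures))
    return hits / len(samples)


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label:8s} -> {scan(sample, SIGNATURES)}")
    # Before the variant is analysed, only the exact signature exists:
    exact_only = {"exact_v1": SIGNATURES["exact_v1"]}
    print("rate with exact signature only:", detection_rate([ORIGINAL_SAMPLE, VARIANT_SAMPLE], exact_only))
    print("rate after wildcard signature:", detection_rate([ORIGINAL_SAMPLE, VARIANT_SAMPLE], SIGNATURES))
```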

That being said, it's always interesting to see how virus scanners stack up against today's threats of viruses, malware, spyware, and other 'non-wanted' things on your system which are potentially malicious. The problem is that we have so many blended threats now, from drive-by installs to viruses which can trigger no anomalous activity and act as root-kits.

There is a place on the web that does nothing but compare anti-virus vendors and their ability to protect you. If you're interested in the AV-Comparatives results, you can check them out on their site.

Allow me to summarize what's in the most recent report. The latest report, published in May 2007, investigated proactive/retrospective testing of on-demand detection of viruses and malware. They also included false-positive testing and some tests to determine scanning speed. Here are some notes from the test report:
  • A total of 17 products tested (including every one I've ever heard of and then some)
  • Only 1 product earned the prestigious Advanced+ certification (NOD32 Anti-Virus)
  • Microsoft's OneCare is no longer the bottom-feeder (dead last) as it was on the last report - it got a "Standard" rating this time
  • AVG AntiVirus is dead last in detection (ouch)
  • The highest A/V scanner detected just about 84% of new backdoors, trojans and other yet-unidentified malware (AVG scored 10%... ouch)
  • The highest detection rate of "all new samples" was AVIRA & Fortinet at 71%, AVG got 8%
  • Fortinet rules the false-positive arena with more than 1,000 false positives (the best was Symantec with zero); the next highest was Dr. Web with 36 false positives
  • The fastest scanner was AVIRA, at around 7.49MB/sec, the slowest was TrustPort at 1.21MB/sec

[ Please read the full report for the details I've omitted in summarizing ]

So - what does this all tell us? To me, it says all virus scanners are crap, and the A/V companies are lying through their teeth to get us to buy their products. Next time you see a virus scanner claiming to detect 100% of the known and unknown threats... LAUGH, then cry a little.

1 comment:

Anonymous said...

Spot on, they are all crap at getting new threats... But that isn't what they are bought for. They're bought for a couple main reasons:

1. People keep punching the monkey, opening Osama_Captured_With_Paris_Hilton.jpg.exe, browsing for free porn, mistyping URLs, etc. Systems administrators keep leaving netbios shares wide open, neglecting patches, etc. So, there's tons of old stuff out there that everyone is vulnerable to, and AV bandages that.

2. CYA. Something gets infected? Wasn't my fault, boss, I'm going to go beat up Symantec, Trend, etc.

So yeah, it serves a purpose, just not the one advertised.