
Can You Trust Anti-Virus Rankings?

CmdrTaco posted more than 5 years ago | from the of-course-not dept.

Security 258

Slatterz writes "It seems nobody can agree on a universal set of tests for rating anti-virus software, with Eugene Kaspersky the latest to weigh in on the topic, criticizing the well-known Virus Bulletin 100. Kaspersky is one of several big anti-virus brands to fall foul of the VB100 tests, reportedly failing to pass a recent test of security software on Windows Server 2008, along with F-Secure and Computer Associates. At Kaspersky, bloggers have pointed out that they don't focus on detecting PoCs, calling it a 'dead end,' and saying their anti-virus database focuses on 'real threats and exploits.' 'I don't want to say it's rubbish,' Kaspersky told PC Authority. 'But the security experts don't pay attention to these tests. It doesn't reflect the real level of protection.'"


258 comments


No. (2, Funny)

Anonymous Coward | more than 5 years ago | (#25481101)

Next Question

I really could care less (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25481165)

I use *nix systems. Get with the program, world!!

Re:I really could care less (0, Offtopic)

iamapizza (1312801) | more than 5 years ago | (#25481405)

By our assessment, your reply was irrelevant. However, this Slashdot post proves that our definition of 'irrelevant' is wrong. Please consider any negative marks you receive as a positive.

Re:I really could care less (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25481685)

I really could care less

The fact that you could care less than you currently do suggests that you do in fact care. However, this conclusion doesn't quite fit with the general tone of your post. Could you clarify, do you or do you not in fact care?

Re:I really could care less (1)

pmbasehore (1198857) | more than 5 years ago | (#25481769)

That's all fine and good for personal use, but very few businesses can be 100% *nix. Anti-virus software exists for Linux and Mac because they are often networked with Windows machines.

Anything networked to a Windows machine can send a virus to that machine, regardless of the operating system.

Re:I really could care less (1)

somersault (912633) | more than 5 years ago | (#25482151)

Damn. I knew I should have shelled out extra for the anti-virus option on my toaster.

Re:No. (2, Interesting)

404 Clue Not Found (763556) | more than 5 years ago | (#25481201)

Ok. Then what can we trust?

The guy himself pointed out the issue at the end of the interview:
"The problem is that in the industry there's no other complete tests," says Kaspersky.

Without some sort of test, however imperfect, how is the average home user supposed to choose?

Re:No. (5, Insightful)

A non-mouse Coward (1103675) | more than 5 years ago | (#25481459)

Anti-Virus is outsourcing the problem of deciding what is good to execute on your computer to a vendor who works backwards and blind.

It's "backwards", in that you don't tell them what is "good". They try to guess what would be on your "bad" list. As everyone here knows, it turns out that the "bad" list is much, much longer than the "good" list. In 2007 alone, F-Secure added more virus sigs to their products than the totality of sigs accumulated from the previous 20 years! And last I heard from them, 2008 was projected to double 2007. That sounds almost like quadratic growth to me ... and keeping up with that growth rate is not a game I'd want to play! My list of "good" software doesn't increase on a quadratic growth rate, does yours? If this were any other field of computation, the signature approach would have been laughed off the planet by now.

It's "blind" in that they aren't seeing what is actually running on your computer. For privacy (and performance) reasons, nobody provides metrics back to AV vendors about all of the executables that weren't labeled "bad", and rarely do the metrics about what is labeled "OK" actually go back to them. The AV vendors have to take a shot in the dark. They can simulate what they think your computing environment looks like, but it's just a guess. They cannot know if you have custom or proprietary software that matches one of their AV sigs unless they actually test that particular program against their sigs (and you don't let them do that, hence the "blind" remark).

Backwards and Blind is very problematic. Every once in a while, we hear about fiascos like Symantec deciding an Asian language DLL is a virus, killing all of their Asian customers' Windows installs for a day or two.

The question the benchmark is really trying to answer is: Which vendor's product is best tuned for the least amount of false positives and false negatives? When we should really be asking the question: Do I know what is good to run on my computers? And if the answer to that is "yes", then we should be asking the question: Why can't these vendors make a product that only allows my "good" programs to execute and nothing else?

Re:No. (4, Insightful)

thePowerOfGrayskull (905905) | more than 5 years ago | (#25481743)

Do I know what is good to run on my computers? And if the answer to that is "yes", then ...

The problem with that, of course, is that the answer is "no" for most people.

Re:No. (1)

_Sprocket_ (42527) | more than 5 years ago | (#25481931)

Do I know what is good to run on my computers? And if the answer to that is "yes", then ...

The problem with that, of course, is that the answer is "no" for most people.

Not only do they not know - they likely don't have the wherewithal [wikipedia.org] to make that determination.

Re:No. (1)

Thelasko (1196535) | more than 5 years ago | (#25481943)

Why can't these vendors make a product that only allows my "good" programs to execute and nothing else?

I think you just described the Advanced Packaging Tool. [wikipedia.org]

Re:No. (2, Insightful)

jimicus (737525) | more than 5 years ago | (#25482159)

And if the answer to that is "yes", then we should be asking the question: Why can't these vendors make a product that only allows my "good" programs to execute and nothing else?

Because such a product wouldn't need to be updated every year or require monthly subscriptions.

Re:No. (1)

doti (966971) | more than 5 years ago | (#25481705)

Ok. Then what can we trust?

Free open source anti-virus?

ClamAV is nice.

Re:No. (1)

Ilgaz (86384) | more than 5 years ago | (#25481895)

Some white hat guy coded RemoveWGA.exe, which uninstalls the WGA check installed by Microsoft claiming to be unremovable. When you check it with Kaspersky, it says it is clean. You run Trend's 'HijackThis' and see what it does manually; it is clean too. You send it to a Kaspersky engineer to check it once again, and the guy says it is really, really clean.

ClamAV detects it as a trojan, not a generic type, an actual one with name.
RemoveWGA.exe: Trojan.RemovWGA FOUND

I also took my time to tell them that it is obviously an abuse of their open source and community approach, but they didn't respond or remove it from their list. You can easily guess who (or his friend) abused their sigs. The point is, as an OS X user who doesn't use Windows except that horrible emulated Virtual PC 7, I sit and spare my time to handle the abuse.

If there are people blaming companies going with pricey solutions, they should spare time to it. I am not even commenting about the horrible false detections regarding Symbian OS.

I'm with Kaspersky (4, Insightful)

LibertineR (591918) | more than 5 years ago | (#25481115)

I don't care about any tests; I care about what detects dangerous stuff on my network and what doesn't. Every client I have is on Kaspersky stuff, after Norton, McAfee, Trend and others FAILED to detect viruses that Kaspersky found straight away.

Game over.

Re:I'm with Kaspersky (3, Informative)

AioKits (1235070) | more than 5 years ago | (#25481171)

I'm with you on this one. I have had good experiences with Kaspersky in the past and got the package with three user licenses for like $50 or so off the website (this was back towards the beginning of 07). Two licenses for me and one for a friend who just runs around all day with his laptop.

The real fun, though, is when I run WAR: it detects 'keylogger like behavior' from the software. Heheee.

Re:I'm with Kaspersky (1)

Spazztastic (814296) | more than 5 years ago | (#25481253)

I'm with you on this one. I have had good experiences with Kaspersky in the past and got the package with three user licenses for like $50 or so off the website (this was back towards the beginning of 07). Two licenses for me and one for a friend who just runs around all day with his laptop.

I'm going to push the institution I work for to use Kaspersky in the future because having Symantec on these machines is detrimental. I had a good experience with Kaspersky in my home network of several machines and at clients' households when they want proprietary anti-virus.

Re:I'm with Kaspersky (1)

IceCreamGuy (904648) | more than 5 years ago | (#25481585)

Now I've never actually used any of Symantec's AV software, but I usually hear from peers that their enterprise solution is actually pretty lightweight, unobtrusive and generally decent software.

having Symantec on these machines is detrimental

Again, I really don't have any experience, but would you feel like elaborating?

Re:I'm with Kaspersky (1)

Spazztastic (814296) | more than 5 years ago | (#25481649)

I ran it at the small business I worked for which primarily worked in programming digital signal processing algorithms. Regularly it would slow down the machines as they were compiling, and it would use up a lot of background memory.

The current institution I work for uses it and it's been a bit of a headache personally, it didn't like nmap. Or a handful of Cygwin utilities I tried to install.

If any other readers have personal experiences, share them. I've just become favorable of Kaspersky in the past from my personal use.

Re:I'm with Kaspersky (1)

IceCreamGuy (904648) | more than 5 years ago | (#25481715)

Heh, if it doesn't like nmap or Windows rsync, then damn, it's out of consideration already for me. Thanks!

Re:I'm with Kaspersky (1)

sqlrob (173498) | more than 5 years ago | (#25482027)

Also netcat, which is a "hacker tool", immediately deleted by our policy.

I work on proxy software. Netcat is one of those things I need on a regular basis.

Re:I'm with Kaspersky (1)

Tridus (79566) | more than 5 years ago | (#25482145)

I haven't used their enterprise stuff. But the home stuff is awful. Every time someone asks me to troubleshoot a weird computer problem for them, my first question is "do you have Norton?"

If they say yes, my first answer is "uninstall it and try again." Thus far, that has never failed to fix the problem.

It doesn't matter what the problem is. Windows not going into standby? Uninstalling Norton fixed it. Onboard RAID not working? Somehow, Norton was buggering it up. World of Warcraft not running properly? You guessed it.

In my experience, it causes far more problems than it solves, given how backwards AV protection really is and how poorly it works.

Re:I'm with Kaspersky (1)

quarrel (194077) | more than 5 years ago | (#25481245)

If it didn't have so many false positives I'd agree with you.

However Kaspersky seems far and away the most prone to them.

From random image false positives, to objecting to "hacking" tools, otherwise known as network discovery tools...

--Q

Anti-virus products (1)

UberMorlock (1391949) | more than 5 years ago | (#25481629)

The last anti-virus program I had on my Windows install was BitDefender. I felt the program protected me well and also didn't use anywhere near the same amount of resources as Norton or McAfee do. At this point, I don't even bother paying for anti-virus programs for my Windows install anymore. I'm just not logged into Windows enough for it to be worthwhile and, even when I am logged into Windows, I have its network access blocked unless I specifically need something from the Internet (Windows updates, primarily). After that, I re-block its network access. All my web surfing, updates to my wife's website, and stuff like that is all done from within Linux. Windows is probably only booted for about 2 hours a month.

Re:I'm with Kaspersky (4, Funny)

CopaceticOpus (965603) | more than 5 years ago | (#25482107)

I don't care about tests either, I only care about anecdotal evidence in random /. posts. If Kaspersky worked for this one guy, it's good enough for me.

(Actually my only anti-virus protection is not using IE, and not running things that shouldn't be run. I've had no problems.)

No more.... (3, Interesting)

TheNecromancer (179644) | more than 5 years ago | (#25481135)

than I can trust the hackers that write these damn viruses that keep infecting my PC! Yeah, standards in this industry would be a start in the right direction, but right now ANY virus protection software is better than none!

I use Norton Internet Security, and while it is passable, I find that it's a resource hog. I know there are other products out there that are less "intrusive", but I just don't want to take the chance (or time) with another product.

Re:No more.... (0)

Anonymous Coward | more than 5 years ago | (#25481229)

what is this "Norton Internet Security" of which you speak? Does it run on Linux?

Re:No more.... (5, Insightful)

AceofSpades19 (1107875) | more than 5 years ago | (#25481317)

Norton is an utter piece of crap; it would be advisable to get rid of it now.

Re:No more.... (2, Informative)

IceCreamGuy (904648) | more than 5 years ago | (#25481355)

Wow, solid, well supported argument right there.

Re:No more.... (5, Insightful)

Ngarrang (1023425) | more than 5 years ago | (#25481537)

Wow, solid, well supported argument right there.

Indeed, it is. Norton really is a load of crap. It is a resource hog of CPU, memory and hard drive. I believe the only reason it is found on anyone's PC is because Norton pays PC companies to install it by default. Because, frankly, you would have to literally know nothing about AV to choose Norton. As in, you did no research and picked the shiniest box off the shelf. At which point, I have lost sympathy for the user.

My company relies on SOPHOS. In 12 years of working with SOPHOS, never has a virus had a chance to spread...despite the users' best efforts.

Re:No more.... (1)

IceCreamGuy (904648) | more than 5 years ago | (#25481627)

My company relies on SOPHOS

Now that is something I would really love to use. I've read really great things about them, and their demo really impressed me. They even offered to craft a custom installer that would remove our current AV at no extra cost. Sadly, the higher-ups didn't go for the price because they're used to AVG. :`(

Re:No more.... (5, Informative)

Welsh Dwarf (743630) | more than 5 years ago | (#25481641)

Correction:

The reason Norton is on any PCs is because Norton pays PC companies to install it by default AND IT IS ALMOST IMPOSSIBLE TO REMOVE.

Cleaning viruses off by hand is easier than uninstalling Norton.

Re:No more.... (0)

Anonymous Coward | more than 5 years ago | (#25481977)

I have eventually formatted my C drive clean and reinstalled XP from scratch to get rid of the damn thing.

Re:No more.... (4, Informative)

jimicus (737525) | more than 5 years ago | (#25481979)

May I recommend the Norton Removal Tool [symantec.com]

It shouldn't need to exist in the first place, of course - the uninstall should work - but IME it works pretty well.

Re:No more.... (1)

darien (180561) | more than 5 years ago | (#25481775)

It is a resource hog of cpu, memory and hard drive.

I fear you're not up to speed with Norton's current line-up. Yes, some older versions were very resource-hungry, but the new 2009 edition adds only a few seconds to boot time and has a RAM footprint of just a few tens of megabytes when idle. Here's a brief review of it [pcpro.co.uk] with a few facts and figures.

Re:No more.... (4, Insightful)

Ngarrang (1023425) | more than 5 years ago | (#25481815)

So Norton finally got their act together with the 2009 version? Good for them. But, they have a long road to travel to fix the perception that their product is bloated. Such a history is difficult to change overnight.

Re:No more.... (1)

Rogerborg (306625) | more than 5 years ago | (#25481359)

[Your implicitly suggested alternative] is an utter piece of crap, it would be advisable to get rid of it now.

Citation required.

Re:No more.... (0)

Anonymous Coward | more than 5 years ago | (#25481541)

Dude, what are you talking about, he got modded informative.

"Norton is a piece of crap, oh wow, I didn't know that!"

Re:No more.... (2, Informative)

mhall119 (1035984) | more than 5 years ago | (#25481675)

Common knowledge generally doesn't require a citation.

Re:No more.... (2, Funny)

AceofSpades19 (1107875) | more than 5 years ago | (#25481975)

The Sky is blue [Citation Needed]

Re:No more.... (1)

RootWind (993172) | more than 5 years ago | (#25481821)

In the past I would agree, but Symantec has really turned it around with their 2009 line. This is likely their first real overhaul in 7+ years, and they have come back with a vengeance. They finally fixed the two biggest annoyances of heavy resource use and slow updates (pulse updates). Though I'm still an Avira and Kaspersky guy, I can't recommend against Symantec any longer.

Re:No more.... (3, Informative)

SatanicPuppy (611928) | more than 5 years ago | (#25481381)

Norton is itself a virus. It hogs resources, causes errors, and can't be removed without killing the host.

For what you pay, you should get something that is better than cheaper or free products available on the web...I usually replace Norton with AVG, and while I'm not a huge fan of AVG, I've never had anyone complain.

Re:No more.... (2, Informative)

TheNecromancer (179644) | more than 5 years ago | (#25481473)

I've had a number of friends say this to me also, and I have been meaning to replace Norton with AVG (after my subscription runs out), but I haven't been able to get off my lazy ass and do it!

I've had a good experience with Norton over the years, but recently the quality of their product (read: quality sucks now!) has gone way down. For me, I first noticed it when they removed parental control from their antivirus product, and made it a free "add-on" that you had to install separately. WTF??? Why did you remove functionality that was previously included, just so I have to install it separately?!?!? In addition, they made it so goddamn hard to find the install file that it was equivalent to spending a couple hours with a help desk technician in India!

I'm sure I won't replace Norton until I get my full use of the subscription that I paid for. Or, when a virus kills my PC (knock on wood).

Re:No more.... (1)

kesuki (321456) | more than 5 years ago | (#25481601)

AVG is a product that was last good in 2002. Maybe it was still passable in 2003. But by 2006 it was so far behind everything except ClamAV that it was equivalent to not having any real protection from hackers.

Real security comes in 2 parts: 1 part firewall, 1 part anti-virus/malware/etc. If you're going to push a 'free' product, at least push one that includes a firewall, like Comodo. Version 3 of their firewall includes a very Vista-y popup-style security against code execution. Annoying, yes, but if, in addition to running the program, you have to click through a popup that tells you everything the program is trying to do.... well, there is a chance that you'll see 'replace cmd.exe?' and wonder why fluffybunny.swf needs to replace cmd.exe.

Personally, I don't even trust Comodo; I have a hardened half-open hardware firewall. Sometime next year, I'm getting a hardened firewall that runs each service in a hardened sandboxed VM. So even if there is an exploit in DNS caching, the worst a hacker can get access to is the DNS virtual machine, which I can restore from HD image the second NoScript warns me or a site that I clicked a link on doesn't work the way I expect. But ya know, that's a little more secure than the Department of Homeland Security, and a drop shy of how paranoid the military is. I don't inspect my hardware's firmware before plugging it into my network.

Re:No more.... (1)

maxume (22995) | more than 5 years ago | (#25481851)

Windows XP, as of service pack 2, provides all the software firewall that an average user needs.

Re:No more.... (1)

MBaldelli (808494) | more than 5 years ago | (#25481827)

I usually replace Norton with AVG, and while I'm not a huge fan of AVG, I've never had anyone complain.

Allow me to be the first to complain. My experience with AVG is that it treated a patch to a game as a rootkit (a false positive with every other AV software I've used since), and arbitrarily removed necessary DLLs for the phone software that I installed, effectively rendering the interface unusable until I uninstalled AVG (another false positive).

Because of it misbehaving and not wanting to risk another false positive arbitrary removal, I have since moved over to ESET's NOD32.

Re:No more.... (4, Funny)

ceoyoyo (59147) | more than 5 years ago | (#25482017)

It doesn't spread, so it's not a virus. More like a cancer. Or a birth defect, if it comes pre-installed.

Re:No more.... (5, Funny)

noundi (1044080) | more than 5 years ago | (#25481543)

but right now ANY virus protection software is better than none!

That depends, do you walk around all day with a rubber on your weiner? No? Newsflash, neither does your computer, so stop putting its dick everywhere.

Re:No more.... (1)

mhall119 (1035984) | more than 5 years ago | (#25481731)

It's crude, but a wonderfully accurate analogy. These conversations are like arguing over which condom gives you the best protection when screwing hookers, when the right answer is to just stop screwing hookers.

Re:No more.... (1)

antique future (1339361) | more than 5 years ago | (#25481589)

I use Avast and will probably use it until I come across something that infects me with Avast running. I've used AVG and Avast and I prefer Avast because it has detected orkut where others failed, and I like the price and I like the update rate. http://blog.shankarganesh.com/2007/11/07/avg-vs-avast/ [shankarganesh.com]

Re:No more.... (1)

darien (180561) | more than 5 years ago | (#25481793)

until I come across something that infects me with Avast running

Don't assume you'll know about it...

Re:No more.... (2, Interesting)

kimvette (919543) | more than 5 years ago | (#25481819)

Would you consider using ZoneAlarm for your software firewall (or get a "hasbro" level appliance for home if you don't have one and don't bother with a software firewall if the PC isn't mobile), and then a F/OSS AntiVirus package that does AntiVirus and ONLY antivirus? If so, then check out Moon Secure AntiVirus. [moonsecure.com] I run it on my Vista installation (which exists for gaming).

On Linux, I don't worry about it. In fact, I submit bug reports to malware authors complaining that their crapware doesn't run on WINE and I feel left out. OH WOE IS ME!

2009? (1)

antdude (79039) | more than 5 years ago | (#25481939)

Have you tried the 2009 versions? The 2009 version is a total rewrite from scratch. Installs and uninstalls can take about a minute on a fast computer. Low memory usage (no hogs).

VB100? (1)

iammani (1392285) | more than 5 years ago | (#25481211)

Wow, I thought VB was destroyed after VB6, and now there is a VB100?

Re:VB100? (0)

Anonymous Coward | more than 5 years ago | (#25481445)

You're behind on the times, old geezer!

Tests need to evaluate _something_ (5, Informative)

PhYrE2k2 (806396) | more than 5 years ago | (#25481243)

Take crash tests on new vehicles. Name me one that doesn't have a 5-star crash rating? The rating system is too easy, and needs to constantly be moved to achieve a new level of betterness. Not everybody should get A's. Once the majority of players reach a standard, the standard should be moved to motivate advancement in the field and show the better of the pack.

For example, the 5-star front-impact crash rating is par for the course now... but nobody seems to advertise the offset crashes, such as the right half of your bumper hitting the left half of your 'opponents' bumper. Why? Because it's sad in comparison. It's also not pretty to watch.

So all the power to making the standards hard to achieve. Yes, this may not be the 'real world' threat, but it's a threat nonetheless. They're basically saying "Since England isn't going to declare war on the USA, any preparedness for receipt of an attack by the USA shouldn't be considered in overall military preparedness". That's of course ridiculous. Protect only against the popular virus and the unpopular virus will begin to spread.

Re:Tests need to evaluate _something_ (4, Insightful)

thedonger (1317951) | more than 5 years ago | (#25481383)

In an unusual parallel, world famous rock climber Chris Sharma wanted to downgrade a rating on a climb - one of the hardest climbs of its type in the world. From what I gather, the reason was that you reach a point where the rating system becomes meaningless as higher and higher ratings are made, and you lose the context in which the previous ratings were assigned, and the foundation on which the rating system is based.

Re:Tests need to evaluate _something_ (1)

PainKilleR-CE (597083) | more than 5 years ago | (#25482103)

Take crash tests on new vehicles. Name me one that doesn't have a 5-star crash rating?

Most cars do not have 5-star crash ratings across the board (in fact, very few do). They might have a 5-star rating in one or two of the tests, but the reality is that in advertising if you get 1 5-star rating you advertise it, and if you don't, you just don't mention your crash ratings at all (just your number of air-bags and other safety features).

They also manage to advertise it even if only one package of several received a 5-star rating. Of course, your point still stands in one way: very few cars receive 3-star or less ratings, and it's not a required test to begin with...

For example, the 5-star front-impact crash rating is par for the course now... but nobody seems to advertise the offset crashes, such as the right half of your bumper hitting the left half of your 'opponents' bumper. Why? Because it's sad in comparison. It's also not pretty to watch.

Actually, it's two different groups doing the tests. 5-star ratings come from NCAP, which doesn't do offset tests. Offset tests are done by IIHS, and most cars receive a "Good" rating on offset tests, which is the highest rating they give. Further, when the IIHS releases their "Top Safety Pick" awards, they are usually advertised by the recipients, and the vehicle has to have received a "Good" rating in all the overall categories they test. Yes, the tests need to be better and the ratings need to be harder to achieve, but the IIHS has been pointing out that in the just over 10 years they've been doing the offset tests the industry has improved significantly in its results.

The rating systems on crash tests are based on hard numbers, and they list what those numbers are on their respective websites. If they change those numbers over time they remain relevant, though I'm not aware of them changing those numbers in any significant way recently. Of course, you do have to question whether or not it's really possible to get significantly better than a 10% chance of serious injury (a 5-star rating) in a crash test with current technology. They should probably increase the speeds on the tests rather than messing with the survival rates.

So all the power to making the standards hard to achieve. Yes, this may not be the 'real world' threat, but it's a threat nonetheless. They're basically saying "Since England isn't going to declare war on the USA, any preparedness for receipt of an attack by the USA shouldn't be considered in overall military preparedness". That's of course ridiculous. Protect only against the popular virus and the unpopular virus will begin to spread.

Actually, the tests they failed on were non-threats. Yes, I agree that they should detect breaches of vulnerabilities in the system (though I also agree with them that a known vulnerability should be patched), but the fact is that the reason they weren't detected is because there was no payload.

These tests are like doing the crash tests without actually causing a crash. We usually call those tests crash avoidance or brake tests, not crash tests, and there's a valid reason for both types of testing. You don't give someone a 1-star crash test rating when the car can't avoid a crash but still manages to prevent injuries to the driver and passengers most of the time. Similarly, you don't rate them well for braking and crash avoidance just because everyone can walk away when the car doesn't stop.

Re:Tests need to evaluate _something_ (1)

barzok (26681) | more than 5 years ago | (#25482143)

Name me one that doesn't have a 5-star crash rating?

Well, here's one [safercar.gov] .

Also keep in mind that when you see car ads saying "5-star safety rating", the fine print typically says that it was for only one or two of the half-dozen tests the NHTSA does. If you want a car that gets 5 stars across the board, that's not as common as cars which get a single 5-star rating.

NHTSA has one set of standards that all makers must conform to. The IIHS is NOT a government entity and is much harsher on vehicles.

Understand first, then pick sides.... (3, Interesting)

Kr1ll1n (579971) | more than 5 years ago | (#25481247)

What Kaspersky is bitching about is that the testing involves Proof of concept, meaning, if it is a known exploit, will your AV protect you, even without there being a virus payload. If they can't, I would hope that they would fail these tests. It all boils down to heuristics. If it seems malicious, block and/or report.

Re:Understand first, then pick sides.... (1)

Ilgaz (86384) | more than 5 years ago | (#25481729)

I suspect the imaginary threats they fail are like the usual wintrolls' argument: "So do you think Linux/OS X is secure? Run rm -rf / and see what happens." They run a test which no actual virus/worm author (it is a money-making industry) will bother to code, and they blame a real-life solution for failing to detect it.

A couple of worms actually install a pirated Kaspersky with a special setting to ignore them, so they are sure they are the only malware running. That is the prestige of Kaspersky for you, and the state of current threats. Virus/worm writing is way beyond the amateur sickos writing malware now. It is a huge industry in black hat terms.

Re:Understand first, then pick sides.... (1)

guruevi (827432) | more than 5 years ago | (#25481995)

Technically, your operating system should protect you against that in the first place. I don't even know why there are still antivirus programs in this world. We had viruses back in the day of DOS, when memory was accessible by anyone and everyone had the same permissions (even back then, OS/2 and other OSes had better functionality without viruses), but nowadays the only reason your box should be rooted is because of an exploit in a misconfigured box, and nothing can protect you against that.

I was going to say: Anti-virus programs, how quaint. But then again, there is still an OS out there that is criminally retarded.

That's why I (3, Interesting)

svendsen (1029716) | more than 5 years ago | (#25481255)

I have a different anti-virus product on each of my machines at home. I figure the gap of what they won't detect is smaller than what just having one product will detect.

Bullet proof? Of course not.

So far with Avast, AVG (mind you, one virus product per computer only), ZoneAlarm, Firefox, and some basic sense I haven't been hit.

My only issues (sad enough) were when a Windows update broke ZoneAlarm and when AVG detected ZoneAlarm as a virus (because a new version came out) and shut it down.

Now that I really think of it, all the products designed to protect me have been the ones giving me all the trouble. HAHAHA (as I cry)

Re:That's why I (2, Informative)

IceCreamGuy (904648) | more than 5 years ago | (#25481471)

I deal with AVG Network edition (which is the same as the free edition but not free and with a semi-functional control center), and I can tell you that they put a lot of what I would consider legitimate software in their defs. Their newest version 8 does not remember your exceptions correctly, either.

Re:That's why I (2, Interesting)

Ilgaz (86384) | more than 5 years ago | (#25481647)

The new version of Kaspersky and a couple of other vendors who spend money on development instead of animated ads try to go with a "white list" approach.

For example, while it does very suspicious things (due to its function), ZoneAlarm is well known to the AV solution, and once it is sure it is the real ZA it trusts, it won't bother with it too much UNLESS it starts doing things which it isn't known to do. It adds a lot to performance, and Kaspersky is the last vendor to blame about heuristics, since its early versions. If they didn't do a lot of heuristics against unknown threats, they wouldn't be blamed for making it "slower" than free AVG and robbing the users.

I can understand why Mr. Kaspersky is particularly touched by the claim of the test and the product's failure against an imaginary threat. Kaspersky was one of the first AV solutions to run a small virtual machine and emulate things before giving them the go. It also runs way deeper than many on the market (ring 0), so that is why it may create horrible slowness with hypervisor/emulation types of Windows. E.g. on Virtual PC 7, it is plain suicide to run it.

Re:That's why I (1)

kesuki (321456) | more than 5 years ago | (#25481745)

Well, I like Comodo as a firewall far better than ZoneAlarm. There ARE ways ZoneAlarm can be replaced with a trojan that simply turns off all the firewall abilities of ZoneAlarm. I've seen it happen in the wild, and it was the primary reason I stopped trusting ZoneAlarm. That was when I learned about Comodo. Free as in beer, and it includes code execution prevention on top of an inbound and outbound firewall. Yeah, I know Vista has code execution prevention, but it just says 'program x needs to be run as admin and Bleep you up the ass'.

Comodo tells you what the program was trying to do, be it modifying the registry (and even the key it's about to jack), creating a file or directory, replacing one, or even, God forbid, trying to erase a file or directory, complete with file names and directories. Hell, it even tells you when it's trying to open a port as a server, unless you mark a program as 'trusted'.

Does your firewall do that? Why not?

Re:That's why I (1)

svendsen (1029716) | more than 5 years ago | (#25481879)

Off topic to the main article...

Comodo sounds really interesting; I will have to do more research. How is it at telling you information about programs asking for internet access?

For example, in ZoneAlarm it will say XXX.exe wants access. When you click for more info it tells you jack (except that a program wants access... duh) and you have to research it yourself. Is Comodo better at this? (I hope so.)

The other thing I hate about ZoneAlarm is that every program gets added to the program list when you run it. So imagine a clean list and I open Notepad; guess what, Notepad is now on the ZoneAlarm list. It isn't given access, but it makes managing stuff a pain.

I will do my own research of course, but you seem to really like it, so I figured I'd get some second opinions.

Re:That's why I (1)

kesuki (321456) | more than 5 years ago | (#25482131)

I'm not booted into Windows at the moment, but off hand it tells you in flat percentages the amount of bandwidth used by each active process. It has a full process tree of every running process and every file it's got allocated in memory. Sadly, programs that use svchost.exe still show up as svchost.exe, but with the process map you can tell if, say, rundll32 is running svchost.exe, and that's a big red flag right there.

It only warns you of specific ports when they're creating a 'listen' socket on the TCP/IP stack, so it's clearly monitoring the TCP/IP stack for new connections inbound and outbound, although on outbound it only tells you the program.

Oh yeah, I forgot: it tells you when a program hooks the keyboard or mouse, and it has a paranoid mode where it will give you more popups and allow finer-grained control. It doesn't add every program (except for the active process map, but that's only active processes), and it logs activity it finds suspicious, and can even submit files to Comodo if they're not on a whitelist of trusted apps, or are a new different version.

I know Comodo made the program for its core business as security consultants, so it really, really has a lot of awesome cutting-edge features. Anything a customer wants goes on the feature list.

Re:That's why I (1)

jimicus (737525) | more than 5 years ago | (#25482057)

I have a different anti-virus product on each of my machines at home. I figure the gap of what they won't detect is smaller than what just having one product will detect.
[....]
So far with Avast, AVG (mind you, one virus product per computer only), ZoneAlarm, Firefox, and some basic sense I haven't been hit.

I bought a Mac.

Re:That's why I (1)

thePowerOfGrayskull (905905) | more than 5 years ago | (#25482113)

So far with Avast, AVG (mind you, one virus product per computer only), ZoneAlarm, Firefox, and some basic sense I haven't been hit.

Somehow, with some basic common sense, no antivirus software*, and a hardware router/firewall, the last time I was hit was in 1988: a non-destructive variant of Stoned which was transferred to my PC by an infected floppy. In my experience so far, antivirus is only necessary if you don't verify your file sources and/or are in the habit of opening things without thinking (or allowing applications to do so for you automatically). Common sense alone suffices to keep you safe.

I'm not saying that there isn't a need for antivirus - hordes of computer users rightfully don't /want/ to have to constantly worry about what is safe to open. This isn't their fault, any more than it's my fault when I expect my refrigerator to keep my food cold. My point is only that if you're knowledgeable about computers, and are willing to exercise some minimal caution, AV is a ripoff and a waste of system resources.

* I do periodically run various rootkit detectors, and ClamAV from a Linux partition -- probably once a month or so, just to confirm that I'm still virus-free.

Trust anti-virus ratings? (2, Insightful)

olddotter (638430) | more than 5 years ago | (#25481273)

I'd just like to be able to trust anti-virus software.

http://arstechnica.com/journals/apple.ars/2008/10/20/mac-malware-program-macguard-masquerades-as-antivirus-app [arstechnica.com]

I'm getting really paranoid about things. I find myself avoiding any web service that wants me to download an app or plug-in I'm not very familiar with.

Re:Trust anti-virus ratings? (1)

kesuki (321456) | more than 5 years ago | (#25481925)

As a very paranoid person I have a few suggestions.

First off, there is NoScript. NoScript only runs on Gecko browsers, so you really only have Firefox, IceCat, IceWeasel, Epiphany, and whatever other Gecko-based browsers are out there... NoScript is sexy, and was the first program to protect from clickjacking.

Secondly, I recommend getting a hardened firewall running on some cheap dumpster-grade Pentium 1/2/3 system. Dumpster-grade systems are easy to find, and if you can't find one, there is always the option of hitting pricewatch.com and grabbing the cheapest 'no OS' complete desktop, with the oldest, cheapest parts. For a beginner, Smoothwall is pretty easy to learn. http://www.smoothwall.org/ [smoothwall.org]

I suggest going with half-open, and getting a crash course in what ports need to be opened for whatever you use besides web browsing.

Then you can worry about anti-virus, code execution protection, and outbound application-level blocking on your native OS. If your network isn't secure, then the best anti-virus in the world isn't going to help you a lick.

Re:Trust anti-virus ratings? (-1, Flamebait)

theaveng (1243528) | more than 5 years ago | (#25482073)

I thought Macs were supposed to be immune from viruses and malware? (cough)

Not a fan (2, Informative)

apharas (1258484) | more than 5 years ago | (#25481279)

I have been solidly unimpressed with the results from most of the mainstream anti-virus vendors. There are of course huge trade-offs between speed, usability and accuracy. I also don't like having programs think for me without giving me a viable option to change the way they handle a situation on the fly. For my machines I've switched all Windows machines to ESET's NOD32. All my personal Linux boxes I have on F-Prot. -- a

Re:Not a fan (0)

Anonymous Coward | more than 5 years ago | (#25481509)

I switched my XP machine to ESET NOD32 as well. It isn't the "best" one, but is light on resources and has good polymorphic virus detection.

What's a PoC? (0)

Anonymous Coward | more than 5 years ago | (#25481281)

OK... Anonymous Coward for obvious reasons...

TLAs (2, Funny)

pjt33 (739471) | more than 5 years ago | (#25481423)

My guess was that it's a politer version of PoS.

Re:What's a PoC? (1, Informative)

Anonymous Coward | more than 5 years ago | (#25481573)

Proof of Concept.

They can all kiss my ass (1)

GuloGulo (959533) | more than 5 years ago | (#25481283)

I have yet to find an anti-virus solution that doesn't

a) slow my computer down
b) continuously download crap
c) works as advertised
d) doesn't crash randomly
e) I'm sure there's a few other things I forgot.

When it came down to it, I got so tired of the hassle I installed Ubuntu to dual boot, and only boot into windows when I need to use the work related software I have.

And no, I don't use any anti-virus, as I'm never in windows more than a few minutes anyway.

So you can keep your apparently useless anti-virus ratings, and your anti-virus software too.

Re:They can all kiss my ass (0)

Anonymous Coward | more than 5 years ago | (#25481391)

NOD32....

did you even look?

Re:They can all kiss my ass (1)

OrangeTide (124937) | more than 5 years ago | (#25481497)

I had all sorts of troubles trying to install AVG on a heavily infected system. But once I installed it on a fresh system it was fine. If the virus scanner is blowing up, something is probably attacking it.

And yes, running Linux is a lot less of a hassle. And you don't have to buy a new $40-80 AV license every year or so. Also, you can install ClamAV on Linux; it's pretty handy if you're allowing Windows users to upload/share files with your Linux computer. Also helpful if you're one of those poor saps that has to run Wine.

Re:They can all kiss my ass (0)

Anonymous Coward | more than 5 years ago | (#25481917)

I have yet to find an anti-virus solution that doesn't
c) works as advertised

Ever tried Norton? I'm not sure you could say that works in any way, let alone as advertised.

PoC == Proof of Concept (0)

Anonymous Coward | more than 5 years ago | (#25481295)

I've never seen "Proof of Concept" abbreviated PoC, but there you have it.

Universal measurement (1)

noundi (1044080) | more than 5 years ago | (#25481297)

That's what happens when you stupefy data: you lose data. Anyway, Kaspersky don't give a rat's ass about any tests; if it were them up there at the top of the list they would have nodded their heads and opened their pockets wide. And I wouldn't be surprised if someone fiddled with the software to the advantage of others, or even worse, fiddled with the logic. The anti-virus industry is ironically equal to the medicine industry: the same overadvertising of unnecessary medication using scare tactics. It's simple folks, keep your fucking shit together, don't put your dick wherever it fits and then complain when it falls off because you eat 30 vitamins every day.

Re:Universal measurement (1)

gardyloo (512791) | more than 5 years ago | (#25481533)

That's what happens when you stupefy data: you lose data. Anyway, Kaspersky don't give a rat's ass about any tests; if it were them up there at the top of the list they would have nodded their heads and opened their pockets wide. And I wouldn't be surprised if someone fiddled with the software to the advantage of others, or even worse, fiddled with the logic. The anti-virus industry is ironically equal to the medicine industry: the same overadvertising of unnecessary medication using scare tactics. It's simple folks, keep your fucking shit together, don't put your dick wherever it fits and then complain when it falls off because you eat 30 vitamins every day.

Well, that about speaks for itself . . ..

PoC = PoC (Proof of Concept) (0)

Anonymous Coward | more than 5 years ago | (#25481375)

Would have been nice if the submitter/reviewer put that in the description...

PoCs (1)

the_other_chewey (1119125) | more than 5 years ago | (#25481401)

OMG - I really know lots of IT and CS related TLAs (and even longer ones, only very few are shorter AFAIK),
but couldn't resolve "PoC" without RTFAing.

WTF is this, some kind of trick to make us read TFA?

Re:PoCs (2, Informative)

SatanicPuppy (611928) | more than 5 years ago | (#25481493)

Proof of Concept; sad, but in Securityville this is actually used often enough that it would be considered a "normal" acronym. The debate usually revolves around the fact that a lot of PoCs are completely esoteric and can't be made into actual workable mass-market exploits.

Re:PoCs (1)

the_other_chewey (1119125) | more than 5 years ago | (#25481581)

Is there an acronym for "woooosh"?

Re:PoCs (2, Funny)

grcumb (781340) | more than 5 years ago | (#25481623)

Is there an acronym for "woooosh"?

IMHO: no. YMMV.

HTH HAND

8^)

Re:PoCs (1)

the_other_chewey (1119125) | more than 5 years ago | (#25481669)

Is there an acronym for "woooosh"?

IMHO: no.

ITYM "AFAIK"

Open Source and Free (1)

speroni (1258316) | more than 5 years ago | (#25481549)

I've had good luck with a combination of Firefox with the NoScript addon and ClamWin, and maybe just a little common sense.

I don't see why this is so hard.. (1)

ethana2 (1389887) | more than 5 years ago | (#25481587)

sudo apt-get purge virus

My favorite AV software: (0, Flamebait)

mcgrew (92797) | more than 5 years ago | (#25481599)

Mandriva. SUSE's pretty good too. Haven't tried Ubuntu.

I have my home PC (and the PCs of friends who want me to support them) dual boot, with networking disabled on the Windows side. As there are NO LINUX VIRUSES, a setup like this needs no AV software.

This makes computing brain-dead simple, and supporting friends' computers almost as easy. Without the need for AV the thing works faster, too.

Now mod me down, astroturfers. My karma can take it, even if the truth hurts you.

Re:My favorite AV software: (0)

Anonymous Coward | more than 5 years ago | (#25481983)

Don't forget to turn off USB mass storage, Bluetooth, FireWire, the CD-ROM drive and the floppy on the Windows side. Maybe the HDD too, for extra security!

You'll be left with a safe, but almost unusable, setup. The virus has got you, double backward. DUH!

Why start from the back? (1, Interesting)

AnalPerfume (1356177) | more than 5 years ago | (#25481677)

Why stick to an OS which is fully virus-compatible? I know Microsoft try their hardest to be incompatible with everyone else to lock people into their systems, but they do have the market sewn up on malware compatibility.

The whole anti-malware market exists to fit one purpose.....to plug the holes Microsoft's incompetence leaves behind.

The moral of the story is that if you insist on using Windows (or have to because of some proprietary software you need) you're never gonna be secure, no matter how many anti-malware programs you use, because the underlying OS is a piece of shit.

Switching away from Windows to UNIX / Linux / OSX will give you a huge head start on security before you even start thinking of what else you can do to stay secure.

It's like choosing the back row as your starting point in a race, knowing you don't have a snowball's chance in hell of catching the pack, let alone overtaking them.

industry created whole (2, Informative)

QX-Mat (460729) | more than 5 years ago | (#25481689)

Proofs of concept are tangible vectors to infection. By not including and rigorously detecting such methods, the AV companies will allow more viral products into the market. This is a very self-serving stance.

I actually see a problem of trust emerging. Once upon a time KAV was a brilliant piece of software that ran in DOS well enough to remove the plague of Win95 Marburg infections that hit the UK gaming community after a bad cover CD. That was a time when viruses existed, and you had to stop them infecting you. The prospect of new and novel viruses infecting you wasn't really an issue, as home Internet penetration was small. As such, AV software wasn't marketed as the only thing you needed to stop all viruses forever, but as a tool that would detect more than its competitor, more reliably. The money you paid was for a good heuristics engine that was fast, efficient and, more importantly, updated regularly.

Now I see AV products as nothing more than 'ineffective-ware'. If AV programs claimed to prevent infection by known viruses, and to reduce the risk of infection from emerging viruses, I'd probably have more faith in the industry. But they don't... in subscribing to the "we can protect you from everything" marketing hype, almost every AV company has asked us to put faith in their product to stop "unknown" viruses... and we expect them to.

They don't. It's a computational nightmare.

KAV are in a past mindset. They have to change. They have to consider that what people really want is reliability; they want software guarantees. If any piece of AV software is going to help the market rather than hinder it, it is going to be reliable. What is the most reliable part of an infection? The vector, not the virus itself.

The truth is really in the pudding. Viruses have changed. Almost all now are polymorphic and highly reentrant. A few lines of code will change a signature, making it undetectable. Infection is detectable at the point of entry. If the research is put into proof-of-concept code in making a system vulnerable, then the AV response should be to track and thwart that success.

Matt

Process - Not Product (3, Informative)

Exanon (1277926) | more than 5 years ago | (#25481703)

Call me a Schneier fanboy, but I practice security on my home network as a process, not as in buying a product and being done with it.

Security for me begins with sensible configuration of the router and the PCs on the network; then it moves to access rights and regular patching of said computers.
This includes regular checkups and glancing at logs every three days or so to look for obviously suspicious traffic. Finally, after all of these steps, I use Kaspersky (since I had heard good things about it) together with a rootkit detector. (Oh, and Firefox with NoScript.)

All of this prevents pretty much all the scriptkiddies from getting in (I hope), but then again, the best thing you can do is to not download anything when you don't know what it is.

obligatory (1)

Luke_22 (1296823) | more than 5 years ago | (#25481767)

Xkcd [xkcd.org] explains it all.

I don't care (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25482091)

I don't care, I use virus-free computers (Macs).
