Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Antivirus Software Performs Poorly Against New Threats

Soulskill posted about a year ago | from the also-can't-hold-its-own-against-the-protoss dept.

Security 183

Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered


so its like the human immune system? (4, Interesting)

alen (225700) | about a year ago | (#42449493)

who would have thought?

Re:so its like the human immune system? (1)

tulcod (1056476) | about a year ago | (#42449631)

If the virus would've been picked up by the virus scanners, then they wouldn't have spread around the world like a virus.

In other news, a tautology has been shown to be a tautology.

Re:so its like the human immune system? (2)

spottedkangaroo (451692) | about a year ago | (#42449651)

It's much much worse than that... A human virus has to get really lucky and accidentally evolve features necessary to bind to our receptor sites. Virus authors, on the other hand, can use virustotal.com to see who can detect their stuff and evolve as necessary to avoid detection.

Re:so its like the human immune system? (5, Informative)

mcgrew (92797) | about a year ago | (#42449777)

Virus authors, on the other hand, can use virustotal.com to see who can detect their stuff and evolve as necessary to avoid detection.

Virus writers make their viruses evolve? Creationism, anyone? Computer viruses don't evolve, they are engineered/programmed. And viruses that attack animals (including humans) don't have to evolve features necessary to bind to our receptor sites, those features have already evolved. What they do is mutate so that the animal's immune system doesn't recognize it as a threat.

The animal immune system is nothing whatever like computer antivirus, and animal viruses are nothing like computer viruses. You guys are anthropomorphising WAY too much here.

Re:so its like the human immune system? (4, Informative)

GrumpySteen (1250194) | about a year ago | (#42450083)

Virus writers make their viruses evolve?

In a sense, yes. Viruses have been created which "evolve" by changing their code around in order to prevent signature based detection. Viruses that do that are referred to as polymorphic [wikipedia.org] viruses.

Polymorphic viruses are doing basically the same thing as a biological species that evolves into a different coloring that helps it hide from predators. The ones that don't evolve better camouflage get eaten by predators/cleaned by virus scanners. The ones that do evolve better camouflage spread.

Re:so its like the human immune system? (0)

dimeglio (456244) | about a year ago | (#42450161)

It seems virus/malware writers are doing more to help explain evolution and natural selection than we give them credit for.

At least there's one cure once the virus is discovered: format/re-install Windows and/or use a less vulnerable OS.

Re:so its like the human immune system? (2, Interesting)

Joce640k (829181) | about a year ago | (#42450933)

Nope. Computer viruses are intelligent design, not evolution.

Re:so its like the human immune system? (1)

LordLimecat (1103839) | about a year ago | (#42450163)

Computer viruses don't evolve, they are engineered/programmed.

Why not? Cant random bits be flipped in a virus (ie by cosmic radiation, or background noise) just as with an actual virus?

If I recall a virus genome is roughly the same size as a virus, too-- mimivirus for example has ~1million basepairs, which I guess would be about 125KB.

Re:so its like the human immune system? (1)

Joce640k (829181) | about a year ago | (#42450945)

Why not? Cant random bits be flipped in a virus (ie by cosmic radiation, or background noise) just as with an actual virus?

Um, no. That's not how computer code works.

Re:so its like the human immune system? (0)

Anonymous Coward | about a year ago | (#42451175)

That is how mutation works for both. The only difference is just the ratio between useless, improving and killing mutations. Not sure about computer programs but it was done successfully for fpga bitstreams in an experiment.

Re:so its like the human immune system? (0)

Anonymous Coward | about a year ago | (#42451019)

I believe he meant the the virus writers can evolve to creae viruses not deteced by the online scanners.

Re:so its like the human immune system? (1)

tinkerton (199273) | about a year ago | (#42450179)

It's not really like the immune system. The immune system works on several levels, but the main strategy is to start with a rough full coverage blacklist from which all the whitelist items have been removed. When you get in contact with antigens, there are instant matches with the blacklist but they aren't very powerful. You proceed by making variations around the matching blacklist items and upgrade the best matches till you get a good powerful response. This upgraded blacklist is then ready for a fast powerful reaction when the same virus hits again.

The attacking virus is always on your blacklist, only not in the degree that it triggers a massive response.

Re:so its like the human immune system? (1)

Impy the Impiuos Imp (442658) | about a year ago | (#42450301)

So it's like the US military, which famously is excellent at fighting the previous war?

Re:so its like the human immune system? (1)

Joce640k (829181) | about a year ago | (#42450975)

More like the TSA than the Army....only good at detecting previous threats. Move the bomb from the shoes to the underpants and you'll sail through.

It's a matter of time, stupid! (3, Insightful)

aglider (2435074) | about a year ago | (#42449519)

As the bad guys are always ahead! It's trivial!
The antivirus company can only react to new virus technologies. So the time to reaction is the actual measurement we need first. Only later we need the accuracy.

Re:It's a matter of time, stupid! (1)

Zero__Kelvin (151819) | about a year ago | (#42449967)

Actually, the bad guys are only somewhere in the middle:
  1. People who use a secure OS
  2. Bad Guys
  3. Low Security OS Users

Re:It's a matter of time, stupid! (1)

KitFox (712780) | about a year ago | (#42451201)

What secure OS? There are only Very Insecure OSes and Less Insecure OSes.

Re:It's a matter of time, stupid! (2)

bondsbw (888959) | about a year ago | (#42450139)

I'm not sure what "comprehensive solution" is being called for. Antivirus is an undecidable problem; the best we can ever do is check for what we know to date, and add some guesswork for finding future malware. But we will never have a perfect antivirus program.

The better solution has proven to be OS security locks. Like it or not, the walled-garden approach implemented by Apple in iOS--and more recently by Microsoft--has made it much more difficult for malware to actually do anything harmful to your data and device. (Then again, it has also made it much more difficult for goodware to actually do anything useful with your data and device.)

Even a good set of file permissions like in Linux, or in Windows Vista and 7, have been nearly as effective at blocking malware as what the antivirus industry has produced (and by that statement, I include the fact that many antivirus programs make the computer so unusable that people turn parts of them off). Of course, permissions tend to leave vulnerable anyone who is susceptible to social engineering.

Re:It's a matter of time, stupid! (1)

Anne Thwacks (531696) | about a year ago | (#42450485)

I'm not sure what "comprehensive solution" is being called for.

1) Use OpenBSD
2) Launch Rocket Propelled Grenades
3) ???
4) Prophet!

Re:It's a matter of time, stupid! (2)

ByOhTek (1181381) | about a year ago | (#42450275)

I thought I've seen some pattern detection stuff in AVs before, that was supposed to try to detect suspicious activity.

Problem is, there are a lot of legitimate things that look suspicious. Writing a predictive scanner is an even more difficult task than getting the base OS secure without losing too much performance, usability, or user friendliness.

Re:It's a matter of time, stupid! (4, Insightful)

TheLink (130905) | about a year ago | (#42450439)

Solving the AV problem is harder than solving the "Halting Problem", since you aren't given the full source and inputs. Sandboxing and similar is the better approach.

In many cases if you do things right (esp on servers), AV software is more likely to cause problems than viruses. Every now and then you hear of an AV software with a system crippling false positive or other big problem. So if you are sandboxing stuff, and not regularly adding 3rd party software to a server or browsing with it, installing AV software on servers is more likely to cause problems than it'll ever solve.

Re:It's a matter of time, stupid! (1)

Anonymous Coward | about a year ago | (#42450457)

Well, the bad guys might be less far ahead if it wasn't painfully, blatantly easy to get into people's computers.

Take for example a completely arbitrary, random website... Slashdot.

Why is it that "reputable" sites... of which Slashdot is arguably one... be hosting BLATANTLY OBVIOUS SCAM ADS, which since I'm not retarded enough to click on it, I assume will also jam your computer with malware.

I'm sorry, but seeing GIANT MOTHERFUCKING ADS for some "lowermybills" thing that claims I can save over a hundred thousand on house payments if I contact them... on Slashdot... just makes this site more of a fucking joke than it's been turning into for years. I think this most recent change for ultra-giant animated ads just came about in the last few days.

What's next... punch the monkey and Bonzi Buddy ads?

Of COURSE people are going to have viruses and malware if once trustworthy sites are given truckloads of cash to host links to malware. At least you'd BETTER be getting truckloads of cash for those, because if you're going to sellout SO hard that a site generally once thought of as one of the pinnacles of nerdy, computer-based news is now just an adware-serving, slashvertisement filled shithole of the internet, you damned well better be able to retire on it.

And websites get mad when people view their content for "free" while blocking ads and giving you no ad income. Gee, I wonder why blocking ads on ALL sites, even ones once respected, is mandatory nowadays.

On a related note, anyone know of any sites like Slashdot, but that haven't sold out so viciously hard yet? I wouldn't mind bailing on this place. Hope the paycheque you got from the obviously disreputable ad company was worth it.

Whiskey Tango Foxtrot????? (0)

Anonymous Coward | about a year ago | (#42449547)

How is this news? This has been the case for years!

Come on Slashdot! It's the second day of the new year, at least try to be better.

Re:Whiskey Tango Foxtrot????? (1)

Joce640k (829181) | about a year ago | (#42451025)

...and the antivirus marketers have been telling us they've been adding behavioral detection for years, too.

How's that working out for anybody?

Law (2)

SJHillman (1966756) | about a year ago | (#42449557)

We should just outlaw malware. Then we wouldn't have to worry about it anymore! >_>

Re:Law (1)

grantspassalan (2531078) | about a year ago | (#42450779)

We should just outlaw malware. Then we wouldn't have to worry about it anymore! >_>

which of course will work just as well as outlawing drugs or assault weapons.

What's the impact of those new viruses? (4, Interesting)

rvw (755107) | about a year ago | (#42449561)

In about 15 years I've seen (and fixed) about ten infections, all on computers from friends or colleagues. All those infections were with known viruses or rootkits. You might say that new viruses go unnoticed, but even if they have infected a computer, shouldn't an antivirus scanner detect it later? Yeah I know it "should", but will it? I never see anything about them. Anyway, how often do all these new viruses actually have an impact?

Re:What's the impact of those new viruses? (4, Insightful)

SJHillman (1966756) | about a year ago | (#42449589)

The "best" malware are the ones designed to be undetectable for years. Some even go so far as to play the role of an anti-virus to keep other infections out of its host. Given that most users don't bother to make sure their AV product is up to date (if working at all), it's no surprise these infections are never detected because they're actually making the computer run better (from the user's perspective) just so they can continue their own agenda undisturbed. The most advanced malware is more akin to a semi-benign parasite than a biological virus or bacteria.

Re:What's the impact of those new viruses? (3, Insightful)

iMouse (963104) | about a year ago | (#42449657)

I'm still finding systems with infected MBRs and hidden partitions loaded with TDSS.tdl4. How old is this rootkit now?

I think these AV companies need to figure out how to properly clean/repair a system that has already been compromised before trying to play the cat and mouse game with the malware developers. I find AV software far more useful if a late detection can be removed/repaired rather than have it sit on my system for years undetected.

Malware Anti-Bytes (0)

Anonymous Coward | about a year ago | (#42449563)

It's free and it's awesome. http://www.malwarebytes.org/

Also, my experience with anything by Symantec is that it slows down your system to the point of rendering it useless.

Re:Malware Anti-Bytes (1)

SJHillman (1966756) | about a year ago | (#42449601)

Malwarebytes isn't much different than other anti-virus products... as far as I'm aware, it uses pretty much the same methods to detect and remove. Also, the free version is only much use once the system is already infected (at least that was the case last time I checked) - you have to pay for any sort of real-time monitoring.

Re:Malware Anti-Bytes (0)

Anonymous Coward | about a year ago | (#42449773)

No, it's completely free for real-time monitoring. I use it as well.

Re:Malware Anti-Bytes (0)

Anonymous Coward | about a year ago | (#42449685)

MBAM doesn't detect shit anymore. It used to years ago, but not now.

Re:Malware Anti-Bytes (0)

Anonymous Coward | about a year ago | (#42449775)

MBAM doesn't detect shit anymore. It used to years ago, but not now.

The nose takes care of that perfectly well.

Film at 11... (5, Interesting)

whoever57 (658626) | about a year ago | (#42449575)

Seriously, how many people here at /. are not already aware how poorly anti-virus software works? This "study" is just a "slashvertisement". From TFA

Imperva, which sponsored the antivirus study, has a horse in this race. Its Web application and data security software are part of a wave of products that look at security in a new way.

Re:Film at 11... (1)

Anonymous Coward | about a year ago | (#42449843)

But you'd actually have to RTFA to see that. What's wrong with you?

Whitelist is old news (4, Interesting)

michaelmalak (91262) | about a year ago | (#42449603)

The article mentions whitelist technology as the next step beyond conventional signature-based blacklist systems. But that's what I used three years ago, with RegRun [greatis.com]. As soon as an executable is run that it doesn't recognize, RegRun pops up an alert asking you if it's legitimate. Of course, this is useful only for the technologically savvy.

But now instead of that, I employ the ultimate in virus recovery (albeit not virus control). Using the multi-boot software BootIt Bare Metal [terabyteunlimited.com] (like a commercial version of GRUB, GParted, and other utilities rolled into one), I keep a clean OS on a separate partition that I can copy over the main partition at any time. Of course, I keep data on fileservers instead of my local hard drive.

Re:Whitelist is old news (4, Funny)

SJHillman (1966756) | about a year ago | (#42449623)

"Of course, this is useful only for the technologically savvy."

That's the one huge, gaping security hole in most modern OSes... the user. Damn hard to patch too, although I have had some success with a crowbar.

Re:Whitelist is old news (1)

Zero__Kelvin (151819) | about a year ago | (#42449991)

"Of course, I keep data on fileservers instead of my local hard drive."

What makes you think that viruses can't live in data files?

Re:Whitelist is old news (0)

Anonymous Coward | about a year ago | (#42450135)

If data == non-executable, then a virus cannot live there. It needs to be executed.

However, Microsoft Office has been turning what should have been data files into files with embedded code for years, even though people were screaming that it was a bad idea when they came up with it. Of course it didn't take long before the first Word macro virus appeared.

Then there's the case of bugs in the software that reads the file, but that's no different than bugs in any other software receiving untrusted data. And once the bug is fixed (you do update your software, right?) that virus will no longer live, even though it's still hiding in the file.

Re:Whitelist is old news (1)

Zero__Kelvin (151819) | about a year ago | (#42450253)

"If data == non-executable, then a virus cannot live there"

Not only are you wrong, you subsequently point out how in direct contradiction to what you wrote:

"Then there's the case of bugs in the software that reads the file,"

All viruses take advantage of bugs or poor design in executing software, and the exploit is not necessarily the propagation vector. They can, and sometimes do live in non-executable data files. They can propagate via simple file copying.

Re:Whitelist is old news (2)

mcgrew (92797) | about a year ago | (#42450587)

It depends on what you call "data". You can hide a virus in a text file, but that virus will be harmless, as there's no way to execute it. But a Word file isn't just data, since you can insert a macro. IMO whoever thought of putting embedded macros in word processing documents was brain-dead stupid; a word processing document should NOT be able to infect a system. Even a spreadsheet should not be able to infect; there should be two files in a spreadsheet with macros, the data and the macros, just like a database has data (uninfectable) and code (which can BE infection).

Your MP3s are safe from viruses, your WMAs are not. WMA's DRM-friendliness make it a virus vector, while MP3s are safe. Anything subject to DRM can and most likely is infected or is an infection itself. On'y the ignorant use WiMP and WMA, they beg to have your system pwned.

Re:Whitelist is old news (1)

Bengie (1121981) | about a year ago | (#42450655)

I've seen some good review on Vipre anti-virus on how it loads applications into an extremely lightweight vm that monitors calls to certain system-modifying APIs and uses heuristics to detect "unknown" malware based on malicious patterns, which it then quickly cuts off access of the VM and the malware is rendered useless.

Of the few reviews I read many years back, Vipre had in the upper 80% detection rates for unknown malware while all of the others were more in the 20%-30% ranges, and Vipre had the least resource sapping performance.

Again, not first-hand, but based on reviews.

Re:Whitelist is old news (0)

Anonymous Coward | about a year ago | (#42450667)

For those users that are prone to infections and re-infections (and insist on using Windows) I set them up with Deep Freeze [faronics.com]. I setup the OS with all the software and settings they will need. I create a seperate partition for their Documents and Firefox/Chrome/Thunderbird profiles. I then "freeze" the C:\ drive. There is no A/V to annoy the user and generally slow everything down. If the computer becomes infected you just reboot and the infection is gone. Occasionally you will have to temporarily "thaw" the C:\ drive to add/remove software, install updates, or make changes.

Whitelist is a Joke (0)

Anonymous Coward | about a year ago | (#42450669)

The issue at hand is trust. The whole concept of trusted computing is flawed. UEFI is a whitelist technology. Why should I trust anyone's code - even if it was written by Bill Gates or Linus Torvalds?

The best solution to eliminating malware is open source. That way, anyone who is interested can actually read the code. Trust is no longer an issue.

Binaries need to be signed by something greater than MD5, and the signatures of a particular compile should be reproducible (build environments vary). That way, repositories can be monitored for malicious activity.

SVN can be used to monitor commits. This helps keep track of changes and will help expose malicious intent.

The problem is that closed source software companies make their living by leveraging their work for profit. Not that there is anything wrong with making a buck, but the end user is not empowered. The anti-virus software is therefore reduced to searching through binaries and RAM for some sign of malicious activity. It is no wonder that the malware writers are winning.

You may be thinking, what about Android malware? Think about it. Unsigned, corrupted, binaries hosted in malicious repositories. That is what happens when open source is removed from the equation.

Industry Incentives (4, Interesting)

Anonymous Coward | about a year ago | (#42449655)

While this is a classic arms-race (i.e. each has incentive to stay one step ahead) - I would argue that there is asymmetry in the incentives in the attackers (malware writers), and defenders (anti-virus, and computer security software writers). I believe the long-term outcome of this is that the window of exposure for popular platforms will continue to grow, despite advances in: patching hosts, general user education, availability of firewalls, etc

An illustration of the basic asymmetry is this:

A lone coder in an impoverished country has a lot more to gain by writing a single virus/piece of malware than does an anti-virus company to write detection for that single virus. Think: bread for your family vs. one more item crossed off in a list of tens (if not hundreds) of thousands.

Additionally, the virus only has to be active for a short time to make the labour worth it. Write a new one every month, by the time it gets to the a/v companies, cash is in the bank.

Multiply this by the number of coders that are out of work, in countries that have other things to worry about, and the increasing availability of tools and education for the job.

It is a losing battle, long term.

No Sh*t Sherlock (1)

wisnoskij (1206448) | about a year ago | (#42449693)

Heuristics are HARD, and if you spend 3 months developing a virus you test it against the major players to see if it actually does anything.
New viruses are designed to get past the current antiviruss. The only thing that a AV should guarantee is a minimal number of days until they have an update that will protect users.

Re:No Sh*t Sherlock (1)

Joce640k (829181) | about a year ago | (#42451089)

The only thing that a AV should guarantee is a minimal number of days until they have an update that will protect users.

It's 2013, if we have to wait 'days' for an update the virus will have already done its work (and a new variant is coded up and ready to roll).

Cautionary tale (3, Interesting)

Anonymous Coward | about a year ago | (#42449695)

I like to think of myself as being pretty good when it comes to security and AV protection. I've been using computers since the C64 era and I remember when Michelangelo was making waves, long before rootkits. I even wrote a small DOS virus in assember myself (never released it, just as a study). I don't run crap downloaded from torrent sites and all my software is licensed. I keep a Windows XP inside a VM for stuff I'm not sure about.

Last month I got infected. I got sloppy and I just run something from an unknown origin (not a crack or some crapware, a legitimate installer). Some alarm bells sounded right away in my brain (the installer should have been signed and I got a warning that Windows Security has been disabled). I spent the next 5 days running AV tests on the drive. I used Live CDs from Kaspersky and MS to boot clean. I pulled out the drive and scanned it on a clean computer. I run separate AV and Rootkit finders. They all said the system is clean but I still didn't feel right. Finally, I run Malwarebytes Anti-Rootkit and it found it! No false positive, it really was a trojan svchost.exe. Needless to say I nuked everything from orbit - repartitioned and reformatted the drive, installed everything fresh and restored my files from backup. I even changed all the passwords.

Re:Cautionary tale (1)

SJHillman (1966756) | about a year ago | (#42449767)

You went through all that trouble of finding it, only to nuke the OS anyway once you found something that actually picked it up?

Re:Cautionary tale (3, Interesting)

SScorpio (595836) | about a year ago | (#42450007)

He had an uneasy feeling and confirmed it. It's possible there was more to the infection that wasn't found. The only safe way to recover from a virus is a nuke from orbit and restore from backups.

Re:Cautionary tale (2)

jawtheshark (198669) | about a year ago | (#42450189)

Yes, that's why you nuke from orbit immediately when you have an uneasy feeling, without wasting so much time.

Re:Cautionary tale (1)

LizardKing (5245) | about a year ago | (#42449799)

I even wrote a small DOS virus in assember myself (never released it, just as a study).

I did an evening course in x86 assembler at a college in the UK many years ago. In our first lesson the tutor showed us how to write a boot sector virus for DOS - I thought it was quite an amusing way to motivate us!

Re:Cautionary tale (0)

Anonymous Coward | about a year ago | (#42449827)

I even wrote a small DOS virus in assember

Man, that must have hurt.

Hey Nicole (0)

Anonymous Coward | about a year ago | (#42449709)

Just because it's new to you, doesn't mean it's new.

The best way to stop a virus (0)

Anonymous Coward | about a year ago | (#42449731)

is to FIX the vulnerability...

And don't reintroduce the vulnerability with updates...

Re:The best way to stop a virus (2)

CSMoran (1577071) | about a year ago | (#42449831)

Does not work for PEBKAC.

Re:The best way to stop a virus (1)

Richy_T (111409) | about a year ago | (#42451001)

There are ways of mitigating that. Windows has typically been abysmal in this respect but even other operating systems could go a long way to improve things.

Re:The best way to stop a virus (1)

Nos. (179609) | about a year ago | (#42449869)

That doesn't really stop the virus once its already infected a host, and it does nothing until people actually apply the patch.

Hardly the "Best" way.

Actually it does. (0)

Anonymous Coward | about a year ago | (#42449939)

As it renders the virus useless.

And antivirus way "does nothing until people actually apply the " anti-virus update... And the anti-virus way also does nothing to an infected host that has reasonable backups either. Even then, the antivirus will not catch the next virus using the same vulnerability either.

Re:Actually it does. (1)

Wamoc (1263324) | about a year ago | (#42450745)

As it renders the virus useless.

No it doesn't. Viruses take advantage of a vulnerability to infect a system. Once it is on the system it doesn't use the vulnerability anymore.

Obligatory car analogy: You got a nail through a tire on your car. To take care of it you just don't drive on the road with nails on it where you got the first one. This doesn't fix it as the nail is still there making the tire deflate.

Honestly? (1)

mks99 (2806649) | about a year ago | (#42449749)

The world is surprised by the finding of those "researchers". What will the come up with next?
  • - Will their "research" show that snow is often white?
  • - Will their "research" show that the sun is hotter than the moon?
  • - Will their "research" show that one might get wet when walking in the rain?

Anyway, I guess the next scientific breakthrough is just around the corner...

Re:Honestly? (1)

Anne Thwacks (531696) | about a year ago | (#42450523)

I recall recent research at a University near me showed "Alcohol makes students drunk". You can find out anything if you try hard enough!

Well, maybe... (1)

Anonymous Coward | about a year ago | (#42449761)

... if everyone stopped using McAfee and Norton, we wouldn't be in such problems. I switched to MSE when it got released, and haven't gotten a virus since, including those fake anti-virus/security ones.

Re:Well, maybe... (2)

grahamm (8844) | about a year ago | (#42449981)

Part of the problem is that products that start off good and have a good reputation often lose their edge but people continue using them. I remember when Norton Utilities (or it competitor PC Tools from Central Point) was almost essential for 'power' users, and when McAfeee was amonst the best anti-virus toolkits.

This is asking the wrong questions (3, Insightful)

jbmartin6 (1232050) | about a year ago | (#42449771)

The question is, how well do these products protect their users? This study doesn't really help in that regard. Sure, we can dig up samples that the product doesn't detect. This is inevitable as pretty much everyone acknowledges.

A couple thoughts though. Looking at the PDF, they are deliberately going after obscure and experimental samples of malware. Fair enough, this was the purpose of the study. If they wanted to establish that AV products won't detect obscure and experimental malware samples, so far so good. But how likely is it that any normal user is going to encounter one of these? Probably very unlikely.

The AV vendors have to prioritize their time, so they will focus more on malware that a user is likely to encounter, so as to provide better protection.

Yes, the underlying point is still valid. Any automated detection technology is going to lag behind, that's a problem we will have to live with. Even products from Imperva will suffer from this, malware authors will simply run their samples through VirusTotal and all the other tools and keep tweaking until they have an approach that evades the detection.

Wisdom follows, pay attention! (0)

Anonymous Coward | about a year ago | (#42449783)

> analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF).

One thing they should not have neglected is F-Secure. That finnish antivirus company has DeepGuard tech and DG gen4 is probably the best and most pro-active tech out there. Kaspersky Lab is more about traditional retro-active detection, they publish very many signature updates every day.

On the other hand, even F-Secure's chief engineer Mikko Hypponen openly admitted in a webcast that if your organization is attacked by the likes of those secretive US/IL people behind Stuxnet/Duqu/Flamer, then you are toast (as a parallel, he mentioned how James Bond will manage to kill you, if he wants to). One variant of the Duqu malware was written and tested to fool, circumvent and suppress about 430 different vendor/version combinations of IT-security software. That "retro-virus routine" module alone must have cost a few million USD to develop and debug.

> the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached.

The thing is computer software of today is almost perfectly deterministic. Therefore IT-security software, including pro-active and unusual-spotting (IDS/IPS) defences can be tested in advance by an adversary and the malware code can be refined ad infinitum to circumwent, fool or supress defences. A dedicated attacker has a big budget of money or human work-hours and only needs to find a single security hole, while the defenders spend most of their biduget on industry, commerce or military and the IT-security aspect is just a fraction of their war chest, yet it would need to cover every line of code they run and every byte of firmware in their devices (not to mention the unknown possibility of in-hardware backdoors planted by US/CN gov't). Pretty hopeless situation.

> clean up systems once they have been breached

Stuxnet teaches us that such cleanup may literally be done by a mop post-infection. Who is to guarantee that more malware causing physical / hardware damage will not appear in the future? It would be better to prevent cybernetic infections in the first place, but there is little hope.

Internet Part II (1)

na1led (1030470) | about a year ago | (#42449801)

It will require a whole new Internet to keep bad guys out. One Internet with all the lock down measures in place, and one with all the free rain and dangers that come with it. I'm thinking this will all be done by companies like Google and Microsoft. They will probably have some options in the search engine to enable this.

Re:Internet Part II (1)

mcgrew (92797) | about a year ago | (#42450781)

One Internet with all the lock down measures in place, and one with all the free rain and dangers that come with it.

Dangers of free rain? Like floods and tornados? Nice pun there; rain is indeed like open source, it's free as in freedom and free as in free of cost, and it's hard to live without.

Although I believe you meant "rein" (as in steering a horse).

This isn't anything new. (1)

Seumas (6865) | about a year ago | (#42449807)

It's not like this has only started happening. Does anyone seriously give any weight to the advertisements for things like NOD32 and others, where they claim "so and so reports that they have never missed a virus in the wild in the last ten years"?

The real dirty secret (1)

Anonymous Coward | about a year ago | (#42449853)

The real dirty secret is that the antivirus companies are in cahoots with government and Big Content companies like Sony to prevent the detection of malware beneficial to their creators.

or (1)

Anonymous Coward | about a year ago | (#42449865)

we could finally start putting security before convenience, unnecessary bloat and crap and making a quick buck..
ie. Adobe reader, java, flash player, internet explorer (with its unholy deep system integration), unnecessary background services, even if they are meant for updating the program's (firefox, adobe: thanks, I am sure this will become a new attack vector)

As expected for a reactive protection system (0)

Anonymous Coward | about a year ago | (#42449885)

IMHO, current malware protection software is on the end of it's life, it's known for a long time now that the amount of malware out there has been increasing exponentially through the years, and it has achieved a very high level of complexity for reactive protection systems to be effective. I think in order to mantain our systems protected (100% secure is not possible, we all know it) operating systems have to change its philosophy and find a way to stop (or minimize) malware from entering the system instead of running third party tools to remove malware and fix the system.
2012 was a terrible year for Linux OSes in the matter of security, it has been hacked several times. Personally i think that it's due to (the beginning) of it's massification, where a lot of people begin set up Linux boxes without the correct security measures. Both Linux and Windows have a common problem, and it is the user.

Comodo malware protector? (2)

Clarious (1177725) | about a year ago | (#42449893)

What about Comodo's Defender? You can set it up to automatically sandbox any suspicious programs (unsigned for example) and any suspicious behaviours will be denied and reported. Certainly it is not a silver bullet but I have had good experience with it after it detected a malware hidden in my input method program (which wasn't detected by MSE). The developer site was breached and a modified version was uploaded, comodo alerts me that the program was trying to access the internet.

Re:Comodo malware protector? (1)

Anonymous Coward | about a year ago | (#42449913)

I use COMODO Internet Security, which is free, and includes AV, Firewall and Sandbox. It's the most complete of the free solutions for Windows i found, it's not 100% secure though, nothing is

This shit again? (2)

Sycraft-fu (314770) | about a year ago | (#42449935)

Seems like we had a story about this same shit a month ago. It is still basically just scare mongering.

Yes, virus scanners are not good at brand new threats. A threat must be identified, and an update sent out before it can be blocked. Virus scanners are not magic AI boxes that can evaluate code for its intent, nor is there an "evil bit" that is set in bad code.

However, it turns out not to matter since viruses spread like, well, viruses, and virus scanners are inoculation. It is a herd immunity thing. New threats aren't on any systems, they are put up in various places to try and infect systems. They start slowly spreading. They get identified and an update sent out, and their spread is limited as potential hosts are inoculated.

Virus scanners are NOT perfect, but then no defense is. Geeks need to stop living in this fantasy land where there is perfect security. There's not. Ever. There is only layers of defense, defense in depth, to try and keep threats out and eternal vigilance.

Virus scanners are a valuable tool to help strengthen a defense. For most people they'll catch most of the threats they are likly to encounter and that is not nothing.

No shit (3, Insightful)

A Friendly Troll (1017492) | about a year ago | (#42449973)

Back in 1997 I wrote a resident com/exe DOS infector, which couldn't be detected by F-Prot nor TBAV (remember those?), despite the infector not being encrypted, much less polymorphic.

I learned two valuable lessons back then:

1) If you're going to write an infector, make sure you write the cleaner first.

2) You are your own best AV on the PC. If you know what you're doing, the AV does nothing helpful, and if you get infected, it'll be by something that AV cannot detect.

So... (1)

symes (835608) | about a year ago | (#42450025)

we have a human analogy as a starting point. If I wanted to keep something, human or otherwise, free of infection I would stick it in an hermetically sealed container. Personally, I think (and I am most certainly not a security expert) the problem we have is that users are, by and large, allowed too much freedom by default. They can wander, like horny 16 year olds, the boudoirs and dark alleys of the internet without any form of protection what so ever. The iPhone is a nice example of a locked down system where there are very few, if any, threats. Why can't we have the default machine something like the iPhone with options to free things up a bit for those who know what they are doing? My guess is that a lot of users are increasingly in the "I just want it to work" category and wouldn't even notice significant loss of privileges. Unless it affected their access to pet tap zoo, or whatever it is called.

Déjà Vu (1)

UltraZelda64 (2309504) | about a year ago | (#42450053)

Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses.

Why do I get the sense that I've known this all along, and that I have in fact heard this same thing over a decade ago? Oh yeah--because I have, and things don't just magically change.

Software can't just catch 100% of everything that it was not designed to detect in the first place. How is this news? Same shit, different year (or would that more appropriately be decade?).

Purpose of Antivirus (1)

Dun Kick The Noob (904001) | about a year ago | (#42450103)

Not a security expert? But isn't antivirus software supposed to prevent against known viruses and not against new zero day exploits?? Firewalls, proper user rights, application hardening, recovery systems, monitoring etc An much as i hate to say it the os does play a part as to guiding human behavior

Bigger problem than imagined. (4, Insightful)

grahamlord86 (1603545) | about a year ago | (#42450123)

I run a local computer repair shop, and I can corroborate this story- modern AV does jack.

I haven't seen any really malicious malware in a while, but I see ransomware and scareware ones quite often, and every time the computer has up to date AV on it.
What's more, a lot of the time I've seen the virus in question several times, meaning it's been around for at least a fortnight, and still the AV guys haven't picked up on it.
I can appreciate that a social engineered drive-by exploit attack is difficult to defend from, when the customer asks me how to stop it happening again, it's a tough question to answer- but this doesn't change the fact that IMHO, all anti-virus is a waste of time and money at the moment.
I install MSE on customer laptops because I have to put SOMETHING there, but I have little faith that it will protect them.

Now I'm not fear-mongering here, I'm just being matter-of-fact. Three years ago when I stopped re-selling AVG, my account manager said 'Oh sorry to hear that, can I ask why?'
I said; 'Because it doesn't work. I am removing trojans and rootkits from computers every day, and many of them are running AVG, which has completely failed to save them.'

Make your anti-virus software work, and make it protect users from drive-by attacks on bad facebook links (without intrusive toolbars and link checkers please), and I will sell you hundreds of copies in my little shop alone.

Re:Bigger problem than imagined. (3, Insightful)

0123456 (636235) | about a year ago | (#42450199)

Um, the viruses you see infecting systems will, pretty much by definition, be the ones that get past the AV software. You won't be asked to remove a virus that the AV software on the machine will catch, because the AV software will catch it.

Re:Bigger problem than imagined. (2)

grahamlord86 (1603545) | about a year ago | (#42450677)

That's true, but-

A: My point about a virus that's been in the wild for at least two or more weeks is still not covered stands. AV corps bang on about research and monitoring so much, why are they so slow to keep up, especially when a lot of modern viruses are relatively easy to remove?

B: AV loves to harp on about how well it's protecting you, yet you never see positive virus removals in the logs. By your suggestion, I should be seeing disinfections and removals in the AV logs on most computers. The only time I get a hit on AV is on a system that's already infected, and the AV is quite unable to remove it.

Add sandboxing... (2)

JamesTRexx (675890) | about a year ago | (#42450215)

This is why I use Sandboxie on the Windws PC's I use. Great little tool and I bought a license some time ago after testing the free version for a few years.

Only problem is that it's no use for regular users. You need to know what you're doing.
BufferZone Pro might just be the right alternative but I've not tested it much.

In other words.. (1)

SCHecklerX (229973) | about a year ago | (#42450327)

You can't fix a human behavior problem by throwing more technology at it. Depending on AV for prevention of computer malware is like telling someone to slice themselves up with razor blades then jump into raw sewage. We have antibiotics, after all.

Time to... (3, Funny)

PPH (736903) | about a year ago | (#42450331)

... bring John McAfee out of retirement and put him to work on the problem.

Anti-Virus - scamming people since day 1.... (3, Interesting)

King_TJ (85913) | about a year ago | (#42450813)

IMO, this is all to be expected, and hints at the true, underlying problem. The entire concept of anti-virus software developed under false pretenses.

If you read Wired magazine's lengthy story on John McAfee, for example, you learn that the guy was little more than a scammer, ever since his college years. He started out giving away "free" magazine subscriptions that he lied and told people they won, and then convinced them to pay him a "shipping and handling" charge to receive them.

He only got the idea to form his anti-virus company after reading a few news stories about the successful spreading of the first virus programs (which were really developed as an experiment to see how far they'd replicate -- not to do any damage to systems). He thought it was really scary stuff (which he claims is largely because he was beat as a child by his dad, and the idea of a computer virus suddenly attacking a machine for no known/good reason was similar in his mind).

His company only become really financially successful after he fear-mongered to the media at every turn, trumping up relatively small virus infections as "liable to wipe out entire corporations!" and so forth. (Remember, in the beginning, McAfee actually gave his product away for free - knowing home users would start recommending and/or installing the product where they worked too, and the real money was in getting companies to pay for licensing.) Obviously, others saw the flow of money and wanted a piece of that action, so they, too, started anti-virus or "computer security" companies with similar strategies.

Don't get me wrong. I'm sure there really are people in the computer security or anti-virus business with good intentions. Some people out there really DO think they've "built a better mousetrap" and aren't just trying to sell a bill of goods for easy money. But at best, this stuff is a rapidly moving target. In fact, the traditional virus is hardly even a problem anymore, since most malicious software writers have moved on to malware as more effective for their purposes. (Why try to make complicated code that secretly attaches to valid files and replicates itself at every turn when you can just trick a clueless user into voluntarily downloading and running your destructive application instead?)

Over the years, I've watched companies spend huge money on dedicated appliances that purported to be "advanced firewalls" and "intrusion prevention systems" and the like -- only to become pretty much obsolete when a new "security" company popped up and offered up a replacement solution that was more clever and relevant to the latest variations of threats. Meanwhile, how much money was REALLY saved by having any of this? That's the beauty of the scam, of course... there's no way to quantify it. You can make up all sorts of pretend statistics!

Preventative software (0)

Anonymous Coward | about a year ago | (#42450899)

The best software to protect against malware is software which can isolates any other software from the rest of the system. In Windows it's Sandboxie, which allows you to install and run software in sandboxes which are separated from the real system. I had a virus running in there for 6 months and didn't know it. I made the mistake of running it out of the sandbox and it crippled my system. If used correctly though it's incredibly powerful. Windows should natively implement something like this but they won't because it would make it to easy to reinstall trial apps and cracked software.

Groundbreaking research (1)

kye4u (2686257) | about a year ago | (#42451125)

Who would have thought, since the bad guys can test their malware against the most up-to-date popular av software to ensure that the malware does not get detected

Virus too narrowly defined (1)

uncoveror (570620) | about a year ago | (#42451171)

The problem with every antivirus I have ever used in my computer business, not just Norton and McAfee, is that virus is too narrowly defined. Most miss spyware and all miss scamware, which they cannot tell from legitimate competing products and shakedowns like the FBI scam. Malwarebytes or Spybot while running in safe mode are the best bet for scamware and shakedowns.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account