
Many Antivirus Tools Fail in LinuxWorld Test

CowboyNeal posted more than 6 years ago | from the survival-of-the-fittest dept.

Security 234

talkinsecurity writes "In a public, side-by-side test conducted last night at LinuxWorld, ten antivirus products were confronted with 25 known viruses. The results were surprisingly disparate. Only three of the products caught all of the viruses; three only caught 61 percent, and one caught an abysmal 6 percent. The test, which wasn't particularly complicated, proves that there still are wide differences in the effectiveness of AV tools. A lot of people think all AV tools are the same — they're not!"


234 comments

The winners: (5, Informative)

RichPowers (998637) | more than 6 years ago | (#20177373)

From TFA:

Kaspersky, Symantec, and Clam AV: 100% caught

FProt and Sophos: 94%

McAfee: 89%

GlobalHauri, Fortinet, and SonicWall: 61%

WatchGuard's Linux AV: 6%

And a graph of the results plus links to some of the test viruses: http://virus.untangle.com/ [untangle.com]

Re:The winners: (5, Interesting)

alx5000 (896642) | more than 6 years ago | (#20177397)

What's even funnier:

WatchGuard disputes the test results, stating that it uses ClamAV -- one of the products that caught all of the viruses -- in its own product. "We don't see how the results could be valid -- our product uses ClamAV," a spokesman says.

Re:The winners: (4, Funny)

careykohl (682513) | more than 6 years ago | (#20177975)

Well then, all WatchGuard needs to do now is back it up with some source code showing how they managed to fuck it up so bad it misses 94% of the viruses now.

Re:The winners: (4, Interesting)

flu1d (664635) | more than 6 years ago | (#20178263)

I guess that really all depends on whether they're using ClamAV's definition updates or not. The anti-virus engine is useless without a good list of definitions. ClamAV is pretty sweet due to the fact that you can create your own definition for a 0 day and submit it back to ClamAV while using the new definition.
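As an added illustration of the custom-definition workflow this comment describes (example code, not from the page or the ClamAV project): it writes a ClamAV-style `.hdb` line (`MD5:size:name`) and an `.ndb` line (`name:target:offset:hex`) for a constructed sample, then checks files against them the way a scanner would. The sample bytes and the signature name are made up, and the matcher only handles the `*` and absolute-integer offset forms.

```python
import hashlib

# Constructed stand-in for a file you have decided is malicious; not a real sample.
SAMPLE = b"MZ\x90\x00constructed-sample-payload-marker\x00" + b"A" * 40
SIG_NAME = "Local.Constructed.Sample-1"   # hypothetical signature name


def hdb_line(data: bytes, name: str) -> str:
    """ClamAV .hdb entry: MD5:FileSize:MalwareName (whole-file hash)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_line(pattern: bytes, name: str, target: int = 0, offset: str = "*") -> str:
    """ClamAV .ndb entry: MalwareName:TargetType:Offset:HexSignature.
    target 0 = any file type; offset '*' = the pattern may occur anywhere."""
    return f"{name}:{target}:{offset}:{pattern.hex()}"


def matches_hdb(line: str, data: bytes) -> bool:
    """Emulates hash matching: both the digest and the size must agree."""
    digest, size, _name = line.split(":", 2)
    return len(data) == int(size) and hashlib.md5(data).hexdigest() == digest


def matches_ndb(line: str, data: bytes) -> bool:
    """Emulates a body-based (.ndb) match for a plain hex pattern without wildcards."""
    _name, _target, offset, hexsig = line.split(":", 3)
    pattern = bytes.fromhex(hexsig)
    if offset == "*":
        return pattern in data
    start = int(offset)
    return data[start:start + len(pattern)] == pattern


def build_definitions(data: bytes, pattern: bytes, name: str) -> dict:
    """Produce both definition styles for the same sample."""
    return {"hdb": hdb_line(data, name), "ndb": ndb_line(pattern, name)}


if __name__ == "__main__":
    defs = build_definitions(SAMPLE, b"constructed-sample-payload-marker", SIG_NAME)
    print(defs["hdb"])
    print(defs["ndb"])
    # A one-byte change to the file defeats the hash entry but not the body pattern,
    # which is why a whole-file hash alone is a brittle definition.
    variant = SAMPLE[:-1] + b"B"
    print("variant hdb:", matches_hdb(defs["hdb"], variant))
    print("variant ndb:", matches_ndb(defs["ndb"], variant))
```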

Re:The winners: (5, Insightful)

Anonymous Coward | more than 6 years ago | (#20177405)

I must have missed something. How, with 25 different viruses can one catch 6%? My math skillz tell me that it should be divisible by 4.

Re:The winners: (5, Funny)

Anonymous Coward | more than 6 years ago | (#20177429)

Duh, it detected a virus and a half! Do I have to explain everything to you??

Re:The winners: (1)

porl (932021) | more than 6 years ago | (#20177803)

maybe your feeble human-maths says so, but bistro-maths is becoming much more in vogue these days....

Re:The winners: *Direct* Quote (5, Informative)

quadra23 (786171) | more than 6 years ago | (#20178607)

One product, WatchGuard's Linux AV tool, caught fewer than 6 percent of the viruses sent to it. "We're not exactly sure what the problem with WatchGuard is," says Morris. "The test was set up the same way for all of the vendors."

The number quoted by the original poster missed the section in bold: it was technically < 6%, which could mean either 0 or 1 virus (funny how everything always works out to binary in some way or another :). My question would be which is it? Either way, my system would be compromised by either 24 or 25 viruses -- neither of which is a good scenario, especially with regard to well-known viruses (according to the article no 0-day exploits were accepted).

AVG (3, Informative)

DigiShaman (671371) | more than 6 years ago | (#20177411)

What about AVG? I really love it. I've installed it on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff than Trend Micro, Symantec and McAfee.

Also, Bitdefender and Nod32 are good for the Windows environment. I'm curious how all these ranked in the Linux world.

Re:AVG (4, Informative)

Southpaw018 (793465) | more than 6 years ago | (#20177583)

They left out Eset NOD32 as well. Symantec and McAfee are the AV old guard: still strong, but also bloated, slow, and weakening. And they have the occasional health problems.

Kaspersky and Eset seem to be the two main up and comers, and they left one out!

Re:AVG (1, Funny)

cp.tar (871488) | more than 6 years ago | (#20177913)

Kaspersky and Eset seem to be the two main up and comers, and they left one out!

Well, I haven't noticed a NOD32 for Linux... have you?

Re:AVG (3, Informative)

schwaang (667808) | more than 6 years ago | (#20178741)

NOD32 Antivirus for File Servers runs seamlessly on all mainstream Linux distributions (RedHat, Mandrake, SuSE, Debian and others) and FreeBSD. The small footprint and fast performance makes NOD32 optimally suited for real-time or on-demand protection of your Unix File System Servers.


http://www.eset.com/products/linux.php [eset.com]

Re:AVG (3, Informative)

Kymermosst (33885) | more than 6 years ago | (#20177659)

What about AVG? I really love it. I've installed it on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff than Trend Micro, Symantec and McAfee.

Also, Bitdefender and Nod32 are good for the Windows environment. I'm curious how all these ranked in the Linux world.


Test them yourself. The virus samples they used are found here [untangle.com].

Re:AVG (3, Informative)

omeomi (675045) | more than 6 years ago | (#20177855)

I've had good experiences with AVG. Unfortunately, on the rare occasions that I have had to deal with a virus, I've had to go through just about every single virus scanner that I can find before I'm able to completely eliminate the virus. Last time around, AVG was the one that correctly identified the virus, allowing me to find some special utility that somebody had written specifically to delete that particular virus. I think it was still a fairly new virus, which might explain why the major brands weren't able to clean my system, but I've been somewhat surprised in the past that it's so difficult to remove a virus/worm with commercial virus scanners.

Re:AVG (3, Informative)

Feyr (449684) | more than 6 years ago | (#20178417)

my experience mirrors yours. based on many dozens of PCs running AVG: it's excellent at detection but once a virus does get past it you're fucked

Six percent? (1)

Harmonious Botch (921977) | more than 6 years ago | (#20177577)

There were 25 viruses. How does something catch six percent? Eight or four, sure. But six?

Re:Six percent? (0)

Anonymous Coward | more than 6 years ago | (#20177635)

Maybe they used multiple machines or tests to increase the sample base?

Re:Six percent? (1)

EveLibertine (847955) | more than 6 years ago | (#20177827)

Maaaaybe it blocked all of the viruses but 1, but that one that got through infected it 100 times, of which the software then found and cleaned 6.
Alternatively, maybe it really did only get 4%, but they gave it an extra two points for effort. and a star sticker too.
Ok, so probably not. I'm going to guess that maybe the test wasn't as thorough as the article makes it out to be.

Re:Six percent? (1)

tkiesel (891354) | more than 6 years ago | (#20178063)

I was wondering that myself.

Maybe they used two (or a multiple thereof) different infection vectors per virus? That'd make 6% a possible score if a particular virus were detected only via some vectors but not others.

LinuxWorld? Is that still relevant? (0)

Anonymous Coward | more than 6 years ago | (#20177379)

I don't know anyone who is going to LinuxWorld this year. Is it still relevant? Are they still shoving GNU, Debian & other OSS projects to the back room?

I registered for LinuxWorld (the free pass). 3 friggen times (God their registration website is miserable).

I never received any sort of email or postal-mail confirmation, like I do for other conferences.

Since I never got any sort of confirmation, I completely forgot about LinuxWorld. Now, LinuxWorld is almost over. Oh well, I guess I won't attend (representing our 50 linux machines, and a million dollars worth of hardware).

Maybe I'm not their target audience anymore. My hair isn't pointy enough.

Re:LinuxWorld? Is that still relevant? (1)

JamesRose (1062530) | more than 6 years ago | (#20177387)

I know they can pick up a lot of information when you connect to their website, IP, location, but hair pointiness?

viruses on linux - a big deal anyway? (3, Funny)

pddo (969282) | more than 6 years ago | (#20177389)

are viruses on linux an overflow from WINE?

Re:viruses on linux - a big deal anyway? (5, Informative)

adam.dorsey (957024) | more than 6 years ago | (#20177431)

Linux mail directors/servers/etc. often run AV to scan mail for their more vulnerable cousins from Redmond.

Re:viruses on linux - a big deal anyway? (5, Informative)

archen (447353) | more than 6 years ago | (#20177741)

And this is especially good news for those of us utilizing CLAM. You COULD spend a heap of cash adding on tons of crap to an exchange server and hope that it doesn't implode under the weight... or you could have a postfix mail gateway with Clam AV and some simple spam blocking techniques for only the cost of time and hardware. It's also good in a way that not only do you not get viruses IN, but you can keep them from going out as well. You've obviously got issues at that point, but at least you're not spreading the plague. All thanks to open source goodness.

Re:viruses on linux - a big deal anyway? (3, Informative)

JeffSh (71237) | more than 6 years ago | (#20178029)

Another viable option is the managed services, i.e. MessageLabs and Postini. They are becoming increasingly popular and are a lot simpler to implement for small business.

Re:viruses on linux - a big deal anyway? (1)

deniable (76198) | more than 6 years ago | (#20178589)

We did that for years. We had an Exchange Server sitting behind a debian relay running spamassassin and clamav. We still had virus checkers on the Exchange box but they didn't get a lot of work.

Re:viruses on linux - a big deal anyway? (1)

alx5000 (896642) | more than 6 years ago | (#20177445)

You seem to be missing an important issue: Linux workstations are often used as mail, web, ftp, etc. servers, and as firewalls and gateways as well. Being able to scan files that come in and out your network can sometimes prove indispensable.

These had to be Windows viruses being tested.. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20177467)

I assume the virus software was running on Linux but the viruses being detected were Windows viruses. You might want this type of virus software running on a Linux mail server or Samba server so Windows machines can't spread their viruses to other Windows machines through you. Of course we know they couldn't have come up with 25 Linux viruses, or even 1 for that matter.

Re:viruses on linux - a big deal anyway? (1)

justkeeper (1139245) | more than 6 years ago | (#20177481)

From TFA:

Untangle first conducted the AV "fight club" two years ago, when it was trying to decide which AV tool to include in its network gateway,
These anti-virus products are probably used in the gateways to inspect packets passing through them and stop malicious content from spreading into Windows machines in the internal networks.

Re:viruses on linux - a big deal anyway? (5, Funny)

cp.tar (871488) | more than 6 years ago | (#20177925)

Actually, I remember an article about the lack of compatibility between Windows and WINE.

Of the four viruses thrown at it, WINE couldn't run one properly.

Truly, Wine Is Not an Emulator.

Slashdot Users: (-1, Troll)

alfs boner (963844) | more than 6 years ago | (#20177395)

I would never socialize with a Slashdot user! Sorry guys :(

Blame yourselves.

I came to moderate! (1)

cdn-programmer (468978) | more than 6 years ago | (#20177399)

Not much here.

The story could have shown a list of the tested viruses versus the AV software being tested. A simple table would have conveyed a great deal more information than the druel the fellow wrote. Yes I RTFA and as I said - it is not very informative.

Re:I came to moderate! (3, Funny)

shystershep (643874) | more than 6 years ago | (#20177639)

druel

Is that a cross between drivel and drool? Maybe some gruel thrown in for flavor?

Re:I came to moderate! (2, Informative)

Kymermosst (33885) | more than 6 years ago | (#20177641)

The story could have shown a list of the tested viruses versus the AV software being tested. A simple table would have conveyed a great deal more information than the druel the fellow wrote. Yes I RTFA and as I said - it is not very informative.

You RTFA and then sadly don't do any research. Why would they bother to list the tested viruses when they provide the actual viruses [untangle.com] (see "Test Set")?

Re:I came to moderate! (1)

JackieBrown (987087) | more than 6 years ago | (#20178259)

Can you open the zip and tell me what they are?

Re:I came to moderate! (1)

compro01 (777531) | more than 6 years ago | (#20178327)

why open it? most any competent antivirus program can scan within a ZIP file.

Re:I came to moderate! (1)

JackieBrown (987087) | more than 6 years ago | (#20178403)

But the above asked for a list.

Re:I came to moderate! (3, Informative)

JackieBrown (987087) | more than 6 years ago | (#20178423)

000_eicar.com
001_eicarcom2.zip
002_eicar_com.zip
003_eicar.rar
004_eicar.zip.bad_extension
005_eicar_big.zip
010_18_04_2005.exe
011_abuselist.zip
012_fullstory.exe
013_image.jpg.exe
014_message.pif
015_mntrup.exe
016_patch-6143.zip
017_photo.pif
018_q347558.exe
019_scan_check.jpg.exe
020_test.zip
021_The_taxation.zip
100_8.zip
101_scan.jpg
102_Syndony.zip
103_Update-KB8136
104_Attachement.scr
105_image.jpg.exe
106_Info.exe
107_Please-confirm-pay
108_virus_87
109_virus_88
110_vvzh.scr
111_xxx.com
112_untangle1.zip
113_untangle21.zip
114_untangle22.zip
115_untangle3.zip
116_untangle4.zip

math question (2, Interesting)

jeebee (229681) | more than 6 years ago | (#20177419)

How does i/25 not equal 4*i%? Were some of the 25 viruses half-caught, or one-quarter caught?

Re:math question (0)

Anonymous Coward | more than 6 years ago | (#20177513)

It is not a math question but a biological question: were the statistics pulled out of a dog ass or a horse ass?

Re:math question (3, Insightful)

seriesrover (867969) | more than 6 years ago | (#20177545)

that's exactly what I was thinking...how can you have 25 viruses and get anything other than 4%, 8%, 12% etc. The article refers to 6%, 61% and 89%...bizarre - I can only reason that they weighted the severity of each virus.

Re:math question (3, Insightful)

VirusEqualsVeryYes (981719) | more than 6 years ago | (#20177971)

Additionally, they could have calculated the type of virus (by entry method, severity (as you mentioned), spread method, mode of attack, age, etc.) and weighted their percentages in the wild. It's also possible that the programs perhaps prevented some of the damage of some of the viruses, thus meriting partial credit.

It's also possible I'm wrong, but either way, the article is omitting some information we're supposed to know.

Re:math question (1)

mhall119 (1035984) | more than 6 years ago | (#20177893)

From the article (emphasis mine):

One product, WatchGuard's Linux AV tool, caught fewer than 6 percent of the viruses sent to it.
Obviously WatchGuard only caught 4% (or maybe 0%), and they were just trying not to embarrass them too much, you insensitive clod.

Re:math question (1)

glitch23 (557124) | more than 6 years ago | (#20177961)

How does i/25 not equal 4*i%? Were some of the 25 viruses half-caught, or one-quarter caught?

Maybe some were caught but identified incorrectly.

Re:math question (5, Informative)

Bibz (849958) | more than 6 years ago | (#20178051)

Because the summary isn't right.

They used 18 test cases; WatchGuard got only one: 1/18 = 5.55%, rounded = 6%

All from the spreadsheet available at http://virus.untangle.com/ [untangle.com]

Re:math question (0)

Anonymous Coward | more than 6 years ago | (#20178163)

I'm more interested in how you got imaginary viruses.

Re:math question (1)

AlanS2002 (580378) | more than 6 years ago | (#20178517)

Multiple runs of the tests, perhaps.

Odd numbers. (4, Interesting)

DerekLyons (302214) | more than 6 years ago | (#20177421)

Something seems a little strange here. With 25 test cases, and a binary outcome (either the virus was detected or it was not), the %caught should proceed in even steps of 4%. There's some number massaging going on somewhere.

Hmm... the Fight Club Website [untangle.com] lists 35 test cases, not 25. It's not clear if there is any overlap between the various test cases. In fact, there's not any discussion of the testing methodology (let alone what precisely was tested) at all. Just "here's our numbers - believe them or infect your own machine and find out for yourself".

Now, while I admire the 'do it yourself' hacker ethos as much as the next guy - this is taking it a bit too far.

Re:Odd numbers. (5, Informative)

Bibz (849958) | more than 6 years ago | (#20177865)

Well, examining the Excel sheet here http://virus.untangle.com/ [untangle.com], they used 18 test cases, so they got 5.6% for WatchGuard.

The summary was wrong; it's either 18 test cases or 35 test cases, depending on the section you're looking at...

Re:Odd numbers. (1)

g0at (135364) | more than 6 years ago | (#20178619)

The summary was wrong; it's either 18 test cases or 35 test cases, depending on the section you're looking at...

Well, the average of 18 and 35 *is* 25 (within about 6%). :)

Online Scanners Considered... Bad? (5, Interesting)

eddy (18759) | more than 6 years ago | (#20177423)

For fun I downloaded an application where I suspected the "keygen" was trojanized. I was correct; the real keygen had been bundled with some, as it would turn out, Off The Shelf trojan. However, I didn't know what trojan, so I scanned with F-Secure's online engine, which didn't detect anything (neither did my active AVG installation). So I sent in the executable as a sample and explained what little I had to say: where I found the file, that it was pecompact2'ed, that their online scan didn't detect it. The process of submitting a file requires you to attach the scanner log.

Got the reply that "The file you submitted was found to be malicious, and is already detected as Trojan-Downloader.Win32.Delf.asz using the latest virus definitions." and "Please update your virus definition databases to properly detect the file".

Remember, I had scanned it using their latest online scanner and provided the log where the trojan was NOT detected.

So, maybe an extra warning for online scanning engines.

PS.
Shortly after I had submitted the file to f-prot, AVG started detecting it.

Re:Online Scanners Considered... Bad? (2, Funny)

ianare (1132971) | more than 6 years ago | (#20178185)

"The file you submitted was found to be malicious, and is already detected as Trojan-Downloader.Win32.Delf.asz using the latest virus definitions Please update your virus definition databases to properly detect the file".
Translation:
"Thanks for your submission, we analyzed the file and it's a new variant of Trojan-Downloader.Win32.Delf.asz that we hadn't seen before. Do an update to verify it's being detected properly by the client."

Re:Online Scanners Considered... Bad? (1)

MikeBabcock (65886) | more than 6 years ago | (#20178285)

I've had excellent results myself with submitting unknown suspicious files to McAfee. Sure, their software isn't what it used to be, but they've been very fast at getting back to me with virus definition "extra.dat" files to detect the virus/trojan in the field.

Re:Online Scanners Considered... Bad? (1)

r_jensen11 (598210) | more than 6 years ago | (#20178549)

A while ago, I purposely downloaded the Bagle virus from one of my old yahoo accounts. That's when I found out the media was messing up every time they referred to it as the Beagle virus. How did I find out it was really Bagle? Because I opened it in vi, vi went into hex mode, and I found a bunch of registry strings containing Bagle instead of Beagle. In order to download it (because the online filters caught it as a virus), I had to supply the direct URL that bypassed Yahoo's antivirus. It wasn't hard, all I had to do was delete a section of the URL string.

Someone asked me to send them a copy of the virus because they wanted to have a look at it too. I think I just renamed it to something like Bagle.jpg or something along those lines. But then again, that was years ago.

ClamAV among top 3! (2, Insightful)

blind biker (1066130) | more than 6 years ago | (#20177451)

Nice to see open source programs perform so well, so consistently. I only wish the author(s) maintained the ports and packages themselves. The Win32 port seems a bit of an afterthought. Anyway, still a brilliant antivirus program.

(My other OS favourites include Audacity, CDex, The GIMP and OpenSolaris (you didn't expect that one coming, did you)).

Zombies (1)

Porchroof (726270) | more than 6 years ago | (#20177461)

It is understandable why there are so many zombies out here spewing spam 24 hours a day. Nobody has a clean machine and there is no way to obtain one without reformatting the hard drive and reinstalling the minimum.

I'm fairly knowledgeable about home computers (I bought my first one in 1976) and I have a weird feeling in my gut that there is something on this computer that shouldn't be there. But all of the tools I've tried (antivirus, antispyware, etc.) have found nothing wrong.

I coined a word a while back: filthify, v., to give a computer access to the Internet.

Re:Zombies (5, Insightful)

bmo (77928) | more than 6 years ago | (#20177673)

If you suspect something is evil with your setup, you should go with your gut instincts. You are probably more right than you know.

You should get away from antivirus. Seriously. I'm going to sound like a salesman, but bear with me a bit.

Antivirus and anti-malware in general, on Windows machines, closes the barn door after every single horse has bolted. There is _no_ way to be sure your Windows computer is badware/zombieware free. To top this off, it often sucks up incredible amounts of cycles that turn the latest gamer machine into an XT.

There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze. What you do is establish a "ground state" for the machine by doing a bare metal install and then installing DeepFreeze. You then have certain areas for data that are unfrozen, but the rest is basically locked up tight.

Surf by an evil site and get a drive-by install? Laugh maniacally, and reboot. The evil bits are then...gone. The machine has returned to its ground state. To install software permanently, you must "unfreeze" the machine, install your software, and then refreeze. The refreezing can be automatic for the next reboot or specified for a certain number of reboots, like if you were doing a Windows update and have to suffer through the interminable reboots. So it also gives Windows "parental supervision" - even for the 9x machines that don't have the concept of an "administrator" account.

Evilware in the presence of DeepFreeze is about as sticky as snot to teflon. If you insist on staying with Windows, this will let you sleep at night.

I swear, Faronics should hire me.

--
BMO

Re:Zombies (3, Interesting)

ozzee (612196) | more than 6 years ago | (#20177955)

I actually do the same kind of thing. Whenever I get a new machine, I snapshot the HDD before I even boot it the first time. Then I run the auto updates from MS and snapshot it again. I then regularly wipe the machine by restoring a snapshot. (It also forces me to keep my data somewhere else that is safe.)

The only advantage of this over the DeepFreeze thing is that I can unfreeze to multiple prior states.

I think it should be a standard feature with these 100GB++ notebook drives.

Re:Zombies (5, Informative)

imemyself (757318) | more than 6 years ago | (#20178117)

There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze


Have you ever worked in a tech department that had to support frozen computers? It turns a project that would maybe take fifteen or twenty minutes per lab into something more like an hour long. The school district that I work for used Deep Freeze on most of the desktops at the high school up until about a year or two ago. Taking DF off made it a lot quicker to make minor changes to the computers during the year, and there haven't been any significant problems. Students and teachers are also happier with it because it prevents stuff that people have saved in My Documents (yes, the kids are told over, and over again to save to their mapped home directories - but occasionally they don't) from being wiped out.

About the same time as that we also took students out of the Admin group (I'm not exactly sure why they were in there in the first place - no apps have had any problems with it), so that mitigated any significant problems as well. We also have McAfee managed AV and 8e6 web filtering, but AFAIK it's fairly rare that any viruses or malware are found on the student computers. The laptops that the teachers have (and have admin rights on) are another story. But they would whine if they couldn't add weatherbug and have five different toolbars in IE. Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it. Students/regular non-admin users should not be able to cause damage to the OS. In a well run environment there shouldn't be tons of problems with malware. Yeah, there is going to be an occasional piece of malware that exploits a security vulnerability that could screw up the system. But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups.

Re:Zombies (4, Funny)

bmo (77928) | more than 6 years ago | (#20178281)

"Have you ever worked in a tech department that had to support frozen computers?"

A bit. It's a PITA, but for static setups that don't need touching and subject to "many hands" like in a library, it's not bad. Let's just say that students in a classroom are typically better behaved than many library patrons.

" Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it."

Well, I think the problem with that lies elsewhere, probably in a place called Redmond. All this stuff is just patches upon patches to keep Windows from eating itself.

"But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups."

Some would say that this should be the default, but "design and marketing decisions" prevent that.

"But they would whine if they couldn't add weatherbug and have five different toolbars in IE"

Nnnggghhh.... *puts on BOFH hat* "YOU GET THE POLICY OF DOOM! MUAHAHAHAHAHAH!!!!"

--
BMO

As a consultant or to replace all the users... (1)

msimm (580077) | more than 6 years ago | (#20178229)

Because I see 1) unfreeze 2) installed warez 3) refreeze 4) zombie. It's a great idea if you have a really good working understanding of an operating system (although I've seen some pretty tricky virii/malware) but for your regular users this is complicated and confusing. In fact I would say it would probably be easier to train a user to use an unprivileged account (and we all know how well that's gone).

DeepFreeze is an excellent tool for administrators or powerusers. But certainly no silver bullet.

Re:Zombies (1)

compro01 (777531) | more than 6 years ago | (#20178309)

i dunno about the not swear at part.

the IT dept at the local school district recently ditched it as they kept having problems where it wouldn't unfreeze properly to install updates and it would foul up their update schedules (they have it rigged so it's supposed to reboot to thawed, then check for and install updates for all the programs every day at 11pm or thereabouts, then reboot frozen), but sometimes for no apparent reason, it wouldn't thaw and all the updates would get fouled up and systems would go unupdated for days and they'd have to go out and do it manually once they discovered it.

these problems were happening on win xp pro, though on a single-user computer that should be not much of an issue as it is on a large network.

Re:Zombies (1)

MobyDisk (75490) | more than 6 years ago | (#20178547)

Wow, that's almost like having some sort of permissions, or access control list, that prevents applications from modifying certain files. What a concept! I'll invent it, and call it UNIX!

Re:Zombies (0)

Anonymous Coward | more than 6 years ago | (#20178215)

Um, i had my server running for over a year and I did all kinds of stuff to/with it, and finally installed SAV 10 on it and it found Nothing!

well, it deleted my rainbowcrack exe, and some other important files, but it found no malicious stuff.

How did Microsoft Onecare do guys? (1)

Dude McDude (938516) | more than 6 years ago | (#20177491)

Guys????

Re:How did Microsoft Onecare do guys? (1)

caspper69 (548511) | more than 6 years ago | (#20177543)

Last I checked, OneCare did not run on Linux.

Onecare caught 0% (0)

Anonymous Coward | more than 6 years ago | (#20177767)

Due to lack of ability to actually execute.

Re:Onecare caught 0% (5, Funny)

Dude McDude (938516) | more than 6 years ago | (#20177869)

That would mean that it's performing just as well as it does in Windows. Good work Microsoft!

Hmm, no Trend (1)

afidel (530433) | more than 6 years ago | (#20177551)

We use Sophos on our Linux mail relays and Trend on the desktops, servers and web proxy. We've only had one small virus outbreak in 15 months. I guess Trend isn't covered since there is no Linux client, but it is in the top bracket on every shootout I have seen in the last couple years.

Re:Hmm, no Trend (1)

matazar (1104563) | more than 6 years ago | (#20177649)

I really wish they had done Trend. I want to see one of these for Windows based ones.

I always recommend Kaspersky, CA and Trend. While I'm shocked that Norton caught them all, it still doesn't change my stance on their crappy products. They don't allow control to the end user. You can't disable or change any settings without it bitching constantly until you turn it back on. It's bulky, it's the most targeted and you can turn it off if you want to.
/rant

Not surprising... (3, Informative)

SuperBanana (662181) | more than 6 years ago | (#20177579)

...considering that most of the antivirus programs were tricked when a new "variant" of one of the worms appeared back around '99 or so. So kids- just insert random whitespace into your worms!

The change? The line endings in the VBS script changed. It probably wasn't even intentional- some broken mail server probably modified CRs into CRLFs. It sailed right past Trend Micro's email scanner and infected several dozen systems.

I was the first person to notice why it slipped by, and brought it to the attention of a big-name "security expert" who ran a mailing list which shall go unnamed. He thanked us for the research, passed along my findings to the list, and then promptly went around doing interviews with the press using the first person voice. "I discovered that...", blah blah was what I read the next day.
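An added example (not from the comment's author) of the detection gap described above and the defender-side fix: a byte-exact signature that spans a line ending misses the CR-to-CRLF rewritten copy, while canonicalising line endings on both the signature and the scanned data before matching catches both versions. The script text and the signature are constructed, benign stand-ins, not the worm in question.

```python
import re

# Constructed, benign VBScript-like text standing in for the worm body,
# written with bare CR line endings as the original copy was.
ORIGINAL = (b"' constructed sample, not a real worm\r"
            b"Set fso = CreateObject(\"Scripting.FileSystemObject\")\r"
            b"MsgBox \"hello\"\r")

# Signature extracted from the original. It deliberately spans a line ending,
# which is exactly the kind of byte-exact pattern a CR->CRLF rewrite breaks.
SIGNATURE = b"FileSystemObject\")\rMsgBox"


def mail_relay_rewrite(data: bytes) -> bytes:
    """Models the broken relay in the story: every bare CR becomes CRLF."""
    return re.sub(rb"\r(?!\n)", b"\r\n", data)


def naive_match(signature: bytes, data: bytes) -> bool:
    """Byte-exact scan, as the scanner that was fooled behaved."""
    return signature in data


def canonical(data: bytes) -> bytes:
    """Normalise CRLF, CR and LF to a single LF before any matching."""
    return re.sub(rb"\r\n|\r|\n", b"\n", data)


def normalized_match(signature: bytes, data: bytes) -> bool:
    """Compare after canonicalising both sides so line-ending drift is invisible."""
    return canonical(signature) in canonical(data)


def scan(data: bytes) -> dict:
    """Run both matchers against one message body and report the verdicts."""
    return {"naive": naive_match(SIGNATURE, data),
            "normalized": normalized_match(SIGNATURE, data)}


if __name__ == "__main__":
    variant = mail_relay_rewrite(ORIGINAL)
    print("original:    ", scan(ORIGINAL))   # both matchers fire
    print("CRLF variant:", scan(variant))    # only the normalized matcher fires
```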

I would comment on this... (0)

Anonymous Coward | more than 6 years ago | (#20177611)

...but the first rule is do not talk about fight club!

I run Linux because... (5, Interesting)

BearRanger (945122) | more than 6 years ago | (#20177627)

Let me preface this by saying that I work in a Windows free environment. I understand that not everyone has this luxury.

Am I a bad citizen because I don't scan for Windows viruses on my Linux systems? It's almost like another Microsoft tax--you're expected to degrade your performance to prevent their victims, uh, customers (yeah, that's it) from infecting each other. Those folks need to be responsible for their own safety and not expect the rest of us to do it for them. They could start by holding Microsoft accountable and making other choices at purchasing time. To me, Windows isn't worth the hassle.

Re:I run Linux because... (1)

PenGun (794213) | more than 6 years ago | (#20177747)

I used to save 'em. Had quite a collection at one time.

Re:I run Linux because... (3, Insightful)

n0dna (939092) | more than 6 years ago | (#20177977)

Ever consider that every virus infection stopped by anyone, target or not, could cut down on the bandwidth sucked away from all of us by the ever increasing botnets?

What about infected files that don't originate on your systems but are passed through it? If you send out an infected file, the recipient won't care where you think you got it, or how much you feel that it isn't your problem, you're the one who infected them.

You can piss and moan about trash on the sidewalk or you can just pick it up.

Re:I run Linux because... (0)

Anonymous Coward | more than 6 years ago | (#20178199)

What you could do, to be a good citizen at no noticeable cost to yourself, is - any time you send a file, to anyone, attach a note saying "This file has not been screened for viruses".

Lots of people attach notes saying "File scanned using Whizbang 3.335", and I just say "Oh goody" and scan it myself manually. A note saying "This file has not been scanned" would be a refreshing change of honesty, but would make no difference at all to the working procedures of someone who's even slightly security-conscious.

Re:I run Linux because... (1)

TheRealMindChild (743925) | more than 6 years ago | (#20178451)

Yeah... same idea as "My fucking legs work. Is it my fault that yours don't? Am I expected to forgo the luxury of an escalator because you are in a wheel chair?"

Inefficient AV testing methods (1)

beefcake1942 (996262) | more than 6 years ago | (#20177647)

The methods used to test AV products are simply bogus. I would really implore you all to read an article published on The Register today. As an ex-employee of one of the world's largest AV vendors, what it says is not only fact but something you should all take into consideration: http://www.theregister.co.uk/2007/08/09/anti_virus_testing/ [theregister.co.uk]

Re:Inefficient AV testing methods (1)

swb (14022) | more than 6 years ago | (#20177763)

You mean corporate shills lie and cheat to get rich?

Interesting... (1)

rob1980 (941751) | more than 6 years ago | (#20177663)

Interesting that SonicWALL only caught 61% compared to McAfee catching 89%. The virus protection on our SonicWALL at work is powered by McAfee.

Rainbow Fonts (2, Interesting)

Tablizer (95088) | more than 6 years ago | (#20177695)

The charts used those damned ClearType sub-pixelation fonts in the image, which is not going to work right with many monitors since they have to be tuned per user. When I see that rainbowy tinge, at first I check to make sure I haven't drunk too much c c c coffee again.

I have to question the validity of this test... (3, Informative)

RootWind (993172) | more than 6 years ago | (#20177729)

Not to knock Clam, but there is something odd about these results (besides the absurdly low testbed). TFA says Clam won two years ago (which meant Untangle would use it), and again now. However, just last May the results from AV-Test.org (a real trusted legitimate source) against a comprehensive testbed put ClamAV near the bottom of the heap: http://www.pcmag.com/article2/0,1895,2135053,00.asp [pcmag.com]

I can't help but think that Untangle is trying to justify their own choice, rather than have a real test. With a testbed of only 25-35, it is possible to pick a group of malware that can put any AV on top. Even the user-submitted malware is suspect, especially when that test set is also so low. ClamAV is great against virus outbreaks, with one of the fastest signature responses, but it has pretty atrocious trojan and zoo detection, since there is not enough manpower to collect and create signatures for less prevalent and non-replicating malware.

ClamAV still does make a great second AV test (1)

mattb47 (85083) | more than 6 years ago | (#20177917)

I'm not sure I'd rely *only* on ClamAV for protecting incoming mail on my mail servers. But if you can hook up a way to check incoming mail against multiple AV providers, then definitely throw ClamAV into the mix. It's free and it works...

- Matt

Re:I have to question the validity of this test... (1)

armanox (826486) | more than 6 years ago | (#20178237)

PC Mag's test is done using Win32, whereas it would seem that this test was done on *NIX. So, ClamAV isn't good under Windows? Just a thought.

Re:I have to question the validity of this test... (0)

Anonymous Coward | more than 6 years ago | (#20178373)

wtf is a "zoo"? Is this a word you just made up?

Excel Results upped to Zoho Viewer (2, Informative)

Leemeng (970560) | more than 6 years ago | (#20177889)

For the Excel-averse, I have uploaded the Excel Results of the test to the Zoho Viewer website. So you needn't install Excel or OO. http://viewer.zoho.com/docs/edblaI [zoho.com]

Windows? (1)

ZeroFactorial (1025676) | more than 6 years ago | (#20177983)

The real question is, how many of these virus scanners detected and quarantined windows?

All joking aside, isn't it strange that with all of Microsoft's monopolistic tendencies, they haven't branched into the anti-virus market yet?

I recognize that this would be a paradox, but still....

All antivirus tools *are* the same (2, Insightful)

Anonymous Coward | more than 6 years ago | (#20178071)

All of them depend on guessing whether a file is good or bad.
All of them will have false negatives as well as false positives, most likely skewed to have fewer false positives to reduce the annoyance factor at the expense of missing real viruses - false negatives.
There are substantially better and computationally cheaper ways to protect your system than an anti-virus.

huh? (0, Redundant)

smitty97 (995791) | more than 6 years ago | (#20178111)

What's a virus?

signed,
Mac User

Re:huh? (2, Insightful)

ianare (1132971) | more than 6 years ago | (#20178265)

Something you get if you go online. Remember, you may not be infected by a virus, but you can still spread it. Signed, Computer User

Re:huh? (1)

swokm (1140623) | more than 6 years ago | (#20178561)

A thing you may receive in the near future, unless Apple finally gets around to implementing better handling of "safe" file types and Apple Mail attachments in 10.5...

61% of 25 viruses??? (0, Redundant)

dniq (759741) | more than 6 years ago | (#20178147)

How does one "capture" 15.25 (61% out of 25) viruses? Or 6% (1.5), for that matter?

Re:61% of 25 viruses??? (1)

KillerBob (217953) | more than 6 years ago | (#20178439)

See, I thought that until I tried to download the sample file and open it. Then I noticed that the sample was 7.5MB in size, and that there were multiple instances of some viruses. The weird numbers come from having a partial success rate in capturing Virus X. That is... if I send 12 instances of MyDoom.M at a virus scanner, and it only catches 7 of them.

Lunix fanboys cant blame this one on Microsoft! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20178269)

Scanning through the comments section of this article, I can't help but feel that there are a significant number of Lunix fanatics that blame Microsoft for everything wrong with Lunix. The article was about antivirus products and Linux. Nothing to do with the MS boogieman. Lunix too hard for office worker X? Must be MS. App doesn't work on Lunix? All Bill Gates' fault.

These puerile conspiracy theories demonstrate that the attitude of the Lunix community is not serious enough for the corporate world, which is why my company has had such a success rate converting small business from Red Hat / Ubuntu to Windows.

Yeah! Go clamav (1)

xgr3gx (1068984) | more than 6 years ago | (#20178277)

ClamAV rules, I use it on my mail server, as well as my Linux desktop. It's great, and it's not a resource hog.
I've even installed ClamWin on some Windows boxes for people. No complaints from them :).

What? (1)

RvLeshrac (67653) | more than 6 years ago | (#20178307)

GlobalHauri? Fortinet? Where are NOD32 and BitDefender?

I'd rather see commercially available AV tests, since that's what 99.9% of consumers use. I can (and have!) not use an AV scanner for 4 or 5 years and never see a virus, because I pay attention. How about Jimmy Bob Johnson who visits every porn and keygen site on the internet, but uses McAfee because his ISP bundles it?

Whatever... (0, Flamebait)

Kratisto (1080113) | more than 6 years ago | (#20178319)

... If you manage to catch a virus using Linux, you fail hard anyway. It's difficult with Windows if you're not stupid... or a woman.

Lame (1)

pravuil (975319) | more than 6 years ago | (#20178447)

Come on, an MCSE would expect those results.

Seriously, with a title like "Many Antivirus Tools Fail in LinuxWorld Test" you would expect something new. Well, I guess I was surprised. I didn't think Symantec had it in them. Kudos to them. ClamAV, no surprise there at all. Same goes for Kaspersky. You could've figured that out by using Google.

Abacus problem (1)

flyingfsck (986395) | more than 6 years ago | (#20178723)

I think their counting frame has a cracked bead...