Is Anti-Virus Passé?

When security firm Imperva checked more than 80 unreported viruses against several anti-virus solutions, it found that none of the tested programs were able to detect previously unreported viruses and that 75 percent of solutions took a month or more to update their signatures.

That isn’t good news, and while Imperva obviously has some self-interest here, their November Hacker Intelligence report, Assessing the Effectiveness of Anti-Virus Solutions, is worthy of a closer read nonetheless. What it means is that we have to depend on a variety of protective solutions to keep our computers safe and infection-free. As the bad guys get more sophisticated with their attacks, we have to get more sophisticated with our defenses.

Let’s look more closely at the tests that were done. First, the team at Imperva collected 82 viruses from various evil places. As the authors state, “A number of sources which assisted us in getting our hands on no small amount of relatively new viruses were forums in Russian, whose purpose was to enable hackers to discuss viruses and obtain assistance in developing them. The availability of malicious code and viruses in these forums was extremely high. Any kid could build a virus by themselves or download one ready-made.” That is pretty scary, but nothing new if you have been following security news postings over the past few years.

They then used the VirusTotal service to confirm that none of the samples were already recognized by the signature databases of the anti-virus vendors. This notion of signature-matching is becoming obsolete anyway. A number of virus construction kits that are readily available online can customize a virus for each particular desktop, meaning that each copy has a separate and unique signature.

Finally, they ran these viruses through the various anti-virus products and noted which ones were correctly identified, and which weren’t. A sample results table from the report is shown below. So what did they find out?

[Image: sample results table from the Imperva report]

Lag times are long. Imperva found that it can take typical anti-virus solutions three weeks to update their databases to recognize one of the viruses in their collection, and some took a month or even longer. As the authors state, “The rate of update for their signature databases is very slow, and even viruses that are already known to most anti-virus products are still not identified by these insufficient products.”

Freeware is best. Imperva found that the best protection came from two freeware anti-virus products, Avast and Emsisoft. Of the commercial products, both McAfee and Symantec also excelled in detecting their set of viruses.

Behavior instead of signature detection is needed. Imperva doesn’t recommend completely eliminating anti-virus from an effective security posture. Instead, the company suggests that “security teams should focus on detecting abnormal behavior such as unusually fast access speeds or large volume of downloads, and adjust its security spend on modern solutions to address today’s threats.”

So what are the key take-aways for security teams?

First of all, if all you have is anti-virus software, then you are exposed and you should quickly start to add additional protective technologies. Focus more on detecting badly behaved apps, looking at those situations where you are doing massive downloads or fast flux conditions. Next, look for network-level intrusion detection and prevention products, and also beef up your desktop-based firewalls. Some of the more popular security products from Symantec and others have these features included in their desktop AV products too.
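As an added illustration, not taken from the article or the Imperva report, the script below applies the two behavioural signals mentioned above, unusually fast access and large download volume, to a handful of constructed proxy log lines. The log format, the addresses, and the thresholds (a burst of more than 3 requests within 10 seconds, or download volume more than 10 times the population median) are all assumptions made for this example.

```python
"""Toy behavioural detector over constructed proxy log lines (added example).

Assumed line format (constructed for this example, not any real product's):
    <epoch_seconds> <client_ip> <bytes_downloaded> <url>
"""
from collections import defaultdict
from statistics import median

# Constructed sample: 10.0.0.7 shows the "fast access / large volume" pattern,
# the other clients look like ordinary office browsing.
SAMPLE_LOG = """\
1000 10.0.0.5 1200 http://intranet.example/home
1003 10.0.0.6 5400 http://news.example/story
1010 10.0.0.5 800 http://intranet.example/mail
1011 10.0.0.7 900000 http://files.example/a.bin
1012 10.0.0.7 950000 http://files.example/b.bin
1013 10.0.0.7 880000 http://files.example/c.bin
1014 10.0.0.7 910000 http://files.example/d.bin
1020 10.0.0.8 3000 http://news.example/other
1040 10.0.0.6 2500 http://news.example/story2
"""

def parse_log(text):
    """Yield (timestamp, client, bytes) for well-formed lines; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield int(parts[0]), parts[1], int(parts[2])
        except ValueError:
            continue

def client_profiles(records, window=10):
    """Per client: total bytes and peak request count in any `window` seconds."""
    stamps, total = defaultdict(list), defaultdict(int)
    for ts, client, nbytes in records:
        stamps[client].append(ts)
        total[client] += nbytes
    profiles = {}
    for client, times in stamps.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        profiles[client] = {"bytes": total[client], "burst": peak}
    return profiles

def flag_anomalies(profiles, volume_factor=10, burst_limit=3):
    """Flag clients far above the population's median volume or bursting."""
    if not profiles:
        return {}
    baseline = median(p["bytes"] for p in profiles.values())
    alerts = {}
    for client, p in sorted(profiles.items()):
        reasons = []
        if p["bytes"] > volume_factor * baseline:
            reasons.append("volume")
        if p["burst"] > burst_limit:
            reasons.append("burst")
        if reasons:
            alerts[client] = reasons
    return alerts

def run_detection(text=SAMPLE_LOG):
    """Full pipeline: parse, profile, flag. Returns {client: [reasons]}."""
    return flag_anomalies(client_profiles(parse_log(text)))

if __name__ == "__main__":
    print(run_detection())   # prints {'10.0.0.7': ['volume', 'burst']}
```

Using the median of all clients as the baseline keeps the volume rule relative to the population rather than to a hard-coded number, which is what lets it keep working when everyone's normal traffic grows.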

Finally, don’t be complacent: Security is a continuous process, and it’s a constant challenge to stay ahead of the bad guys.

Comments

  1. BY Wo'O Ideafarm says:

    Call me skeptical. The anti-virus industry is focused on instilling fear into as many computer illiterate people as possible and then harvesting them. That is the essence of the business. It’s not about actually defeating viruses. That’s why the lists take so long to get updated.

    Anyone who knows how computers and viruses work can do just fine without anti-virus software. It just takes some common sense and street sense. Perhaps, once in ten years, your computer might get infected because some web site that you decided to trust wasn’t worthy of it. If that ever happens, just restore your computer to factory and then restore your data.

    • BY James says:

      The key words there are ‘computer illiterate’. As in VPs, CEOs and other such acronyms who can’t set up their own email accounts or even remember where they saved a file. These are highly educated people. They are educated in a certain field which happens to not be computer science. Even with an advanced degree in computer science you can be fooled by social engineering tactics such as forged web sites. If you are going to be in the computer security industry you need to have a more rounded education and get to know human psychology before declaring that smart people are the solution. I could go on to draft my own e-book on the subject but I don’t have the ambition to do so. Just read Thinking Fast and Slow by D. Kahneman to get you started.

      • BY Wo'O Ideafarm says:

        My remark isn’t the whole truth, and I’ve already been corrected appropriately by a mother of teenagers. But I stand by my remark. People who download and run programs from sites that they have no reason to trust deserve to suffer consequences so that they learn a basic, universal, and timeless lesson that all humans, indeed all creatures, throughout the history of the world have had to learn. Life exists in a hostile environment, and idiots do and should be killed.

        If this sounds harsh, consider the harshness of the alternative. The history of traffic deaths illustrates the point. The more government spends to make roads safer, the STUPIDER and more CARELESS drivers become. There seems to be an equilibrium level of carnage.

  2. BY ParanoidAsNecessary says:

    That’s all fine if you don’t have any hormone-crazed teenage boys, or mega-socializing girls in your household. You can talk until you’re blue in the face to them about how to prevent infections, but it will land on deaf ears. Infections occur MUCH faster than every ten years in that kind of household. I’ll stick with Avast and Comodo on the household computers, thank you very much.

    • BY Wo'O Ideafarm says:

      I stand totally corrected. Wasn’t thinking about children or teenagers! You are quite right, although I’d still vote for the ultimate solution: computerless childhood.

  3. BY oldgray says:

    Recently I was infected with a rootkit despite having a major anti-virus program fully updated (it insisted that ‘Your computer is safe’). One component was a DNS redirector. This would have been easy to detect if the anti-virus program had done more than look for signatures of known viruses. The whole approach has to change.

    • BY Wo'O Ideafarm says:

      >> The whole approach has to change.

      I agree, but not the way that you mean. The root problem is that you have all become selfish people. A moral transformation in society is needed. Individuals need to publicly declare, in a way that makes them accountable, that they are committed to living unselfishly. Then those people need to separate themselves from the selfish people and build an autarkic society that exists on the planet independently of, and well defended against, the defiled masses.

      That is the essence of the IdeaFarm ™ City plan. Click my name for more information.

      • BY ParanoidAsNecessary says:

        I really don’t want to know what you’re smoking, or for how long you’ve been doing it. And no, I don’t think I will click your name, because my computer might become infected with an undetectable virus. ;-)

        • BY Wo'O Ideafarm says:

          Imagine a time when computers are simple and extremely exciting and intellectually engaging, and when everyone that is involved with computers along with you is a nice person who would never do anything antisocial.

          That is the way that computerdom was in 1974, when I first programmed a computer. The world of computers was collegial. There were only a few thousands of us, and almost all of us were highly educated, which means that we were thoroughly indoctrinated in ethics. Highly educated people aren’t better than other people, but they are nicer, because they can be. They don’t have to worry about money the way that most people do, so they can keep their hands cleaner.

          IOW, I remember a world that was much nicer, much simpler, much more exciting, and in which it was much easier to get work done. There is no reason why this cannot be so again. I have a plan for achieving it. If my plan succeeds, there will be no need for anti-virus software.
