The End of Signature-Based Antivirus Software?

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impresive, besides the huge difference between response times among antivirus companies, is that two products succeeded to proactively detect all 6 attacks without any signature update. "

Virus proliferation

[QangMartoq]

It is almost amazing to me that most viruses (and other various forms of malware) continue to flourish in a computer culture where using a virus scanner is so common nowadays.

Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.

Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.

The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.

Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?

In my personal opinion , the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this desription Example: Grisoft AVG Free Edition is already available.

What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

Re:The problem isn't the software...

[Delphiki]

The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.

Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?

Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer? There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?

Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.

Re:Data from the article

[Baron+von+Leezard]

This is a meaningless test. I can write an AV program that will get 6/6 no matter what you feed it: it always returns positive. Is that actually helpful? Obviously not. The article mentions that the products that scored 6/6 have a higher false positive rate. Sounds harmless, but even the tiniest false positive rate renders a product completely unusable when the volume of scanned items is high. So what does this test actually reveal? Absolutely nothing. [BvL]