Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anti-Virus Effectiveness Down from Last Year

Posted by Soulskill on from the getting-worse-at-getting-better dept.

juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise: "For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."

9 of 201 comments (clear)

  1. smitFraud by Freaky+Spook · · Score: 4, Interesting


    I've had a lot of people bring me infected PC's with smitFraud, that the big AV's have not even recognised or been able to properly remove, they have been pretty angry that the $90 or so they paid for a complete Internet Security product was not able to protect them.

    It causes windows to pretty much choak and die as it just consumes so many resources and provides so much irritation, but major products like Trend or Symantec have not been able to successfully protect or remove them, I have had to use custom written tools that you get off the net for free. They really dropped the ball with that one.

  2. My expectations are not that high... by RuBLed · · Score: 4, Informative

    I always assume an antivirus is only as good as its current signatures. Heuristics are good but nowadays, I could literally count with my fingers the number of times it did the job. The best defense is still knowing what you are running with or without an antivirus. Most of the annoyances I see are done by the local script / virus kiddies, their work rarely make it outside the country so the signatures against those are not a priority. (Although what I hate is that most of this local scripts/virii are just copycats of popular ones, yet popular AV's rarely detects them...)

  3. Re:yeah, but.. by _merlin · · Score: 5, Informative

    Considering how few viruses run on Linux, it's not as big a deal for Linux users. However, Linux machines that deliver content to Windows users (mail servers, usenet servers, bulletin boards, etc.) are a useful application for Linux virus scanners that detect viruses for other platforms. And the big names do function in this role: Kaspersky and AVG both have products for doing just this. And there's the free ClamAV as well, of course. The Linux versions of the big name products are probably no more or less effective than the Windows versions.

  4. running multiple antiviruses by improfane · · Score: 4, Insightful

    No one company has the resources to be aware of every virus. The standard advice is to run more than one.

    In Windows, if you wanna run more than one, you can only have the real time protection of a single anti-virus enabled or you get conflicts.

    Meaning you rely on the on-demand protection of every other anti-virus and have to manually run them regularly OR set up schedules. What kind of user will do that?

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
  5. Just dont do it... by Dishevel · · Score: 4, Interesting

    Just don't have AV's installed at all. Not having AV installed on my system keeps me from even thinking of trying anything stupid. every month or so I download a free trial of a Non Norton / Non Mcaffee AV program, update it and run a full scan. Then I do the same with a different one. Then I repeat with Spyware/malware programs. All that has ever been found is a few cookies. Safety through not doing stupid shit.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  6. Re:yeah, but.. by allcar · · Score: 4, Interesting

    You make an excellent point.
    Pro Linux, as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers baring trojans.
    If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opeing the door to anyone. However nobody should be ignoring malware with the excuse that Linux is immune.

  7. The kind of targets by _merlin · · Score: 5, Insightful

    I disagree. I think the reason there are fewer pieces of malware floating around for Linux is because of the kind of roles Linux machines typically serve in. Most Linux machines are servers or enterprise workstations. In the case of a server, there will be a system administrator who is responsible for configuring the server, locking it down, and keeping it up. Chances are, they'll notice malware pretty quickly, and do something about it. Enterprise workstations aren't an attractive target, either: they're usually either a shared machine that's locked down hard, and under the eye of a sysadmin, or they're the pet of a tech-savvy user who wants his box in top condition so s/he can get stuff done.

    Malware is all about money these days, whether it's herding bots so you can sell spamming services, or getting paid to DDoS someone's competitor, sniffing credit card numbers to buy stuff, or sniffing personal details for identity theft. Remember that your attack isn't 100% reliable, so you want as many potential targets as possible, and you want to attack weak targets so as to get the highest possible success rate. All so you can make as much money as possible, of course.

    And what's the best target? Home Windows PCs, of course. No vigilant sysadmin monitoring the system; average Joe user doesn't grasp the concept of locking his box down, let alone have the m4d skillz to do it; Joe doesn't install patches regularly because he sees the downloads and restarts as nothing more than an annoyance; Joe doesn't really understand his computer, so he doesn't know how to look for the telltale signs of malware; Joe doesn't understand that he has to keep his virus scanner's definitions up to date, and turned off the annoying prompts; Joe doesn't understand a firewall, so he just clicks "Allow" to get rid of the warning message; the list goes on forever...

    Now that MacOSX is becoming more popular, we're seeing a bit of malware for it, too. Example, that thing that claimed to be a video codec, but was really a DNS redirector. Now this one is a very good example of how malware authors target uninformed users: in the standard OSX installer program, there is an option to show the files that will be installed; if you or I (as /. geeks) looked at the files that this "codec" was installing, we would see that it couldn't be a real codec at all, and we could cancel the install; but an uninformed user won't know to look at file listings, and won't know what looks right, and what doesn't. It wasn't a failing of the OS: it was a valid installer package that prompted for authorisation to run; it was all about users who don't know how to administer a system.

    Until Linux is popular in the hands of inexperienced, non-tech-savvy home users (as opposed to enterprise), it won't be an attractive target for malware authors, and we won't see its security put to the test. When it does become popular, I expect we will see Linux malware, and I expect it will be like OSX malware, in that it relies on failings of the user, rather than the system itself.

    For the record, I use OSX and Solaris at home, and develop for whatever I'm paid to develop for at work (which was, until recently, Windows, Linux, Solaris and OSX - looks like it will be just Solaris soon).

  8. Re:where are all the Linux server exploits .. by FireFury03 · · Score: 4, Informative

    If that were true, where are all the Linux server exploits being actively being used it the wild.

    Linux server exploits _are_ being actively used in the wild. If you don't keep your server patched up then you stand a pretty good chance of being rootkitted. However, Linux distros tend to be pretty hot on security updates, meaning that a fully up to date system has very few known security holes. I suspect there are also more "idiot" server admins in charge of Windows servers than Linux servers (that is not to say that Windows admins are idiots, I just suspect there is a higher proportion of clued up admins in the Linux world).

    However, the server world is very different from the desktop world - in the server world you can be relatively trustful that the admin won't go and install some random shiny new screensaver, etc. whereas on the desktop most people are not (and do not have access to) qualified admins.

    A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the users home dir, the core system would remain immune.

    There are a couple of important points here though:

    1. Your average home user does _not_ have a dedicated sysadmin. When they want to install a package they (generally) need to become root to do it - that means that the numpties are equally capable of installing screensavers^Wmalware under Linux as they are under Windows. The thing the privilege separation gets you is that you can't _accidentally_ install something as root (e.g. via an exploit in your browser / mail client / whatever).

    2. Even without root, a user still usually has plenty of permissions to do some evil things. They can't do some particularly bad things like SYN floods but they can still send out millions of emails and compromise other hosts.

    3. Is the protection of the "core system" actually that important when you have a single user machine and so all the important data is owned by that user? The only thing this really gets you is the knowledge that your system binaries are probably safe (so you can trust that ps, netstat, etc are giving you accurate results rather than hiding the malware that is running).

    There may be some merit in mounting all the filesystems the normal user can write to as "noexec" so that malware can't just install itself and run as the normal user. But this may place too much of a limit on usability and most distros certainly don't do this by default today.

    --
    http://blog.nexusuk.org
  9. Re:where are all the Linux server exploits .. by GreggBz · · Score: 4, Interesting

    A user compromise on a Linux system would provide suitable functionality for today's typical malware.

    On my defualt, fully security patched Mandriva workstation:

    - I have full read write execute permission to my home directory.
    - I can run wget to download anything, and put it as an executable anywhere in my home directory.
    - I can use perl, awk, whois, grep, sed, whatever, to craft some pretty nasty scripts.
    - I can use telnet and I could write an expect script to send spam with telnet.
    - Or, I could just download a precrafted elf binary to run as a mini-mail server in my home directory.
    - It's not to hard to imagine that I could pop something in /tmp or elsewhere that would persist on the system even after the user had been deleted.
    - I could fire off a fork bomb that will crash the system instantly.

    I does not take to much imagination to figure out some suitably bad stuff that you could do as any old user.

    Of course, hiding yourself on the system and ensuring your survival could be difficult. It would be easy to find all the nasty services running as said user, since top, ps, etc.. would not have been compromised.