Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can You Trust Anti-Virus Rankings?

Posted by CmdrTaco on from the of-course-not dept.

Slatterz writes "It seems nobody can agree on a universal set of tests for rating anti-virus software, with Eugene Kaspersky the latest to weigh in on the topic, criticizing the well-known Virus Bulletin 100. Kaspersky is one of several big anti-virus brands to fall foul of the VB100 tests, reportedly failing to pass a recent test of security software on Windows Server 2008, along with F-Secure and Computer Associates. At Kaspersky, bloggers have pointed out that they don't focus on detecting PoCs, calling it a 'dead end,' and saying their anti-virus database focuses on 'real threats and exploits.' 'I don't want to say it's rubbish,' Kaspersky told PC Authority. 'But the security experts don't pay attention to these tests. It doesn't reflect the real level of protection.'"

47 of 258 comments (clear)

  1. No. by Anonymous Coward · · Score: 2, Funny

    Next Question

    1. Re:No. by A+non-mouse+Coward · · Score: 5, Insightful

      Anti-Virus is outsourcing the problem of deciding what is good to execute on your computer to a vendor who works backwards and blind.

      It's "backwards", in that you don't tell them what is "good". They try to guess what would be on your "bad" list. As everyone here knows, it turns out that the "bad" list is much, much longer than the "good" list. In 2007 alone, F-Secure added more virus sigs to their products than the totality of sigs accumulated from the previous 20 years! And last I heard from them, 2008 was projected to double 2007. That sounds almost like quadratic growth to me ... and keeping up with that growth rate is not a game I'd want to play! My list of "good" software doesn't increase on a quadratic growth rate, does yours? If this were any other field of computation, the signature approach would have been laughed off the planet by now.

      It's "blind" in that they aren't seeing what is actually running on your computer. For privacy (and performance) reasons, nobody provides metrics back to AV vendors about all of the executables that weren't labeled "bad", and rarely do the metrics about what is labeled "OK" actually go back to them. The AV vendors have to take a shot in the dark. They can simulate what they think your computing environment looks like, but it's just a guess. They cannot know if you have custom or proprietary software that matches one of their AV sigs unless they actually test that particular program against their sigs (and you don't let them do that, hence the "blind" remark).

      Backwards and Blind is very problematic. Every once in awhile, we hear about fiascos like Symantec deciding an asian language DLL is a virus, killing all of their asian customers' windows installs for a day or two.

      The question the benchmark is really trying to answer is: Which vendor's product is best tuned for the least amount of false positives and false negatives? When we should really be asking the question: Do I know what is good to run on my computers? And if the answer to that is "yes", then we should be asking the question: Why can't these vendors make a product that only allows my "good" programs to execute and nothing else?

      --
      libertarian: (n) socially liberal, financially conservative; neither left, nor right.
    2. Re:No. by thePowerOfGrayskull · · Score: 4, Insightful

      Do I know what is good to run on my computers? And if the answer to that is "yes", then ...

      The problem with that, of course, is that the answer is "no" for most people.

    3. Re:No. by jimicus · · Score: 2, Insightful

      And if the answer to that is "yes", then we should be asking the question: Why can't these vendors make a product that only allows my "good" programs to execute and nothing else?

      Because such a product wouldn't need to be updated every year or require monthly subscriptions.

    4. Re:No. by _Sprocket_ · · Score: 3, Interesting

      Indeed; nor should we expect them to. The vast majority of computer users want to use the computer in the same way that they use any other appliance; and frankly, they /should/ be able to. Unfortunately, the only way to give them that experience is to a) line up all malware authors and shoot them; or b) provide them with locked-down machines that can only run Authorized Content in an Approved Manner.

      The problem with that is we've just spent the last 20+ years going through massive innovation because there's no particular approval to how this tech is used. Bolting on Approval could have ugly effects. Unless, of course, that approval is from the end user. Which puts us in the same place we are now.

      The other issue is that we're not dealing with a toaster. Nobody expects their toaster to also become a calculator, telephone, and TV on demand. We're dealing with a complex and powerful machine. A computer is not a toaster (or a truck - but I digress).

      That doesn't mean we shouldn't be trying to simplify the tech. After all, an automobile is also a pretty advanced piece of machinery as well. But the key to this is making really intelligent and sufficiently paranoid choices on how to go about doing this so the end user doesn't have to. Part of the problem is that some aspects of the industry like to portray their products as toasters while making poor design choices; a customer base of monkeys with machineguns.

    5. Re:No. by hairyfeet · · Score: 3, Insightful

      Actually as someone who has been working in Win PC repair more years than I can count,I'd say the biggest problem would be a simple fix for MSFT,but for some reason they haven't. And that is that file extensions are all or nothing. What I mean is this: either they can see file extensions,in which case the user can fuck up EVERY single file they touch,because it lets them wipe the file extension when they go to rename the file. Or you can't see the file extensions,in which case the nontechnical user get bit by the "OMG watch Britteny suck teh titties!".avi.exe malware.

      There should be a way to show file extensions but not change them unless you right click and explicitly choose "change file extension for this file" which would give the user a warning,like "This can cause the file not to open correctly. Are you SURE that you want to change the file extension?". If you did that,a whole damned lot of the infected machines that cross my desk weekly wouldn't be filled with malware. I don't suppose anyone knows of a freeware solution that does what I just described,do you?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. I'm with Kaspersky by LibertineR · · Score: 4, Insightful
    I dont care about any tests, I care about what detects dangerous stuff on my network and what doesn't. Every client I have in on Kaspersky stuff, after Norton, McAfee, Trend and others FAILED to detect viruses that Kaspersky found straight away.

    Game over.

    1. Re:I'm with Kaspersky by AioKits · · Score: 3, Informative

      I'm with you on this one. I have had good experiences with Kaspersky in the past and got the package with three user licenses for like $50 or so off the website (this was back towards the beginning of 07). Two licenses for me and one for a friend who just runs around all day with his laptop.

      The real fun tho is when I run WAR it detects 'keylogger like behavior' from the software. Heheee.

      --
      "Quote me as saying I was mis-quoted." -Groucho Marx
    2. Re:I'm with Kaspersky by CopaceticOpus · · Score: 4, Funny

      I don't care about tests either, I only care about anecdotal evidence in random /. posts. If Kaspersky worked for this one guy, it's good enough for me.

      (Actually my only anti-virus protection is not using IE, and not running things that shouldn't be run. I've had no problems.)

    3. Re:I'm with Kaspersky by Bloodoflethe · · Score: 3, Funny

      Yeah, I've been pushing for Kapersky for a long time on my server, but The Dell Rep says that Symantec's is The Best AV Software out there. And he is clearly more knowledgeable about such things than a server jockey like me.

      --
      "Little is much when little you need."
  3. No more.... by TheNecromancer · · Score: 3, Interesting

    than I can trust the hackers that write these damn viruses that keep infecting my PC! Yeah, standards in this industry would be a start in the right direction, but right now ANY virus protection software is better than none!

    I use Norton Internet Security, and while it is passable, I find that it's a resource hog. I know there are other products out there that are less "intrusive", but I just don't want to take the chance (or time) with another product.

    --
    Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
    1. Re:No more.... by AceofSpades19 · · Score: 5, Insightful

      Norton is an utter piece of crap, it would be advisable to get rid of it now

    2. Re:No more.... by IceCreamGuy · · Score: 2, Informative

      Wow, solid, well supported argument right there.

    3. Re:No more.... by SatanicPuppy · · Score: 3, Informative

      Norton is itself a virus. It hogs resources, causes errors, and can't be removed without killing the host.

      For what you pay, you should get something that is better than cheaper or free products available on the web...I usually replace Norton with AVG, and while I'm not a huge fan of AVG, I've never had anyone complain.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    4. Re:No more.... by TheNecromancer · · Score: 2, Informative

      I've had a number of friends say this to me also, and I have been meaning to replace Norton with AVG (after my subscription runs out), but I haven't been able to get off my lazy ass and do it!

      I've had a good experience with Norton over the years, but recently the quality of their product (read: quality sucks now!) has gone way down. For me, I first noticed it when they removed parental control from their antivirus product, and made it a free "add-on" that you had to install separately. WTF??? Why did you remove functionality that was previously included, just so I have to install it separately?!?!? In addition, they made it so goddamn hard to find the install file that it was equivalent to spending a couple hours with a help desk technician in India!

      I'm sure I won't replace Norton until I get my full use of the subscription that I paid for. Or, when a virus kills my PC (knock on wood).

      --
      Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
    5. Re:No more.... by Ngarrang · · Score: 5, Insightful

      Wow, solid, well supported argument right there.

      Indeed, it is. Norton really is a load of crap. It is a resource hog of cpu, memory and hard drive. I believe the only reason it is found on anyone's PC is because Norton pays PC companies to install it by default. Because, frankly, you would have to literally know nothing about AV to choose Norton. As in, you did no research and picked the shiniest box off the shelf. At which point, I have lost sympathy for the user.

      My company relies on SOPHOS. In 12 years of working with SOPHOS, never has a virus had a chance to spread...despite the users best efforts.

      --
      Bearded Dragon
    6. Re:No more.... by noundi · · Score: 5, Funny

      but right now ANY virus protection software is better than none!

      That depends, do you walk around all day with a rubber on your weiner? No? Newsflash, niether does your computer, so stop putting it's dick everywhere.

      --
      I am the lawn!
    7. Re:No more.... by Welsh+Dwarf · · Score: 5, Informative

      Correction:

      The reason Norton is on any PCs is because Norton pays PC companies to install it by default AND IT IS ALMOST IMPOSSIBLE TO REMOVE.

      Cleaning viruses off by hand is easier than uninstalling Norton.

      --
      Ask 8 slackers a question, get 10 awnsers (a citation, but I can't remember from who)
    8. Re:No more.... by mhall119 · · Score: 2, Informative

      Common knowledge generally doesn't require a citation.

      --
      http://www.mhall119.com
    9. Re:No more.... by Ngarrang · · Score: 4, Insightful

      So Norton finally got their act together with the 2009 version? Good for them. But, they have a long road to travel to fix the perception that their product is bloated. Such a history is difficult to change overnight.

      --
      Bearded Dragon
    10. Re:No more.... by kimvette · · Score: 2, Interesting

      Would you consider using ZoneAlarm for your software firewall (or get a "hasbro" level appliance for home if you don't have one and don't bother with a software firewall if the PC isn't mobile), and then a F/OSS AntiVirus package that does AntiVirus and ONLY antivirus? If so, then check out Moon Secure AntiVirus. I run it on my Vista installation (which exists for gaming).

      On Linux, I don't worry about it. In fact, I submit bug reports to malware authors complaining that their crapware doesn't run on WINE and I feel left out. OH WOE IS ME!

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    11. Re:No more.... by AceofSpades19 · · Score: 2, Funny

      The Sky is blue [Citation Needed]

    12. Re:No more.... by jimicus · · Score: 4, Informative

      May I recommend the Norton Removal Tool

      It shouldn't need to exist in the first place, of course - the uninstall should work - but IME it works pretty well.

    13. Re:No more.... by ceoyoyo · · Score: 4, Funny

      It doesn't spread, so it's not a virus. More like a cancer. Or a birth defect, if it comes pre-installed.

    14. Re:No more.... by JustinOpinion · · Score: 3, Interesting

      Norton is ... ALMOST IMPOSSIBLE TO REMOVE.

      Which I found especially hilarious/frustrating when I was required to upgrade the version of Norton on a bunch of lab computers. The upgrade wouldn't work, and told me I had to uninstall the previous version. Turns out uninstalling the previous version was unbelievably difficult. The auto-uninstall didn't work. The Norton removal tool didn't work. Finally I had to follow a series of manual step-by-step instructions about what files to delete and what registry keys to modify.

      And after all this pain and suffering to remove Norton... I had to install a new version. (That I knew would be a pain to eventually uninstall or upgrade.)

      Needless to say I now avoid Norton like the plague. Yet I would argue that Norton/Symantec is widespread not only because of default installs--but because they seem to do a good job marketing to the higher-ups. They win large-scale deployment contracts, where the software annoys end users and many admins, but looks good and secure on paper, I guess.

    15. Re:No more.... by kimvette · · Score: 5, Funny

      Oh come on who are you kidding? It is easy to remove:

      1. Log in as administrator
      2. Open command prompt
      3. cd \Program Files\ and rmdir /s Symantec
      4. CD Common Files and rmdir /s Symantec
      5. Open the registry and go to the SERVICES key and delete all the Symantec services
      6. Open the registry and go to the RUN key and delete all the Symantec entries
      7. Reboot
      8. Install and run ccleaner, run the registry tool and let it clean up the now-broken library registrations
      9. Use the uninstaller tool in ccleaner to remove now-broken uninstallers (that don't really clean up Symantec's poop trail ANYHOW)
      10. Now try removing the directories again (steps 3 & 4) to remove the remaining Symantec poop

      There, now Symantec PoopWare is now completely uninstalled. Now, wasn't that easy?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    16. Re:No more.... by UberMorlock · · Score: 3, Insightful

      Sure you can. Just like a wife would recommend against trusting her husband just because he stopped cheating on her THIS YEAR, but had cheated on her in each of the last 6 years. Just because a change has been implemented does not mean that the change is permanent. Likely, this edition of Symantec is just a temporary reprieve from the all-consuming nature of Symantec products.

    17. Re:No more.... by Anonymous Coward · · Score: 3, Informative

      >6. Open the registry and go to the RUN key and delete all the Symantec entries
      >7. Reboot

      Norton likes to hook into stuff like the ATAPI drivers. If you kill all of the Symantec registry entries, neither Windows XP nor vista will be able to start. Easy fix with Vista, but on XP you're just boned. I know this from personal experience.

      Just use the Norton Removal Tool provided by Symantec. It works really well, assuming your Norton isntall isn't completely FUBAR. If it is, well, you were probably due for a format anyway.

      On another note, when Norton is uninstalled or the subscription runs out, it sometimes completely destroys the computer's ability to network. As in you can't even get an IP address. I can't count the number of times that a PC had mysterious network problems that were solved by Norton Removal Tool. And this is in addition to NIS blocking legitimate traffic like Windows file sharing. There really is no excuse for running Norton anything, let along Norton Internet Security.

  4. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  5. Tests need to evaluate _something_ by PhYrE2k2 · · Score: 5, Informative

    Take crash tests on new vehicles. Name me one that doesn't have a 5-star crash rating? The rating system is too easy, and needs to constantly be moved to achieve a new level of betterness. Not everybody should get A's. Once the majority of players reach a standard, the standard should be moved to motivate advancement in the field and show the better of the pack.

    For example, the 5-star front-impact crash rating is par for the course now... but nobody seems to advertise the offset crashes, such as the right half of your bumper hitting the left half of your 'opponents' bumper. Why? Because it's sad in comparison. It's also not pretty to watch.

    So all the power to making the standards hard to achieve. Yes this may not be the 'real world' threat, but it's a threat nonetheless. They're basically saying "Since England isn't going to declare war on the USA, any preparedness for receipt of an attack by the USA shouldn't be considered in overall military preparedness". That's of course rediculous. Protect only against the popular virus and the unpopular virus will begin to spread.

    --

    when you see the word 'Linux', drink!
    1. Re:Tests need to evaluate _something_ by thedonger · · Score: 4, Insightful

      In an unusual parallel, world famous rock climber Chris Sharma wanted to downgrade a rating on a climb - one of the hardest climbs of its type in the world. From what I gather, the reason was that you reach a point where the rating system becomes meaningless as higher and higher ratings are made, and you lose the context in which the previous ratings were assigned, and the foundation on which the rating system is based.

      --
      Help fight poverty: Punch a poor person.
  6. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  7. That's why I by svendsen · · Score: 3, Interesting

    I have different Anti virus product on each of my machines at home. I figure the gap of what they won't detect is smaller then what just having one product will detect.

    Bullet proof? Of course not.

    So far with Avast, AVG, (mind you one virus product per computer only) ZoneAlarm, FireFox, and some basic sense I haven't been hit.

    My only issues (sad enough) is when a windows update broke Zone Alarm and when AVG detected Zone Alarm as a virus (cause a new version came out) and shut it down.

    Now that i really think of it all the products designed to protect me have been the ones giving me all the trouble. HAHAHA (as I cry)

    1. Re:That's why I by IceCreamGuy · · Score: 2, Informative

      I deal with AVG Network edition (which is the same as the free edition but not free and with a semi-functional control center), and I can tell you that they put a lot of what I would consider legitimate software in their defs. Their newest version 8 does not remember your exceptions correctly, either.

    2. Re:That's why I by Ilgaz · · Score: 2, Interesting

      The new version of Kaspersky and couple of other vendors who spends money to development instead of animated ads tries to go with "white list" approach.

      For example, while it does very suspicious things (due to its function), Zonealarm is very known to the AV solution and once it is surely the ZA it trusts, it won't bother with it too much UNLESS it starts doing things which it isn't known to do. It adds lot to the performance and Kaspersky is the last vendor to blame about heuristics since its early versions. If they didn't do a lot of heuristics against unknown threats, they wouldn't be blamed for making it "slower" than free AVG and robbing the users.

      I can understand why Mr. Kaspersky is particularly touched by the claim of the test and the products failure against imaginary threat. Kaspersky was one of the first AV solutions to run a small virtual machine and emulate things before giving them go. It is also running way deeper than many on the market (ring 0) so that is why it may create horrible slowness with hypervisor, emulation type of Windows. E.g. on Virtual PC 7, it is plain suicide to run it.

  8. Trust anti-virus ratings? by olddotter · · Score: 2, Insightful

    I'd just like to be able to trust anti-virus software.

    http://arstechnica.com/journals/apple.ars/2008/10/20/mac-malware-program-macguard-masquerades-as-antivirus-app

    I'm getting really paranoid about things. I find myself avoiding any web service that wants me to download a app or plug in I'm not very familiar with.

    --
    Think Deeply. ...
  9. Not a fan by apharas · · Score: 2, Informative

    I have been solidly unimpressed with the results from most of the main stream anti-virus vendors. There are of course huge trade offs between speed, usability and accuracy. I also don't like having programs think for me without giving me a viable option to change the way it's handling a situation on the fly. For my machines I've switched all windows machines to ESET's NOD32. All my personal linux boxes I have on F-Prot. -- a

  10. TLAs by pjt33 · · Score: 2, Funny

    My guess was that it's a politer version of PoS.

  11. Re:PoCs by SatanicPuppy · · Score: 2, Informative

    Proof of Concept; sad, but in Securityville this is actually used often enough that it would be considered a "normal" acronym. The debate usually revolves around the fact that a lot of PoC's are completely esoteric and can't be made into actual workable mass-market exploits.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  12. Re:PoCs by grcumb · · Score: 2, Funny

    Is there an acronym for "woooosh"?

    IMHO: no. YMMV.

    HTH HAND

    8^)

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  13. industry created whole by QX-Mat · · Score: 2, Informative

    Proof of concepts are tangible vectors to infection. By not including and rigerously detecting such methods, they AV companies will allow more viral products into the market. This is a very self-serving stance.

    I actually see problem of trust emerging. Once upon a time KAV was a brilliant peice of software that ran in DOS well enough to remove the plague of Win95 Marburg infections that hit the UK gaming community after a bad cover CD. That was a time when viruses existed, and you had to stop them infecting you. The prospect of new and novel viruses infecting you wasn't really an issue as home Internet penetration was small. As such, AV software wasn't marketed as the only thing you needed to stop all viruses forever, but as a tool that will detect more than its competitor more reliably. The money you paid was for a good huristics engine that was fast, efficient and more importantly, updated reguarly.

    Now I see AV products as nothing more than 'ineffective-ware'. If AV programs claim to prevent the infection of known viruses, and reduce to risk of infection from emerging viruses, I'd probably have more faith in the industry. But they don't... in subscribing the "we can protect you from everything" marketing hype, almost every AV company has asked us to put faith in their product to stop "unknown" viruses... and we expect them to.

    They don't. It's a computational nightmare.

    KAV are in a past mindset. They have to change. They have to consider that what people really want is reliability - they want software guarantees. If any peice of AV software is going to help the market rather than hinder it, it is going to be reliable. What is the most reliable part of an infection? The vector, not the virus itself.

    The truth is really in the pudding. Viruses have changed. Almost all now are polymorphic and highly reentrant. A few lines of code will change a signature making it undetectable. Fnfection is detectable at the point of entry. If the research is put into proof of concept code in making a system vulnerable, then the AV response should be to track and thwart that success.

    Matt

  14. Process - Not Product by Exanon · · Score: 3, Informative

    Call me a Schneier fanboy, but I practice security on my home network like a process, not as in buying a product and be done with it.

    Security for me begins with sensible configuration of the router and the PC's on the network, then it moves to access rights and regular patching of said computers.
    This includes regular checkups and glancing at logs every three days or so to look for obviously suspicious traffic. Finally, after all of these steps, I use Kaspersky (since I had heard good things about it) together with rootkit detector. (Oh, and Firefox with NoScript)

    All of this prevents pretty much all the scriptkiddies from getting in (I hope), but then again, the best thing you can do is to not download anything you don't know what it is.

  15. Re:My favorite AV software: by hAckz0r · · Score: 2, Insightful
    That's very strange. Then someone should go tell VirusList.com that because when I do a query for "linux" I get 1156 hits. Ok, so maybe they are not all technically viruses because the first 306 are classified as backdoors, then came the denial of services, then... I didn't look at the rest because I just got tired of clicking the next page button.

    Virus or not, there is plenty of malware out there so it is still prudent to be regularly check your system and be aware of these threats, even on Linux. [c|k]lamav, chkrootkit, and rkhunter are your friends and don't mind working late at night while you sleep. Setting up ipfilter to to default deny for outgoing services is also a good idea. I like firestarter because it lets you monitor what apps are connected to the net on what ports to catch some types of covert channels and back doors.

  16. Used Many AV over the years by GlassHammer · · Score: 2, Informative

    My Progression in AV software went: Mcafee-> Norton AV -> AVG -> AVG + No script + Zone Alarm -> Linux (Fedora 9)with Clam AV -> Linux F-Secure (trying it out) What sparked the changes in AV was always "Computer Performance". Some of the above devoured my computer and left me with little reasources.

  17. Re:My favorite AV software: by mcgrew · · Score: 2, Interesting

    You are correct; as I just told another guy, a trojan will work on any platform, and the only unhackable computer is a broken computer.

    Backdoors, trojans, and DoSes are not "technically" viruses any more than a window is not "technically" a door and a screw is not "technically" a nail. And I doubt very seriously that Linux has 300 back doors; I'd be surprise dit it had one. If your source calls a trojan a "backdoor" your source is ignorant.

    And yes, it's prudent to be vigilant. But with Windows, vigilance isn't enough. A Windows computer can be compromised before it can even be patched.

    I see someone modded it "overrated", but there are a lot of microsoft employees on slashdot. I expected some asshat to mod it "flamebait" or "troll".

    --
    Free Martian Whores!
  18. Your brief review is possible shilling by TravisO · · Score: 4, Insightful

    You do realize that's it's possible, albeit likely Norton encouraged them to write the review?

    I believe this is tangent to the point of the /. article: not only are tests flawed, but you should inherently not trust any major news source to unbiasedly review a product.

    - Why do they only compare it to Kaspersky?
    - Why do they mention ram but not a speed comparison (I'd gladly give up 15mb of more ram just to have better performance in my AV, ram is dirt cheap)
    - If NIS2009 is so "lite", why don't they mention the specs in comparison to older NIS (only Norton would want to cover up their old specs, which is a core issue that makes me suspect this is a shill article).

    Not to mention I never trust any online news source, including tech sites, to have somebody savvy enough to know how to test an AV properly, which, as the /. article points out, not even the AV "experts" have figured that out, much less some tech site.

  19. NOD32 * by x102output · · Score: 2, Insightful

    NOD32 FTW!