Slashdot Mirror


Test of 16 Anti-Virus Products Says None Rates "Very Good"

An anonymous reader writes "AV-Comparative recently released the results of a malware removal test in which they evaluated 16 anti-virus software solutions. The test focused only on the malware removal/cleaning capabilities, therefore all the samples used were ones that the tested anti-virus products were able to detect. The main question was if the products were able to successfully remove malware from an already infected/compromised system. None of the products performed at a level of 'very good' in malware removal or removal of leftovers, based on those 10 samples."

67 of 344 comments

  1. I use Microsoft anti-virus and love it by Anonymous Coward · · Score: 3, Funny

    BuY H3rB@l V1agaRa t0Day!!!

    1. Re:I use Microsoft anti-virus and love it by Anonymous Coward · · Score: 2, Insightful

      > BuY H3rB@l V1agaRa t0Day!!!

      I know you are going for funny with a shot at Microsoft (will that work around here I wonder? :), but you did notice that Microsoft Security Essentials was one of the best in the test? ;->

    2. Re:I use Microsoft anti-virus and love it by baptiste · · Score: 4, Insightful

      > BuY H3rB@l V1agaRa t0Day!!!

      > I know you are going for funny with a shot at Microsoft (will that work around here I wonder? :), but you did notice that Microsoft Security Essentials was one of the best in the test? ;->

      No kidding. I am not an MS fanboi by any stretch, but when they released Security Essentials, I gave it a whirl and have now swapped out AVG for it on everything I run AND recommend it to many of my clients (who usually are complaining about how slow their computer is since they installed NORTON 360 or they have a paid AV that expired years ago). It's lightweight, easy to use, has a very easy to understand user interface that isn't so graphical (*cough* N360), and it just works. Nice to see it garner some of the higher ratings in this test.

      What amazes me is how much like Malware Norton, McAfee, and CA can be. Uninstalling them doesn't remove them completely. You HAVE to use their removal tool. I had to remove CA ISS the other day and it was painful. Had to remove it in pieces AND run a fix on the registry permissions which had been completely locked down to the point that 'Administrator' couldn't add/remove programs. So yeah - any time systems come into my shop, I recommend they drop whatever paid AV they're using and run MSE. No nag screens like AVG and it doesn't talk to you like Avast :) My only fear is that in a year they'll let it stagnate OR try to bloat it like the others. But if they keep it simple and go for the majority of infection vectors, hats off to them. Still won't make me use IE, but it's nice to see something like this come out of Redmond, even if they bought part of it.

  2. Security... by xanadu113 · · Score: 5, Insightful

    Security is a process, not a product.

    --
    -Myke

    1. Re:Security... by sopssa · · Score: 2, Insightful

      Since you seem so confident and intelligent, how do you plan to teach that to a "normal person"?

      And in real slashdot style, a car analogy; we don't care how the taxi works or how it's supposed to secure us, we just want to get around conveniently. Without getting killed. Now the taxi driver might care more about his systems and how the innards of a car work, but we just couldn't care less. It's the same thing when casual people use computers, and you're pretty ignorant if you don't understand why it is so or why they "just want it to work" so they can do whatever they want to. Like with every other hobby or thing, only those interested in computers and security are, others are not.

    2. Re:Security... by davester666 · · Score: 5, Insightful

      It's like a piece of wood, a tape measure and a saw. If the person doesn't use the tape measure properly, and saws the wood too short, there isn't any magic that can fix the problem. Even buying a new piece of wood and a new fancy tape measure will still have the same problem if the user can't be bothered to learn how it works.

      And a computer is only slightly more complicated than a tape measure...

      --
      Sleep your way to a whiter smile...date a dentist!

    3. Re:Security... by Jurily · · Score: 3, Interesting

      Here's another analogy for you: don't rely on the police to catch the robbers. Use houses with locks on them and learn how to use it.

    4. Re:Security... by engun · · Score: 2, Insightful

      Exactly. This is why I don't use any AV product at all. As long as you're reasonably careful not to download and install unknown programs, there's no way to justify incurring a huge performance hit on a daily basis. For example, I once "fixed" a friend's PC in which she had installed two AV programs - Avira and McAfee - for additional protection and security as I heard. File copying had dropped to something like 150Kb/sec between two hard drives because both anti-viruses were scanning it. Disabling one increased the speed to about 1.5Mb/Sec. Disabling both improved it to about 6Mb/Sec (figures according to rough recollection, to be taken with a pinch of salt). I eventually left one on since she wasn't an experienced user and needed some anti-virus program, "just-in-case".

      But experiences like these over the years have convinced me that the wisdom about adjusting your process is far more valid than having an army of products. I haven't had a single virus infection for as long as I can recall and if I did, that was because I'd been careless and run some program off the net without finding out what it was. Also, I don't think AV programs offer any meaningful protection against things like browser flaws. If someone decides to exploit say a buffer overflow vulnerability in your browser and you simultaneously decide to browse to that very site which does so, well, so sad, too bad. Might as well wait for the browser vendor to release a patch which fixes that flaw and use a more secure browser like Chrome to browse dodgy sites, rather than pray an ineffective AV magically detects it with its "heuristics". Most often, all that DLL injection and the like result in an unstable browser, rather than providing any real protection.

      Having said all that, I do see the utility in being able to do an occasional on-demand scan on an executable. I also see why AV vendors are going for the nanny philosophy to deal with the armies of inexperienced users who have no idea about the "process" behind security. But for those with a reasonable idea of it, it's probably better to suffer the rare virus infection than endure a crawling system on a daily basis thanks to some overzealous AV product.

    5. Re:Security... by Kratisto · · Score: 5, Insightful

      No, see, it's like a computer and a user and antivirus software. The user expects the antivirus software to either protect him from getting a virus to begin with, or to remove it swiftly if it fails. Unfortunately, the antivirus software isn't very good in the latter situation, and because the user is an idiot, no antivirus software can help him in the first situation.

      --
      Conscience is the inner voice which warns us that someone may be looking.

    6. Re:Security... by Darkness404 · · Score: 3, Insightful

      > Which is fine until that one virus manages to get through by accident. I ran my machine AV-free for a long time until that happened, and the cleanup was unpleasant - the preventive features of AV software are far superior their cleanup ones. :S

      Yes, but think about it this way. Let's say your computer runs at half its speed with an anti-virus. You run your machine for 365 days without an AV for 30 mins doing routine work that would be slowed down by the AV (file copying, plus additional maintenance for the AV itself, etc) so it would take an hour. That is 182.5 hours per year you use it for maintenance without an AV. With an AV that doubles to 365 hours. Even if you add in an entirely long clean up process of 48 hours, you still come out ahead. And unless you get a nasty virus that somehow corrupts everything you can just restore from backup (you do have a backup of everything important right?) and if you don't have a backup you can usually boot from a Linux disk (most can read NTFS just fine) and copy things to an external HDD. So unless that machine was really mission critical (such as, if it's down for 2 days you are out of lots of money) not having an AV and having a long clean up may actually save you time.

      --
      Taxation is legalized theft, no more, no less.

    7. Re:Security... by Afforess · · Score: 2, Insightful

      I find it interesting though that Microsoft Security Essentials was one of the top three AV tested, with two "good" ratings. It also happens to be free. Maybe Microsoft is learning lessons from the past?

      --
      If our elected representatives no longer represent us, do we still live in a Democracy?

    8. Re:Security... by Leekle2ManE · · Score: 4, Insightful

      I've been reading slashdot for a while and I've avoided commenting because... I'm not a nerd. I'm a geek. Which my friend always finds annoying because 'back in his day' nerd and geek were the same thing.

      I've been into computers for over 10 years now and while I know far more than the average user, I don't know enough to hold a flame to many nerdier folk.

      However. I've dealt with enough real life cases in computer security/maint to know that the average user doesn't care about a process. They don't want to hear about it being a process. They view the computer as a glorified telephone/television combo. They just want to be able to power up, do what they want and log out. The average user these days isn't going to spend time to learn about how to properly protect themselves online because they have other things to do.

      To expand on a car analogy someone else used...
      Likening computer security to a car would mean comparing it to car security. While some people might take their cars to a car audio shop to get a security system installed, most will just buy their car from the dealer and just want to push the button and have their car secured. Even if they won't always push the button. Unless they're in an 'unsafe' neighborhood.

      What the average user doesn't understand is that every time they get online they're in an unsafe neighborhood. They don't know it and they're not going to do the research to find out. They're not reading /. They don't see comments about Security being a process and not a product. They just want to start up the computer and feel safe that their security system is working. They're not going to search online to find the best anti-virus product(s) available. They're not going to look for reviews of 16 anti-virus programs reviewed. They quite simply don't care and don't feel that they should have to care.

      What good is firewall software if the user has no clue whether to allow a process access to the internet or not, but since it just popped up while they were installing something new, they allow it anyways? The firewall/software does nothing for them.

      And before someone brings up the Linux solution. I love Linux. I use it. It is NOT user friendly though. With all the different flavors around, the *cough* average user would just rub their temples in frustration and stick with Macrohard products. And if they did pick a Linux distro, they would have to pray that all the components in their computer are compatible. I've installed Linux on multiple systems (which previously ran some variation of winblows) and every system has had at least one piece of hardware that didn't have a driver available.

      So, to make a long story short (TOO LATE) computer security for the average person will never happen. The only way to make computers secure for the average user is to make the internet secure. The only way to make the internet secure is to allow your local ISP to start white-listing/black-listing sites, thus dictating where you can and can not go. And that's never going to happen. Or at least, we hope it doesn't.

    9. Re:Security... by similar_name · · Score: 2, Insightful

      People still have to learn how to drive. It doesn't just work. I can go into oncoming traffic and head end a semi. Cars don't 'just work'. The best security product is never going to keep someone from running something stupid.

      > they "just want it to work"

      My mom used to say 'Want in one hand and shit in the other and see which one fills up faster.'

    10. Re:Security... by mysidia · · Score: 2, Insightful

      Yes, but malware is a product.

      AV/Anti-malware software should be a product that can expunge/protect against one type of security threat: rogue/malicious software.

      Nothing beyond the product should be required for expunging malware. If you are updating and the software maker is doing their job, that security threat is permanently dispensed with, and you can move on to other threat categories, if they ever become important to you.

      If not, you are secure, and done.

      Security is a process, not a product, refers to security in general, which is a lot harder than security against specific types of threats.

      Anti-malware won't stop an insider from offloading sensitive customer records to their USB stick and selling them off to some ID thief living in India.

      Well, you use another security tool for that: group policy. Configure all workstations so that removable media is allowed, and you no longer need to worry about USB sticks.

      Group policy won't protect against a hacker guessing your admin password, FTP'ing into your server, and pulling the files.

      There's a product for that too: A firewall. Which you install, and configure properly. Voila: hacker FTP'ing in is no longer a threat.

      Security is not just a process, but a bunch of products and proper configuration of those products.

      Probably one of the most important products is proper training and education of your staff, and proper configuration and choice of what issues to educate them about, and how you configure your organization's HUMAN security policies, for example, how you prevent random untrusted outsiders from pretending to be "maintenance" and gaining unescorted/unapproved access to your server room, from an employee @ front desk who knows where the key is.

    11. Re:Security... by slarrg · · Score: 3, Insightful

      Even when people learn to drive, accidents still happen. That's why technology is developed to reduce the negative outcomes of those accidents (crumple zones, seat belts, airbags) or attempt to diminish the likelihood of an accident occurring in the first place (brake lights, mirrors, reflective road signs.) This is the same reason anti-virus software is developed and it's certainly appropriate to debate the effectiveness of these methods.

    12. Re:Security... by similar_name · · Score: 2, Interesting

      > it's certainly appropriate to debate the effectiveness of these methods

      I completely agree, but some people seem to think security software is going to prevent anything from happening to their computer. I don't think a seat belt, crumple zones etc are going to prevent anything from happening to me regardless of what I do. Or for that matter what another driver does. Why should I refuse to learn anything about using a computer?

    13. Re:Security... by dmorris68 · · Score: 2, Informative

      > Yes, but think about it this way. Lets say your computer runs at half its speed with an anti-virus.

      I wouldn't run any AV that causes my computer run at "half its speed."

      I used to be a huge Norton AV hater. But since v2009 they did a major overhaul to their AV engine and now it runs extremely well. 2009 and 2010 consume virtually NO detectable resources, update themselves literally every few minutes, and turn themselves off completely during gaming. Kaspersky 2010 is a bit worse performance-wise, but not terribly so. I've also installed MSE on a few PC's for people and have been impressed with its performance. None of these three slow your PC "by half" and of the three, I'd say Kaspersky is the biggest hog, but still far and away better than the Norton of old. AVG used to be lean and mean until v8 I think, then it bloated up and got slow too. Avira free was decent but the ads were too annoying, as was the mandatory annual registration renewal for it and Avast. I finally decided to pay, and have been quite satisfied.

      So based on my experience, for free AV (that doesn't bug you with ads) I'd recommend MSE. If you're willing to pay, Norton 2010. And if you shop around online, you can get some good deals. I got 3 PC's w/ 2 year subscription of Norton Internet Security 2009 (and free upgrade to 2010) for $60, and I've actually found it even cheaper since.

    14. Re:Security... by ZosX · · Score: 2, Interesting

      Using it right now. It found a suspected trojan in my half life 1 install. It looked like a false positive, but who knows. I quarantined the file anyways. It was for opposing force. Anyone else have this detection? What was interesting was that it said it listed it as active. I was kind of surprised by this. Since I long lost my half life cds, it was a pirated copy, but usually they embed trojans in the installer exe or the cracked exe, which all tested out to be fine. Security essentials seems pretty good though and is relatively lightweight. I agree that it is about time that microsoft starts getting a lot more serious about security and vista/win7 and now this seems like steps in a good direction.

    15. Re:Security... by v1 · · Score: 3, Interesting

      It's not a question of being or not being totally effective, you can make that argument from any direction and arrive at the same answer. No product is 100% effective. It looks like this review was just saying that none of the products tested met their expectations.

      So that either means that their expectations were unreasonable, or all the tested products stink.

      Or a combination of the two. That's where my money is. Regardless of topic, security is best handled from the inside, where your footing is solid and attacks only come from one direction. Problem is, the inside is not secure. At that point you require extraordinary external security, which either means you need to be very good at it yourself, or you have to find someone that's top-notch to make up for the problem. It's no surprise that so many of these products didn't fare well, they're defending the castle while standing outside the walls. And since you're already starting out with a handicap and are going against experts and people motivated by money, if you want the job done right, you're best to do it yourself. The human element of unpredictability along with knowing what's safe and what's not safe is the best defense, not software. If you're a computer noob, there simply isn't a "very good" solution, as this review basically concludes.

      --
      I work for the Department of Redundancy Department.

    16. Re:Security... by Anonymous Coward · · Score: 3, Informative

      Your mom has a potty mouth.

    17. Re:Security... by similar_name · · Score: 2, Interesting

      I'm not suggesting people learn how to program or even know the difference between their cpu and computer case. I'm not suggesting developing safeguards are worthless. I'm only saying relying *completely* on safeguards is naive. Very simple things like not downloading free screen savers/games or clicking on links in emails from 2342@235ja.com would go a long way. I'm not suggesting anyone needs a license to get a computer.

      Unless things have changed since I took the test to get a driver's license it doesn't ask how often you should change the oil in your car. But somehow most (not all) people figure that out. There are however still people who ignore their check engine light until their car dies and there will always be people who run shady software no matter how many times you make them enter in a password. Education is still important.

      I use Windows and Linux and I trash them both because I know how to fix it. I don't know much about my car so I change my oil when the speedometer matches the number on the little sticker on my windshield and get maintenance when the manual says to.

      To sum up, all of the education and safeguards in the world will not prevent sheer stupidity. However, education and safeguards are still worthwhile pursuits. There is an area between expert and completely ignorant.

    18. Re:Security... by davester666 · · Score: 2, Insightful

      Except this is dealing with AFTER the system has been infected. From TFA, it seems as if virus checking was disabled, the system intentionally infected with various viruses, then virus removal was run. The AV software would have a reasonable chance of being able to revert your system to a pre-virus state IF it's running while the virus is being installed (which in itself shouldn't happen, but it should stop it before it's installed), but to say it should remove all trace of any given variant of any virus is ridiculous. Particularly system settings, as there are lots of changes that are completely valid for both virus and non-virus applications, that would potentially screw up 'real' applications and/or annoy the end user because they intentionally changed it, but the AV software "knew" better.

      Now, marketing for AV software may make dubious claims about virus removal (but offhand, surfing the Norton site didn't say much about virus removal, it was mostly focused on virus protection)...

      This seems kind of like a "we'll tie one arm behind your back and then see how well you can wrestle" test...

      --
      Sleep your way to a whiter smile...date a dentist!

    19. Re:Security... by slarrg · · Score: 2, Insightful

      The primary problem is that anti-virus software tries to protect against malicious activities of other people and not the actual computer user. The level of security to truly harden a networked computer from attack is incredibly high. Even the most sophisticated of us cannot guarantee 100% security of a networked system. Certainly my systems and your systems will have high levels of security but even we cannot guarantee 100% security of our own systems. Luckily, if you're in the top 50% of secure systems and you don't have military grade secrets, you're probably secure enough. Of course, that still leaves a lot of systems that are less than adequately secured. And, their users may be unlikely to become educated in the safe use of those machines.

      This is not to say that we shouldn't try to educate them but we would certainly be lax if we didn't attempt to improve their security by installing systems that automatically improve the security of their systems. We do this in the real world, too. When you buy a car, it comes standard with a lock and key system to give a small amount of security. Many people in the industry can bypass those safeguards and steal your car. But still we don't keep someone from flattening your tires, cutting your battery leads or draining all your brake fluid. Most of these things could be done to a car that is locked and with the security system armed. Luckily, it's a rare enough event that we don't feel insecure as a result.

      Likewise, our houses have locks on the doors. Many can still be breached through a window. Some have bars to prevent that. But many of those only stop a person from entering with a thin layer of siding, some fiberglass insulation, and a sheet of drywall; all of which could be breached in under a minute. So we develop automated warning systems that can quickly alert the homeowner (and paid security specialists) of a breach. Still they're not foolproof but we accept them as adequate.

      This is the equivalent of anti-virus software. Certainly we should attempt to educate people but we should also create systems that alert and notify people when their security has been breached. Likewise, we should have methods to help them remove invaders from their computer. In the real world, we have police to come in and remove criminals occupying a space illegally and it is appropriate to have software and services to do the same in a computer. The police should do the job of removing intruders regardless of whether the person forgot to lock their front door or didn't install a security system.

      I guess I'm just a little mystified as to why people always feel a need to start harping on the stupidity of the victims every time an article is written that evaluates the safeguards designed to enhance security. Education is important and certainly needs to be an ongoing effort on all security issues but in the end no one is ever completely secure and other improvements that are willingly used by people to enhance their security should certainly be evaluated for effectiveness and reported on accordingly.

    20. Re:Security... by shutdown+-p+now · · Score: 2, Insightful

      How does having the source code for the OS help you in detecting viruses - written by someone else - located inside binaries belonging to software - also typically written by someone else?

      PE format (Win32 .exe/.dll) spec is open, by the way.

    21. Re:Security... by interkin3tic · · Score: 4, Funny

      > It's like a piece of wood, a tape measure and a saw. If the person doesn't use the tape measure properly, and saws the wood too short, there isn't any magic that can fix the problem.

      Ah muggles... you never cease to amuse me!

    22. Re:Security... by interkin3tic · · Score: 4, Funny

      > My mom used to say 'Want in one hand and shit in the other and see which one fills up faster.'

      Well? What were the results? How many times did you repeat the experiment?

    23. Re:Security... by turing_m · · Score: 2, Interesting

      > Horrible analogy. There isn't a lock out there that can't be picked/broken.

      It's really not. If other houses on your street don't bother with locks, a lock is all you need unless you have a dedicated adversary.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.

    24. Re:Security... by Alpha830RulZ · · Score: 2, Insightful

      Except that the user isn't interested in the wood, tape measure, or saw, he wants a table, and thought he bought one, thank you very much. Why does he have to know how the tape is made to put his plate on it?

      Computers are somewhat unique in the level of awareness that a user has to have in order to use one safely. Unfortunately, for a lot of users, the difference between computers and magic is not apparent to them.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.

    25. Re:Security... by TheLink · · Score: 4, Interesting

      Most popular operating systems are analogous to a house with locks and a separate room for "maintenance personnel only" that's locked, and your personal room with a door and lock too (there may be similar rooms of other people with corresponding doors and locks).

      The trouble is when you invite a guest into your house, there is no guest room that _you_ can easily use, so you have to invite him into your personal room. The design of the house is such that you cannot usefully interact with the guest while the guest is in a different room from you.

      This means he has full access to your personal room. The geeks who don't understand the real world will say "Ah, but OS XYZ is secure because the "maintenance personnel only" room is locked and inaccessible". But who the fuck cares? You keep most of your stuff and valuables in your personal room! Insurance can take care of recreating the maintenance room stuff - not hard since the stuff in there is the same for every house of that model. They'll never be able to recreate your personal documents.

      This is changing a bit with Vista and Windows 7, but it's still not good enough IMO. As for Linux, I don't see much help with what I'm talking about for the average desktop user yet. AppArmor is not "desktop ready" yet, and SELinux is barely even ready for average admins.

      This test of AV products is like inviting a crook/spy into your whole house, closing your eyes and letting him mess it up (plant bugs if he wants etc), and then get someone to try to clean everything up and restore stuff back to what it was.

      Yes it can be done in many cases. But it's foolish to expect the clean up to be 100% in all cases.

      If you really want to do that, you use a special house. Then you invite the crook into that special house. Then when he's done, you press a button and the house reverts back to its original state.

    26. Re:Security... by mustafap · · Score: 3, Interesting

      > If the person doesn't use the tape measure properly, and saws the wood too short, there isn't any magic that can fix the problem.

      Use the other end of the piece of wood?

      Worked for me many times :o)

      "Measure twice, cut once"

      --
      Open Source Drum Kit, LPLC dev board - mjhdesigns.com

    27. Re:Security... by gmagill · · Score: 2, Insightful

      Are you counting the time & troubles created by having a trojan-injected keylogger collecting all your bank and assorted other login passwords?

    28. Re:Security... by Blakey+Rat · · Score: 2, Insightful

      To think that anybody on this community knows anything about the average user is ridiculous.

  3. Sign of the times... by unitron · · Score: 2, Interesting

    Despite this being Slashdot, when I first saw the headline about "anti-virus" products, I immediately thought "stuff like Tamiflu".

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

    1. Re:Sign of the times... by buchner.johannes · · Score: 3, Interesting

      They took 16 flu shots from companies that produce flu products, and used several flu strains that all companies advertise their products for (influenza C, H1N1, H1N2, H3N1, H3N2, and H2N3). The study focused on creating the necessary antibodies and 'cleaning the system' from the flu. Unfortunately, none of them rated 'very good'.

      If you have a dark sense of humor, read on.
      399234 test subjects were used, and 4735 deaths recorded.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

    2. Re:Sign of the times... by buchner.johannes · · Score: 4, Funny

      I can't provide citations to stuff I just made up

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

  4. dd by Anonymous Coward · · Score: 2, Funny

    Guess they didn't try:

    dd if=/dev/zero of=/dev/sda

    Only sane way to remove viruses. Rates an "Excellent".

    I guess the equivalent in Windows is to buy a new computer. Also, an "Excellent" method.

  5. Browsing safely by Utopia+Tree · · Score: 5, Insightful

    I don't think anyone sells common sense.

    1. Re:Browsing safely by Tumbleweed · · Score: 5, Insightful

      > I don't think anyone sells common sense.

      It wouldn't matter if they did; no one would buy it as everyone thinks they already have it.

  6. On *NIX it is standard policy to format and by LukeCrawford · · Score: 2, Insightful

    restore from a known good backup whenever the root account is compromised, be it compromised by a worm or a human, in part because it's impossible to tell the difference between a human pretending to be a worm and a worm, so it is quite difficult (perhaps impossible) to know what the attacker did, and how to undo the damage.

  7. WRONG SITE! by Anonymous Coward · · Score: 5, Informative

    They said AV-Comparative.org in the article. Try going there and see what happens. The correct site is av-comparatives.org.

  8. if merely loading a website compromises my by LukeCrawford · · Score: 2, Insightful

    computer, my browser is completely broken.

    1. Re:if merely loading a website compromises my by GigaplexNZ · · Score: 2, Interesting

      Completely broken? No, it still functions correctly most of the time, so just partially broken. Writing bug free software is virtually impossible, so while blaming your browser might seem like a good idea, the only way to guarantee that you aren't using a broken browser is to not use any browser.

  9. They tested Anti-virus software for malware by Jazz-Masta · · Score: 5, Insightful

    How about testing some malware removal programs? Malwarebytes, Adaware, Spybot?

    I find Malwarebytes' Anti-Malware to work wonders. Paired with Avast home edition, it is a good free combination. I think most system administrators notice the difference between software primarily tailored for virus detection and removal, and ones tailored for malware detection and removal.

    They tested these:

    Avast Professional Edition 4.8
    AVG Anti-Virus 8.5
    AVIRA AntiVir Premium 9.0
    BitDefender Anti-Virus 2010
    eScan Anti-Virus 10.0
    ESET NOD32 Antivirus 4.0
    F-Secure AntiVirus 2010
    G DATA AntiVirus 2010
    Kaspersky Anti-Virus 2010
    Kingsoft AntiVirus 9
    McAfee VirusScan Plus 2009
    Microsoft Security Essentials 1.0
    Norman Antivirus & Anti-Spyware 7.10
    Sophos Anti-Virus 7.6
    Symantec Norton Anti-Virus 2010
    Trustport Antivirus 2009

    1. Re:They tested Anti-virus software for malware by dbIII · · Score: 2, Insightful

      I think most system administrators notice the difference between software primarily tailored for virus detection and removal, and ones tailored for malware detection and removal.

      I think all system administrators performing the job they are paid to do don't muck about with such things - guessing where the system has been compromised and what is in some hidden corner. Instead they wipe it and rebuild or restore from backups. Of course outside the job we are confronted by people that do not have backups or even install media (every raving MS windows fanboy I've met did not actually pay for the software), so then you have to muck about with "cleaning" things and hope you've got the lot.
      They are called 0wned for a reason: it's not your computer anymore; you are better off wiping it and starting again.

    2. Re:They tested Anti-virus software for malware by mysidia · · Score: 3, Informative

      Agreed...

      They should have instead tested:

      1. SUPERAntispyware
      2. PC Tools Spyware Doctor
      3. Malwarebytes Anti-Malware
      4. PrevX CSI
      5. Webroot Antispyware with AV and Firewall
      6. Spy Sweeper
      7. ThreatFire 4.5
      8. Vipre Antispyware 3.1
      9. CA Pestpatrol
      10. CounterSpy
      11. Trend Micro Security
      12. Tenebril SpyCatcher
      13. LavaSoft AdAware Pro 8.1
      14. McAfee Anti-Spyware
      15. Panda Internet Security
      16. AVG Anti-spyware (not anti-virus)
      17. Ashampoo Antispyware

      And then maybe considered testing some of the lesser-known ones, or those that I believe to be outdated and/or quite ineffective:

      • Spybot Search and Destroy
      • Crawler Spyware Terminator
      • SPAMFighter Spyware Fighter
      • Spyware X-Terminator
      • Xblock X-cleaner
      • Cyberdefender
      • Spyware Terminator
      • StopZilla
      • SpyEraser
      • GarbageClean
  10. Stop with the recommendations by HermMunster · · Score: 4, Insightful

    Stop recommending products. The tests demonstrate that AV products don't perform well. It is right on. 80% of my day is spent cleaning malware. I have written here many times about how you need a combination of products. I've also emphasized the need to do the initial cleaning with the infected drive as the secondary in a second machine.

    Until you do this day in and day out please stop with the recommendations, as you are not helping anyone one bit.

    --
    You can lead a man with reason but you can't make him think.
    1. Re:Stop with the recommendations by mysidia · · Score: 2, Informative

      Instead I'm going to make lots of recommendations. Cleaning an infection is all about using lots of tools, since no one tool is perfect; every tool has a gap in what it can detect or clean. But when it comes to prevention, as few tools as possible should be used, and low-overhead choices should be used, since every tool installed and running slows down the workstation, and big-footprint tools have a big negative effect on users' productivity.

      I've also emphasized the need to do the initial cleaning with the infected drive as the secondary in a second machine.

      I don't recommend this. Your scanner has no way of knowing the secondary drive is a complete system.

      Some malware/viruses make registry and system-level changes, and these registry changes can have serious long-term consequences. Get anti-malware on the system that can fix the registry in the proper removal process.

      In the extreme case, running the scan on the medium plugged into another system can result in rendering the OS on the disk you are scanning unbootable.

      For the cleaning process, I recommend having a bootable USB stick with a hardware write-protect switch. Always set the physical write-protect switch to the read-only position when plugging into the system being cleaned.

      Then install anti-virus/anti-malware tools. I use:

      Avira Antivirus
      SUPERAntispyware
      Malwarebytes Anti-malware Technician Edition
      PC Tools Spyware Doctor
      PrevX Enterprise
      Lavasoft Adaware Business
      ESET NOD32
      ComboFix
      HijackThis

      Copy tools installers to some innocuous folder on the hard drive, or have them installed to run from USB.

      Run a Malwarebytes quick scan first, if possible, since it's fastest. Since the USB stick MBAM is installed on is read-only, malware can't delete or tamper with mbam.exe. Sometimes it doesn't work: some malware detects specific cleaning tools.

      In that case, use a different program. Or, actually have various methods of stopping malware from detecting the program: things like hex-editing strings in anti-malware executables to make the anti-malware "undetectable" by malware's naive procedures.

      Anyways, after the initial pass with some scanner, it will generally require a reboot, then another pass with the scanner to delete locked files. Do that.

      After all that, boot from a bootable USB stick, which is either an Avira, ESET, BitDefender, or Kaspersky rescue disk image, and run a full scan from rescue media.

      Then boot back into the system... and run a complete scan with all 6 anti-spyware tools (except HijackThis and ComboFix, which you only use once; pick only one AV tool to use. Only remove things with HijackThis if you understand what is not safe to remove).

      Otherwise: any time that a tool reports something found, I clean it, reboot, and note that when finished this round of scanning with the next tools, the spyware scans need to be done over again with all tools.

      Only after running a complete scan with all the anti-spyware tools and successfully getting "0 results found" successively with each tool, can one reliably say "I think it's clean".

      Once you get that, uninstall all anti-spyware and AV tools that were installed on the system, and install the preferred End-Point preventative security tools.

      Many of the tools that are great for scanning aren't the ones good for prevention.

      HijackThis and Spybot can make for reasonable cleaning in some cases. But for prevention of malware, it's gotta be something like PrevX or Spyware Doctor.

      And virus prevention should be eEye Blink, or ESET + Trend Micro, with some sort of IDS and network-wide patch management in place, e.g. Shavlik NetChk.

      The major consideration with prevention of AV on user workstations is that realtime protection should be available, enabled, and configured properly. The footprint should be minimal. Users shouldn't notice any slowdown.
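
      One concrete check that the "drive in a second machine" approach can make, and one that only an offline scanner with no hive loaded would miss: read the autostart entries straight out of the attached drive's registry hive. This is an added example written for this thread, not code from either poster. It assumes Windows PowerShell 3 or later, an elevated session on the second machine (reg.exe load needs it), and D:\Windows as a placeholder for the attached drive's Windows folder.

```powershell
# Added example, not from the thread: read autostart entries out of a registry hive
# belonging to a drive attached as a secondary disk. Assumes Windows PowerShell 3+,
# an elevated session, and D:\Windows as a placeholder path on the attached drive.
function Get-OfflineAutostart {
    param(
        [string]$OfflineWindows = 'D:\Windows',      # placeholder: Windows folder on the attached drive
        [string]$MountName      = 'OfflineSOFTWARE'  # temporary key name under HKLM
    )
    $hive = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
    if (-not (Test-Path -LiteralPath $hive)) { throw "Hive not found: $hive" }

    # Mount the offline hive; it is visible as HKLM\OfflineSOFTWARE until unloaded.
    & reg.exe load "HKLM\$MountName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

    try {
        $base = "HKLM:\$MountName\Microsoft\Windows"
        $targets = @(
            @{ Key = "$base\CurrentVersion\Run";     Values = $null },
            @{ Key = "$base\CurrentVersion\RunOnce"; Values = $null },
            # Winlogon Shell/Userinit are the values that get pointed at a replaced explorer.exe.
            @{ Key = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"; Values = @('Shell', 'Userinit') }
        )
        foreach ($t in $targets) {
            if (-not (Test-Path -LiteralPath $t.Key)) { continue }
            $item  = Get-Item -LiteralPath $t.Key
            $names = if ($t.Values) { $t.Values } else { $item.GetValueNames() }
            foreach ($name in $names) {
                $value = $item.GetValue($name)
                if ($null -ne $value) {
                    [pscustomobject]@{ Key = $t.Key; Name = $name; Command = [string]$value }
                }
            }
        }
    }
    finally {
        # Release the provider's references first; unload fails while handles are open.
        $item = $null
        [GC]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Get-OfflineAutostart | Format-Table -AutoSize
```

      The output is read-only inspection, so it settles nothing about whether the drive is clean; it only shows what will start when the drive boots again. On an unmodified install Shell reads explorer.exe and Userinit reads C:\Windows\system32\userinit.exe, (trailing comma included), so anything else there deserves a look. Per-user Run keys live in each profile's NTUSER.DAT (D:\Users\<name>\NTUSER.DAT) and load the same way. If reg.exe unload reports access denied, something in the session still holds the key open; close the PowerShell session and unload again.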

    2. Re:Stop with the recommendations by HermMunster · · Score: 2, Informative

      Regarding my comment about using a second machine to do the initial cleaning. I would have to say that you are quite short-sighted. If you think ahead you'll understand the reasoning. And, if you are wise you'll understand that I would not recommend using a Windows box as the second machine.

      You are correct in that there are parts of the infections that a scanning from a second machine can't get. I don't dispute that, but that's why I said "initial" cleaning. The purpose of the initial cleaning is to allow you to go into certain folders and to delete files that you know are common havens for malware. After doing that you can use any of the several native Linux anti-malware products that will detect and remove infections from NTFS drives attached to the system.

      Today's malware is good at what it does. This isn't saying that some of the malware writers are not idiots. If they were competent at what they were doing they'd have your system infected and you'd never know it. Instead they pop up ads and slow your computer down and alter permissions to folders/files/registry entries--all of which are telltale signs of an infection. What I'm saying is that malware has become quite aggressive and the authors experienced; it's just that they are sometimes dumb as a post at how to get it done without alerting the users.

      There are some pitfalls to leaving the drive in the infected computer. Some of these are exploited by malware authors. Several examples would be: some malware products will attempt to delete any anti-malware product (including the installers when you try to execute them), some malware products will disable the ability to run certain anti-malware products (even if they were installed prior to the infection), some malware products will use the system (e.g., autorun on flash drives) to copy malware onto your flash drive in order to copy their infections to new machines.

      Yes, there will be missed traces of an infection when putting the drive into another computer. If you are any good at what you do then you'll know that you have removed the vast majority of the infection prior to putting it back into the original computer. You'll have deleted known malware folders, rogue programs, the temporary folders (go through your computer and count the number of \temp located under the OS and user areas), such as temporary Internet, prefetch, temp, history. At that time you then copy over the necessary software (anti-malware installers) that you'll use to do the cleaning. After putting the drive back in the original computer you then can begin the full process of cleaning.

      I do agree that you have to clean heavy and use only what's necessary to keep yourself clean (though that requires due diligence on the part of the user, which is an uncommon characteristic of their behavior). If you overcompensate you'll end up with a machine that is worse than the infection--just as some popular commercial products do.

      I generally recommend using Linux as the secondary machine as it will allow you to bypass Windows security. Unlike XP, where you can get caught by Windows security but can get past it, Vista and Win7 really try to lock out user accounts from each other and that security can get in the way. Not to mention the fact that malware is often running and using the infected machine just prolongs the cleaning.

      --
      You can lead a man with reason but you can't make him think.
  11. No Joke by Das+Auge · · Score: 5, Interesting

    I've been working in the on-site support field for over a decade. I've seen the viruses get nastier and nastier.

    It used to be that the virus got a hold of the system, maybe did a little damage or had a little fun. Sometimes it was pretty funny. Such as screwing with the mouse.

    Then things started to get a little more serious. The virus would insinuate itself into the system folder and maybe IE. They started doing tasks. Thus rose the botnets.

    Then it became big business for people. The spreading of spam and fake anti-virus (that wanted you to purchase the "full version" so that you'd get rid of the virus they said you had) was the order of the day. They started blocking access to the run box, the task manager, and sites that might be able to help you (online virus scanners). They started killing the AV programs. They also replaced the explorer.exe and iexplore.exe files. Hell, they even go after Firefox, Chrome, and Opera.

    They really get their hooks into it and don't want to let go because it means money. Big money. So I'm not surprised that AV programs are having a tough time getting rid of them. It hasn't been kiddies out for fun for a long time. Now it's all about professional programmers out to make an ill-gotten buck.

    1. Re:No Joke by d3ac0n · · Score: 5, Interesting

      Ain't that the truth.

      The kicker? Most of the infections I deal with on a regular basis are coming from AD BANNERS. I have literally had people get a brand new machine, sit down at it, open IE8 and browse to one of the major sports news sites (ESPN, TSN, MLB, NFL, etc.) and get IMMEDIATELY infected by a banner ad!

      There are few things worse than giving someone a brand new machine, and before you've even been able to get back to your cube and sit down your BB is buzzing and you are being told to get back there because they have a virus! ARGH!

      Honestly, it's gotten so bad that with most of the fake AV viruses we just freaking wipe the stupid PC immediately. Format and re-image and done. It's faster and easier.

      --
      Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    2. Re:No Joke by mlts · · Score: 3, Informative

      It's even past that. It used to be kids who were out to knock off someone's machine on a local BBS. Then it became the legion of professionals who went blackhat due to cash.

      Now, you have well-heeled groups, from criminal organizations to whole governments, who have immensely deep pockets and who spend billions in order to search through every Windows and UNIX executable just to find the single buffer overrun, race condition, or other small goof that can be used in an elaborate attack. The payoff is big, and not just economics.

      Of course the attacks are nastier and nastier.

      Best defenses? After the obvious firewall and network IDS, two of the best system-level ones out there are virtualization with a hardened hypervisor and jailing of apps. After that, an OS-based IDS that can detect known signatures and unknown suspect activity. This way, something that gets access to the OS via an unjailed browser or plugin hole is stopped.

    3. Re:No Joke by dangitman · · Score: 4, Insightful

      Most of the infections I deal with on a regular basis are coming from AD BANNERS. I have literally had people get a brand new machine, sit down at it, open IE8 and browse to one of the major sports news sites (ESPN, TSN, MLB, NFL, etc.) and get IMMEDIATELY infected by a banner ad!

      Hmmm... could a lawsuit (class-action or otherwise) be an idea here? After all, isn't it illegal to infect someone's computer with malware? How is it that these major websites are getting away with it?

      --
      ... and then they built the supercollider.
    4. Re:No Joke by Antony-Kyre · · Score: 2, Insightful

      That is why we have to love how Google does their ads. Graphical ads just don't feel safe. But, maybe I'm paranoid. Maybe it's the flash ads that are the real offenders.

      So, either banner blocking software, or perhaps freeze software, so if someone is infected, a reboot brings it back to status quo.

    5. Re:No Joke by xlsior · · Score: 2, Interesting

      They aren't. There's no way anyone is being infected by these sites.

      Don't be so sure -- there have been plenty of cases the last few years with major websites being duped into pushing out malware.
      For example, the New York Times pushed out trojans recently: http://www.scmagazineus.com/New-York-Times-inadvertently-sold-ad-space-to-hackers/article/148990/

      Another one (a little longer back) revolved around .WMF files - an old printer image metafile format that can include executable code which Windows ran without asking anything. Simply viewing the file in Internet Explorer ran the payload. Icing on the cake is that it still worked if the malicious .wmf files were renamed to .JPG thanks to the way IE handles the image rendering. Some entrepreneurial people spread a bunch of these on the major ad networks without getting caught, and there you go... Any website running ads from these networks now came with a malicious payload.
      http://www.dailykos.com/story/2006/1/1/235748/4675

      Now, they may not have done so intentionally, but plenty of big, mainstream websites have indeed been caught unwittingly pushing out trojans and malware over the last few years. It's really not that far-fetched. These are just two examples; there have been plenty more over the years.

  12. The usual suspects by EmagGeek · · Score: 5, Informative

    Of course, half of the software they tested is not anti-Malware software (Avast, for example, is an AV, not an Anti-Malware).

    They also did not test MalwareBytes, probably because it would make all of the others look bad.

    1. Re:The usual suspects by BikeHelmet · · Score: 2, Informative

      Malwarebytes seems to detect everything nasty.

      Of course, in my experience, it also detects a lot of stuff that isn't nasty. Don't even bother running it on a drive from an old Win98 computer. It'll tell you there's 30 viruses from 2008/2009 installed on it, even if that computer had no internet access. :P

      But if you examine the results and use some deductive reasoning, it's an amazing tool.

  13. Re:I Just switched to an interesting product .... by curmi · · Score: 2, Insightful

    He was hardly an "ass", though maybe a troll. Certainly an entertaining post, but your response to it was wrong.

    1) There are NO viruses for the Mac. There are trojans though, like any OS.

    2) The Mac has long had the marketshare for viruses - pre-OS X there were plenty of Mac viruses. There have been none for OS X because it is more difficult to write them with the way the new OS is designed. Writing one for OS X is like a holy grail for virus writers.

    3) Who is the "ass" calling OS X a "precious yuppie OS"?

  14. all lame by Danzigism · · Score: 3, Informative

    for the regular user, I can understand wanting the "feeling" that you're protected. however, when even the shittiest and lamest rogue-AV programs like WinAntiSpyware, Antivirus2009, System Protector Pro, Police Pro, and all the other bogus products can't be stopped by even the best of AV software, ya gotta think. these scanning programs don't do shit and make you feel like they have. so, understand how your system works. use Sysinternals Autoruns to see what shit is being loaded on your system. and become familiar with our dear friend ComboFix provided by Bleeping Computer. It is the only tool worth a damn that can also get rid of severe rootkits. Sometimes for the real bad ones you'll need to use the Windows Recovery Console to delete files hidden from the Windows API as well as disable infected drivers/services. AV will still be a joke since the bottom line is, you can still get infected. especially if you are prone to getting viruses anyway due to your browsing habits.

    --
    *plays the Apogee theme song music*
  15. Expected Linux fanboy response. by Hurricane78 · · Score: 2, Insightful

    *whispers*
    "Shall I?"
    (whisperwhisper)
    "Why me??"
    (whisperwhisper)
    "Ok, damnit! I'll do it! But you owe me one!"

    *steps forward into the spotlight*

    *loud*
    "Well, I found a better combination:"
    *louder*
    "JUST INSTALL GNU/LINUX!"

    *normal voice*
    "Thank you, thank you! I will be here..." *dodges flying chair and Granny Smith with bite mark* "... all night!"

    (P.S.: I use Linux as my main Desktop. And Windows for the games. No hard feelings here. :)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  16. Also by Sycraft-fu · · Score: 3, Informative

    Testing online (meaning running the removal program on a running, infected, system) removal seems kinda silly. You are fighting a war there and the malware has the upper hand being there first. On a compromised system you generally want to work on it offline. You either boot a live CD or take the hard disk to another computer. That way the malware can't be running. You can then use tools to track it down and remove it.

    Running a scanner on a live system is more of a preventative measure and a detection measure. You have a realtime scanner looking for threats coming in. If it finds them, it can block them before they have a chance to do anything. This is 99.9% of the good a virus scanner does. It stops them before they ever infect the system. It can then also help in terms of alerting you if a system is infected.

    However counting on one to be good at removal on a live system seems silly. Take the system offline, fix it, and bring it back up.

  17. Wipe It by Talisman · · Score: 4, Insightful

    Imaging products have become so good and fast that I no longer bother with 'scrubbing' a computer clean when it gets a virus. I can reimage the machine in less time: 15 minutes from start to finish, and I don't have to worry about viral remnants in the registry or some deeply buried hidden folder with a time bomb inside.

    I keep our company's image file up-to-date, and when something goes wrong with a computer (drive crash, corrupt registry, malware, whatever) they are back online in 15 minutes. Screw scouring the web for a utility to remove a particular virus that may or may not work, and screw relying on an all-in-one product to save you from malware.

    I have come to terms with the absolute fact that users are stupid and careless and, aside from the rare individual who bothers to be responsible, they will always be stupid and careless, no matter how much I wish they would change.

    In a business environment, imaging is the way to go.

    (I use a Mac at home and don't have to worry about such things)

    --

    "Study your math, kids. Key to the universe." -The Archangel Gabriel
    1. Re:Wipe It by Turzyx · · Score: 3, Insightful

      I use a Mac at home and don't have to worry about such things

      http://it.slashdot.org/article.pl?sid=09/04/16/2327246 I was with you up until the very end. Why ruin a perfectly good comment with overconfidence and arrogance?

  18. Common sense was left out of the program by dbIII · · Score: 3, Insightful

    If you had more than a passing familiarity with Microsoft's products and the elaborate pile of stuff on top that makes it even more insecure you would be aware that you need more than that. Large numbers of viruses and worms have spread with no user interaction at all, and others that required intervention have spread via things that appear to be quite innocent to the user (a banner advertisement on Australia's Telstra white pages telephone number search page one day, for instance). Then of course there is downloading that program that the user assumes is only going to give them an animated purple monkey, a weather report or little images of smiles to decorate their emails. They don't know that the system has no way of protecting them from such things being other than what they appear to be.
    Don't fall for the copout of accusing the users of being idiots. Instead it's a long chain of events with stupidity at many steps on the part of some developers which gave us a house of cards which the user can upset so easily.
    We can't just say "haha, user is an idiot" when we in the computer software industry can look in the mirror to see part of the real idiocy. Every time I make a user "admin" or "power user" so that they can run badly written software I add to the idiocy and create another potential node for a botnet or another chance at credit card fraud.
    At one site I do work for EVERY user has to be "admin" so they can run an internally developed dotnet application that writes its config file to the root of the system drive simply because that's where the developer wanted to put it. The developer has a string of certifications and years of experience but still carries on with such overtly STUPID actions, not because he is stupid but because a very large chunk of the industry is stupid and stupidity is standard operating procedure. Most of the new security options in Microsoft's products are rendered pointless when the applications on top come from such a culture of stupidity.
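
    The fix for the config-file case above is a path choice, not a permission grant. As an added example (mine, not the poster's, and not the application in question), the following resolves a per-user config location that a standard user can write, and probes the difference directly rather than trusting a reading of the ACLs. It assumes Windows PowerShell 3 or later and uses 'ExampleApp' as a placeholder application name.

```powershell
# Added example, not from the post: resolve a per-user config path that a standard
# user can write, and probe whether a given directory is writable with the current token.
# 'ExampleApp' is a placeholder application name.
function Get-AppConfigPath {
    param([Parameter(Mandatory)][string]$AppName)
    # LOCALAPPDATA is per-user and writable without admin rights. Machine-wide settings
    # belong under ProgramData, in a directory whose ACL the installer sets up; neither
    # case needs the root of the system drive.
    $dir = Join-Path $env:LOCALAPPDATA $AppName
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    Join-Path $dir 'config.xml'
}

function Test-CanWrite {
    param([Parameter(Mandatory)][string]$Directory)
    # Create and delete a uniquely named file. Inheritance and deny entries make a
    # bare ACL read easy to misjudge; an actual write is the honest test.
    $probe = Join-Path $Directory ('write-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    RunningElevated      = $isAdmin
    SystemDriveRootWrite = Test-CanWrite -Directory "$env:SystemDrive\"
    ConfigDirWrite       = Test-CanWrite -Directory (Split-Path (Get-AppConfigPath -AppName 'ExampleApp'))
}
```

    Run it as a standard (non-elevated) user: with default ACLs the system drive root refuses the file write while the LOCALAPPDATA directory accepts it, which is exactly the gap the "make everyone admin" workaround papers over. Run it elevated and both succeed, which is why testing only from an administrator account never reveals the problem.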

  19. Offline isn't always best, actually. by RudeIota · · Score: 2, Informative

    The offline approach worked fantastically in the year 2000, but now... the playing field has changed.

    We have rootkits that embed themselves into alternate data streams, utilize virtualization, employ self-encryption and password protection and randomize what would otherwise be easy-to-detect signatures, etc. Some rootkits can *only* be reliably detected if they are actually *running* because they conceal themselves using these techniques. *Even then*, it requires a competent utility with things like stealth detection which look specifically for that behavior of concealing/unconcealing itself. As a result, some of these viruses don't show up in Safe Mode either...

    Scanning offline is a good first step if the system is hosed. From my experiences though -- if the system can boot and mostly works -- do whatever scanning you can first while it is online. Use your best judgment as to whether you have mitigated the threat and THEN take it offline for the final clean up.

    --
    Fact: Everything I say is fiction.
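
    The alternate-data-stream hiding place mentioned above is something an administrator can enumerate with no extra tooling. As an added example (written for this thread, not code from the poster), the following lists every NTFS stream other than the default ::$DATA stream under a folder. It assumes Windows PowerShell 3 or later (the -Stream parameter) on an NTFS volume; the $Root path is a placeholder.

```powershell
# Added example, not from the post: list NTFS alternate data streams other than the
# default ::$DATA stream under a folder. Assumes Windows PowerShell 3+ and NTFS.
function Get-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Root,   # placeholder: folder to walk
        [switch]$IncludeZoneIdentifier         # Zone.Identifier is the ordinary "downloaded from the Internet" mark
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One object per stream on the file: FileName, Stream, Length
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Read one stream's content for inspection; this reads bytes, it does not execute them.
function Get-StreamContent {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream
    )
    Get-Content -LiteralPath $Path -Stream $Stream -Raw
}

Get-AlternateDataStream -Root "$env:SystemDrive\Users" |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

    Two caveats match the post's own point. Zone.Identifier streams are everywhere and benign, hence the switch that drops them by default; and a rootkit that is running and hooking the file system APIs can simply omit its streams from what this enumeration sees, so a listing taken from rescue media or with the drive attached to another machine is the trustworthy one, at the cost of not being able to watch the rootkit unconceal itself.
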
  20. Re:Kinda pointless by Le+Marteau · · Score: 2, Informative

    Pointless? Not exactly. New viruses can appear on your systems before there are any patterns for them. It is then left to a scan and a clean-up to deal with it.

    --
    Mod down people who tell people how to mod in their sigs
  21. Test results are not exactly meaningful by rcamans · · Score: 2, Interesting

    It was nice to see how various products did on the simple tests. However, several serious mistakes were made in the test methodology.

    First, 10 virus samples for the test cannot give a statistically meaningful result. At least 31 different samples are necessary, as people who have had testing statistics and quality control education would know.

    Second, and even worse, the tests were not performed under real world conditions. No system has ever been shown to have only one infection in the real world. The testing should have included detection / removal on systems with all malware installed. This is what real world users see.

    Third, the "cleaned" systems should have been retested to see if infection would repeat under supposedly "cleaned" conditions. If the registry entries blocked reinfection (I seriously doubt it), then that would be seen. This would not have been a valid complaint if they had not brought it up in their article. (courtroom trial rules)

    Fourth, with the anti-malware product running and protection fully enabled, would any of the malware be blocked from installing, or even downloading? This would not be a valid complaint if they only chose products which have no preventative methods (firewall, sandbox operation). Products which do not have adequate protective behavior are worse than worthless to the public, as they would have the idea that they are safe when using the product. That is the whole purpose of these products, to make the user believe he is in some way safe. But he is seriously not safe.

    Fifth, using only non-damaging malware samples is also unrealistic. Performance against damaging malware is very important, and was untested. Performance against one small, safe, variety of malware does not indicate anything about the anti-malware product's usefulness to the public.

    Sheesh, I could probably go on for a while, but I give up. We have surpassed the three strikes rule quite a bit already. This post is just an advertisement for AV-Comparative. Did someone get paid for this post? They should have.

    --
    wake up and hold your nose
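
    As an added illustration of the sample-size point (mine, not part of the post), here is the arithmetic behind it. Treat each sample as a pass/fail trial, so a product's removal rate is a proportion $\hat p$ estimated from $n$ samples, and take $p = 1/2$, the worst case for the standard error:

$$\mathrm{SE}(\hat p) = \sqrt{\frac{p(1-p)}{n}}, \qquad \text{95\% half-width} \approx 1.96\,\mathrm{SE}(\hat p).$$

$$n = 10:\quad \sqrt{\frac{0.25}{10}} \approx 0.158, \qquad \pm 1.96 \times 0.158 \approx \pm 0.31$$

$$n = 31:\quad \sqrt{\frac{0.25}{31}} \approx 0.090, \qquad \pm 1.96 \times 0.090 \approx \pm 0.18$$

    So a rate measured on ten samples carries a band roughly sixty percentage points wide, which is why two products a few samples apart cannot be ranked against each other on that basis; with 31 samples the band is still about 35 points wide. The normal approximation itself is rough at these sizes, so treat the numbers as orders of magnitude rather than exact bounds.
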
  22. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion