Slashdot Mirror


Testing Free English Anti-Malware On Non-English Threats

An anonymous reader writes "Brazilian technology news site O Globo posted an interesting comparison on how free anti-malware behaves against non-English threats (Google translation of Portuguese original). By using a database of over 3000 samples from Brazil's Security Incident Contact Center, the numbers are quite different from all US anti-malware reviews. While Avira achieved the best score, 78%, Microsoft Security Essentials stopped less than 14%. This can be a headache for some large multinational corporations, whose IT departments deploy US anti-malware on the entire network, but have network segments outside US with many 'unknown' threats roaming around. I wonder what the results would be in other countries."

17 of 78 comments

  1. What about by Aerorae · · Score: 2

    paid solutions?

    1. Re:What about by MrEricSir · · Score: 2

      In my experience, the vendor makes more difference than whether you get the paid or free version.

      Generally the free version is for home use only, whereas the paid version is for commercial use and comes with support.

      However, some vendors offer more frequent updates with the paid versions than with the free versions. This might play a role here, but probably not; chances are the location of the R&D lab and the language spoken by the virus submitters makes a larger difference.

      --
      There's no -1 for "I don't get it."
    2. Re:What about by _0xd0ad · · Score: 2

      Still, some vendors get left out entirely. I use ESET. Since they don't have a free version, they weren't included. I'd like to know how they measure up, though... hell, whoever's testing could just install their 30-day trial and not even have to buy it.

  2. Interesting... by fuzzyfuzzyfungus · · Score: 4, Interesting

    It isn't really news that AV products rely fairly heavily on canned signatures and that heuristic detection of evil lags behind evil by a fair margin.

    What does surprise me, though, about these results, is that they suggest a fairly high level of geographic discrimination in the customization and targeting of malware. My (naive) expectation would have been that, aside from trivial stuff like trying to get the language of your spam/phishing/social engineering emails correct, the market for good exploits, well-crafted viruses, and so forth would be a fairly global one. Also, given that some malware attempts to propagate itself, rather than being delivered by a bugged website or other external mechanism, I would expect a fair amount of "splash" from malware spreading to any vulnerable hosts it can find, not bothering with any sort of geolocation, or from expats who live in country A, but still visit websites from home country B.

    I would have expected a much more homogeneous (from the perspective of the mechanics of the exploit mechanism, evasion techniques, and payload) worldwide population of malware.

  3. Blacklisting is a losing battle by Mathinker · · Score: 2

    This only proves what people have been saying since day 1: fighting malware via blacklisting is a losing battle.

    Eventually some company will come up with a business plan which is the opposite: if you are interested to run an application, you can pay them to do a security review on it. If the company worked on a "we do the review once $X dollars have been raised" basis, popular applications would be reviewed for small change per user, and niche applications would be expensive to have reviewed.

    Unfortunately, that's also a losing battle because of the noncomputability of the stopping problem, but it's less so --- developers who want their application to be reviewed quickly would supply source code to the reviewing company and the developers would have an interest to have the code be as "clean"-looking as possible, raising the bar for slipping in "underhanded" side effects (and hopefully making malware with complex behavior difficult to pass muster).

    1. Re:Blacklisting is a losing battle by CosmeticLobotamy · · Score: 2

      This idea is so insanely bad and competition-murdering that I'm surprised Microsoft hasn't quietly spun off some security firm to make this happen.

    2. Re:Blacklisting is a losing battle by mlts · · Score: 2

      What antivirus/antimalware is good at is stopping the stuff after the first wave, and the companies get updates out. However, the blackhats know this, so they know their moneymaking is during the 0 day wave, before Patch Tuesday and the Malicious Software Removal Tool is run.

      True resistance to malware requires a defense in depth philosophy, and until recently, this was not implemented in a significant fashion. For example, the usual setup of Windows XP would give Admin rights to any process by default that would get on as a user. This can be fixed, but most users wouldn't create limited users, nor run the Web browser with the Run As... command.

      In reality, there needs to be a number of levels before malware gets to execute with a root/admin context. The first starts with browser add-ons, the browser, the OS's security in a jail or other restricted context. Ideally there should be a HIPS present in the OS that can catch unknown intrusions, but a HIPS does cost CPU cycles and can give false positives.

      Ultimately, what one group can secure, another can break. However, OS and program design that is in primary use now can really be made much better. AppArmor, SELinux, and having app profiles built into every program telling the minimum, best, and maximum privs it should have would go a long way into isolating issues.

    3. Re:Blacklisting is a losing battle by CosmeticLobotamy · · Score: 2

      This bears no resemblance to the Apple App Store. Apple doesn't audit for security, they audit for boobies and giving the user the ability to run software they didn't audit for boobies and take 30% of.

    4. Re:Blacklisting is a losing battle by afidel · · Score: 2

      Stop it before it ever gets to the client: IDS/IPS and an intelligent filtering proxy running a different engine than the desktop. It's not foolproof, but it blocks the vast, vast majority of threats. Same with email (though that seems to be dying as a vector): use a different AV engine on the email gateway than you run on the desktop and servers.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:Blacklisting is a losing battle by mlts · · Score: 2

      This makes me wonder about having NICs with an embedded firewall OS. Of course, this can be a target for remote flashing of malware, but this can be minimized with both signatures, and having a DIP switch that has to be physically pressed before a write to the OS can be done.

      With the NIC handling the IDS/IPS capability, as well as being able to handle enterprise network configurations, the OS can be isolated and happily think it is receiving a DHCP address while in reality, an enterprise server has it on a static IP. This way, someone compromising the OS can't get another IP, or change the subnet mask.

      The NIC with this capability can also be used on the enterprise for security, regardless of the OS running on the machine. The enterprise admin or an IPS can tell the box not to connect to the corporate net for "x" amount of time, or if it does connect, route all traffic to a remediation server. Perhaps (with enough flash space) it can even store an image of the OS, so re-imaging the box can happen quickly without any network traffic.

  4. What about the other way around? by _133MHz · · Score: 3, Interesting

    In my experience it's pretty easy to spot malware when English menu options and stuff start appearing on a non-English Windows installation, such as "Open" or "Open folder to view files" for thumbdrives while the rest of the options show up in the local language; sometimes malware can even bork the system because of it (like in the olden days of Windows 9x when installing IE in a different language caused all sorts of havoc in the OS).

    Even with such a blatant language mismatch most users simply won't notice anything wrong with their systems until it bites them really hard.

  5. A few corrections by Leafheart · · Score: 5, Informative

    O Globo is one of the biggest newspapers in the country. But it is not a technology news site as the summary implies. Although yes, this was posted in the tech area of the site, it is hardly the focus of the newspaper.

    Regarding the testing itself: this is just a report on a test made by an external firm (www.clavis.com.br) which was commissioned by the site. The test focused on the quality of free antivirus only, with the implication that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exact aim of the article). Besides that, the test is devoid of crucial information. The database they used is a great one; the CAIS is maintained by our best scientific network, RNP (site in English: http://www.rnp.br/en/), so I trust the info there. But nowhere does it say that the threats are in Portuguese.

    They used a list of 3,269 threats among viruses, trojan horses, spyware, keyloggers, etc. We don't know how many of each. Before the article they praise paid security suites, because they are a suite and not an antivirus only. There is no data on these threats, nor how many of each type, how old each one was, nor how they have threats which are not on the known list of each antivirus. Much less the language of the code.

    Let me repeat it: NOTHING in the test implies that antivirus have a problem with non-English threats. It only said that those antivirus had that percentage of correct matches on either Heuristics or non-threads. But we don't know the exact content of the database or the code used to test it. Much less the quality of the test.

    Again: Language was not a part of the test!!!

    --
    "When you gotta do something wrong. You gotta do it right. (Fighter)"
  6. Re:They don't even remove the biggest US threat by Enter+the+Shoggoth · · Score: 5, Interesting

    Actually the installer for OS/2 (Warp, iirc) would do a virus scan before installing and would come up with the message

    "windows found, remove: (y/y)?"

    so someone at IBM shares your sense of humor... or maybe it was you?

    --
    Andy Warhol got it right / Everybody gets the limelight
    Andy Warhol got it wrong / Fifteen minutes is too long.
  7. Re:Jumping to conclusions by mlts · · Score: 2

    I don't see any multinational company doing this because of what you said (no ability to manage/audit workstations), plus the EULA would be violated as MSE is for personal/home use and defines it.

    This is what Forefront is for. Forefront is essentially MSE, but it has enterprise-level features, as well as the fact that MS advertised a few years ago that it can deter zombie invasions. Just the fact that the undead won't be attacking the workplace alone makes Microsoft's offering worth getting on an enterprise level.

  8. Re:Jumping to conclusions by afidel · · Score: 5, Informative

    MSSE and Forefront Endpoint Protection are the same base engine and since MS is giving it away to companies with an enterprise agreement you can bet companies are at least considering it.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  9. Re:They don't even remove the biggest US threat by mlts · · Score: 2

    Devil's advocate here:

    I beg to differ, especially with Windows 7. Windows has its issues, but its security features are on par with everyone else.

    The problem oftentimes is with the third-party developers who don't allow the OS to enforce DEP, much less ASLR. Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.

    Of course, Windows has problems, but saying it is fundamentally insecure isn't accurate.

  10. Comodo by Neil+Boekend · · Score: 2

    I can't read the article: blocked by company policy.
    But I would like to know whether they tested with Comodo in the "auto sandbox" setting. Since the virus would run sandboxed, it should not matter what the language was.
    I am thinking of switching from MSSE to Comodo, and if they tested it and it failed then Comodo would not be an option for me.

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.