Slashdot Mirror


Antivirus Software Performs Poorly Against New Threats

Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"

12 of 183 comments

  1. so its like the human immune system? by alen · · Score: 4, Interesting

    who would have thought?

    1. Re:so its like the human immune system? by mcgrew · · Score: 5, Informative

      Virus authors, on the other hand, can use virustotal.com to see who can detect their stuff and evolve as necessary to avoid detection.

      Virus writers make their viruses evolve? Creationism, anyone? Computer viruses don't evolve, they are engineered/programmed. And viruses that attack animals (including humans) don't have to evolve features necessary to bind to our receptor sites, those features have already evolved. What they do is mutate so that the animal's immune system doesn't recognize it as a threat.

      The animal immune system is nothing whatever like computer antivirus, and animal viruses are nothing like computer viruses. You guys are anthropomorphising WAY too much here.

    2. Re:so its like the human immune system? by GrumpySteen · · Score: 4, Informative

      Virus writers make their viruses evolve?

      In a sense, yes. Viruses have been created which "evolve" by changing their code around in order to prevent signature based detection. Viruses that do that are referred to as polymorphic viruses.

      Polymorphic viruses are doing basically the same thing as a biological species that evolves into a different coloring that helps it hide from predators. The ones that don't evolve better camouflage get eaten by predators/cleaned by virus scanners. The ones that do evolve better camouflage spread.

  2. What's the impact of those new viruses? by rvw · · Score: 4, Interesting

    In about 15 years I've seen (and fixed) about ten infections, all on computers from friends or colleagues. All those infections were with known viruses or rootkits. You might say that new viruses go unnoticed, but even if they have infected a computer, shouldn't an antivirus scanner detect it later? Yeah I know it "should", but will it? I never see anything about them. Anyway, how often do all these new viruses actually have an impact?

    1. Re:What's the impact of those new viruses? by SJHillman · · Score: 4, Insightful

      The "best" malware are the ones designed to be undetectable for years. Some even go so far as to play the role of an anti-virus to keep other infections out of its host. Given that most users don't bother to make sure their AV product is up to date (if working at all), it's no surprise these infections are never detected because they're actually making the computer run better (from the user's perspective) just so they can continue their own agenda undisturbed. The most advanced malware is more akin to a semi-benign parasite than a biological virus or bacteria.

  3. Film at 11... by whoever57 · · Score: 5, Interesting

    Seriously, how many people here at /. are not already aware how poorly anti-virus software works? This "study" is just a "slashvertisement". From TFA:

    Imperva, which sponsored the antivirus study, has a horse in this race. Its Web application and data security software are part of a wave of products that look at security in a new way.

    --
    The real "Libtards" are the Libertarians!

  4. Whitelist is old news by michaelmalak · · Score: 4, Interesting

    The article mentions whitelist technology as the next step beyond conventional signature-based blacklist systems. But that's what I used three years ago, with RegRun. As soon as an executable is run that it doesn't recognize, RegRun pops up an alert asking you if it's legitimate. Of course, this is useful only for the technologically savvy.

    But now instead of that, I employ the ultimate in virus recovery (albeit not virus control). Using the multi-boot software BootIt Bare Metal (like a commercial version of GRUB, GParted, and other utilities rolled into one), I keep a clean OS on a separate partition that I can copy over the main partition at any time. Of course, I keep data on fileservers instead of my local hard drive.
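The alert-on-unknown-executable behaviour described above (RegRun style: anything not recognised gets prompted rather than silently run) can be modelled as a default-deny hash allowlist. The following is an added illustration, not RegRun's code and not from the original post; the allowlist line format (`sha256  label`) and the sample binaries are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_allowlist(text: str) -> Dict[str, str]:
    """Parse hypothetical 'sha256  label' lines; '#' starts a comment."""
    allowed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        digest, _, label = line.partition(" ")
        allowed[digest.lower().strip()] = label.strip() or "(unlabelled)"
    return allowed


def decide(path: str, allowed: Dict[str, str]) -> str:
    """Default deny: 'allow' only for a known hash, otherwise 'prompt' the user."""
    return "allow" if sha256_file(path) in allowed else "prompt"


def demo() -> Dict[str, str]:
    """Constructed samples: an approved binary, a tampered copy and an unknown one."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "approved.exe")
        with open(good, "wb") as f:
            f.write(b"MZ constructed approved binary")
        tampered = os.path.join(d, "tampered.exe")
        with open(tampered, "wb") as f:
            f.write(b"MZ constructed approved binary!")  # one byte appended
        unknown = os.path.join(d, "newtool.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ constructed unknown binary")
        allowed = parse_allowlist(f"{sha256_file(good)}  approved.exe\n# vendor build\n")
        return {os.path.basename(p): decide(p, allowed) for p in (good, tampered, unknown)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6} {name}")
```

Note that the tampered copy is prompted exactly like a brand-new binary: every legitimate update also changes the hash, which is why this approach only suits users willing to answer the prompt correctly.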

    1. Re:Whitelist is old news by SJHillman · · Score: 4, Funny

      "Of course, this is useful only for the technologically savvy."

      That's the one huge, gaping security hole in most modern OSes... the user. Damn hard to patch too, although I have had some success with a crowbar.

  5. Industry Incentives by Anonymous Coward · · Score: 4, Interesting

    While this is a classic arms-race (i.e. each has incentive to stay one step ahead), I would argue that there is asymmetry in the incentives of the attackers (malware writers) and defenders (anti-virus and computer security software writers). I believe the long-term outcome of this is that the window of exposure for popular platforms will continue to grow, despite advances in: patching hosts, general user education, availability of firewalls, etc.

    An illustration of the basic asymmetry is this:

    A lone coder in an impoverished country has a lot more to gain by writing a single virus/piece of malware than does an anti-virus company to write detection for that single virus. Think: bread for your family vs. one more item crossed off in a list of tens (if not hundreds) of thousands.

    Additionally, the virus only has to be active for a short time to make the labour worth it. Write a new one every month, by the time it gets to the a/v companies, cash is in the bank.

    Multiply this by the number of coders that are out of work, in countries that have other things to worry about, and the increasing availability of tools and education for the job.

    It is a losing battle, long term.

  6. Bigger problem than imagined. by grahamlord86 · · Score: 4, Insightful

    I run a local computer repair shop, and I can corroborate this story: modern AV does jack.

    I haven't seen any really malicious malware in a while, but I see ransomware and scareware ones quite often, and every time the computer has up to date AV on it.
    What's more, a lot of the time I've seen the virus in question several times, meaning it's been around for at least a fortnight, and still the AV guys haven't picked up on it.
    I can appreciate that a social-engineered drive-by exploit attack is difficult to defend against; when the customer asks me how to stop it happening again, it's a tough question to answer. But this doesn't change the fact that IMHO, all anti-virus is a waste of time and money at the moment.
    I install MSE on customer laptops because I have to put SOMETHING there, but I have little faith that it will protect them.

    Now I'm not fear-mongering here, I'm just being matter-of-fact. Three years ago when I stopped re-selling AVG, my account manager said 'Oh sorry to hear that, can I ask why?'
    I said: 'Because it doesn't work. I am removing trojans and rootkits from computers every day, and many of them are running AVG, which has completely failed to save them.'

    Make your anti-virus software work, and make it protect users from drive-by attacks on bad facebook links (without intrusive toolbars and link checkers please), and I will sell you hundreds of copies in my little shop alone.

  7. Re:It's a matter of time, stupid! by TheLink · · Score: 4, Insightful

    Solving the AV problem is harder than solving the "Halting Problem", since you aren't given the full source and inputs. Sandboxing and similar is the better approach.

    In many cases if you do things right (esp. on servers), AV software is more likely to cause problems than viruses. Every now and then you hear of an AV software with a system-crippling false positive or other big problem. So if you are sandboxing stuff, and not regularly adding 3rd party software to a server or browsing with it, installing AV software on servers is more likely to cause problems than it'll ever solve.

  8. Do NOT anthropomorphize Computer viruses by codewarren · · Score: 4, Funny

    Do NOT anthropomorphize computer viruses! They HATE that.