Slashdot Mirror


Microsoft Fails Antivirus Certification Test (Again), Challenges the Results

redletterdave writes "For the second time in a row, Microsoft's Security Essentials failed to earn certification from AV-Test, the independent German testing lab best known for evaluating the effectiveness of antivirus software. Out of 25 different security programs tested by AV-Test, including software from McAfee, Norman, Kaspersky, and others, Microsoft's Security Essentials was just one out of three that failed to gain certification. These results are noteworthy because Microsoft Security Essentials is currently (as of December) the most popular security suite in North America and the world."

228 comments

  1. This is why by LordLimecat · · Score: 5, Insightful

    For anyone who didn't get why bundling MSSE with Win8 was a terrible idea, this is it. I guarantee it is now the very first thing malware authors test against prior to release, and the number one target for circumvention. Previously McAfee and Norton were heavily targeted for circumvention, and had correspondingly bad scores; now it's MSSE's turn.

    Really, it's eerie how perfectly the timing corresponds with Win8's release.

    Hooray monoculture! Hooray killing off a previously viable AV option!

    1. Re:This is why by bmo · · Score: 5, Insightful

      So whatever next comes out on top for market share will be the target. So what?

      You don't even need to have the top 10 virus scanners installed even locally, there are websites that will happily test your particular malware against the top 10 for you, automagically.

      I don't see the point of your message, honestly.

      --
      BMO

    2. Re:This is why by Anonymous Coward · · Score: 1

      Hooray monoculture! Hooray killing off a previously viable AV option!

      As long as the popularity of that monoculture reduces the ROI of targeting my Linux distro with malware to nothing, I'm happy for others to embrace it wholeheartedly.
      Oh, and sucks to be them.

    3. Re:This is why by smpoole7 · · Score: 5, Interesting

      I'm anything but a Microsoft lover, but I have to defend them.

      About a million years ago, back during the DOS era, a friend and I wrote an anti-virus suite (the ARF Antivirus, maybe you can still find it online, though I don't recommend that you use it!). It was quite effective; we used the file integrity approach, and stored the integrity information in the files themselves. (We were up front about it; some people don't like that, so we said, hey, you don't like it, just don't use our stuff. No hard feelings.)

      Ergo, I think I can at least offer an opinion that's slightly above drooling moron status.

      One of my biggest complaints about AV tests is that they're unrealistic. This has been years ago, now, so maybe it has changed, but back then, the folks who did the testing were arrogant and very hard to deal with. Your software had to produce a .TXT log file; it had to do this, it had to do that, or they would just fail it outright.

      Once you made them happy, then they tested it against every virus they could find, including some that WERE NOT (and never would be) in the wild.

      Bottom line, and to make a long story short: the people who were writing AV software back then were writing it for these tests, and not for the real world. I don't know if that's the case nowadays; I just don't know. (For that matter, maybe Microsoft's stuff really does suck. Given how badly their stuff worked back in the DOS era, it wouldn't surprise me. But I just don't know.)

      But fair is fair. I ran from that circus after about a year of endless arguments with the pompous egotists in Compuserve's Anti Virus forum. I don't know if it's still that way, but I haven't used anyone else's anti virus stuff in years (I protect my stuff a different way, primarily by using secured Linux with good backups, and with periodic integrity checks).

      --
      Cogito, igitur comedam pizza.
    4. Re:This is why by Anonymous Coward · · Score: 0

      As long as the popularity of that monoculture reduces the ROI of targeting my Linux distro with malware to nothing

      linux doesn't have the masses of stupid users that windows does. that is the very biggest security hole in the world - dumb, ignorant, uninformed users who can't be bothered to do a little reading.

    5. Re:This is why by morcego · · Score: 1

      I guarantee it is now the very first thing malware authors test against prior to release, and the number one target for circumvention.

      That is a good thing, as far as I'm concerned. Forces the company to improve its products.

      We don't need more security through obscurity.

      --
      morcego
    6. Re:This is why by Anonymous Coward · · Score: 5, Insightful

      For anyone who didn't get why bundling MSSE with Win8 was a terrible idea, this is it. I guarantee it is now the very first thing malware authors test against prior to release, and the number one target for circumvention. Previously McAfee and Norton were heavily targeted for circumvention, and had correspondingly bad scores; now it's MSSE's turn.

      Really, it's eerie how perfectly the timing corresponds with Win8's release.

      Hooray monoculture! Hooray killing off a previously viable AV option!

      I'm sorry...but the main reason MSSE was successful in gaining marketshare wasn't simply a matter of it having Microsoft's branding... it was the least obtrusive, most user-transparent, comparatively fast, full-featured and free. For years, AV/security companies have been churning out new products with more, heavy, useless "features" that just create more bloat....some of them even add entire programs that the user gets to install and have *always* running in the background.

      People want security, but they don't want security at the expense of obscene performance losses. This is where the popular AV/security companies should have taken notice and met customer demands...rather than trying to bundle all this "value" shit and obtuse flashy menu and window designs. Lots of quality products typically end up as bloatware when they increase in popularity (i.e., AVG, AVAST).

      With MSSE, Microsoft gave people an acceptable level of protection with none of the baggage that its competitors were plagued with.

    7. Re:This is why by LordLimecat · · Score: 5, Insightful

      The point is that MSSE was basically the best AV because it has no financial interest in bugging the user to upgrade to a pro version or to use scare tactics. Now that MSSE is out of the race, we're back to "OK" avs with complicated interfaces and upgrade prompts all over the place.

      Users tended to love MSSE because it shut up and did its job, unlike most of the alternatives.

    8. Re:This is why by LordLimecat · · Score: 1

      It won't matter if MS improves, before the new daily compile of TDSS or whatever malware is released, it will be scanned with latest MSSE defs and heuristics. The malware will then be tweaked to get around it.

      This isn't new, what's new is that whereas before the malware author had to try to bypass 5-10 different heuristics and defs lists, now it goes for one and hits 80% of the market.

    9. Re:This is why by LordLimecat · · Score: 0

      That was my point, but it's now irrelevant as MS has just made their own software useless. What idiot would release a virus that gets caught by the built in AV of its target OS?

    10. Re:This is why by smpoole7 · · Score: 4, Funny

      Proof that I'm an old timer: my use of the term "anti virus." It's not called that nowadays. It's Malware Detection, Security Software and Shields and Bad Guy Blockers(tm). I must update my terminology and get with the times. :)

      --
      Cogito, igitur comedam pizza.
    11. Re:This is why by Anonymous Coward · · Score: 0

      Sure.

      That and decades of really shitty security practices.

    12. Re:This is why by Anonymous Coward · · Score: 0

      Perfect post...and explains why I use MSSE on my windows boxen.

      Now someone crack the whip to get Ballmer's Boys to clean up the litter box!

    13. Re:This is why by mark-t · · Score: 2, Insightful

      Except, I think, that the point of the article is that MSSE *WASN'T* doing its job.

      Or at least not doing it well.

    14. Re:This is why by icebike · · Score: 5, Informative

      The point is that MSSE was basically the best AV because it has no financial interest in bugging the user to upgrade to a pro version or to use scare tactics. Now that MSSE is out of the race, we're back to "OK" avs with complicated interfaces and upgrade prompts all over the place.

      Users tended to love MSSE because it shut up and did its job, unlike most of the alternatives.

      If you read Microsoft's response, they are concentrating on anything that exists in the wild, not absolutely everything in the world.
      I run MSSE and also do a weekly scan with another paid virus scanner, and neither has detected anything that the other missed, other than Avira has found several false positives.

      --
      Sig Battery depleted. Reverting to safe mode.
    15. Re:This is why by mark-t · · Score: 1

      ...won't ever get even close to 1% adoption rate.

      0.8% is pretty close to 1%. Just FYI. If you had said 2 or 3%, then yeah... you'd probably have been more accurate.

    16. Re:This is why by Anonymous Coward · · Score: 0

      Except, I think, that the point of the article is that MSSE *WASN'T* doing its job.

      Or at least not doing it well.

      I don't think you actually read the article, did you? Naturally this Slashdot "write-up" is sensationalist.

    17. Re:This is why by Sir_Sri · · Score: 0

      No, it *was* it just isn't anymore. Maybe that means it hasn't been doing a great job for a few months or the like, but certainly for a couple of years it was the way to go.

      And it's still a good idea. Even if it's only the bad (or old) viruses being caught, it's still better than nothing, or something that users can't figure out and don't keep up to date which would be equally bad.

    18. Re:This is why by Sir_Sri · · Score: 4, Insightful

      At least with MSSE it will silently update, millions of users running security software that isn't up to date isn't doing them any favours either.

    19. Re:This is why by Anonymous Coward · · Score: 2, Insightful

      That was my point, but it's now irrelevant as MS has just made their own software useless. What idiot would release a virus that gets caught by the built in AV of its target OS?

      An idiot with an up to date system who knows most people aren't up to date? Was that a trick question?

    20. Re:This is why by Anonymous Coward · · Score: 0

      Because it's not just viruses that threaten us, and it's not just viruses that the aforementioned software fights off any more. Makes sense to upgrade the terminology. I like Bad Guy Blockers(tm). Has a badass vibe to it, like a maverick cop TV series.

    21. Re:This is why by sa1lnr · · Score: 4, Funny

      "Compuserve"

      That was the proof for me. :)

    22. Re:This is why by mark-t · · Score: 0

      Did I somehow imply with my use of "wasn't", that I was implying never? Is there some form of past tense that is specific to the recent past only? Because I only know of the one.

    23. Re:This is why by GigaplexNZ · · Score: 1

      It doesn't silently update for me. I checked to see what Windows Updates were available on my Win 8 machine the other day (Win 8 no longer has the nagging system tray, there's just a small bit of text on the login screen and I don't log out often) and there were definition updates that were over 2 weeks old.

    24. Re:This is why by Luckyo · · Score: 5, Informative

      MSSE does its job, and does it well. The main point where it "fails" is detecting zero day stuff or stuff that is rarely or never detected outside the labs.

      Zero day stuff is detected with heuristics. Heuristics are the main cause for massive amount of false positives. MSSE has it set to low on purpose - to minimize constant "I've detected something that sorta, kinda, might possibly, maybe, be something that remotely resembles a virus" that many other AV suites tend to get.

      So unless you're being actively targeted by zero day virii (and these tend to be costly, so private person is highly unlikely to be a target), MSSE is probably the best option on the market. It's free, it doesn't have overly tight heuristics engine telling you that compressed executables are potential viruses, it's fast because it doesn't do those intensive heuristics scans.

      And it detects most non-zero day stuff just fine.

      And that's the reality of it. If you're a company, or a person in need of some extra chance of detecting zero day threats at expense of significant loss of system resources as well as dealing with false positives, you should look elsewhere. If you're just a home user with sane security policy, MSSE is likely the best choice for you.

      I strongly recommend you read Microsoft's answer. It's very thorough in why the entire "certification" is basically yet another attempt to scare people into buying anti-malware suite.

      Below are the main bullet points of MS's answer in addition to factor mentioned above:

            1. AV-Test reports on samples hit/missed by category. We report (and prioritize our work) based on customer impact.
            2. AV-Test's test results indicate that our products detected 72 percent of all "0-day malware" using a sample size of 100 pieces of malware. We know from telemetry from hundreds of millions of systems around the world that 99.997 percent of our customers hit with any 0-day did not encounter the malware samples tested in this test.
            3. AV-Test's test results indicate that our products missed 9 percent of "recent malware" using a sample size of 216,000 pieces of malware. We know from telemetry that 94 percent of these missed malware samples were never encountered by any of our customers.

    25. Re:This is why by Luckyo · · Score: 2

      Actually, you just summarized microsoft's answer there. They even provide accurate numbers to back up your point along with making your point.

    26. Re:This is why by s.petry · · Score: 0, Troll

      You missed the biggest reason people use MS Security essentials. It's bundled, and people don't know any better. We want to think that most users are smart, but most end users are not smart. They use IE because it's there and they don't understand what Firefox is, or Chrome is. They use the MS Security tools because it's there and you don't need to know anything about security to have "security" (no matter how poor it is, the name is what matters).

      Have end users gotten smarter? Maybe, but I think it's my own wishful thinking.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    27. Re:This is why by Anonymous Coward · · Score: 0, Redundant

      Yes, you did imply that. This is harder to explain in words than I thought it would be when I started typing it up, but I'll try.

      The discussion was about how users loved it because it did its job without getting in its way, but it was a bad idea to deploy it widely because then it would stop doing its job. Then, in the recent past, it was deployed widely and as predicted it stopped doing its job.

      Your counter, that it wasn't working, implies you are talking about before the time of wide deployment. If you didn't, then your use of the word "except" was broken, because that's not an exception to what he just said.

      Not sure whether I agree or disagree ultimately. This is not that much different from the argument that Windows had more malware than other OSes because it was more widely deployed. People have varying opinions on that, though with malware scanners the "security by obscurity" shoe is on the other foot.

    28. Re:This is why by Anonymous Coward · · Score: 1

      Depends on your autoupdate settings. You probably cranked them down.

    29. Re:This is why by Anonymous Coward · · Score: 0

      End Users aren't idiots either. Okay, some are, but not all of them. When you go to google.com and it says, "hey, there's a thing called Chrome, here's a video/tour/explanation of it, why not give it a shot", you'll notice quite a few people install it. I've actually been blown away by the number of people I've come across using it that I have always thought as tech-challenged.

      I've recommended MSE to plenty of people because it's lightweight, works well, and stops 99.9% of stuff an average user would do, and probably about 90% of stuff an idiot user would do. I can't really even remember the last time I've had to help a family member, friend, colleague, etc with a computer problem related to viruses/malware, and a lot of that probably has to do with MSE, Chrome, and the average user just getting smarter.

    30. Re:This is why by mister_playboy · · Score: 1

      Security Essentials is bundled with Windows 8, but most users aren't using Windows 8 yet.

      If MSE is on any of these other computers, it got there via user action.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    31. Re:This is why by mark-t · · Score: 0

      Right... but it still is the past.... however recent. I'll concede the point that it may have been less ambiguous to use the present tense, but I was actually only trying to imitate the style of this comment:

      Users tended to love MSSE because it shut up and did its job

    32. Re:This is why by Darby · · Score: 2

      But it shut up!

      Reminds me of how I saved the day at work one time. Backups were taking forever and killing I/O intensive processes. I redirected those puppies to /dev/null and user complaints stopped.
      I got a new job not long after. Heard the old place went out of business soon after I left...something about failed DR incident. Rubes.

    33. Re:This is why by Anonymous Coward · · Score: 0

      yes it's razor sharp perfect timing and there is obviously a conspiracy

      4 fucking month delay

    34. Re:This is why by amiga3D · · Score: 1

      I installed MSSE on every windows machine I cleaned up. Once I used it once I never could bring myself to use anything else. It works well enough and it actually doesn't take over the computer. All the other ones I used seemed as if the only purpose of the computer was to run the anti-virus software. I hate MS and mostly use linux or mac but my VM's have MSSE on them and so do the boxes I clean up for friends.

    35. Re:This is why by Anonymous Coward · · Score: 0, Flamebait

      What part of "Microsoft Product" did you not understand?

    36. Re:This is why by Smauler · · Score: 1

      So unless you're being actively targeted by zero day virii (and these tend to be costly, so private person is highly unlikely to be a target), MSSE is probably the best option on the market.

      I've run a home computer for about 20 years... I got hit by one virus running win2k back in 2005.

      My policy is just to run a local (mostly hardware based) firewall, and not run anything stupid. It works.

      I'm not sure why anyone uses antivirus software, especially consumers... it just annoys, and nothing else.

    37. Re:This is why by Anonymous Coward · · Score: 0

      "That's MISTER 73210,272 to you, son!"

    38. Re:This is why by Luckyo · · Score: 4, Informative

      Because people do things like open files in emails from friends, have people they know stick USB thumb drives in their machines and so on. These are infection vectors that you can't really handle with a firewall.

    39. Re:This is why by Anonymous Coward · · Score: 0

      I work for a security company that produces anti-virus software. I can assure you that the game has not changed much at all over the years. We do add (and in some cases not remove) detections specifically for reviews/testing that we know offer no protection in the real-world -- and we have a fairly robust level of first-hand knowledge of what's out there from telemetry data coming from millions of computers.

    40. Re:This is why by Anonymous Coward · · Score: 0

      People who use the phrase "I'm sorry, but" never are, so anyone who uses that phrase can safely be deemed dishonest.

    41. Re:This is why by Sir_Sri · · Score: 1

      Only kinda. You clearly meant at some point in the past, but it's not obvious if you meant the last six months, or the last 2 years or something else.

    42. Re:This is why by mrprogrammerman · · Score: 0

      It seems like telemetry will be the downfall of Microsoft. It's the same telemetry that told them to get rid of the Start Menu in Windows 8. I haven't seen one good decision come out of their insistence on making all decisions by telemetry.

    43. Re:This is why by smpoole7 · · Score: 4, Interesting

      I'm not surprised at all.

      Our approach was to stop viruses before they got onto the computer. I remember Wolfgang(?) with Integrity Master (another system available at the time) complaining of the same thing we did: the "AV shootouts" focused entirely on scanners.

      They were easy to test! Just turn them loose on a hard drive full of virus samples and see how well they did! But what about people like us that took a different approach?

      Our ARF system not only "inoculated" the executable files, I can give away some of our secrets now. (Heh. Like it matters.) I actually became a DOS "guru" and figured out ways to hook into the OS itself. We watched the SHARE hooks, too -- an obvious vulnerability that everyone else ignored. We hooked all of the standard interrupts *inside the kernel* (we didn't just patch into the interrupt chain), we captured the "trace" interrupt to see if anyone was "tunneling," we did CRC "checksums" on the actual DOS code and other key areas.

      I'm not boasting, but we never, ever found a virus that could get past us. The worst case, the system would get confused and hang, but there would be no infection. After reboot, the system was still clean.

      Now ... how do you test that? How do you "shoot that out?" You don't. These so-called testers love scanners. SCANNERS! That's all they want to test.

      That, combined with the fact that virtually no one registered it (and the additional fact that Windows 95 had come out), made us lose interest. I briefly worked on moving the blocker into a VxD, but it wasn't worth the bother.

      --
      Cogito, igitur comedam pizza.
    44. Re:This is why by smpoole7 · · Score: 4, Interesting

      But I'll also add this condemnation of Microsoft. I haven't traced through their OS in many, many years, so to be fair to them, things like this may no longer be the case. But back in the day, they were *notorious* for repackaging the same code over and over and over. DOS was well-understood by that point and its vulnerabilities were well-known and easily exploited.

      All because Microsoft couldn't even be bothered to reassemble or recompile key parts of the kernel.

      For example, I did one of the first analysis (analysees?) of the so-called "antiexe" virus. DOS 5 through DOS 6.22 were so similar, the freakin' offsets in the kernel didn't even change(!). The entry point to the DOS kernel was in the same exact location in all. Antiexe simply looked up the DOS data segment address, then started poking in junk at the *fixed* (and known) offset of the entry point of the kernel. That way, it could bypass most current security software. (But not ours. Grin.)

      Our system also addressed a killer bug (first discovered by Geoff Chappell) that Microsoft had known about, but had apparently not bothered to patch: if the partition table was recursive -- i.e., an extended table pointed back to itself -- the computer would hang during the boot. Even booting onto a floppy wouldn't work! As soon as the kernel on that floppy started trying to examine and mount the hard drive's partitions, it would loop forever. Hang tight.

      I can't even imagine how many people carried their computers into a shop, only to have the tech tell them that their hard drive was defective. (I know of a couple of cases myself.)

      So ... believe me when I say I'm anything but a Microsoft lover. Like I said, maybe they've improved now, but back in the day, they were making money hand over fist and couldn't even be bothered to address obvious stuff like this.

      --
      Cogito, igitur comedam pizza.
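
The recursive-partition-table hang described in the comment above comes from following extended boot record (EBR) links without remembering which sectors were already visited. As an added example (not ARF's code and not part of the original thread), this C program walks an MBR/EBR chain on a small constructed in-memory disk image and stops when a link revisits a sector; the disk layout, function names and the 64-record cap are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR    512
#define PT_OFFSET 446   /* partition table offset inside an MBR/EBR sector */
#define MAX_EBRS  64    /* assumed cap on chain length for this example */
#define NSECTORS  8     /* size of the constructed sample disk */

enum ebr_status { EBR_OK = 0, EBR_LOOP = 1, EBR_BAD = 2 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int is_extended(uint8_t type) {
    return type == 0x05 || type == 0x0F || type == 0x85;
}

/* Follow the EBR chain of the extended partition at ext_start.
 * Every EBR sector visited is remembered; a link to one already seen is a loop. */
static enum ebr_status walk_ebr_chain(const uint8_t *disk, uint32_t nsectors,
                                      uint32_t ext_start, unsigned *logicals) {
    uint32_t seen[MAX_EBRS];
    unsigned nseen = 0;
    uint32_t lba = ext_start;

    *logicals = 0;
    if (ext_start >= nsectors) return EBR_BAD;
    for (;;) {
        for (unsigned i = 0; i < nseen; i++)
            if (seen[i] == lba) return EBR_LOOP;
        if (nseen == MAX_EBRS) return EBR_BAD;
        seen[nseen++] = lba;

        const uint8_t *s = disk + (size_t)lba * SECTOR;
        if (s[510] != 0x55 || s[511] != 0xAA) return EBR_BAD;

        const uint8_t *part = s + PT_OFFSET;       /* entry 0: logical partition */
        const uint8_t *link = s + PT_OFFSET + 16;  /* entry 1: next EBR, if any */
        if (part[4] != 0) (*logicals)++;
        if (!is_extended(link[4])) return EBR_OK;  /* end of chain */

        uint32_t rel = rd32(link + 8);   /* relative to start of extended partition */
        if (rel >= nsectors - ext_start) return EBR_BAD;
        lba = ext_start + rel;
    }
}

/* Read the MBR in sector 0 and walk the first extended partition found. */
static enum ebr_status scan_disk(const uint8_t *disk, uint32_t nsectors,
                                 unsigned *logicals) {
    *logicals = 0;
    if (nsectors == 0 || disk[510] != 0x55 || disk[511] != 0xAA) return EBR_BAD;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = disk + PT_OFFSET + 16 * i;
        if (is_extended(e[4]))
            return walk_ebr_chain(disk, nsectors, rd32(e + 8), logicals);
    }
    return EBR_OK;
}

static void put_entry(uint8_t *sector, int idx, uint8_t type,
                      uint32_t start, uint32_t size) {
    uint8_t *e = sector + PT_OFFSET + 16 * idx;
    e[4] = type;
    for (int b = 0; b < 4; b++) {
        e[8 + b]  = (uint8_t)(start >> (8 * b));
        e[12 + b] = (uint8_t)(size >> (8 * b));
    }
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

/* Constructed sample disk. mode 0: clean chain; 1: last EBR links to itself;
 * 2: last EBR links back to the first EBR. */
static enum ebr_status check_sample(int mode, unsigned *logicals) {
    static uint8_t disk[NSECTORS * SECTOR];
    memset(disk, 0, sizeof disk);
    put_entry(disk, 0, 0x05, 1, 7);               /* MBR: extended partition at LBA 1 */
    put_entry(disk + 1 * SECTOR, 0, 0x06, 1, 2);  /* first EBR: logical at LBA 2 */
    put_entry(disk + 1 * SECTOR, 1, 0x05, 3, 2);  /* link to second EBR at LBA 1+3 */
    put_entry(disk + 4 * SECTOR, 0, 0x06, 1, 1);  /* second EBR: logical at LBA 5 */
    if (mode == 1) put_entry(disk + 4 * SECTOR, 1, 0x05, 3, 2);  /* points at LBA 4 */
    if (mode == 2) put_entry(disk + 4 * SECTOR, 1, 0x05, 0, 7);  /* points at LBA 1 */
    return scan_disk(disk, NSECTORS, logicals);
}

int main(void) {
    static const char *names[] = { "ok", "loop detected", "malformed" };
    for (int mode = 0; mode < 3; mode++) {
        unsigned n = 0;
        enum ebr_status st = check_sample(mode, &n);
        printf("sample %d: %s, %u logical partition(s) seen\n", mode, names[st], n);
    }
    return 0;
}
```

The visited list catches both a self-referencing record and a longer cycle, and the length cap bounds the work even on a chain that never repeats.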
    45. Re:This is why by Anonymous Coward · · Score: 0

      Because people do things like open files in emails from friends, have people they know stick USB thumb drives in their machines and so on. These are infection vectors that you can't really handle with a firewall.

      I haven't heard of a virus propagating by email for a loooooong time.

    46. Re:This is why by I)_MaLaClYpSe_(I · · Score: 1

      Sorry, but last time I checked, which happened to be last weekend, MSSE found exactly one "threat" on my Win PC, which was EICAR(!).

      Kaspersky detected 280+ threats, mainly Metasploit components but Kaspersky also found threats within the Quarantine of Symantec.

    47. Re:This is why by Anonymous Coward · · Score: 0

      So was there anything active?

    48. Re:This is why by Anonymous Coward · · Score: 0

      The point is that MSSE was basically the best AV...

      Was it the best at detection rates? That's news to me.

      That said, I still have it installed because it's so unobtrusive. But I'm certainly not relying on it, or on any AV for that matter.

    49. Re:This is why by allcoolnameswheretak · · Score: 1

      Or it might have to do with the fact that today's malware doesn't wreck your computer or pop up a window "U w3R h4ck3d by h4xxOr!!!", but instead sits there silently, doing its job.

    50. Re:This is why by Anonymous Coward · · Score: 0

      You could add an md5 metadata field to NTFS and then compare md5 values for the key files on a system with their official values (received with the file initially). Then you'll know at least if the file has been altered. A simple idea that stops a lot of attacks, but never implemented.

    51. Re:This is why by Anonymous Coward · · Score: 0

      Our system also addressed a killer bug (first discovered by Geoff Chappell) that Microsoft had known about, but had apparently not bothered to patch: if the partition table was recursive -- i.e., an extended table pointed back to itself -- the computer would hang during the boot. Even booting onto a floppy wouldn't work! As soon as the kernel on that floppy started trying to examine and mount the hard drive's partitions, it would loop forever. Hang tight.

      Hey, give Microsoft some break. It took Bertrand Russell a lifetime and a cocky apprentice to get over the same problem.

      -j

    52. Re:This is why by Anonymous Coward · · Score: 0

      Do you even know why MSSE failed? It's because it doesn't flag every damn thing even remotely suspicious and doesn't burn through resources like all hell. This isn't an issue with MSSE, this is an issue with the test.

    53. Re:This is why by Anonymous Coward · · Score: 0

      Agreed. Very rarely I've seen people automatically send me messages with attachments that were generated by a virus.

      Most of the time it's just scams with malware attachments.

    54. Re:This is why by Anonymous Coward · · Score: 0

      No, unfortunately Linux does not have masses of users. On average they are probably as stupid as any other user, just no masses.

    55. Re:This is why by Anonymous Coward · · Score: 0

      Most linux users have actively chosen to run linux. That implies a greater level of awareness about operating systems than the bottom-of-the-barrel windows users have. So we're talking about cargo-cult optimizations dumb, not "MOAR_B00BIES_FOR_U.exe" dumb.

    56. Re:This is why by Jahta · · Score: 1

      Well said! This is exactly why I stopped using other AV products on my machines and the machines of family and friends that I'm "tech support" for. All I wanted was a decent anti-virus solution, but every release of AVG etc. seemed to come with more new features I didn't want and be more in my face. MSSE does a good job and doesn't bug me.

    57. Re:This is why by wildstoo · · Score: 1

      This is where the popular AV/security companies should have taken notice and met customer demands...rather than trying to bundle all this "value" shit and obtuse flashy menu and window designs.

      The reason for this is simple: out of sight, out of mind. Why would you pay for something so transparent you didn't even know it was there?

      If your AV software isn't constantly reminding you of the threat of viruses and malware, are you going to take it seriously when it comes to resubscription time?

      The companies pushing paid AV software want the user to cough up again when the user gets the "Resubscribe or face the terrible consequences!" message. They want the user to think "Hm, well this thing bugged me constantly with stupid popups and warnings, but it sure did report finding a lot of 'maliciousy-wormy-trojany-malwares' (read: tracking cookies, false positives and other nonsense) and my computer is still kinda working. I guess I'd better pay up.".

      The last thing they want the user thinking is "This thing didn't even report a single virus... so either I didn't get any, in which case I don't need it, or it just didn't detect them, in which case I don't want it."

    58. Re:This is why by Anonymous Coward · · Score: 0

      Below are the main bullet points of MS's answer in addition to factor mentioned above:

      This means nothing. All this is saying is that MSSE's built in spyware is not reporting anyone being hit by malware that it can't detect.

    59. Re:This is why by SCHecklerX · · Score: 1

      So what. AV crapware, regardless of vendor, is the wrong solution to the problem anyway.

    60. Re:This is why by Anonymous Coward · · Score: 0

      Literally none of these (or the responders to this post) problems with ESET NOD32 AV. It's pay-for, so that's a negative to many, but I've been using it for years and it's probably the fastest AV suite in the business. It also has no annoying bloat, and only tells you about potential threats when it actually finds something. It auto-updates without hooking into MS Update (a huge plus). The only reminder about licensing it has is one for your subscription running out, when they also give you a 30% discount on renewal (total of ~$30/year).

      That said, I realize that most people do not want to pay for AV and MSSE is a decent option for many, but where it comes to my computers ESET is still a superior product. They've unfortunately been slipping in AV performance in the past couple of years though, so I might have to give Kaspersky a shot - that one's still a top dog pretty much.

    61. Re:This is why by WhatAreYouDoingHere · · Score: 1

      I did read Microsoft's response, according to the article.
      This part scared me:

      “We were looking for files that slipped through because of gaps in our telemetry or file collection process. And we found that 2 percent of these files existed across 0.003 percent of our customers,” Blackbird said. “The other 94 percent of the samples don't represent what our customers encounter. When we explicitly looked for these files, we could not find them on our customers' machines.”

      Personally, I'm not opted-in to the "Microsoft Active Protection Service" portion of MSSE, but nowhere in their terms did I find that they could explicitly look for files on my machine....

      --
      "What are you doing here, Elijah?"
    62. Re:This is why by berashith · · Score: 2

      to me this just proves that the anti-virus vendors are busy making malware to be detected. Microsoft is busy making other things, and isn't spending time making shit to prove that their AV is good enough.

    63. Re:This is why by Samizdata · · Score: 1

      I know you and you know me, back from the old CompuServe/Bill Lambdin days. In fact, you actually sent me a floppy once with ARF on it.

      --
      It's not the years, honey, it's the mileage. - Colonel Henry Walton Jones, Jr., Ph.D.
    64. Re:This is why by Anonymous Coward · · Score: 0

      comparing two AV scanners in such a fashion is not particularly useful.

      If you have access (say, due to job responsibilities) to a large number of systems and in particular to ones that have been compromised (which is basically never due to AV alerts, but rather due to various misbehavior such as command and control communication detected by an IDS or blatant abuse via the botnet -- scanning, DDoS participation, becoming a file server for bad guys, whatever) -- take the recovered malware and upload to virus total where it gets run by 40+ AV engines.

      Then weep at the results and console yourself that running AV will (usually) block years old malware and forces the bad guys to take the fairly minimal effort of tweaking the malware to avoid detection.

    65. Re:This is why by Anonymous Coward · · Score: 0

      You're spending way too much time in the start menu, then.

    66. Re:This is why by a-zarkon! · · Score: 1

      Drive-by download exploit of browser or browser helper applications is prevalent. Firewalls won't help with these, and AV software can struggle with this vector as well.

      Also, for the pattern-matching component of AV software, this technology is pretty reliable once a new variant is discovered and the AV vendors know about it. There is usually a window of time when a new variant is released and infecting systems *before* the pattern is added to the AV software. This means that there are some lucky winners who have been infected. These are new variants and not necessarily targeting 0-day vulnerabilities.

    67. Re:This is why by s.petry · · Score: 1

      With Windows update, most users received a pop-up on Win 7 also. It may not be shipped, but Windows update will give you an alert if you don't have it and have Win-Update enabled. And yes most computers that ship with Windows have Windows update enabled.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    68. Re:This is why by farble1670 · · Score: 1

      linux doesn't have the masses of stupid users that windows does.

      stupid is spending your weekends trying to compile and install drivers to get your peripherals to be recognized.

    69. Re:This is why by Maritz · · Score: 1

      Yeah I recall our first email address when I was a kid was something like 3106052@compuserve.com (where you're not just a number, presumably). Ah, the Mosaic browser. Then came Almost On Line who allowed you to use actual letters/words in your email address..! I was appropriately impressed.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    70. Re:This is why by mysidia · · Score: 1

      People want security, but they don't want security at the expense of obscene performance losses.

      This is a problem... antivirus makers aren't actually selling security.

      It's impossible to secure a computer against an insecure human with admin rights; who can be exploited by new threats not detected by the scanning, or new threats having so many diverse versions that antivirus can't effectively detect them..

      Antivirus vendors are selling a FEELING or EMOTION of security. Their product is feeling that your computer is secure; to achieve that, they need to add a lot of B***S****, because the computer is not actually secure after installing their product (or just about anyone's product, that still lets the user use the computer, without taking away their admin access or ability to install/run unknown programs/web plugins/java applets after it's done).

    71. Re:This is why by Smauler · · Score: 1

      Because people do things like open files in emails from friends, have people they know stick USB thumb drives in their machines and so on. These are infection vectors that you can't really handle with a firewall.

      Yup... those are things you should be careful doing. All I'm saying is that it's pretty simple not to get a virus or malware generally. User behavior is part of the problem, and anti-virus software does not prevent that.

      My email is unfiltered - if I had it loading external resources by default, which some do (god knows why), I'd be hit by a little bit of a shitstorm every time I read it.

      I don't care about educating ignorant users any more - I used to fight the good fight, but now I just leave them to their own devices.

    72. Re:This is why by Luckyo · · Score: 1

      I think that makes for a fairly important emphasis. YOU can indeed afford to leave clueless users to their devices.

      OS maker with a significant stake in getting herd immunity for their OS? Not so much.

    73. Re:This is why by Anonymous Coward · · Score: 0

      My nagging message on the login screen only allows for 2 days of nagging before it takes matters into its own control and forces a restart. Perhaps it was a setting you made after not wanting evil microsoft to decide when to restart your machine.

  2. fs by Anonymous Coward · · Score: 1

    GROW UP >> "in North America and the world"

  3. Popularity by Anonymous Coward · · Score: 0

    It's likely one of the most popular due to:

    Free
    Least amount of bloatware

  4. Norman? Norton! by Anonymous Coward · · Score: 0, Funny

    WTF editors.

    1. Re:Norman? Norton! by amicusNYCL · · Score: 2
      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Norman? Norton! by slashmydots · · Score: 1

      I bullshit you not, there's a Norman: Security Suite Pro 9.0. I seriously doubt that's what they meant to type though, given the context.

    3. Re:Norman? Norton! by morcego · · Score: 2

      Actually, considering they are mentioning company names, and not products, I'm sure they meant Norman. "Norton" is the name of the product by Symantec, and Norman is listed on the tests.

      --
      morcego
    4. Re:Norman? Norton! by Intropy · · Score: 4, Funny

      Saxon AV has always been better.

    5. Re:Norman? Norton! by Nyder · · Score: 2

      I bullshit you not, there's a Norman: Security Suite Pro 9.0. I seriously doubt that's what they meant to type though, given the context.

      Actually both Norman (it's real) and Norton passed. http://www.av-test.org/en/tests/home-user/windows-7/novdec-2012/

      --
      Be seeing you...
  5. Lemmings.. by freeweaver · · Score: 2

    When people have invested time and money into learning and deploying a technology, there is no argument, no matter how rational, that will persuade them to use something different.

    It's a very sad state of affairs.

    1. Re:Lemmings.. by Anonymous Coward · · Score: 0

      It's called investment. Both in time and money.
      If you spent time and money developing something and then just scrap the whole idea, it is 100% waste and if you never use it you have 0 chance to make it make the money back.
      Obviously something that doesn't do the job properly shouldn't be used...but this is business we're talking about :)

    2. Re:Lemmings.. by Anonymous Coward · · Score: 0

      I only use it to placate the bosses. It doesn't have to work. I don't get viruses in the first place.

  6. Popularity by girlintraining · · Score: 2, Insightful

    Popularity shouldn't be based on the number of installs, but the number of people who use it, and how often they use it. Microsoft has more or less forced people to install Microsoft Security Essentials, so I don't think it's a fair comparison at all. I don't use it, but it's there and Windows Update gets psychotic with errors and alerts if it's uninstalled. More so than if it's not "genuine" even!

    --
    #fuckbeta #iamslashdot #dicemustdie
  7. That site is BS by slashmydots · · Score: 5, Insightful

    MSSE sucks, okay. That aside, AV-TEST is a fucking joke. Their top three products on their site are the worst overall products I've ever seen. Yes, they detect viruses. They also slow your system to a crawl, have awful user interfaces, are terribly priced, have bad scanning options, slow scanning engines, have false positives like crazy, and are generally terrible. They apparently didn't take much if any of THAT into consideration unfortunately. Obviously the tests were tailored towards certain products so the whole site is a giant joke/advertisement.

    1. Re:That site is BS by Anonymous Coward · · Score: 0

      If performance is your priority then don't use A/V.

    2. Re:That site is BS by AHuxley · · Score: 3, Interesting

      Well based on clicking the 31 producers on http://www.av-test.org/en/tests/home-user/
      Reading the 2012/2013 results for Protection only:
      BitDefender
      F-Secure
      Trend Micro
      Get 6 out of 6.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:That site is BS by LordLimecat · · Score: 3, Informative

      They actually do test for performance under the usability category, and their results (Bitdefender as top pick) match the results from the well respected AV Comparatives, and the rest of their results aren't much different-- those top 3 you mention are all AV Comparatives top picks ( http://www.av-comparatives.org/images/docs/avc_sum_201212_en.pdf )

      Might have been nice if you actually did some research before spouting off.

    4. Re:That site is BS by rjr162 · · Score: 1

      I find it odd Lavasoft shows a higher score than Kaspersky for the home Windows 7 group... yet their 3 (or 4 if you include usability) shows Kaspersky being much better than Lavasoft

    5. Re:That site is BS by Anonymous Coward · · Score: 0

      They didn't even test Vipre by GFI! Why? It's a popular solution among MSPs. That, and Trend Micro Worry Free Business which is superior to Officescan.

    6. Re:That site is BS by Anonymous Coward · · Score: 0

      Oh holy lol. Bitdefender is still a thing? I've had virus outbreaks with less negative impact than trying to roll out their software across a domain.

    7. Re:That site is BS by LordLimecat · · Score: 1

      Home AV != business AV. Avast for example has been very good over the years with their free suite, but their business software historically has, honestly, been pretty bad. (I believe they were working on a rewritten management suite, so don't know if they've gotten their act together)

    8. Re:That site is BS by mapsjanhere · · Score: 1

      On the other hand, Avast gave very reasonable licensing options for their business offerings. I used them for years simply because you self-reported the number of users you had, paid your dues and got a key working unlimited for the duration. Unlike some others where you had to register each machine, and each machine turn-over or harddrive replacement required a new activation key.

      --
      I'm aging rapidly, I bought a new game and had no idea if my machine was good for it.
  8. North America and the world? by Scorpyn · · Score: 1

    Since when is North America not part of the rest of the world?

    1. Re:North America and the world? by Anonymous Coward · · Score: 0

      Since when is North America not part of the rest of the world?

      You're not the only person posting here who can't seem to parse that sentence, so I'd say it could have been better written. What they mean is:

      Microsoft Security Essentials is the most popular security suite in North America and also in the world.

    2. Re:North America and the world? by ohnocitizen · · Score: 4, Informative

      A piece of software might be #1 in one market (the US), #1 overall (the world), but not #1 in other markets (like Europe, Japan, or South Africa).

    3. Re:North America and the world? by AaronLS · · Score: 2

      That is not what it is saying at all. It is a compound sentence that is stating two things:

      1) It is the most popular security suite in North America.
      2) It is the most popular security suite in the world.

      These things are not mutual, so it makes sense to state both. It could be the most popular in the N America, but some other AV product in China could be even more popular and hold the rank of "most popular in the World". Now I'm sure some people would say why then doesn't it fairly list off dozens of other countries, etc. I'm not going to get into all that.

      Sigh.

    4. Re:North America and the world? by Anonymous Coward · · Score: 0

      There is a slight difference in meaning. There are several products that might be the most popular in the world but not in North America. I think the Sega Genesis was like that. Most popular in the world but Nintendo was the most popular in North America. So saying 'most popular in the world' is not the same as 'most popular in North America and the world'. Since Slashdot is U.S. centric this is a more useful way to say it than just 'most popular in the world'

    5. Re:North America and the world? by Anonymous Coward · · Score: 0

      When looking at technology, statistics inside North America have a tendency to be different than every other part of the country. Things like the popularity of Macs, iphones, Symbian Mobile Devices, Blackberry usage, Linux Desktop usage, etc. More often than not there is a strong correlation, but I think here they were just emphasising that point.

      Like if you're normally a great student, but get a bad grade it would be proper to say something like "Scorpyn and the entire class failed the math test". That isn't meant to imply that you are not part of the class, but that both categories (you, and everyone including you) failed.

    6. Re:North America AND the world? by Anonymous Coward · · Score: 1

      They DO realize that North America is part of the planet, right?

      Sad, but true.

    7. Re:North America AND the world? by Anonymous Coward · · Score: 0

      Face it. If they'd said "In the world", you'd be wondering about whether China's piracy rate (or something) was artificially inflating it. If they'd said "In North America" you'd be up in arms for forgetting the EU. The way it was written clearly shows that this suite is the most popular security suite in North America. Also, this suite is the most popular security suite in the world.

      I'm rarely one to defend wording on /., but you guys are making a mountain out of a molehill.

    8. Re:North America AND the world? by AaronLS · · Score: 2

      What if 100,000 people used it in North America, and that is more than any other AV product in North America, but in China 5,000,000 use Chinese National AV Protection service (I made the name up) and no one uses MSSE outside of N America. So then MSSE wouldn't hold the title of "in the world" now would it?

      So they are stating:
      1) It is the most popular security suite in North America.
      2) It is the most popular security suite in the world.

      These things are not mutual, so it makes sense to state both. They are independent, and one does not imply the other.

      There's only one thing worse than a grammar Nazi, and that's a grammar Nazi that doesn't know grammar.

    9. Re:North America and the world? by LordLimecat · · Score: 2

      We seceded, because we were tired of having to put up with everyone else's crap.

  9. North America AND the world? by Anonymous Coward · · Score: 0

    Microsoft Security Essentials is currently (as of December) the most popular security suite in North America and the world.

    Sorry to nitpick, but seriously? Did it REALLY need to be specified that it's the most popular in North America AND the world?

    They DO realize that North America is part of the planet, right?

  10. Who cares by Anonymous Coward · · Score: 0

    I don't even recommend to use any other AV because they mostly scare users, keeps reminding them that antivirus is updated, might be out of date and do another annoying stuff.

  11. Classic by YodasEvilTwin · · Score: 2

    This is always the problem with testing AV software in a lab -- it's barely indicative of anything in the real world, and you can't truly test in the real world due to having no idea what you've missed (unless you go back and search as MS apparently did in this case).

    So the question is whether Microsoft's response is correct or FUD. Did they perform better in the real world than on this test? Do they perform better in the real world compared to competitors who did well on the test? Those are super hard questions to answer.

    I use MSE in large part because it's really lightweight. Norton is a pig and AVG never failed to fuck itself up on my system. And so far I've had no malware issues, so I'm inclined to believe them here even though my experience is anecdotal.

    1. Re:Classic by David_Hart · · Score: 1

      I use MSE in large part because it's really lightweight. Norton is a pig and AVG never failed to fuck itself up on my system. And so far I've had no malware issues, so I'm inclined to believe them here even though my experience is anecdotal.

      I used McAfee for the last 10 years, which tends to be a hog as well, but did a good job at protecting my system.

      When I recently built my new Windows 8 system I considered using MSE, but the problem is that I still don't fully trust it. I did some research and decided to go with Avast! So far, I find it to be very lightweight and was happy to find that they also have a mobile Android version.

    2. Re:Classic by Anonymous Coward · · Score: 0

      I used a rock in my pocket for the last 10 years, which tends to be considered unorthodox, but did a good job at protecting my system. Honestly, I have never had one good reason to put A/V on my computer. I know what I'm doing. I know when I'm screwed. I backup. I limit my own access. I have one computer in particular that I use for unsafe browsing. Nothing is saved on it so a refresh is easy. Seriously, what are people running that this is really a problem. I hear about drive-by website downloading stuff. What, do they have every plug-in and active-x set to accept anything?

    3. Re:Classic by farble1670 · · Score: 1

      I considered using MSE, but the problem is that I still don't fully trust it

      why? what exactly makes you trust it less than Avast!? your post is written like a (bad) sales pitch.

      was happy to find that they also have a mobile Android version.

      have you looked into what that android version actually does? the answer is: not much. it will alert you if you install a known malware application. that's it.

      the android security model prevents apps from reading the data of other apps, or from doing system level things like key logging or sniffing network packets. if you've rooted your device however then all bets are off (and your AV software isn't going to help).

  12. "Independent" by Anonymous Coward · · Score: 2, Insightful

    I doubt this company tests all those AV suites out of the kindness of their own heart. A "test" commissioned by the for-profit AV industry is going to show their products in a favorable light. (Or you'll never see it published)

    AV at this point is damn near snake oil. Well, at least anything beyond the coverage that MSE provides. It keeps old threats from spreading, which is good. It's damn foolish to be hit by a 2 year old virus. In the enterprise/business having an AV suite is just a PR move. A CYA to show that you put a token of effort in to protecting your systems. (Hey! We had an AV suite. It's not our fault our network is riddled with worms)

    But the real threat is still the new stuff. The bad guys still do quite well for themselves even if they have to write a new virus every few weeks. Who gives a wet fart about how well your signature based AV suite (which they all are) does against zero day threats? Nobody. Because it's impossible for a signature based AV suite to offer any kind of effective defense against unknown threats.

  13. Return fire! by slashmydots · · Score: 5, Informative
    1. Re:Return fire! by Frosty+Piss · · Score: 4, Informative

      An interesting part of the El Reg story:

      The AV-Test results show that Microsoft's twin security programs protected against 100 per cent of known threats, as did every other security suite. The two packages produce low rates of false positives in comparison to the competition and are significantly lighter on processor load during operations.

      But where Redmond is falling down is in protecting against zero-day attacks. Security Essentials and Forefront both scored last in this regard among all the suites tested, getting 78 per cent of zero-days apiece. Blackbird said that AV-Test attached too much importance to the zero-day threat in its metrics, since that section of the testing accounts for 50 per cent of the final score, but Marx argued that zero-day performance was crucial to real-world threats.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Return fire! by AHuxley · · Score: 1

      Ty, interesting comments.
      You can get amazing results with a database of older, known threats.
      Or you can work very hard and offer products that try to protect against zero-day malware.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Return fire! by TheLink · · Score: 3, Insightful

      But how do they test for effectiveness against zero-day attacks? Where do they get the zero-days from? If I'm a virus author I'd test my zero day with one of those websites ( http://www.makeuseof.com/tag/7-reliable-sites-quick-free-anti-virus-scan/ ) that scan for viruses with practically all the AV software in the market.

      So the zero day when finally released will NOT be detected by ANY of them!

      Maybe what an AV vendor could do is secretly work with these AV websites to detect suspicious activity..

      --
    4. Re:Return fire! by stymy · · Score: 1

      There seems to be an obvious reason for why MSE has a low detection rate for zero days. It has a very low false positive rate (I've yet to get one, while I've had several with other anti virus programs) but that comes with a lower rate of detection for malware that's unknown to it.

    5. Re:Return fire! by Luckyo · · Score: 4, Insightful

      Heuristics. Basically AV vendors set their software to look for something, anything that could be judged as "virus like" and flag it.

      As a result, tester's top AV software picks are also top picks in hogging system resources, and tend to produce ridiculous amounts of false positives. Because that's what massively overly tight settings on heuristics engine will do. But AV vendors sell FEAR first and foremost. The more "scary stuff" their AV finds, the more likely user will think "oh this AV just saved me from losing my bank account!" and buy more.

      MSSE has worst success in zero day detection because their heuristics engine is one of the more sane ones on the market. It's light on resources and rarely (in comparison to the top picks of that tests) produces false positives. As a result, it also has a higher chance of missing zero day stuff that might have been detected by extremely aggressive heuristics scanner.

    6. Re:Return fire! by Skuld-Chan · · Score: 3, Informative

      Real World (TM) experience here - we use McAfee in our enterprise (happens to be a university) and if I had a dollar for every zero-day Virus that goes completely unchecked by McAfee I could quit my day job. McAfee went weeks on the Mac before it could even detect Flashback - as a good example.

      Virus scanners only catch low hanging fruit - I wouldn't count on them for detecting zero-day attacks and vulnerabilities - because they don't work.

    7. Re:Return fire! by Ecuador · · Score: 1

      And, that is the most relevant quote.
      MSSE is as competent in known threats, while giving less false positives and being significantly lighter.
      You don't have to be an anti-virus developer to realize that of the three desirable characteristics: "good at zero day", "few false positives", "light/fast" you can only get up to 2. And Microsoft does get 2 here and, according to that same test, they get those 2 pretty well.
      And of those 3 characteristics, I have to say Microsoft bet on the right 2, since apart from the fact that they make for a MUCH less annoying product for the 99% of users (the only AV I recommend nowadays), Microsoft is at a disadvantage trying to be good at zero day: every malware maker has MSSE and can test it against his creation, making sure it can "pass".

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    8. Re:Return fire! by Anonymous Coward · · Score: 1

      Well, it's already known that virustotal will pass your samples on to AV companies.

    9. Re:Return fire! by TheLink · · Score: 1

      But where do they get the zero days from? Do they write them themselves?

      In the real world why wouldn't a malware author make sure his/her malware passes all AV tests? Then that author's final released zero day wouldn't be detected by any of the AV software out there.

      --
    10. Re:Return fire! by Alarash · · Score: 1

      For computers I'll stick to MSSE - if they have a catch rate of 100% of known signatures without a big performance hit, it matches my need. For the rest I use a UTM (Fortigate, but it could be another kind - I just want the detection engine to be different than the heavy client on the computers).

      People should know that you just cannot avoid a targeted attack - if RSA and their best-in-class network security can get infected because they were a specific target, you will too. If a Nuclear Power Plant (Natanz) can get fucked up by clever malware, you will too. It all comes down to mitigating the impact of being infected, and being able to tell very efficiently how, when and what leaked out of your network (most malware are used for data leaking).

      Protecting against 0-day is very hard, and there should be reasonable effort for that. But if at least companies would patch their vulnerabilities in a timely fashion (hello Oracle/Adobe) we'd have to rely less on 0-day detection - they would be mostly for targeted attack, and you need a whole different kind of protection against that.

    11. Re:Return fire! by Anonymous Coward · · Score: 0

      Years after love-letter, one of my colleagues tried downloading and executing the virus. I've never seen anyone unplug a network cable, as when he realized that McAfee still did not catch it.

      Several weeks is nothing.

    12. Re:Return fire! by Anonymous Coward · · Score: 0

      The problem is Forefront is not the latest revision of that product. It's now System Center Endpoint Protection

    13. Re:Return fire! by Anonymous Coward · · Score: 0

      I can't claim to know how they do it, but if I were going to test this, I'd just grab all the viruses that are new in the last six months and test them against a copy of each antivirus that hasn't been updated in six months. Then, if they detect the virus, they would have detected it when it was first released as well.
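
The retrospective test suggested in the comment above, combined with the heuristic-threshold trade-off raised elsewhere in this thread, as an added example that is not part of any original comment and not AV-Test's method. The scanner, sample names, hashes, dates and suspicion scores are all constructed assumptions.

```python
"""Toy retrospective AV test: signatures frozen at a cutoff date, heuristics
swept over several thresholds. Every sample, hash, date and score below is
constructed for illustration; none comes from AV-Test or any vendor."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sample:
    name: str
    digest: str        # stand-in for a file hash (constructed)
    first_seen: date   # when the file first appeared in the wild
    malicious: bool    # ground truth known to the tester
    suspicion: int     # 0-100 score from a hypothetical heuristic engine


FREEZE = date(2012, 6, 1)  # hypothetical date the signature set stops updating

SAMPLES = [
    # Malware older than the freeze date: signatures exist for these.
    Sample("old-worm-a", "h01", date(2010, 3, 1), True, 40),
    Sample("old-trojan-b", "h02", date(2011, 7, 9), True, 20),
    Sample("old-dropper-c", "h03", date(2012, 1, 15), True, 85),
    Sample("old-bot-d", "h04", date(2012, 5, 30), True, 10),
    # Malware first seen after the freeze: only heuristics can catch it.
    Sample("new-variant-e", "h05", date(2012, 7, 2), True, 90),
    Sample("new-variant-f", "h06", date(2012, 8, 11), True, 75),
    Sample("new-variant-g", "h07", date(2012, 9, 20), True, 60),
    Sample("new-variant-h", "h08", date(2012, 10, 5), True, 45),
    Sample("new-variant-i", "h09", date(2012, 11, 18), True, 30),
    # Benign software, including an obscure new program that looks unusual.
    Sample("office-suite", "h10", date(2011, 2, 2), False, 5),
    Sample("browser", "h11", date(2012, 4, 4), False, 10),
    Sample("backup-tool", "h12", date(2012, 7, 7), False, 20),
    Sample("self-extracting-installer", "h13", date(2012, 8, 8), False, 35),
    Sample("packed-driver-updater", "h14", date(2012, 9, 9), False, 50),
    Sample("obscure-new-game", "h15", date(2012, 10, 10), False, 65),
]


def build_signatures(samples, freeze):
    """Signature set as it would look if updates stopped at `freeze`."""
    return {s.digest for s in samples if s.malicious and s.first_seen <= freeze}


def scan(sample, signatures, threshold):
    """Return which engine flagged the file, or None if it passed."""
    if sample.digest in signatures:
        return "signature"
    if sample.suspicion >= threshold:
        return "heuristic"
    return None


def evaluate(samples, freeze, threshold):
    """Return (flagged, total) per category for one heuristic threshold."""
    signatures = build_signatures(samples, freeze)
    counts = {"known": [0, 0], "zero_day": [0, 0], "false_positive": [0, 0]}
    for s in samples:
        if not s.malicious:
            bucket = "false_positive"
        elif s.first_seen <= freeze:
            bucket = "known"
        else:
            bucket = "zero_day"   # malware the frozen signatures never saw
        counts[bucket][1] += 1
        if scan(s, signatures, threshold) is not None:
            counts[bucket][0] += 1
    return {k: tuple(v) for k, v in counts.items()}


if __name__ == "__main__":
    for threshold in (80, 55, 25):   # conservative -> aggressive heuristics
        r = evaluate(SAMPLES, FREEZE, threshold)
        print(f"threshold {threshold:>2}: "
              f"known {r['known'][0]}/{r['known'][1]}, "
              f"zero-day {r['zero_day'][0]}/{r['zero_day'][1]}, "
              f"false positives {r['false_positive'][0]}/{r['false_positive'][1]}")
```

Known-malware detection stays complete at every threshold because it comes from signatures; only the zero-day and false-positive counts move, and they move together.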

    14. Re:Return fire! by makomk · · Score: 1

      They do more than look for things that are "virus like". At least in the case of Avast!, they now block any application that's new or obscure just in case it might be zero-day malware, and I believe other antivirus companies do the same thing. This means they're 100% effective against new malware at the cost of having a 100% false positive rate on new or exotic software. Doesn't even have to be that obscure either - I've had Avast block a moderately well-known game off Steam because not enough people run it to be sure it's safe.

      In practice, I expect most users either just click "Yes" reflexively or turn off that part of the scanner altogether, so it provides very little actual protection against threats - but it sure looks good in the benchmarks.

  14. My response in 3 words by s.petry · · Score: 0, Troll

    Ha Ha Ha!

    Does anyone else remember Microsoft DOS 6 with AV built in? It was defeated by every virus writer imaginable before it was released. Hell, even VCL (virus creation lab) had it circumvented before released.

    Okay, but seriously. If anyone trusts a company with a known history of abuses to audit and secure themselves, PT Barnum had you pegged.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:My response in 3 words by yuhong · · Score: 1

      Of course, DOS 6 is almost 20 years old now. And AFAIK, this was licensed from Central Point, which continued to provide definition updates until 1996 or so.

    2. Re:My response in 3 words by smpoole7 · · Score: 3, Interesting

      > Microsoft DOS 6 with AV built in ... was defeated by every virus writer

      That's because MSAV included the classic, textbook example of "security through obscurity." Utilities like FORMAT and FDISK would do the same things as some malware, which would cause false alarms. The users would be terrified by this, so there was a solution: a "secret" (wink, wink!) system call in the OS that their utilities used to temporarily disable the alarms. (!!!)

      It was top secret ... so naturally, everyone knew about it. A call to disable VSAFE became one thing that EVERY DOS virus writer put at the top of his code. Naturally. Of course.

      Ah, you're bringing back memories now. :)

      --
      Cogito, igitur comedam pizza.
    3. Re:My response in 3 words by Anonymous Coward · · Score: 0

      DOS AV might have sucked but it was better than nothing when you pulled out a 2 year old diskette with the monkey virus on it. Most people weren't online and sneakernet viruses spread very slowly.

  15. North America AND the world? Yes. by DragonWriter · · Score: 4, Informative

    Did it REALLY need to be specified that it's the most popular in North America AND the world?

    Yes.

    They DO realize that North America is part of the planet, right?

    And yet, it's quite possible for something to be the most popular in North America but not the most popular in the world, or vice versa. So, inasmuch as both "North America" and "the world" are interesting scopes of analysis, it is meaningful to identify that MSSE is the most popular in each of those scopes.

  16. Correct you if you're wrong, but... by VortexCortex · · Score: 5, Interesting

    So long as you keep your software updated then there's not really much of a point other than the chance you'll spread an infected file onward without being infected yourself.

    Think. No, that's not good enough, think some more: Viruses (we are explicitly talking viruses here, says "Antivirus" right in the test and headline) exploit unpatched vulnerabilities (mistakes) in software. Patched software is immune to the prior vulnerabilities, so AV won't "protect" you from things you're immune to. It also won't protect you from viruses with signatures that it doesn't know about. So, What's the point of wasting all those CPU cycles scanning? Oh, maybe you got infected and it could remove it later? WRONG. Viruses actually mutate, say a malware author snags a virus, they reverse engineer how the payload is delivered and they change the payload to theirs and send it on its way -- The malware can even install other malware once it gets running. So, the (automated) removal options/instructions are probably not complete if the code has ever had a chance to run before. Ah, so now you may be thinking that it's exactly the reason why you'd waste CPU time on an AV scan, to detect infection so at least you'll know -- Except that's just silly. Think. If you were a spy and I asked you if you were a spy then would you say yes? An AV running in an infected machine can not reliably determine the state of the infected machine. AV: "Any Viruses here" Virus: "Nope!"

    Often times I'll get people telling me, no matter which AV product they're using, that their machine is working strange, slower, showing adverts and wrong websites, and their AV will be chugging along saying everything is fine. You get more reliable warning from the malware itself! "You may have been Infected with 2042 viruses!" the scareware will prompt every boot, while Norton, or McAfee, or AVG, or ANY AV product I run across the infected machine says the coast is clear. You can't "remove" malware -- Nuke it from orbit, and re-install, it's the only way to be sure.

    Look, people, hardware supports virtualization now. If you're NOT running your Windows boxen in a VM, then you're not concerned enough about security to benefit from an anti-virus anyway. Boot from a known clean state, maybe even a LiveCD/USB then do your virus scanning from there if you want to be able to detect anything with any degree of certainty, and even then it's questionable. If your data partition is separate from your (virtual) OS partitions then you can just always run (or restore) from a known good snapshot, and install updates to the known good snapshots, then make another snapshot before you do anything else.

    I'm no Microsoft apologist, I don't have to worry about such things as much anymore because I use an OS that gets the patches out much faster than MS does, but I can certainly see where the people who understand the issues in Microsoft might realize that Antivirus isn't really the right option anyway, it's just a waste of time and there are other better solutions... Windows Steady State (or whatever it's called now), for example.

    "Insanity: doing the same thing over and over again and expecting different results."
    "The significant problems we face can not be solved at the same level of thinking we were at when we created them."
    - Albert Einstein

    1. Re:Correct you if you're wrong, but... by phantomfive · · Score: 1

      Yeap, if you care about security, virus protection is a joke.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Correct you if you're wrong, but... by futhermocker · · Score: 1

      You are right on most parts. But not all viruses need a bug to be effective. Think ransomware, which might start encrypting your files. That is why a decent AV also has a heuristics engine, to detect unusual behavior based on known tricks and assumptions.

      --
      KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
    3. Re:Correct you if you're wrong, but... by AaronLS · · Score: 1

      If I am to understand that you are saying antivirus is pointless, then I disagree. I do agree with some of your points on other ways to mitigate risks. However, VM is not viable for majority of users because VMs haven't mastered the pass through needed for some important hardware. It is also a conceptual layer of abstraction that many lay users will find too confusing. Eventually everything they have is installed in the VM. You can't expect them to constantly make good decisions about how to separate programs into separate VMs. They get a virus, and their VM is toast, well they used the VM all the time, so that's about the same as losing everything on their computer anyway. Besides, many applications are already using app level virtualization to isolate threats and render them ineffective. Not only do malware writers have to find a vulnerability in the browser, they also have to find a vulnerability in the sandboxing. Hence, when a vulnerability is released, it has limited effectiveness without also a vulnerability that allows breaking out of the sandboxing. Trying to find both in the same time period that are unknown/unfixed is more challenging. Same reason why Flash is sandboxed in Chrome. Java plugin, unfortunately, is not sandboxed, and thus recent exploits are not limited by sandboxing in Chrome.

      This goes to why it is probably more important that vulnerabilities be patched quickly and effectively and provide encouraging channels for early private disclosure of vulnerabilities.

      "while Norton, or McAfee, or AVG, or ANY AV product I run across the infected machine says the coast is clear."
      You got to the fire too late. The house is already burned down. You can't reasonably expect AV to find a virus after the fact. Hence the reason scanners are usually ineffective. This is why most AV has hooks (AKA realtime protection) into low level OS where every file access/execute is monitored, to prevent the malware from even being executed and infecting the system. Once it infects a system and gains enough access, it can take a wide variety of steps to hide itself from other processes, and then after-the-fact scans won't find it. However, most scareware I've encountered isn't that sophisticated. They don't make money off long-term infections the way botnets do. They only need to go as far as getting on the system and hoping the user is stupid enough to buy the scareware when they start getting prompts/reboots. They don't make the effort to hide, because to any trained individual, it's obvious from the prompts that it is infected. Run malwarebytes to remove it, and they never have a problem again.

      This is like saying we should abolish all laws because some laws do not stop crime 100% of the time. Heck, laws, which are supposed to prevent things far worse than a computer virus, probably don't have the success rate of MSSE.

      Now I'm not making excuses for MSSE, I think protecting against 0-day threats is indeed important, and it is a very challenging problem indeed. There was a time when heuristic analysis was not part of AV products. You simply hoped that they would release an update fairly quickly, and the automatic updates would pick it up before the 0-day made it to you.

    4. Re:Correct you if you're wrong, but... by Anonymous Coward · · Score: 0

      I dispute your premise. First, you assume that viruses do not take advantage of 0days. This is false. Second, you assume that software patches are released by the vendor immediately after the issue is known to the bad guys. This, again, is false. Just think of the full disclosure path (keep in mind that I am neither arguing for nor against FD, just pointing out a well known side effect) where the bad guy learns about the vuln at the same time as the good guy. The vendor needs to investigate and code up and test the patch, and that takes time - time which the virus writer can try to exploit the vuln. Third, you assume that patches are installed at the instant that they are released by the vendor. Again, untrue. There is lag time during which customers download the patch. Downtime often needs to be scheduled, so the patch may not be immediately installed. Patches often break other stuff, so in many environments, patches must be thoroughly tested before they can be installed in production. And some industries have freezes, during which it would take an act of god (or enormous penalties) for modifying production code - if the vuln comes out during freeze, it waits to be patched.

    5. Re:Correct you if you're wrong, but... by WhatAreYouDoingHere · · Score: 1

      "Insanity: doing the same thing over and over again and expecting different results."

      Whoever said this was an idiot. It is not possible to do the same thing more than once. The very fact that you have done something before will make it a different thing the next time.

      --
      "What are you doing here, Elijah?"
    6. Re:Correct you if you're wrong, but... by WhatAreYouDoingHere · · Score: 1

      "Insanity: doing the same thing over and over again and expecting different results."

      Whoever said this was an idiot. It is not possible to do the same thing more than once. The very fact that you have done something before will make it a different thing the next time.

      --
      "What are you doing here, Elijah?"
    7. Re:Correct you if you're wrong, but... by Anonymous Coward · · Score: 0

      As for the VM thing - you do know that you can boot directly to a VHD (Win7) and it has full hardware support -> http://technet.microsoft.com/en-us/video/windows-7-boot-from-vhd.aspx - giving you the benefits of a single file backup/restore (the vhd) as well as full hardware support. Just sayin.

  17. Kind of funny. by plebeian · · Score: 5, Funny

    Does anyone else think it is kind of funny that the Microsoft response is (to paraphrase); We did not detect any of the software they say we could not detect. That being said they may have a real point that their software is designed to detect real world threats and not proof of concepts that never leave the lab. Without more in depth analyses than I am willing to do, I can do little more than jump to conclusions based upon my own personal bias.

    --
    "I myself am made entirely of flaws, stitched together with good intentions."
    1. Re:Kind of funny. by Todd+Knarr · · Score: 2

      Though, how often have we seen the statement "That's only a proof-of-concept, there's no need to worry about it because we haven't seen it in the wild." followed within weeks by announcements of that same malware appearing in the wild (and usually on a large scale)? I've long since filed "It's only a proof of concept." right alongside "What could possibly go wrong?" as a virtual guarantee that Murphy'll be visiting shortly.

    2. Re:Kind of funny. by v1 · · Score: 2

      A substantial part of their score was for things that very specifically were not actively being exploited. They were testing the heuristics to see if it could identify "virus and malware-like behavior". You can't rely on software updates and AV definition updates to protect you from zero-days, that's 100% on the head of your AV software to keep you safe from.

      And MS fails miserably at protecting users from zero-days. They flunked, and they deserved to flunk. There are just too many new viruses and malware being developed every day to try to function on a blacklist-only basis. Some behaviors need to be whitelist only, and quite a few need to be greylisted with heuristics so that your system survives long enough for the new exploit to get added to tomorrow's definitions file.

      --
      I work for the Department of Redundancy Department.
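
Added example, not part of any comment in the thread: a minimal sketch of the contrast drawn above between blacklist signatures and behaviour heuristics, using the ransomware case raised earlier ("might start encrypting your files"). The process names, paths, thresholds and file events are all constructed for illustration and do not describe how MSSE or any real product works.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def pseudo_random(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


# --- Blacklist side: exact-hash signatures -------------------------------
KNOWN_SAMPLE = b"constructed-known-sample"          # placeholder, not real malware
KNOWN_BAD = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(blob: bytes) -> bool:
    """True only for byte-identical copies of a sample already in the list."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD


# --- Heuristic side: "many files rewritten with high-entropy data, fast" --
WINDOW_SECONDS = 10      # assumed thresholds, chosen for the sample data
MIN_FILES = 5
ENTROPY_THRESHOLD = 7.5


def flag_mass_encryption(events):
    """events: (timestamp, process, path, written_bytes), sorted by timestamp.

    Returns the processes that wrote high-entropy data to at least
    MIN_FILES distinct paths within WINDOW_SECONDS.
    """
    recent = defaultdict(deque)          # process -> (timestamp, path) pairs
    flagged = set()
    for ts, proc, path, data in events:
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue                     # plain text, documents, logs
        window = recent[proc]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()             # forget writes outside the window
        if len({p for _, p in window}) >= MIN_FILES:
            flagged.add(proc)
    return flagged


TEXT = b"meeting notes, quarterly numbers, todo list\n" * 100


def build_events():
    """Constructed file-write events for five hypothetical processes."""
    events = [(90, "editor.exe", "C:/Users/a/notes.txt", TEXT)]
    # Bulk writer, but low-entropy content: not flagged.
    events += [(100 + i, "backup.exe", f"D:/backup/doc{i}.txt", TEXT)
               for i in range(8)]
    # Six user files rewritten with high-entropy data in six seconds: flagged.
    events += [(100 + i, "unknown.exe", f"C:/Users/a/doc{i}.docx",
                pseudo_random(f"u{i}")) for i in range(6)]
    # High entropy, but only two files: below MIN_FILES.
    events += [(101 + i, "zipper.exe", f"C:/Users/a/archive{i}.zip",
                pseudo_random(f"z{i}")) for i in range(2)]
    # High entropy, six files, but 12 seconds apart: never fills the window.
    events += [(100 + 12 * i, "slowsync.exe", f"C:/Users/a/vault{i}.bin",
                pseudo_random(f"s{i}")) for i in range(6)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print("exact copy matched:   ", signature_match(KNOWN_SAMPLE))
    print("1-byte variant matched:", signature_match(KNOWN_SAMPLE + b"\x00"))
    print("heuristic flags:       ", flag_mass_encryption(build_events()))
```

Legitimate archivers and disk-encryption tools also write high-entropy data in bulk, which is why a rule like this feeds a greylist or a user prompt rather than an outright block.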
    3. Re:Kind of funny. by Anonymous Coward · · Score: 0

      Except the overwhelming majority of zero-day viruses NEVER hit the overwhelming majority of users which is Microsoft's whole point.

      Microsoft is basically taking the position, "If you're a private user, 99.9+% of you won't be hit by zero-day viruses so it doesn't matter. The 0.1% of you? Tough luck. If you're an enterprise/serious user, you should be rich/smart enough to be using serious anti-virus software anyway."

      AV Test is basically saying, "You're not doing enough to protect the 0.1% and enterprise/serious users! You FAIL!"

    4. Re:Kind of funny. by Todd+Knarr · · Score: 2

      Except that the reason so few get hit with the zero-day stuff is because of all the people running AV software that WILL detect it and report it so it can get added to the lists. If everybody were running MSE, the majority WOULD be getting hit with zero-day stuff because there wouldn't be any alerts for it until days or weeks after an infection started spreading. In infectious-disease circles it's called "herd immunity": if a sufficiently large portion of the population is immune to a disease (through vaccination or natural immunity), those who aren't are protected simply by never coming in contact with any infected individuals. But as soon as the fraction of immune/protected individuals drops below that critical point, the protection rapidly disappears. And it's not a linear decline, it's almost an exponential drop-off in protection once you drop below the critical level. That's why, BTW, we're seeing outbreaks of diseases today that haven't been common since the 50s or earlier. Vaccinations virtually wiped them out mid-century, but now we've got generations who didn't get as consistently vaccinated because "That's all been wiped out, and anyway everyone's vaccinated so who's going to give it to my kid?". Herd immunity breaks down and hey presto, clusters of diseases that were supposed to have been wiped out start popping up.

    5. Re:Kind of funny. by Omestes · · Score: 1

      They flunked, and they deserved to flunk.

      And I'm still going to keep using it. It does detect 100% of viruses in the wild (or 99.99% according to MS and the AV testers), and it doesn't bog down my system with paranoia mode heuristics, or throw up a false positive every time I install something (or worse automatically kill, I've had Norton refuse to let me install a boxed copy of Office).

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    6. Re:Kind of funny. by plebeian · · Score: 1

      Ultimately the goal is to have a functional computer that does not unreasonably expose you to viruses. If we have a program that scans all code against all known and potentially unknown vulnerabilities it would adversely impact the function of a computer system. Most of the products that do a halfway decent job of detecting viruses are the ones that cause the greatest impact to performance. The real question is what level of impact are you willing to put up with. I don't think any of the antivirus solutions built for Windows offer a perfect solution. My largest gripe with current AV products is that they impact the functionality more than necessary. I would love to get the AV exec who said "Let's add a firewall that is less functional than the one Windows has built in" or "let's put an unnecessary toolbar in IE so that the people who are limited to a 1024x768 display can no longer properly view web-forms optimized for that size display" in a room.

      --
      "I myself am made entirely of flaws, stitched together with good intentions."
  18. Hardly matters..... by Dega704 · · Score: 1

    Personally I think this is pretty much irrelevant. The antivirus model in general is extremely dated and ineffective. I see infected machines left and right with every antivirus out there. I usually install Security Essentials simply because it is lightweight and has no leg-humping pop-ups every time you so much as scratch your nose. Otherwise the most effective protection is to remove every security hole-ridden piece of crapware and browser add-on that you don't use (yes that includes Java), install an ad-blocker, and don't be a freaking retard about what you click on and/or download. So long as people expect their antivirus to be a magic malware-blocking forcefield (and as long as the vendors continue advertising them as such), this problem will not get any better.

  19. minor correction by Anonymous Coward · · Score: 0

    AV-Test’s review looks at three key areas of security software, including protection, reparability, and usability of the whole computer based on the software’s impact. Across those three areas, Microsoft Security Essentials scored a 1.5 out of 6 on protection against viruses and worms, a 3.0 out of 6 on a reparability scale, and a 5.5 out of 6 on the usability scale, where “lower values indicate better results.” This is incorrect, higher values indicate better results, otherwise this article would be about how great MSE is at detecting viruses and worms, but how no one uses it because the usability is awful.

    From the AV-TEST test results, it appears the issue with MSE doing poorly in this test is a poor score in protection against 0-day malware attacks (~70% vs an average of ~90% protected) and in detecting relatively newer malware "Detection of a representative set of malware discovered in the last 2-3 months" (~90% vs an average of ~97% detected). Although things like "representative sets" could potentially be used in a biased manner...

  20. Shade of gray by alexo · · Score: 4, Insightful

    If performance is your priority then don't use A/V.

    How about: "If security is your priority then keep your computer powered off."

    Obviously there are various trade-offs between these two extremes.

  21. Re:Like I said... by Anonymous Coward · · Score: 0

    Let me know once you've successfully installed Norton OS 5.0, AVG OS 3.2 or even AVAST! OS 13.5...

  22. Glad we can trust these guys... by Slyswede · · Score: 2

    From the article:

    “The other 94 percent of the samples don't represent what our customers encounter. When we explicitly looked for these files, we could not find them on our customers' machines.

    Or in other words: "Thank you for installing the software necessary to allow us to browse through the contents of your computer when we feel like it and report any interesting findings back to us..."

    All in good faith, of course.

    1. Re:Glad we can trust these guys... by Scorpyn · · Score: 1

      There are settings for whether they are allowed to check that though.

    2. Re:Glad we can trust these guys... by AaronLS · · Score: 2

      Exactly, there is a pretty explicit step that involves allowing them this access when setting up MSSE. It is the same thing they use to collect information on new threats and improve the software.

    3. Re:Glad we can trust these guys... by Anonymous Coward · · Score: 0

      I got Windows 7 with my laptop. MSSE has never made a peep. I can see in Windows Updates that it is being updated all the damn time...I've never seen any settings or a scan go off though. It's just been dead silent...for a year.
      I'm not even sure how to get to MSSE or if it does anything at all.

    4. Re:Glad we can trust these guys... by fluffy99 · · Score: 1

      There are settings for whether they are allowed to check that though.

      Yup, you can check a box to allow MS to upload info about files it's unsure of. It's just uploading checksums and not the actual file. Other antivirus software such as Symantec Endpoint Protection does exactly the same thing.

    5. Re:Glad we can trust these guys... by Omestes · · Score: 1

      It doesn't work, or you don't have any malware.

      It is pretty silent on my PC too, and has been since I installed it when it came out. I generally do a full sweep once a year with a heavier program though, and it is always clear. I like this, Norton and Avast threw up warnings for inane things, like installing games, or MS Office. Avast even deleted some system files by mistake once, without letting me say no. Norton flat out refused to let me install Office once, a new, boxed, copy fresh from MS themselves.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
  23. Not Certified? Norman vs Norton? by DERoss · · Score: 1

    I went to the AV-Test Web site at http://www.av-test.org/en/home/. First of all, there is indeed a Norman Security Suite at http://safeground.norman.com/us/home_and_small_office. AV-Test listed Norton under Symantec. Yes, AV-Test evaluated both Norton and Norman.

    For home users of Windows XP, Microsoft's Security Essentials has an AV-Test certified seal with a test date in August 2012. For corporate users of Windows XP, Microsoft's Forefront Endpoint Protection has an AV-Test certified seal with a test date also in August 2012. Neither product has the certified seal for Windows 8. But then how many corporate users have actually adopted Windows 8?

    Besides AV-Test, there is also ICSA Labs at https://www.icsalabs.com/. ICSA Labs also reports on Norman.

    ICSA Labs certifies Microsoft Security Essentials for home users of Windows XP and Microsoft Forefront Endpoint Protection for Windows 7 without any dates indicated. Apparently, ICSA has not certified any anti-virus applications for Windows 8.

    I use AVG 2013 Free, which is certified by AV-Test but has not been evaluated by ICSA Labs since 2005 (many versions ago). I also prefer to go to the original sources of information on software -- AV-Test and ICSA Labs in this case -- not to news reports often written by reporters who might not understand the subject.

  24. Too Bad by epp_b · · Score: 0

    Other than its actual effectiveness, I guess, I really like MSE for its clean, no-nonsense UI -- as opposed to every other AV software maker has elected to use some batshit redarted-ass UI that changes on a daily basis because AV software is otherwise boring and unglamorous.

  25. Shady AV companies by futhermocker · · Score: 4, Interesting

    I am convinced there must be at least ONE shady AV company that creates viruses to make money. Hard to prove, but very well possible.

    --
    KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
    1. Re:Shady AV companies by smpoole7 · · Score: 1

      > I am convinced there must be at least ONE shady AV company that creates viruses

      Heh. We speculated about that all the time back when I was writing AV software. I know there were a few cases where "proof of concept" stuff magically sneaked out of the lab, but to be fair to the companies involved, they immediately sent full details to all of their competitors.

      But you do have to wonder. :)

      And if you consider those "are you sure you want to close this window?" online popup scams, they DO install malware. I guess it's just a question of whether you consider them a "shady AV company" or just outright bad guys. (I vote for the latter, myself.)

      --
      Cogito, igitur comedam pizza.
    2. Re:Shady AV companies by fluffy99 · · Score: 4, Interesting

      Kaspersky was accused of this when it was noticed that their definition files contained signatures for some zero-days that hadn't been seen in the wild yet.

  26. It's important to keep up on these things. by apcullen · · Score: 1

    I used to read the AV comparisons once in a while. MS Security Essentials used to score fairly high on these tests! Back when it was one of the top rated products I installed it on the two machines in my house that still run Windows -- my wife's laptop and my son's netbook. I assumed (obviously wrongly) that the quality had been maintained.

    1. Re:It's important to keep up on these things. by Tridus · · Score: 1

      Now that it's gotten more popular, the malware makers devote more time to making sure their stuff gets around it. The quality of the product hasn't changed so much as the quality of the work being done against it has improved. It's been true of pretty much every such program that gets popular.

      MSE still has the upside of not turning computers into boat anchors, unlike Symantec's crap bloatware.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  27. Like watching a political race by Anonymous Coward · · Score: 0

    May the best liar win. Sure they both have their own peculiar brand of corruption; but they're both liars.

  28. Power Off? by raftpeople · · Score: 4, Funny

    I take it a step further. I carry around a "1" and a "0" in my pocket.

    If I need to compute something I pull them out and get to work.

    1. Re:Power Off? by lala · · Score: 2

      That data is the property of your employer and may not leave the premises!

  29. Re:SRS BIDNESS by Anonymous Coward · · Score: 0

    To be honest, 99.9967% isn't very bad at all. It's pretty close to the golden "five nines."

  30. Security software is like birth control by murphtall · · Score: 1

    Security software is like birth control, no one form is 100% effective; therefore always use two. Unless you mean abstinence. And that's no fun

    1. Re:Security software is like birth control by fluffy99 · · Score: 1

      Wearing two rubbers with holes is no more effective than one with a hole. Two different methods improves your odds. So user training ("don't open shit from sites you don't trust"), a better browser that does proper sandboxing, and an antivirus to look for suspicious files.

    2. Re:Security software is like birth control by DaDaDaaaaa · · Score: 1

      I use Sandboxie with run restrictions for my browser, so it protects me from system changes, and no other programs can be started even in a worst case scenario. I use Opera and use the click to play function so that plug-ins only start when I authorize them. I also use Kaspersky because I got a copy for $10. Kaspersky used to be really bloated, but with the version 2013 I'm surprised at how light it is, I don't notice any performance hit. Kaspersky usually ranks among the highest, and seems to have fared well in all of these tests consistently over the years.

    3. Re:Security software is like birth control by murphtall · · Score: 1

      Wearing two condoms with holes is better than one. You won't line up the holes and Johnny's sperm has a harder time finding from one hole to the next. And yes I agree two methods improve your odds. I taught my daughter no one form is perfect. Use two. As long as one security app isn't simply a subset of another you're gaining security. Or one could not use windows.

    4. Re:Security software is like birth control by fluffy99 · · Score: 1

      Most a/v apps use the same common definitions. It's their heuristics against unknown malware, speed, and ability to clean contamination that distinguish one from the other. Running two a/v programs usually just results in a slower system.

  31. "virii" is not a fucking word, moron. by Anonymous Coward · · Score: 0, Flamebait

    "virii" is not a fucking word, moron.

    1. Re:"virii" is not a fucking word, moron. by Algae_94 · · Score: 3, Insightful

      Your source links to a Wikipedia page that says the "plural of virus is viruses". Virii is not generally accepted. The word virus has no plural in Latin. Here's some further discussion here.

      Not all words ending in -us are plural with an -ii suffix. See genus (plural genera) for an example.

    2. Re:"virii" is not a fucking word, moron. by Panoptes · · Score: 0

      Not only is 'penii' not a word (copulating or otherwise), but the offence is compounded because the correct Latin ending would be 'i', not 'ii'. From the Oxford English Dictionary: penis (ˈpiːnɪs) Pl. penes (-iːz), peni (erron.), penises. 'Erron', of course, is a contraction of 'erroneous'.

    3. Re:"virii" is not a fucking word, moron. by mark-t · · Score: 4, Informative

      No... it is not. Using an ending of 'i' for the plural form from words where the singular form ends in 'us' comes from Latin, and is as such only applicable to Latin plurals. Virus is originally a Latin word, but in Latin could not itself possess a plural, because it did not denote a single thing. It is best likened to an English noun which does not have a quantity associated with it, such as "happiness" or "everything", and so does not make any sense to try to pluralize. If you are a native English speaker, trying to pluralize such words is going to probably sound sort of odd. That's because it's wrong. In modern English, we have altered the conceptual meaning of the word virus so that it can refer to a unique thing, but because that is an English invention and not Latin, the plural follows English convention for pluralization and not Latin. Hence, viruses.

    4. Re:"virii" is not a fucking word, moron. by LordLimecat · · Score: 0

      To continue this useless debate, if the word were Latin, Wikipedia indicates that whatever it would be it wouldn't be an "i" ending:

      http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us#Mass_noun_in_Latin

    5. Re:"virii" is not a fucking word, moron. by Anonymous Coward · · Score: 1

      Actually 0 words use an -ii suffix. The suffix is just -i. Everyone who thinks it is -ii is seriously fucking retarded.

    6. Re:"virii" is not a fucking word, moron. by Anonymous Coward · · Score: 0

      But often it is, like Prius -> Prii
      Citation: http://www.engadget.com/2011/02/21/toyota-decrees-the-plural-of-prius-is-prii-your-latin-teach/

    7. Re:"virii" is not a fucking word, moron. by Corbets · · Score: 1

      No... it is not. Using an ending of 'i' for the plural form from words where the singular form ends in 'us' comes from Latin, and is as such only applicable to Latin plurals. Virus is originally a Latin word, but in Latin could not itself possess a plural, because it did not denote a single thing. It is best likened to an English noun which does not have a quantity associated with it, such as "happiness" or "everything", and so does not make any sense to try to pluralize. If you are a native English speaker, trying to pluralize such words is going to probably sound sort of odd. That's because it's wrong. In modern English, we have altered the conceptual meaning of the word virus so that it can refer to a unique thing, but because that is an English invention and not Latin, the plural follows English convention for pluralization and not Latin. Hence, viruses.

      Best explanation I've read yet for the virii-viruses issue. Thanks!

    8. Re:"virii" is not a fucking word, moron. by Anonymous Coward · · Score: 0

      Well, thank God, there are people who finally understand Latin is dead and should stay that way. It's a problem for everyone, not just native English speakers.

    9. Re:"virii" is not a fucking word, moron. by Waldeinburg · · Score: 2

      Whether virus has a morphologically marked plural in Latin is debatable. The discussion you link to claims that "virus" is a 4th declension noun, but all dictionaries I've checked (including Oxford!) say it's a 2nd declension noun. Anyway, "virus" is a neuter, not masculine noun, which means that the Latin plural (if it really is 2nd declension) is not "viri" ("virii" does not make sense to me; is it an anglicism?), but "vira", which btw is well established as an alternative to "virus", at least in Denmark.

    10. Re:"virii" is not a fucking word, moron. by Waldeinburg · · Score: 2

      But that is not an -ii suffix. It's still an -i suffix (Pri-us, Pri-i)!

    11. Re:"virii" is not a fucking word, moron. by Anonymous Coward · · Score: 0

      Three words: virus, vulgus, pelagus. Guess what they have in common.

    12. Re:"virii" is not a fucking word, moron. by sporkboy · · Score: 1

      What?! next you'll tell me boxen isn't the plural of box. Sad face.

    13. Re:"virii" is not a fucking word, moron. by Anonymous Coward · · Score: 0

      Of course - anyone who doesn't know and inherently understand the grammar of a long dead language ~must~ be seriously fucking retarded. It's just too important of a subject to remain ignorant of.

    14. Re:"virii" is not a fucking word, moron. by Anonymous Coward · · Score: 0

      I'll take that and meet you with cactuses and octopuses and mucouses.

    15. Re:"virii" is not a fucking word, moron. by MechaStreisand · · Score: 1

      Not only that, but 'virii' could only be the plural if 'virius' was the singular, which it is not, but most people seem to be too stupid to realize that. So there's that too.

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
  32. MalwareBytes? by hduff · · Score: 1

    Are they not included in the test or am I just missing them?

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  33. All that matters. by taxman_10m · · Score: 1

    It is better than a Norton or McAfee that came with the system, had the subscription lapse, and hasn't had updated defs for at least a year or more. And it also doesn't bork your system worse than if you had malware on it.

  34. Pass or Fail by Murdoch5 · · Score: 1

    Are you serious, you either pass or fail this kind of test. Microsoft is known for creating the most hideously insecure software on the market, I'm not surprised they fail attempting to create antivirus software. If Microsoft was good at it, third party companies wouldn't make billions supporting Windows.

  35. Re:Like I said... by mister_playboy · · Score: 1

    To believe that Microsoft Security Essentials is any good at what it is ostensibly meant to do is to believe that Microsoft is good at detecting and clearing viruses from users' systems, but to believe this is to hold a contradiction to every observation made of various versions of the Windows operating system.

    To me it seems even more contradictory to have no trust in Microsoft's coding ability and yet continue to run Windows. If the people who know the most about Windows can't secure it, what makes you think some third-party can?

    If you don't trust MS, you shouldn't run Windows.

    --
    Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  36. Ha ha ha ha by stevez67 · · Score: 1

    There's no software available that will protect against the weak link in the chain ... the nut at the keyboard. I've been using MSSE for years and have yet to get a single infection. I'm sure I'll slip some day but so far it's been a good backstop for me.

  37. Re:Like I said... by black3d · · Score: 5, Insightful

    You do realise that AV-Test acknowledged that MSSE detected 100% of known malware threats. 100%. Where it failed was on 0-day viruses which aren't in the wild and which (per MS) only impacted 0.0033% of users (which may be several Win8 users, but considering how badly ignorant the general populace is of PC security, happily installing DOWNLOADFREEPORNMOVIES1080PHD.EXE, etc, this isn't many).

    I understand you have a preconceived notion and have basically read the summary and decided that MSSE isn't any good at detecting viruses - while ignoring the actual facts of the issue - it IS good at detecting viruses. Its heuristics aren't as good as some (it only picks up 8 out of 10 brand new malware samples that aren't necessarily even in the wild) but its detection routines are very good.

    From AV-Test:
    "AV-Test teams take malware that is minutes old, Marx explained, and run the data into the security testing suite. A testing process carried out by Microsoft much later would be bound to cover the malware tested, since samples would already have been reported."
    "Today, every two seconds we see three new malware samples, which are summing up to a few million samples per month. Instead of looking at millions of samples, our focus is on the unique families," Marx explained.
    "Out of every family, we select recent samples in order to use them in our tests. So the impact of these samples is indeed low, however, the impact of the malware family is considerably high."

    So they've acknowledged themselves that 1) the impact of the new samples they're testing is practically nonexistent, being minutes or even SECONDS old, and 2) by the time these samples are in the wild, Microsoft would have already added them to their detection routines.

    Basically, MS and AVTest are looking at two different things. AVTest is basically testing to see "how good is a piece of software at detecting that certain code it's never encountered before, is malware". MS, on the other hand, is constantly going "OK, what new malware is there for us to detect? Add it to the detection routines." And to be fair, MSSE was never meant to be a heavily analytic package. There's plenty of those available if you want them. MSSE is AV for the masses, and in terms of known-virus detection it's among the best available and has been for years.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  38. Of course it's the most popular by Anonymous Coward · · Score: 1

    If you don't have an AV, Windows 7 nags you about getting one and it leads you to Security Essentials.

  39. Why the hell... by Anonymous Coward · · Score: 0

    is the user space not 99.9997% segregated from the OS by a thin strand of heavily scrutinized string of operations by the OS itself?

    The OS should be WELL hidden from not only the user but ALSO the likes of Java, Adobe, any piece of software that thinks it is ok to install system level easter eggs that should only be run in user space. The whole ideology is a profit gold mine and is NOT designed to be made extinct, just remedied; like big pharma. The OS should be creating the user in a VM sandbox each time it loads up and the user's interaction with the OS should never be allowed. Both the OS and the User can run side by side in separate VMs and the OS should be one way communicating with the User, period.

    1. Re:Why the hell... by Anonymous Coward · · Score: 0

      OS should never be allowed, or be extremely limited by definition and scope.

    2. Re:Why the hell... by Anonymous Coward · · Score: 0

      Also, the user space could utilize sub-vm's within its own space for application processes that segregate the user from the applications themselves and keeps the user and applications all safe from each other. Interactions between each of the applications and/or the user (esp the user) would have to first be passed to the OS for approval at which point the transaction is allowed or denied. In this way, applications can only harm themselves if they try and be malicious to the user or other applications.

      When vulnerabilities are found for each individual application (for example that may corrupt its connections to the net or its own saved data) it would then be necessary that the OS be heartbeating back to OStream(tm) and apply the fix to a snapshot of the application (and that app in the sub-vm checksummed by its vendor) then applied to a new instance of the sub-vm thereby killing the old sub-vm instantly.

  40. Re:Like I said... by chrismcb · · Score: 1

    If the company can't even write a decent, secure operating system to begin with, ...

    In reality no one can write a decent, secure operating system.
    Computers are meant to be used, therefore they can be hacked. It is sort of like saying why can't someone make a decent, secure lock.

  41. Mandatory xkcd: by menno_h · · Score: 1
    --
    AccountKiller
  42. Windows by ruir · · Score: 0

    The most popular platform for viruses. Why not switch??

  43. I will correct your main argument by Anonymous Coward · · Score: 0

    1. An up to date patched system is secure

    This is wrong.
    A patched system is protected against attacks that the vendor has taken trouble to create a patch for.
    That means that the vendor is aware of the problem, has taken action against the problem, and has
    successfully patched it.

    A lot of the vulnerabilities exploited by malware are unknown and may stay unknown for a long time.
    During that time a fully patched and up to date system is vulnerable.
       

  44. Re:Like I said... by Anonymous Coward · · Score: 0

    I'm not an Apple fanboy by any means. But hasn't signed code proven to be the best method to prevent viruses? Don't know how it might work in the PC ecosystem but I'm convinced it should be attempted, perhaps a trusted third party set up to regulate, funded by PC manufacturers, banks, insurance companies, and legitimate software companies. Give developers the option to turn off but make it in BIOS or something so the average Joe can't just be tricked into doing it.

  45. The most troubling aspect... by idbeholda · · Score: 1

    Is the fact that these competing antimalware companies do not openly publish and/or share detection methods or datasets. This ultimately does little more than give the users a false sense of security no matter which product is being used. What should be done (and what I've been attempting to do for quite some time) is to have a centralized/universal database of definitions, and from there, the real competition would be who, or what company can write the most effective *scanner*, thus benefiting the user, and weeding out ineffective coding practices, half-baked theories and groundless conjecture. To illustrate what I'm referring to, here are the datasets I maintain on a fairly regular basis. Keep in mind that 0-F is not an actual URL, but some of the datasets are defined as single characters, and sorted accordingly.

    http://www.tot-ltd.org/blacklist/0-F/
    http://www.tot-ltd.org/whitelist/0-F/
    http://www.tot-ltd.org/API
    http://www.tot-ltd.org/heuristics.dat
    http://www.tot-ltd.org/installation.db
    http://www.tot-ltd.org/packer.db
    http://www.tot-ltd.org/files-wl/
    http://www.tot-ltd.org/files-bl/


    In the end, sure, there are several million files, but each specific group is only a few hundred bytes in size, which reduces a LOT of overhead and brings individual scantimes to near zero with a halfway decent connection speed. By doing this, a single scan is limited only by your hardware and internet latency.

  46. Why MSSE has always been a joke. by Anonymous Coward · · Score: 0

    Using MSSE to secure your Windows computer is like buying a car from a car company, realizing they forgot to include locks on the doors, and when you take it back to complain, they suggest you just use their after-market anti-theft system. Thanks, but I'm looking for a car that comes with locks, and/or an operating system with minimal vulnerabilities in the first place.

    If Microsoft's engineers knew how to make Windows virus-proof, it would ship that way.

    1. Re:Why MSSE has always been a joke. by Anonymous Coward · · Score: 0

      The current state of Windows is more like buying a car and it working fine with just you as the driver and a single passenger, then converting it to be a bus with regular stops and passengers getting on and off, and complaining that these strangers are stealing the seats.

      It worked securely as a single user system - or a Personal Computer. It's when PCs became networked, locally or on the 'net, that the real problems happened. Microsoft had the chance to rewrite it, or even make a new network version, which would have security by default, but instead they just tried to patch over the holes.

  47. Cleaning my Dad's PC just yesterday with MSSE by Esperi · · Score: 1

    I've had MSSE on my dad's laptop for a few years now. He recently mentioned his laptop was very slow, so I guessed it was overdue for some maintenance. A quick look at task manager immediately flagged up stdrt.exe using lots of resources so I got MSSE running while I checked online to find out what this thing was. It's not new by any stretch and looks to be fairly commonplace. MSSE failed to find anything, even when I scanned the executable directly. I had to install Malwarebytes Anti-Malware to remove it (which it did quickly and easily).

    I've removed MSSE and set him up with AVG Free and Malwarebytes.

  48. Re:Like I said... by Anonymous Coward · · Score: 0

    One thing about MSSE I do like is if it finds something it is something for me to perk up about. Unlike some that squawk that you have 1228 files that may be suspicious. You open it up and find out it scanned your cookie folder and called them all suspicious.

    Also if I am installing something 'from the wild', I run it thru one of those mega sites that has all the AV scanners and see what they say about it.

    The easiest way to nuke 99% of all infections is a simple NAS/Firewall, adblock, no-script, and disable java/flash if you do not need it. The funny thing is Adblock gets most of it. These days most of the ones I see pop up come thru some 3rd party ad network.

  49. My personal experience by peppepz · · Score: 1

    I've just finished fixing a computer where a virus had disabled Microsoft Security Essentials (and had altered IE's proxy configuration in order to hijack the user's web searches). MSSE was still there, but it didn't detect the virus if I started a scan from the command line, while its graphics interface would close shortly after launching it. It was the same problem that these guys were having almost two years ago. Like them, I had to install another antivirus to remove the 50+ instances of the virus that were lying undetected on the hard drive.

    I hope that MS will fix the accuracy of MSSE, for an antivirus is essential to have on Windows (at least for non-technical users) and what the competition offers tends to be heavy, infested with nag screens and unwanted features. Somehow this reminds me of the days of DOS 6, when Microsoft had added a nice built-in antivirus to the OS (MSAV), but then stopped upgrading it, and removed it altogether from later versions of their OSes.

  50. Re:Like I said... by Anonymous Coward · · Score: 0

    I clicked on DOWNLOADFREEPORNMOVIES1080PHD.EXE, but nothing happened. Could you post that link again?

  51. Who guards the guards? by Ex-Softie · · Score: 1

    Public companies have their books audited by external entities to ensure impartiality and objectiveness. Microsoft writing its own anti-whatever fails that test. It is also so typical of Redmond to whine whenever anyone criticizes them. So what if the AV test people run a harness that covers everything? All MS competitors' offerings faced the same test, except they passed. I run Norton 360, have done for years, at $60/yr for 3 PCs it's a bargain. None of the issues of false positives, verbose updates etc. that others on this thread report. You get what you pay for, which explains why the MS protection software is free.

  52. If the 0-Day infections are undetected, then how.. by wernst · · Score: 1

    So, if all these 0-Day infections are UNDETECTED BY MICROSOFT, then HOW could Microsoft's telemetry show them that the vast majority of its users are unaffected? If Microsoft knew about these things' existence, it stands to reason that its product would block them.

    Independent testing groups hold AV vendors' feet to the fire like a good free press does to politicians'. When caught, both groups tend to respond the same way: deny the problem and accuse the whistle-blower of being out of touch or inappropriate.

  53. It stays current by DrStrangluv · · Score: 1

    Bad engine with current definitions beats a good engine with out of date definitions.

    The thing of MSSE is that it stays current on its own. I come across machines running the other products all the time that are months out of date, because someone bought the product one time or just stuck with the trial that shipped with their computer, and couldn't be bothered to re-subscribe later on. With MSSE, there is no risk of that, and for this reason alone I'd rank it above most of the other products.

    That said, I give good scores to AVG for the same reason, and to a lesser extent also to Avast (still requires re-registration every 14 months, but at least it's free, which removes one barrier to keeping it current).

  54. Re:If the 0-Day infections are undetected, then ho by ae1294 · · Score: 1

    Zero-day doesn't stay zero-day. Sooner or later a new dat file will detect it... right? Plus with crc checking of system files you should see something is wrong. I get what you are saying but I get what MS is saying. Basically MS is saying a little more than what is true but probably pretty close to the facts...

  55. Re: trying to pluralize such words... by peacefool · · Score: 1

    It's probably not that odd in the internets, you know...

  56. Re: trying to pluralize such words... by mark-t · · Score: 1

    Actually, internet is a grammatically pluralizable word, since you can identify a quantity for it, even if that quantity is one.

  57. Re:Like I said... by Anonymous Coward · · Score: 0

    take malware that is minutes old

    I can't help but be cynical and think that minutes old could also mean submitted by their advertisers and supporting companies, minutes ago. How does AV-Test make money, but from the very publishers of the security software that they are supposedly independent from?