Monday, September 21, 2009

Finding A Virus Scanner That Works

When it comes to online threats, freshness counts. In mid-December, for example, Microsoft revealed that cyber criminals had found a never-before-detected, unpatched vulnerability in its Internet Explorer browser, allowing tens of thousands of Web sites to install password-stealing software on users' PCs.

That kind of new attack--what cybersecurity researchers call a "zero-day" exploit--tests the limits of antivirus-scanning software's ability to not only filter previously detected infections but also compete with the cutting edge of cyber-fraudster innovation. And for consumers, it makes choosing the right PC protection software harder than ever.

The best performers in AV-Comparatives' tests? Two names most Americans have never heard of: the German company Avira and the Slovakian firm ESET. And those rankings, cybersecurity analysts say, may reflect just as much on the industry's growing pains as they do on the two firms' ability to clean up your hard drive.

Avira, based in Tettnang, Germany, won AV-Comparatives' label as the overall best antivirus product of 2008, based on its ability to pull more malicious files off hard drives than big-name competitors like Symantec, McAfee and Microsoft, in less time and with less impact on a PC's performance.

In the latest AV-Comparatives tests, performed last month, for instance, Avira found about two-thirds of the previously undetected malware--collected over a four-week period--installed on the machines it scanned. ESET's NOD32 program found 51%. Symantec and Microsoft, by comparison, found only 44% of those samples, while McAfee's detection rate was below 30%.

Andreas Clementi, AV-Comparatives' founder and chief executive, chalks up Avira's apparent superiority to the fact that the company has a smaller user base than its larger competitors, so it can more quickly pipe out new virus watch lists to users without dealing with a massive network. "Symantec, for instance, is used by many millions more people around the world," Clementi says. "Smaller companies can be faster in releasing updates. Symantec has to be careful: If it caused a false alarm, it would create much more trouble for those millions of users."

But AV-Comparatives' top ranking for Avira isn't the last word in antivirus vendor ranking. In fact, the evolution of malicious software means measuring the efficacy of antivirus vendors is more complicated than ever.

In its quarterly cybersecurity showdowns, AV-Comparatives uses 50 1.5-terabyte hard drives packed with a uniform set of newly collected malicious software from "bait" computers around the world.

In half of its tests, it pits antivirus software against previously detected malware and measures the software's ability to successfully scan those big disks. In the other half, it "freezes" a version of the antivirus software, waits a month without updating it and then tests it against all the malware the testers have collected during that month. That technique is designed to check the antivirus software's ability to find previously undetected breeds of malicious code.

But even in those elaborate tests, AV-Comparatives may not be measuring the newest features of anti-malware programs, protests Symantec's senior director of product management, Dave Cole. The next generation of malware detection, he argues, is "behavior-based" detection, which filters out bad files based largely on how they act over time after they're installed on your PC--not just their appearance at the moment of a scan.

"We used to know it was bad because it was 'the bumpy Trojan,'" Cole says. "Now we know it's something bad because it grabs your keyboard, sends your data to China."

Another test last September by a German antivirus analysis firm called AV-Test, however, may have captured those behavior-based scanning features. AV-Test, in fact, gave Symantec top marks for the kind of "proactive" scanning that Cole describes. Avira, however, fared far worse.

The real winner, it turns out, may be ESET, which placed near the top of both AV-Comparatives' and AV-Test's "proactive" scanning tests. The company, whose antivirus software serves more than 70 million users largely in Russia and the U.S., claims its secret is "advanced heuristics," the ability to statistically recognize a familiar piece of malware in a new form.

"Viruses today are constantly shifting. They're like wolves in sheep's clothing," says Jeff Brosse, ESET's director of North American research. "Recognizing that malware is where we excel."

ESET began working on heuristics long before other antivirus companies, says John Hawes, a researcher for the British virus analysis online newsletter Virus Bulletin, and it has been able to avoid the false alarms that plague most heuristic tests. "They've struck a good balance between strong heuristics and false positives," he says.

Hawes' own tests back up the other two: He says that the 16-year-old company has been on the newsletter's VB100 certification list more times than any other firm.

But the real outcome of the two tests may be to show how outmoded signature-based malware detection has become. The fact that Avira could outperform competitors and still catch only two out of three new types of malware, says security blogger and consultant Rich Mogull, shows that without real behavior-based detection, cybersecurity can't keep up.

In fact, he says the real key to defeating malware isn't antivirus but approaches like Firefox's NoScript plug-in, which blocks Web pages from running potentially malicious programs. Mogull also advocates software platforms like Windows Vista or Google Chrome that "sandbox" or limit applications' access to computer resources. "You give applications a very small, safe place to play in," he says.

Until those kinds of security features become commonplace, the explosion of different malware breeds means antivirus vendors will be fighting a losing battle, Mogull says. "Tests can show which of these work better, but they're all far from perfect," he says. "The truth is, it doesn't really matter which is better. The bad guys will scoot around any of them."


1 comment:

  1. I like this post. Very informative. Thanks!