Antivirus suites fail more often than not
Posted on | September 18, 2009 | 5 comments
Reactive, signature-based antivirus suites provide only partial protection. Everyone knows that. But just how much protection? LastWatchdog recently heard a major AV vendor claim its flagship suite repels 90% of threats.
Now comes Cyveillance with this new report showing anti-virus programs fail more often than they succeed in protecting you from bad things on the Internet.
Cyveillance, which was recently bought out by the British tech firm QinetiQ, crawls the Web 24x7x365 looking for corrupted and malicious sites, especially servers dishing out malware and collecting stolen data.
Its report for the first half of 2009 outlines in detail how traditional antivirus suites and Web browser scanning tools lag behind online criminals when it comes to detecting and protecting against quickly evolving online threats. Cyveillance says more than half of the active threats on the Internet routinely go undetected.
Cyveillance also ran an interesting test on the anti-phishing technologies used by the major Web browsers and found they, too, were only about half effective — particularly in the first 24 hours of the deployment of a freshly tweaked phishing attack.

“Cyber criminals have become more adept, operating globally and leveraging worldwide resources in order to evade enforcement efforts,” says Cyveillance CEO Panos Anastassiadis. “With the influx of increasingly sophisticated attacks and social networking sites as targets, antivirus engines are finding it difficult to keep up with and protect against morphing malicious attacks.”
Anastassiadis says it’s in the first 24-hour time period when the most damage occurs.
Cyveillance also tested two popular Web health check tools: McAfee SiteAdvisor and Symantec’s Norton SafeWeb, and found both lagging.
“Organizations must embrace a combination of reactive and proactive security measures if they intend to stay ahead of today’s dynamically changing threats,” opines Anastassiadis.
Illustration: Sam Ward, USA Today
by Byron Acohido
5 Comments »
I am not taking this report seriously at all. It all comes down to them trying to sell their own defense system.
As long as they do not publish a full report about how and what they exactly tested, I’m not buying it.
Comment by Robert — 9/19/2009 @ 2:00 am
Really? Someone published Cyveillance’s self-promoting and antivirus-bashing report? They don’t give any detailed information on their methodology, what version of the antivirus software they were running, or any other test details. On the most serious note, they continue the myth that antivirus companies are still only using signatures to detect attacks. MOST of those companies listed use all kinds of new technologies including heuristics, blacklisting, whitelisting, behaviour analysis, protocol anomaly detection, process controls, and many more. For shame.
Comment by William — 9/22/2009 @ 7:31 pm
William, what are you saying, exactly?
Heuristics? They are not ignored in the detections generated by *any* scanner, be it online or in a real product. If a scanner detects a file through heuristics, it’s considered detected in any “test”. Period. I don’t know what gave you the idea that it isn’t.
Blacklisting? What? Blacklisting *is* signature-based detection; a very poor type of signature-based detection.
Whitelisting has *nothing* to do with detecting malicious files.
Behavior analysis can’t be used in tests because it’s based on running the executable, therefore is not suited for general purpose scanners such as gateway scanners. Behavior analysis is also extremely unreliable because if a malware gets the upper hand and doesn’t get detected, it may completely disable the AV.
Protocol anomaly detection? Huh?
Process controls: same thing as behavior analysis.
Comment by Francesco — 9/24/2009 @ 8:05 am
When I say “same thing as behavior analysis”, of course, I’m talking about the fact that it is based on actually running the executable, hence it can’t be considered something that can be present in every type of AV scanner. I’m not saying that it’s the same thing with a different name.
Comment by Francesco — 9/24/2009 @ 8:26 am
Pretty good post. I just came across your site and wanted to say that I’ve really liked browsing your posts. I hope you post again soon!
Comment by antivirus express — 10/20/2009 @ 7:31 am