AntiVirus software lacking effectiveness

At the recent AusCERT 2006 Conference, a survey was published by Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), which discussed the effectiveness of several leading anti-virus products.  The survey states that an average of 8 in 10 threats are getting through the protection that these products provide.

Some research done by ZDNet Australia's Munir Kotadia in a series of articles notes that the three top products (by market share) in 2005 were Symantec's Norton AntiVirus, McAfee VirusScan and Trend Micro VirusDefense.  If the survey results are accurate, or even partially accurate, that could mean that running even two of these security defense products at once may only provide 20%-40% protection.  Not exactly a comforting thought.

So where does this leave us?  Do we need to install three, four, five anti-virus tools?  Or should we just throw caution to the wind and not bother with anti-virus tools at all... after all, what difference does it make?

The survey makes two interesting observations.  The first is that the quality of malware is improving.  The authors of the trojans, spyware and other threats are improving the methods that they use to attack and infiltrate our systems.  The second is that the threats are targeted very specifically.  Gone are the days of teenaged script kiddies who use primitive means of trying to attack or scam people; those were easy enough to detect and clean.

Today's threats masquerade as useful tools or applications.  This makes them more difficult to detect.  One such example is SpySheriff, which, though it must be manually installed, purports to find various problems with the system and prompts the user to purchase a full copy of SpySheriff.

The vast majority of these threats are targeted at Windows systems.  Why?  Because nearly 90% of people who use the Internet do so in a Windows environment (courtesy w3schools.com).  So if you were writing software for the home user (be it legitimate or malware), what platform would you target to get the largest number of people to use or see your application?  This puts the comments from Charlie White on Gizmodo in perspective.  When he discusses this subject he sums it up by saying: "Get a Mac".

I don't want to get into the details of the Windows vs. Linux vs. Macintosh debate here, but let me say that yes, it's more likely that you'll get infected with a Windows system.  That's not a fault of Windows itself, just that the vast majority of threats are written for Windows, and initiated by the end-user, most often unwittingly.

I know we've all heard them before, but come on, people, some common sense!

  • Don't download programs if you don't know where they're coming from.
  • Don't open email attachments unless you're 100% sure of the source, and you're expecting the file to be sent.
  • Do install some sort of firewall product (Windows Firewall works too) to help block unauthorized activity.

So what does it all mean?  Well, virus scanners aren't perfect (duh), but we already knew that.  Should you use one?  Yes.  Should you use more than one?  It won't hurt (except for system performance).  Will it help you if you open anonymous email attachments, or don't use some kind of firewall?  No.
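The attachment advice above is easy to state and hard to follow by eye, because the threats the post describes masquerade as useful files.  The script below is an added example, not code from the original post: it parses a raw e-mail message with Python's standard `email` library and flags attachments that carry an executable extension, hide one behind a double extension (`invoice.pdf.exe`), or declare a MIME type that does not match their extension.  The extension and MIME lists are an illustrative assumption, not a complete policy, and the sample message is constructed for the demo.

```python
"""Flag risky e-mail attachments before anyone is tempted to open them.

Added example (not from the original post). It turns the post's advice
about unexpected attachments into a simple check that can run on a mail
gateway or a local mailbox export. All sample data is constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions that execute when opened on Windows.
# Assumption: a representative list, not an exhaustive one.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".msi"}

# Document extensions a sender may legitimately attach, with the MIME
# types we expect to see declared for them (assumption, for the demo).
EXPECTED_MIME = {
    ".pdf": {"application/pdf"},
    ".txt": {"text/plain"},
    ".jpg": {"image/jpeg"},
    ".zip": {"application/zip", "application/x-zip-compressed"},
}


def classify_attachment(filename: str, content_type: str) -> list[str]:
    """Return the reasons an attachment looks risky (empty list if none)."""
    reasons = []
    name = filename.lower()
    root, ext = os.path.splitext(name)
    # 1. The file itself is executable.
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # 2. A document extension is hidden in front of the real one
    #    (Explorer hides known extensions by default, so the user sees
    #    "invoice.pdf").
    inner_ext = os.path.splitext(root)[1]
    if inner_ext and inner_ext != ext and inner_ext in EXPECTED_MIME:
        reasons.append(f"double extension {inner_ext}{ext}")
    # 3. The declared MIME type disagrees with the extension.
    expected = EXPECTED_MIME.get(ext)
    if expected and content_type.lower() not in expected:
        reasons.append(f"declared type {content_type} does not match {ext}")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message; map each attachment filename to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        findings[filename] = classify_attachment(filename, part.get_content_type())
    return findings


def build_sample() -> bytes:
    """Construct a message with one benign and two suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    # Benign: a PDF declared as a PDF (content is a constructed stand-in).
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Suspicious: executable hiding behind a .pdf double extension.
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Suspicious: named like an image but declared as a PDF.
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="pdf", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        verdict = "; ".join(reasons) if reasons else "ok"
        print(f"{name}: {verdict}")
```

Run it stand-alone and it reports `invoice.pdf` as ok while flagging the other two; in practice the same `scan_message` function can be fed the raw bytes of any `.eml` file.  The check is deliberately conservative: it only looks at names and declared types, so it complements a virus scanner rather than replacing one.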