When security firm Imperva checked more than 80 unreported viruses against several anti-virus solutions, it found that none of the tested programs were able to detect previously unreported viruses and that 75 percent of solutions took a month or more to update their signatures.
That isn’t good news, and while Imperva obviously has some self-interest here, their November Hacker Intelligence report, Assessing the Effectiveness of Anti-Virus Solutions, is worthy of a closer read nonetheless. What it means is that we have to depend on a variety of protective solutions to keep our computers safe and infection-free. As the bad guys get more sophisticated with their attacks, we have to get more sophisticated with our defenses.
Let’s look more closely at the tests that were done. First, the team at Imperva collected 82 viruses from various evil places. As the authors state, “A number of sources which assisted us in getting our hands on no small amount of relatively new viruses were forums in Russian, whose purpose was to enable hackers to discuss viruses and obtain assistance in developing them. The availability of malicious code and viruses in these forums was extremely high. Any kid could build a virus by themselves or download one ready-made.” That is pretty scary, but nothing new if you have been following security news postings over the past few years.
They then used a service called VirusTotal to confirm that none of the samples were already recognized by any vendor's signature database, whether the product under test or its competitors. This notion of signature-matching is becoming obsolete anyway: a number of virus construction kits that are readily available online can customize a virus for each particular desktop, so that every copy carries a separate and unique signature.
Finally, they ran these viruses through the various anti-virus products and noted which ones were correctly identified, and which weren’t. A sample results table from the report is shown below. So what did they find out?
Lag times are long. Imperva found that it can take typical anti-virus solutions three weeks to update their databases to recognize one of the viruses in their collection, and some took a month or even longer. As the authors state, “The rate of update for their signature databases is very slow, and even viruses that are already known to most anti-virus products are still not identified by these insufficient products.”
Freeware is best. Imperva found that the best protection came from two freeware anti-virus products, Avast and Emsisoft. Among commercial products, McAfee and Symantec also excelled at detecting the sample set.
Behavior instead of signature detection is needed. Imperva doesn’t recommend completely eliminating anti-virus from an effective security posture. Instead, the company suggests that “security teams should focus on detecting abnormal behavior such as unusually fast access speeds or large volume of downloads, and adjust its security spend on modern solutions to address today’s threats.”
So what are the key take-aways for security teams?
First of all, if anti-virus software is all you have, then you are exposed and should quickly add further protective technologies. Focus more on detecting badly behaved applications, watching for situations such as massive downloads or fast-flux conditions. Next, look at network-level intrusion detection and prevention products, and beef up your desktop firewalls. Some of the more popular security products from Symantec and others include these features in their desktop AV products too.
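As an added illustration (not code from the report or from this article) of the behavioral rule Imperva recommends, here is a small Python script that flags hosts whose request rate or download volume within a sliding window exceeds a threshold, run over constructed proxy log lines; the log format, the host addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# One proxy log line per request: "<iso-timestamp> <client-ip> <bytes> <url>" (assumed format).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<bytes>\d+) (?P<url>\S+)$")

def parse(lines):
    """Turn raw log lines into (timestamp, host, bytes) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], int(m["bytes"])))
    return events

def flag_hosts(events, window=timedelta(seconds=60), max_requests=50, max_bytes=100 * 1024 * 1024):
    """Return {host: [reasons]} for hosts whose request count or downloaded bytes inside
    any sliding window exceed the thresholds (the default thresholds are assumptions)."""
    by_host = defaultdict(list)
    for ts, host, nbytes in events:
        by_host[host].append((ts, nbytes))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()                      # oldest first so the window can slide forward
        reasons, start, total = set(), 0, 0
        for end, (ts, nbytes) in enumerate(evs):
            total += nbytes
            while ts - evs[start][0] > window:   # drop events that fell out of the window
                total -= evs[start][1]
                start += 1
            if end - start + 1 > max_requests:
                reasons.add("request rate")
            if total > max_bytes:
                reasons.add("download volume")
        if reasons:
            flagged[host] = sorted(reasons)
    return flagged

def sample_log():
    """Constructed log lines: one normal host, one bulk downloader, one rapid-fire client."""
    base = datetime(2012, 11, 20, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.5 {1200 + i} http://intranet/page{i}"
             for i in range(5)]                       # five small requests over forty seconds
    lines += [f"{(base + timedelta(seconds=3 * i)).isoformat()} 10.0.0.9 52428800 http://files.example/pkg{i}.bin"
              for i in range(3)]                      # three 50 MiB fetches in ten seconds
    lines += [f"{(base + timedelta(milliseconds=250 * i)).isoformat()} 10.0.0.7 900 http://beacon.example/?{i}"
              for i in range(80)]                     # 80 tiny requests in twenty seconds
    lines.append("not a log line")                    # malformed input must not break the run
    return lines
```

Calling `flag_hosts(parse(sample_log()))` reports the bulk downloader for volume and the rapid-fire client for rate, while the normal host and the malformed line are ignored.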
Finally, don’t be complacent: Security is a continuous process, and it’s a constant challenge to stay ahead of the bad guys.