
I have heard claims that anti-malware software isn't really effective and will "only catch 33% of malware", and so it's best to "get rid of them; you don't have to pay, and your system will be faster".


It is right here on my favorite blog, Coding Horror:

Not only does anti-virus cripple your machine's performance, it doesn't even protect you adequately!

A quote Jeff uses in his article from here:

Let me give you the answer: it is 33%. In other words, the average detection rate of malware from these "solutions" was 33%, with the maximum at 50% and the minimum at 2%. Keep this number in mind, that shiny anti-virus product you just bought might be protecting you from just 2% of currently active and common malware (not some esoteric and custom uber-haxor stuff)!


EDIT: I found this, and it looks like 60% is the highest "new malware" detection rate. I do not know if they are scanning or actually protecting you real-time, though.


While it is true that the second best protection is your brain (the best being not turning your computer on at all), my PCTools SpywareDoctor with Antivirus has caught some trojans; it even cleaned it of a Rogue Antivirus application. Mind you, it definitely slows my system down noticeably, but I'm happy enough for now ("640K ought to be enough for anybody.") so I have switched to the best Antimalware program in history, avast!, which is the fastest program with a >95% detection rate.

The brain argument doesn't always hold true for non-geeks (even if they may have some amount of brains). One I considered to be tech-savvy (somewhat, at least) stared at a web page saying "Your computer is infected!" for a minute at school, in IT class, throwing his hands up in exasperation, and getting every other student to look at it. (I of course, having been infected by Scareware before, immediately recognized it, and told him to close it.) He continued to be exasperated until the teacher came around and told him to close it. He did (too late, of course), and a few minutes later, it took over the Windows XP computer.


For geeks (and other people with brains), how true are these claims [con-AV]? What about "normal" people?

Asked by Mateen Ulhaq (edited by Sklivvz)
  • Depends on your operating system, too. You don't need AV software on Linux desktops. – user unknown Apr 15 '11 at 05:45
  • True, and Windows Vista/7 are usually considered more secure than XP. – apoorv020 Apr 15 '11 at 06:45
  • Avoiding dangerous sites is a lot more difficult these days. Any site that sells ad space is vulnerable to malware in the ads, and this did indeed happen to New York Times readers not that long ago. Brains are not as useful as they once were. – David Thornley Apr 16 '11 at 14:28
  • It's 'anti-malware' not 'antimalware' I think. The latter is not very readable. I can't suggest an edit because of the six character limitation. – Martin Scharrer Apr 18 '11 at 07:04
  • Some of these tools are indeed useless and do nothing. Others work very well indeed. And for the average Joe it's sometimes hard to tell the difference from the advertising for them. – jwenting Apr 26 '11 at 08:44
  • @userunknown This is a very dangerous claim to make. It should be noted that while Linux malware may not be as prevalent as on other platforms, it is not impervious to malicious software. That being said, you don't "need" AV on any computer. – SpellingD Jul 23 '13 at 16:43
  • @DavidThornley I'd be interested in knowing if avoiding dangerous sites is indeed more difficult than in the past. You specifically mention that nowadays malware can hide in advertisements on respectable web sites, but an ever-increasing number of users now use ad-blocking solutions. Along with many browsers' built-in "malicious site" protections and other preventative measures, I'd be sooner to say avoiding danger while browsing the web is probably easier than in the past. – SpellingD Jul 23 '13 at 16:47
  • @SpellingD: Well, ok, so please name an AV software which runs on a Linux desktop and a piece of malware from 2010 or later from which it protects the desktop Linux. Or explain how it can protect you without, well, protecting you. Maybe you need to realize that AV software on Linux is always for file and mail servers, to protect Windows users. But maybe my knowledge is out of date, and you can name something. – user unknown Jul 23 '13 at 17:16
  • @userunknown [Wikipedia](http://en.wikipedia.org/wiki/Linux_malware) has a pretty good article for surface-level information about Linux and malware. Whether or not a piece of malware post-2010 is known about doesn't prove that Linux is virus-proof, and the fact that viruses have existed in the past demonstrates that malware is possible on Linux. My comment was simply intended to highlight that the implied "Linux can't get viruses" notion from your post (which I interpreted, and felt others might, too) is not true. I did not suggest that one should run AV on Linux or that it is necessary. – SpellingD Jul 23 '13 at 18:22

3 Answers


The claim is mostly not true, and in my opinion perpetrated by people who just want a justification for not caring about security.

Here's a test on the detection rates. Here's a snapshot from this report: [chart image from the report: missed samples per product]

Note that this graph plots the missed samples, so the worst efficiency is 82%. The above graph applies to known viruses. Of course, it is impossible to say how effective any given anti-malware software is on zero-day attacks. To prevent these, heuristics are required that detect malicious or suspicious behavior such as one program inserting code into another executable file. While these will not prevent a dedicated and personalized attack, they can at least prevent some common pathways of attack.

My attention was brought to another graph for "real world" efficiency of malware detectors: [image: real-world test of malware software]. It also shows quite a high detection rate.

This all being said, it is indeed highly dependent on the user's behavior how relevant anti-malware software is. A professional user keeping her system up to date and avoiding potentially dangerous sites (porn and warez sites come to mind) might not need anti-malware software. A "casual" user who does not hesitate to click on random links sent to him by email or on social networking sites, and who unquestioningly installs apps found anywhere on the web, on the other hand, will catch some malware infection with high probability, although anti-malware software might at least save him from the most common dangers.

Answered by Lagerbaer
  • Ah, but these are known threat samples used by a company. There's no knowing how many are unknown, or how well these products would do if we take frequency-weights into account. – apoorv020 Apr 15 '11 at 06:43
  • There are a gazillion malwares out there, and only the most recent few are relevant most of the time. These comfortably fit into a 0.2% non-detection rate: I don't care whether an AV software recognises 100% of the viruses from five years ago since these rely on security holes that are now fixed. I care about the 10 viruses that came out this week, and which the software doesn't recognise yet. That is to say, the graph you show is completely irrelevant in assessing the protection gained from AV software against current threats. – Konrad Rudolph Apr 15 '11 at 10:46
  • Of course there are unknown viruses. I think I mentioned that in my answer. Thing is: the virus doesn't care if it's 5 years old. If you don't have proper protection, you *will* catch that virus. It's like not getting a measles vaccination for the reason that it doesn't protect against Ebola. – Lagerbaer Apr 15 '11 at 14:47
  • @Lagerbaer My point is that up-to-date operating systems and software tend to protect against older viruses no matter whether AV software is present or not. Their detection rate is therefore completely irrelevant, and highly misleading if presented as above. The only relevant detection rate is for current viruses and I don't think the statistic would look nearly as good then. Your answer actually suggests that AV software works very well. I claim that the opposite is true, or at least that your answer does *not* demonstrate this claim. – Konrad Rudolph Apr 16 '11 at 12:21
  • @Konrad I wonder if there is a test in which one-year-old AV software is tested against the newest viruses? – Mateen Ulhaq Apr 16 '11 at 19:43
  • What this chart appears to indicate is that all AV software operates at varying degrees of ineffectiveness. Nothing catches 100% of the threats, because all the AV software operates the same way the TSA operates: defend against an attack that's already been used. – Kyralessa Apr 16 '11 at 23:16
  • @Kyralessa Not necessarily. There are some general paths of attack AV software can prevent. For example, you can monitor executable files and detect attempts to insert malicious code into them, and there are other signatures of suspicious behavior you might detect. – Lagerbaer Apr 16 '11 at 23:21
  • **"perpetrated by people who just want a justification for not caring about security."** is **not correct**. The lack of security is not patched by using AV. AVs are intrusive and obstructive; sure, for simple mundane users that need saving anything will be useful, including any AV, but for professionals who live on the machine they are nothing more than pain. Developing with a machine loaded with AV is impossible. Ever since XP SP1, where a program has required explicit permission from the user, I have never had any problem with viruses or malware. AVs are nothing more than snake oil. – jimjim Apr 18 '11 at 22:56
  • @Arjang This is just an anecdote. How do you *know* that you never had problems with malware? There could be spyware on your computer, or you could be part of a botnet. How do you know? Apart from that, anecdotes are not evidence. – Lagerbaer Apr 18 '11 at 23:35
  • @Lagerbaer Konrad Rudolph's point is that some diseases are irrelevant for different groups; for example, though protecting against malaria might be deadly relevant for Africans, who take prophylactic measures with quinine, it is quite irrelevant for people who don't live in tropical zones, even though _if they were_ struck by malaria it would be just as deadly, probably deadlier, as they have no natural immunity. You can extend the analogy to aged computer viruses; as you can see, it doesn't make sense to talk about a broad detection rate, you need a context of relevancy. – Uticensis Apr 21 '11 at 08:39
  • @Lager: **your graph is misleading**. It represents AVs without heuristics on, I believe. [From the same site](http://chart.av-comparatives.org/chart2.php) you can get [this graph](http://imgur.com/lt85Y) which clearly shows detection rates in the 90-99% range with out-of-the-box AV configuration. Please review your answer. – Sklivvz Apr 26 '11 at 08:36
  • I'll see to it when I have time. – Lagerbaer Apr 26 '11 at 14:03
  • The organization producing this graph is funded in part by anti-virus companies: http://www.av-comparatives.org/funding/ . It may be neutral with regards to which company is better than other companies, but not necessarily about whether anti-virus software is useful. – Andrew Grimm Jul 22 '13 at 01:56
  • @KonradRudolph: Interesting idea, but is it true? How many viruses from the past are harmless because the software is patched? AFAIK, on Windows there is no patching culture as on Linux, since every program depends on its own mechanism. Don't most viruses disappear because they get known by the malware detection tools? I don't say you're wrong, but I think you could be wrong. – user unknown Jul 23 '13 at 17:31
  • @userunknown Most, in fact almost all, security holes get closed. But even if that were not the case, and only anti-virus software protected against old malware: most viruses have a half-life and most older viruses are no longer in circulation anyway (there are a few exceptions). Taken together, the recognition rate of old viruses is simply not an adequate measure of effectivity. Given the number of upvotes on this highly misleading post I'm sorely tempted to abuse my moderator rights to make it vanish (I won't! But I'm tempted). – Konrad Rudolph Jul 23 '13 at 17:41
  • Most security holes being closed is another claim without evidence. Practically, the more interesting question is whether the users patch their software and how often. – user unknown Jul 23 '13 at 18:10
  • I've had experience with Fully Undetectable Malware before and can assure you this is **misleading**. – Dudey Apr 25 '16 at 17:09

Short version

A virus program will do a good job in protecting the user against himself, simply because:

  • You are not likely to be the first person to get XXX virus/malware, and the likelihood that AV company finds it first is very high.
  • Assuming you have good anti-virus software, it is going to update several times a day, basically faster than application vendors are going to close X exploit that Y virus/malware uses.
  • You the user are very likely to download and try to install something that contains malware.
  • Malware creators and virus creators often build new malware/virus based on an existing one, and this means that virus software can detect the shared code sometimes.

Longer version

It is important to understand what an AV protects you against. The majority of virus programs mainly detect threats they know about beforehand. They do not detect viruses like a human can (e.g. knowing a .exe is out of place or deducing that the .exe name is randomly generated).

So if you are an average user needing protection, then an AV is going to do a great job detecting the vast majority, if not all, after a while, of malware. But if you are trying to protect against a targeted attack on you/your organisation then they will not be that effective, especially if the attacker writes custom code for "you", as most AV software is not designed to handle this.

In response to comment I will link to the tests.
http://www.av-comparatives.org/en/comparativesreviews

And taking a good result from:
http://www.av-comparatives.org/images/stories/test/ondret/avc_od_feb2011.pdf

You can see detection rates over 98% - if you pick the tests that virus programs are good at (i.e. detecting known viruses), but if you pick harder tests - like using a virus program which is out of date by a month against current viruses/malware, then their detection rate drops a lot (e.g. see this link to NOD32, claiming they can detect ~50% of "unknown" viruses, as proof that detection rates are lower when the virus/malware is not known)

Link collection:
Changelog from an AV product to show its update rate, and the fact that common viruses/malware have families: http://www.eset.com/us/threat-center/threatsense-updates
Link to search engine to show that "tool kits" to generate viruses exist:
http://duckduckgo.com/?q=virus+creator+toolkit

Answered by EKS (edited by Sklivvz)
  • This is a pseudo-answer. Where is the evidence that "an AV is going to do a great job detecting the vast majority … of malware"? Lagerbaer *also* has no evidence for that, and in fact the security expert cited by Jeff Atwood in the question says *the opposite*. – Konrad Rudolph Apr 18 '11 at 10:30
  • The fact that Jeff Atwood posts it does not make it true. I linked to the reports showing detection rates of 98%+ – EKS Apr 18 '11 at 13:12
  • @EKS Of course not, that was not what I said. But at least one renowned security expert says the opposite of what you said. In fact, AV-Comparatives also cite such low figures in their retrospective/proactive tests. Arguably, **these** are the only important statistics. – Konrad Rudolph Apr 18 '11 at 13:57
  • I never linked to AV sites; these are, to the best of my abilities, the highest quality AV tests out there. But I also try to explain in the beginning of my reply what an AV is likely to protect you against. – EKS Apr 18 '11 at 14:46
  • @EKS "I never linked to AV sites" – you really need to read my comments more carefully, this is the second time (out of two) that you have misinterpreted my comment in a fundamental way. I said that you linked to "AV comparatives" which is the name of the website you linked to. – Konrad Rudolph Apr 18 '11 at 15:11
  • @Konrad, I don't know what you're talking about. AV-Comparatives clearly shows they have a 98%+ detection rate for malware given a bit of time. That, given the context of what I posted, that most AVs basically depend on finding a virus/malware they know about already, shows they're very effective at what they do. You just have to know what they're good at, and what they're not good at. – EKS Apr 18 '11 at 18:58
  • @EKS "given a bit of time" – that's the whole point: in reality you **are not** given a bit of time. A malware needs to be recognised before the vulnerability it exploits is fixed. Afterwards I don't need AV recognition. The 98% detection rate is snake oil and it is **really** misleading if cited as evidence for AV efficacy. – Konrad Rudolph Apr 18 '11 at 19:06
  • No, it's how they work. Remember that some AVs are patched several times a day, and simply the odds of you being the first to be hit by X malware are very low. Also take into account that a lot of malware spreads because of user "stupidity" and not exploits. Many people download and install their malware without knowing it has bundled malware. – EKS Apr 18 '11 at 19:13
  • First part of your comment: That's a completely different claim. It may be true but it's not shown by these statistics. At all. The second part of the comment may also be true and should go into the answer! – Konrad Rudolph Apr 18 '11 at 19:27
  • @Konrad, more links added to back up my claims. Sadly my word is yet accepted as the universal truth – EKS Apr 18 '11 at 20:32
  • Much better now. This could still use some editorialising (getting the update rates from the changelogs, that sort of thing …) but I realise that's "a bit" too much work. +1 – Konrad Rudolph Apr 18 '11 at 21:21
  • @EKS: This is the correct answer - AV detection rates are around 99% *with heuristics on*. This protects you from unknown/new viruses, quite effectively. Further to your post - there is also another reason why AVs are effective for a company - support. Companies need to have a strong partner to help them get rid of malware effectively if they catch it. – Sklivvz Apr 26 '11 at 08:45
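The signature-versus-behaviour distinction that both answers above turn on, as an added toy illustration (not code from either answer, from AV-Comparatives or from any real product; every sample, hash and event here is constructed): a hash-plus-family-pattern scanner scores perfectly on the samples it was built from and only half on two unseen ones, while the rule from the first answer (flag a program that writes into another executable) catches by action rather than by bytes, and needs an allow-list to avoid flagging a legitimate installer.

```python
import hashlib

# Constructed byte strings standing in for files a vendor has already
# analysed (the "known viruses" of the detection-rate tables).
KNOWN_SAMPLES = {
    "famA_v1": b"MZ\x90\x00 famA-loader famA-core payload=1",
    "famB_v1": b"MZ\x90\x00 famB-loader famB-core payload=1",
}
# Constructed samples the vendor has NOT seen: a re-release of family A
# that keeps its core routine, and a brand-new family C.
NEW_SAMPLES = {
    "famA_v2": b"MZ\x90\x00 famA-loader famA-core payload=2",
    "famC_v1": b"MZ\x90\x00 famC-loader famC-core payload=1",
}

# Signature database: exact hashes of the known samples plus one family
# pattern, a byte sequence shared by variants (EKS's "shared code" point).
HASH_DB = {hashlib.sha256(b).hexdigest() for b in KNOWN_SAMPLES.values()}
FAMILY_PATTERNS = {"famA": b"famA-core"}


def signature_verdict(data):
    """Return the detection name, or None when no signature matches."""
    if hashlib.sha256(data).hexdigest() in HASH_DB:
        return "exact-hash"
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern in data:
            return "family:" + family
    return None


def detection_rate(samples):
    """Fraction of the given samples that the signature scanner flags."""
    hits = sum(1 for data in samples.values() if signature_verdict(data))
    return hits / len(samples)


# Constructed event trace: (process, action, target path). The behaviour
# rule from the first answer: flag a program that writes into another .exe.
TRACE = [
    ("famA_v2.exe", "write", r"C:\Program Files\app\app.exe"),
    ("famC_v1.exe", "write", r"C:\Windows\notepad.exe"),
    ("setup.exe", "write", r"C:\Program Files\app\app.exe"),  # installer
    ("editor.exe", "write", r"C:\Users\me\notes.txt"),
]
# Without an allow-list the installer is flagged too: the false-positive
# cost behind the "intrusive and obstructive" complaint in the comments.
TRUSTED_WRITERS = {"setup.exe"}


def heuristic_verdicts(trace, trusted=TRUSTED_WRITERS):
    """Processes that wrote into a .exe and are not on the allow-list."""
    flagged = set()
    for process, action, target in trace:
        if (action == "write" and target.lower().endswith(".exe")
                and process not in trusted):
            flagged.add(process)
    return flagged


if __name__ == "__main__":
    print("known-sample rate:", detection_rate(KNOWN_SAMPLES))  # 1.0
    print("new-sample rate:  ", detection_rate(NEW_SAMPLES))    # 0.5
    print("heuristic flags:  ", sorted(heuristic_verdicts(TRACE)))
    print("no allow-list:    ", sorted(heuristic_verdicts(TRACE, set())))
```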

Update: This is an excerpt from http://cbl.abuseat.org, when looking up information about an infected computer that had AV software installed on it: "Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total. Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected." (cbl.abuseat.org)

Once a program is executed there is no way of having any guarantee that it is not a virus. This is a mathematical fact that is taught in introductory Computer Science courses. c.f.: http://www.computingbook.org/ch12-computability.pdf, Exploration 12.1: Virus Detection

The idea of AV is outdated, and they are no longer effective: http://codeinsecurity.wordpress.com/2012/06/13/the-anti-virus-age-is-over/

Answered by jimjim
  • That's an opinion piece without empirical evidence that concludes they do have a role. – Oddthinking Jul 22 '13 at 01:33
  • Despite edits, this answer remains very poor. It quotes from a page that doesn't include the quote. There's no way provided of verifying the claim or showing it is widely true. Linking to the text book on computability doesn't demonstrate there is no practical way of detecting viruses. You will need to make a more explicit argument there. (Facetious example: even after my formula has been executed on my desktop calculator, I guarantee there are no viruses.) The final link remains an opinion piece that draws the opposite conclusion to your summary. – Oddthinking Aug 07 '13 at 07:06
  • Thank you oddthinking. 1. The page was from a network audit of an IP address; I could not include the IP as well. 2. Linking to text books that prove mathematically that it is impossible to have an algorithm that detects all viruses only leaves the possibility of detecting viruses by a database of their signatures, which is why all the modern AVs are completely useless against polymorphic viruses. Lastly, there is a YouTube video of some Symantec head honcho admitting that they have no clue about Stuxnet. – jimjim Aug 07 '13 at 08:53
  • @Oddthinking: Added the screenshot from the page without exposing private details to get to that page. – jimjim Aug 07 '13 at 23:15
  • If I may paraphrase your argument to demonstrate my concerns: 1) A vendor with a conflict of interest made a difficult to verify, undated anecdotal claim (which isn't even easy to check they made) about one piece of trojan software, which proves that all anti-virus software is completely ineffective, even if it happens to reduce the number of successful attacks by several orders of magnitude. – Oddthinking Aug 08 '13 at 00:44
  • 2) If you were to write an essay, you could demonstrate the non-computability of a generic tool relying on nothing but static analysis to 100% accurately establish whether a novel piece of code ever executes malicious steps, and here is one reference that you might include in that essay. The fact that no virus-scanner uses such techniques or is bound by such constraints doesn't undermine my argument that they are ineffective. – Oddthinking Aug 08 '13 at 00:45
  • 3) This essay summarises that AV systems have holes in them. If you only read the title and first paragraph, you would think that AV systems are "dead", but if you read to the conclusion you'll see the author admits that AV systems still have a place. I use this to conclude that they don't. – Oddthinking Aug 08 '13 at 00:48
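The computability claim in this answer, written out as an added derivation (not from the answer or the cited textbook, though it is the standard diagonal argument the textbook's Exploration 12.1 points at): what is undecidable is a perfect, general-purpose decider, which is exactly the distinction Oddthinking's second point draws.

```latex
\textbf{Claim.} There is no algorithm $D$ such that, for every program $P$,
$D(P)$ halts and answers \textsc{true} exactly when running $P$ eventually
performs some fixed malicious action $M$ (say, writing into another executable).

\textbf{Proof (by contradiction).} Suppose such a $D$ exists and consider the program
\[
Q:\qquad \text{if } D(Q) = \textsc{true} \ \text{then halt without doing } M
\ \text{else do } M .
\]
$Q$ may refer to its own text (Kleene's recursion theorem, or a quine
construction), so the call $D(Q)$ is well defined. Now
\begin{itemize}
  \item if $D(Q) = \textsc{true}$, then $Q$ halts without ever doing $M$,
        so $D$ answered wrongly;
  \item if $D(Q) = \textsc{false}$, then $Q$ does $M$,
        so $D$ answered wrongly again.
\end{itemize}
Both cases contradict the assumed correctness of $D$. \qed

\textbf{Scope.} The argument rules out a decider that is always right on
\emph{every} program. It says nothing about how often a detector that is
allowed to miss or to raise false positives is right on the programs that
actually circulate, which is the quantity the detection-rate tables above measure.
```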