Monday, October 21, 2013

How Important is an Antivirus Software?


It goes without saying that antivirus software can't catch everything. But, does it catch 10% or 90% of the malware targeted at Windows users? 

In a recent user group presentation, malware expert David Perry, of Comodo, said there are between 200,000 and 300,000 new viruses discovered every day (here "virus" is a generic term encompassing dozens of types of malware). They are built from kits and most circulate in the wild for a very short time, perhaps only a day. In other words, by the time they are detected, they're often out of circulation. 
Typical reviews of antivirus software use small samples so their usefulness is questionable. For example, at PC Magazine, Neil J. Rubenking tests with " ... a dozen or more virtual machine test systems, each one pre-loaded with three or four malware samples." Somewhere in the vicinity of 60 samples doesn't seem like much to judge with. 

Statistics published by Brian Krebs, indicate that antivirus software detects about 25% of the most popular malware currently being emailed to people. 

The data comes from "computer forensics and security management students at the University of Alabama at Birmingham". They profiled the most popular email-based malware attacks in the last month and, most interestingly, how well the 42 or so antivirus programs employed by VirusTotal did at detecting the malware. Krebs published the data as a PDF (recommended for the live links) and as an image.
The initial detection of the "password stealing and remote control Trojans" was not encouraging. Krebs wrote:

The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.

So, the answer to how effective antivirus software is currently seems to be around 25%.

In fairness, this is an average across all the products at VirusTotal and some poor performers bring it down. Still, in the last month alone two new malware samples were undetected by all 42 virus scanners and many were detected by only a handful of products. 

In reviewing the figures, we noticed that the number of days between the first report of a malware sample to VirusTotal and the last one is often only a few days, enforcing Perry's observation about the extremely short lifespan of Windows malware.
TWO DEFENSIVE STEPS 
What to do? 

This list of Defensive Computing steps is long. Brutally, depressingly long.  

That said, perhaps the two most important things a Windows user can do are rarely, if ever, cited in stories about malware. I attribute this to the way stories come into being: reporters get their information from companies with a self-interest. Being a nerd rather than a reporter, we instead suggest two things that are each free; things from which only you profit. 

1. Run as a restricted Windows user.  

The concept is simple, restricted users are walled off from the guts of the operating system. For example, they can't insert/update/delete anything in the C:\Windows folder. Put another way, the operating system tries to defend itself when a restricted user is logged on. Malware may run once, but it should be prevented from permanently installing itself. 

"Restricted" is the concept. In Windows XP the term Microsoft uses is "limited." In Windows 7, restricted users are referred to as "standard." Sadly, Administrators are the de-facto standard, and the default, type of user on Windows machines. 

My scheme is to create two Windows users, for example MichaelAdmin and MichaelRestricted. I logon as MichaelRestricted normally and only logon as MichaelAdmin when necessary. 

In Windows XP it was much more necessary than in Windows 7. In the last year or so, using Windows 7 daily, it’s not necessary to logon as the administrator once. Both users share the same password. 
  
This is not a perfect defense against malware, nothing is. But you are much safer running as a restricted user. The same goes for OS X and Linux, by the way. 



2. Always be skeptical. 

If you are using an iPad and the Bank of America app says it needs to updated, you can be pretty sure that's true. But on a Windows machine, when a window pops up claiming that an update is needed to Flash, it's just as likely to be a scam as the real thing. Windows users are lied to all the time and they need to always keep that in the back of their mind. 

Email users are also lied to all the time, a problem not restricted to Windows. Anyone using email, even on a tablet or smartphone, needs to always be conscious of the fact that it is trivially simple to forge the FROM address of an email message. 

That email from UPS about a package that couldn't be delivered most likely did not come from UPS

FINANCIAL TRANSACTIONS  

So many defensive steps are required of Windows users, that the safe assumption is no one does them all. Working from this assumption, we suggest never doing financial transactions on a Windows computer

Anyone who doesn't think their computer is infected, should consider another warning from Perry: malware is frequently invisible and silent. Think Stuxnet and Flame. 

Some alternatives to Windows are  

  • Boot a Windows computer to Linux running off a USB flash drive. Yes, CDs are safer but they are soooooo slow. 
  • Use a Chromebook, which runs a hardened version of Linux that automatically self-updates. 
  • Use an iPad/iPhone app from your financial institution. Just be careful which Wi-Fi networks you connect to. 



0 comments:

Post a Comment

Share

Twitter Delicious Facebook Linkedin Stumbleupon Favorites More