The irony of anti-virus software

Bruce Schneier points out a recent study on the behavior of malware against the top-selling antivirus programs:

The top three antivirus programs — from Symantec, McAfee, and Trend Micro — are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs.

Well, that’s not good news, is it? The original report is here. The money quote:

At a security breakfast hosted by e-mail security firm Messagelabs in Sydney on Wednesday, the general manager of the Australian Computer Emergency Response Team (AusCERT), Graham Ingram, told the audience that popular desktop antivirus applications “don’t work”.

“At the point we see it as a CERT, which is very early on — the most popular brands of antivirus on the market … have an 80 percent miss rate. That is not a detection rate, that is a miss rate.

“So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” said Ingram.

And if you think you’re safer because you’re relying on some obscure piece of software, think again:

Although less popular antivirus applications are more likely to pick up new malware, Ingram said that the average level of new malware that is undetected is 60 percent, which is “worrying”.

Indeed. I’ve been a vocal critic of the whole concept of security software for a long time. The business model is flawed and it’s vulnerable to precisely this sort of targeted engineering. Now that malware writers are making serious money off their poison, they have a powerful incentive to write higher-quality code. And it appears that’s exactly what they’re doing.

11 thoughts on “The irony of anti-virus software”

  1. if you read the article closely you’ll find that it’s 80% of NEW malware that’s getting missed…

    in the malware domain new equals unknown – it should come as no surprise that known-malware scanners would have difficulty with UNknown malware… it doesn’t mean there’s anything wrong with those scanners or even that type of technology, they do what they were meant to do… if you want something that works on unknown malware you should be looking at an entirely different type of technology and using it in concert with your known-malware scanner…

    although the original article makes it sound like the sky is falling (and schneier does nothing to dispel that myth), it isn’t… most incidents don’t involve new/unknown malware and new/unknown malware doesn’t stay new/unknown for long…

  2. Ed, your previous comments about security software persuaded me long ago. But just to be clear, you are not saying that even a careful user doesn’t need some type of security software (e.g. Windows LiveCare) as well as all security updates? Or can you actually get by without it if you know such things as not to open attachments from strangers and so on?

  3. Ken, at the risk of seeming overly vague…

    I think a careful user who has multiple layers of security can probably – almost certainly – remain safe without AV software. In my case, I have an email server that blocks all potentially executable attachments, and I use browser settings that make it virtually impossible for a piece of malware to be installed without my consent. So I regularly run without AV software.

    For the average home user with a less diligent email admin, good AV server provides an additional layer of protection but doesn’t replace common sense.

  4. Kurt, I disagree that “most incidents don’t involve new/unknown malware.” The reason that malware writers are constantly creating new versions of existing malware is precisely so they can exploit the delay between the time it appears and when an AV maker writes detection code and the user installs it.

  5. Ed, can you elaborate slightly on “multiple layers of security?” I understand how to block e-mails with attachments at the server level. I can do that. I am not as clear about the browser settings, but I assume you mean fully updated SP2 at default settings for IE (which I use). If not, what would you change?

    A few more things about my situation. I don’t open any file that I do not already absolutely know and trust, even when they come from friends. I regularly back up data to an external hard drive. I have an “always on” cable connection, but there is no file sharing or remote access and services such as Alerter and Messenger are disabled. The computer in question is not on a network. I use user accounts, including passwords, even though no one else uses my computer. I am very careful about where I go on the Internet.

    Am I a candidate for computing a bit more dangerously? Does your Inside and Out book on Windows XP security (which I have) cover all this? If it does, I’ll check it out. It has been a while since I last read it.

    Right now I am using Windows Live Care, but it sometimes causes problems or (more often) annoyances (all security software does — this one is actually less intrusive than others I have tried). I really don’t want to use it if I don’t need it. It seems to me like buying hurricane insurance for a house in Utah.

    Thanks again.

  6. Ken, the two biggest things I would advise are:

    1) Using a standard account if possible (much easier in Vista than in XP). Even if you can’t run in a standard account, any untrained/untrusted/naive users should have standard accounts.

    2) Disabling download and installation of new ActiveX controls – allowing use of existing controls. I’ve put together instructions and scripts for this purpose. Extremely useful for those untrusted users who can’t be given a standard account.
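The second recommendation above (block download and installation of new ActiveX controls while leaving already-installed controls usable) maps onto Internet Explorer's per-zone security settings. The script below is an added example written for this thread, not the commenter's own instructions or scripts. It assumes the per-user zone settings under HKCU are in effect (if the machine enforces "Security Zones: Use only machine settings" through policy, HKLM values override them) and uses the documented URL action IDs: 1001 (download signed ActiveX controls), 1004 (download unsigned ActiveX controls) and 1200 (run ActiveX controls and plug-ins), with 0 = Enable, 1 = Prompt, 3 = Disable. It also includes a check for the first recommendation, since a standard account is the stronger of the two controls.

```powershell
# Added example (not the commenter's scripts): restrict IE so that existing
# ActiveX controls keep running while NEW controls cannot be downloaded from
# the Internet zone (3) or the Restricted Sites zone (4).
#
# Assumption: per-user settings under HKCU apply. Where a machine enforces
# "Security Zones: Use only machine settings", HKLM policy wins instead.
#
# Documented IE URL action IDs and values:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1200 = Run ActiveX controls and plug-ins  (left unchanged: existing controls still run)
#   0 = Enable, 1 = Prompt, 3 = Disable

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Human-readable names for the values this script reports on.
$ActionNames = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
}

function Get-ActiveXDownloadPolicy {
    <# Reads the three ActiveX-related actions for the given zones and returns
       one object per zone/action with the raw value and its meaning. #>
    param([int[]]$Zones = @(3, 4))

    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    foreach ($zone in $Zones) {
        $key = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($id in ($ActionNames.Keys | Sort-Object)) {
            $value = $props.$id
            [pscustomobject]@{
                Zone    = $zone
                Action  = "$id ($($ActionNames[$id]))"
                Value   = $value
                Meaning = if ($null -eq $value) { 'not set (zone default)' } else { $meaning[[int]$value] }
            }
        }
    }
}

function Set-ActiveXDownloadPolicy {
    <# Disables download of signed and unsigned ActiveX controls in the given
       zones. Action 1200 (run existing controls) is deliberately not touched,
       so controls that are already installed continue to work. #>
    param([int[]]$Zones = @(3, 4))

    foreach ($zone in $Zones) {
        $key = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($id in '1001', '1004') {
            Set-ItemProperty -Path $key -Name $id -Value 3 -Type DWord   # 3 = Disable
        }
    }
}

function Test-RunningAsAdministrator {
    <# The first recommendation: everyday use from a standard account.
       Returns $true when the current token holds the Administrators role. #>
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage: warn if browsing would happen with admin rights, apply the zone
# settings for the current user, then read them back for verification.
if (Test-RunningAsAdministrator) {
    Write-Warning 'Running with administrative rights; day-to-day browsing should use a standard account.'
}
Set-ActiveXDownloadPolicy
Get-ActiveXDownloadPolicy | Format-Table -AutoSize
```

The read-back step matters: the same action IDs exist per zone, and a zone key that has never been customised may hold no value at all, in which case IE falls back to the zone's default template rather than to Disable. Run the script as the user whose browsing you want restricted, since the settings live in that user's hive.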

  7. I have an older lady whose computer I set up and manage for her. In the past, when a grandchild had visited, she was bitten by some malware from a site her gc surfed to. Because I had her OS (win98) locked down as tight as possible, she suffered no real damage that I could not undo. From then on she had to run AV software (InoculateIt PE till it became the expensiveware it is today). After a few years I took it off, she is AV free and that particular install of win98 lasted a good 4 yrs (with an occasional fluffing) till I found her a new (used cheap) comp. What works for my ‘people’ is education, a proper lean-and-mean install of the OS, and a mandatory switch to Firefox and Thunderbird. Some get AVG free, some I let go till they goof up. I gave up on the firewalls when I found out that they were letting everything and its sister out on the net….

    My point is that education works (and most of my clients are seniors) once you provide a firm foundation by tweaking Windows (but I get lonely because they don’t call me all the time….)

  8. I think Virus scanning is the ‘last line’ of defense. I view security in a ‘normandy’ approach. That is numerous layers of controls that on the whole, make life very difficult for the malware writer.

    My configuration at home is an example. I built the configuration because I have young children and I don’t want their activity on the internet to introduce viruses on my computers.

    First I have a router that has a hardware firewall enabled with latest encryption and a mac filter enabled. This means if you don’t have a key and the correct mac address I have given you, you don’t get in!

    Second, I have a computer running the patch guard technology on x64 windows (dual core cpu). It is an unpatched, no user software system with firewall enabled and no internet access (web browsers are locked down). I permit only one piece of software to be run, vmware player. I am the only authorized user of the system, and I am the only person in the house that can turn on a virtual operating system.

    Third, I run all software applications in a virtual operating system built by vmware workstation on a different machine that is only used for this purpose. The other people in my house are only permitted access to these machines.

    Fourth, The virtual machines physically reside on a network disk running a slimmed down Linux OS. Only I possess the passwords to write directly to the disk. My children have separate virtual machines that run their apps and browsers that are different from mine.

    Fifth, Software is presented on Thin client computers running another specialized version of Linux. The connections are password configured and only I possess the passwords to configure the links.

    Sixth, the real computers and network disk drive are locked physically in a storage space in my home, so the removable disk drives cannot be accessed with a key.

    Seventh, The web browsers are patrolled by Net Nanny, which only permits browser access to approved web sites.

    Eighth, The virtual machines have the firewalls enabled in the operating system.

    And finally, if you figure out how to maneuver around all of this I have a virus detection program that checks the legitimacy of your software.

    I have never had malware successfully gain control of my network. The only viruses I have had were inside of my kids’ virtual machine. I simply destroyed the virtual machine and recreated it (a 5 minute operation). Doing it this way gives my kids a disincentive to download viruses because when I get rid of their viruses, I also get rid of any unapproved software installed by them in their virtual machine….
