There has recently been quite a ruckus about the ineffectiveness of anti-virus applications against new and unknown viruses, particularly because of tests run by Consumer Reports, which rated popular antivirus software based partly on its performance against fifty-five hundred new variants cooked up specifically for Consumer Reports’s testing … which showed less than 90% detection for all products, and less than 80% for Norton and McAfee.
Most anti-virus experts agree that creating new viruses is unwise and unnecessary; in fact, over 100 security experts from all the major companies, from RIS and Microsoft and HP as well as anti-virus vendors, have signed a public letter condemning the practice. However, although it’s clearly a bad idea for anti-virus companies to create new viruses (how could you trust them not to distribute these viruses in an attempt to improve the marketplace for sales of their products?), it’s not so clear cut when it comes to comprehensive testing by consumer advocates. As The Washington Post blog put it, testing against previously unknown malware is essential to the interests of the users, since with an estimated 250 new threats emerging per day, recognizing these is probably the most important task remaining to anti-virus products.
There’s an interesting article from back in July on the ZDNet Australia blog commenting that the leading anti-virus vendors are far less likely to detect new viruses than the less popular brands, simply because the virus authors would necessarily test their viruses against the big vendors’ products before releasing them into the wild… I suppose there’s some truth to that, but the fact is that it’s not just in heuristics tests that the big vendors aren’t the best.
I should also mention that it is actually cheaper, easier, and much safer to simply test previous versions of the anti-virus software against new viruses that have come out since their release. It arguably gives the same effect as testing the anti-virus heuristics against viruses they don’t have “signatures” for, but without the added cost and risk of creating new viruses. In fact, that’s what AV-Comparatives does: independent comparisons of anti-virus programs, testing current viruses against both current and old AV signatures, and they test more of the good applications too (why on earth isn’t ESET Nod32 in Consumer Reports’ review?). Interestingly, the predictions of that blog post (but not the relatively high ratings found by Consumer Reports) ring true:
In the latest “retrospective” test, which pits products against new malware that actually appeared in the three months after the products’ signatures were released, the best score achieved is only 58% detection, and comes from the aforementioned Nod32, which is so obscure (although it’s what I use) that it wasn’t even tested by Consumer Reports. Consumer Reports’ top-ranked product, BitDefender, did fairly well (by comparison) at 45%, but Norton and McAfee are the 3rd and 4th worst in the test, better only than F-Prot and AVG.
At any rate … my personal favorite NOD32 does exceedingly well in these tests, and I honestly recommend that if you’re serious about getting a decent anti-virus, you should check the scores for yourself from some of the leading test centers like:
“I should also mention that is actually cheaper, easier, and much safer to simply test …”
No, it is by far not easier – it is much more work to do a test with malware that really never appeared before and which works. Creating malware samples is much easier and faster to do (probably that’s why CR used this method), but the results gathered in this way would not represent real-world results.
“...the best score achieved is only 58% detection…”
58% on-demand detection of really new malware in a 3-month retrospective test is a very good score. People who think that this is low have not fully understood the great proactive on-demand detection value of the products which got Advanced+ in our retrospective tests. Of course, in on-demand retrospective tests the results will never be as high as with updated signatures and updates.