I first heard that the anti-virus scanner was dead in December 1989. Experts had postulated that the increase in the number of different computer viruses, which at the time numbered almost 200, would quickly outpace the ability of anti-virus scanners to keep up.
That seems a laughable prediction now: Anti-virus scanners and vendors are adaptable, and they only have limited performance problems even when faced with 50,000 or 100,000 threats. Despite this flexibility, the premature announcement of the death of the anti-virus scanner still seems to herald every new malware threat. File executable viruses were going to kill them. Then macro viruses, script viruses, polymorphism, and now root kits.
As a two-decade security veteran, I’ve always chuckled at the thought of anti-virus programs becoming useless. Now, I find myself writing about it. Has the end of anti-virus scanners' useful life finally arrived?
Over the last two years, malware has become professional crimeware. No longer coded by kids hoping to impress their friends, crimeware is big business. It’s more sophisticated, hides better, and contains more tricks; instead of one attack vector, it contains 10. The professionals intentionally code their malware programs to escape detection. Often, the latest crimeware bug is nothing but the same old Spybot or Sobig variant malformed just enough to escape anti-virus scan detection.
There are several Web sites (e.g. virusscan.jotti.org or www.virustotal.com) where users, rogue and legitimate alike, can submit their malware program to find out which of the top anti-virus scanners detect it. These days, most of the malware programs I find go undetected by any of the scanners, or at best, are detected by maybe one out of five.
Several recent studies, including one by Consumer Reports (subscription needed to access the CR study, but the results are available in this Dvorak Uncensored post), conclude that anti-virus companies aren’t doing a great job in detecting slightly modified malware threats. The best anti-virus program only detected 87 percent of the newly modified threats; many of the most popular programs were in the 50-to-70-percent range. Virustotal reports that only 2 percent of submitted viruses are detected by all anti-virus scanners.
In my personal experience, the most popular anti-virus programs are only about 20 percent accurate against new threats. I can’t tell you how many times I’ve heard my customers say, “But I’ve got an up-to-date anti-virus program!” when I find an infection on their PC. It’s about all I ever hear these days when cleaning up a system after a malware attack.
It’s not as if anti-virus programs can’t recognize new threats. Most of them have behavioral checkers (i.e. heuristics), but these mechanisms don’t work very well, or they minimize behavioral checking or turn it off entirely. Either they aren’t accurate (giving you false negatives), or they cause too many false positives. And when they are turned on, they slow down the user’s system. The end result is that most anti-virus scanners are inaccurate at detecting new threats.