Posted by SecResponse - F-Secure
I have lately been following and participating in discussions as to whether or not antivirus products are useless and just waste of money. And as I am employed by F-Secure, my position on the matter may be rather obvious. But rather than going on with the same tired argument, I would like to shine some attention to some common patterns and misconceptions that repeat themselves in almost all discussions.
Pattern 1: Someone tries to use VirusTotal scan results as an argument.
VirusTotal is a very useful system for getting initial information about some particular sample but it does not give reliable indication about performance of various antivirus products. The folks at VirusTotal themselves know this, and they do not like their system being abused in bad research. In fact, VT has declared this for years already in their section about page. See the section called — BAD IDEA: VirusTotal for antivirus/URL scanner testing.
From VT: BAD IDEA: VirusTotal for antivirus/URL scanner testing
At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:
VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.
The reason for this is threefold. Firstly the engines that AV vendors provide to VT are not exactly the same configuration as are in the real-world product and do not receive the same care and attention as real products do, if a sample is missing in VT’s results we do not care as much as we do for our paying customers.
Secondly no organization in its right mind would provide its most advanced technology into a comparative system where attackers can test their new creations at leisure, and try until they are able to circumvent enough scanners to their liking.
Thirdly VirusTotal does not try to execute the files with actual products being installed. This means that any run-time heuristics, behavioral monitoring, and memory scanning are out of the game. And thus the detection results are meager when compared to full products. But it is understandable why VT does not execute files, executing everything on every engine would require massive resources, and many samples would still fail due to missing components that would be present in a real infection case.
Pattern 2: Testers scan files locally that they have downloaded and unpacked (from password protected archives) from some collection and complain if some malware file is not detected.
Even when using the real product to scan such collections or forensic result files, you are still not really using the product as it is intended, scanning is only the third to last line of defense.
The antivirus industry realized years ago that there is no way it can give sufficient protection just by scanning files.
We switched our focus into trying to prevent hostile content from ever reaching the target rather than trying to detect it when it is already running in the system.
The typical antivirus product, or should I say security suite, contains multiple layers of defense of which file scanning is only small part.
What is being used varies from product to product. But the typical product has at least these layers.
1. URL/Web access filtering.
This is done to prevent users from ever coming into contact with hostile attack sites.
2. HTTP, et cetera protocol scanning.
To catch the hostile content before it reaches Web browser or other client.
3. Exploit detection.
To block the exploit before it is able to take over the client. And if the exploit is not detected as such, many products also contain measures to prevent exploits from successfully running.http://www.f-secure.com/weblog/archives/00002482.htmlhttps://www.virustotal.com/about/