Tuesday, November 10, 2009

Antivirus Programs vs. the Malware

AV-Comparatives, a name in online antivirus testing, has released the results of their 2009 malware removal tests pitting 16 antivirus programs against each other to test their ability to clean out malware from systems.

The results? None of the tested programs rated a "very good." The link above takes you to the full results of the test complete with a thorough description of the test methodology.

Not that it's a big surprise. At least not to people that have to deal with this crap all the time.

The fact is that once a system is infected, there's no way to trust that it hasn't been modified in a way that prevents you from finding the infection. Malware can replace operating system files so that your utilities can't see it or any sign of it (for example, replacing netstat so that you can't see network activity linked to the malware). You don't know if it's hidden in the filesystem so it's invisible (look up NTFS alternate data streams, also called filestreams; oddly enough there aren't many native Windows tools for finding the damn things, but they are simple to use for hiding data, and there is malware that hides information in them). You don't know if the malware is downloading more in the background, working to create backdoor access to your system, monitoring your keystrokes for passwords, or uploading your documents to file sharing sites.
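As an added example (not part of the original post), here is one way to hunt for the alternate data streams mentioned above. It assumes a Windows machine with PowerShell 3.0 or later, where Get-Item gained the -Stream parameter (that version postdates this 2009 post; on older systems, `dir /r` in cmd.exe on Vista and later, or the Sysinternals "streams" tool, does the same job). The $Path default is just a starting point for the scan.

```powershell
# Added example: list NTFS alternate data streams (ADS) under a directory.
# Every file has a default unnamed stream (':$DATA'); anything else is an
# extra stream that normal directory listings and Explorer will not show.
param(
    [string]$Path = "$env:USERPROFILE"   # assumption: scan the current user's profile by default
)

Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * enumerates all streams of the file, including the default one
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |      # drop the normal file content stream
    Select-Object FileName, Stream, Length |       # what file, what stream name, how big
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Expect to see a lot of streams named `Zone.Identifier`: Windows attaches that small "mark of the web" stream to files downloaded from the Internet, and it is benign. Other stream names, large streams, or streams attached to files in system or application directories are what deserve a closer look, because the visible file size and content give no hint that the extra data is there.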

Many malware programs are built to recognize attempts to detect or remove them, or know about popular antivirus programs, and work to cripple your ability to update your antivirus or to break its installation outright.

It's an arms race. The only way to be "safe" is to not get infected in the first place, given what they can do once they're in your system and how heavily antivirus programs rely on signatures for detecting malware.

But think about it.

You install antivirus with Monday's signatures.
Tuesday a malware author creates a new "virus" and releases it.
Tuesday night a honeypot used by your antivirus vendor detects the new malware.
Mid-Wednesday the vendor has finished reverse engineering the malware and has created a new signature.
Wednesday afternoon the vendor has added the signature to their latest update list.
Hmm...when are you updating your signatures? Every hour? Once a day? Every night?

Even if you update every hour, that's an hour-long window where you were open to infection by that malware. There are hours and hours, at least, between a malware program's release and a vendor getting a sample, analyzing it, creating a signature, uploading that, and then you downloading the "fix". On the Internet you can be infected by scanning worms and malware within minutes.

That means that for most users the topic of computers and viruses is a cat and mouse game, always playing catch-up. And that's if the user even bothers paying attention to the issue (judging from my web server logs, most don't).

Worse, it's not like you can install multiple antivirus programs and overlap protection. Nope. They will normally end up interfering with each other. You have to pick one and enjoy it. Plus they add overhead by scanning every file your system opens up as they work; there's a memory and CPU cycle cost to doing this.

And again. It's. Not. Completely. Effective.

You can minimize the risk by using "less popular" systems like Linux or OS X instead of Windows. That helps, but doesn't make you immune.

How do you stay safe?
Educate yourself about proper system maintenance.
Stay updated with your vendor's bug fixes and patches.
Educate yourself about how malware spreads; don't install programs from random websites, or give your information to websites that aren't encrypted and aren't reputable.
Pay attention to warnings about add-ons running in your web browser or programs trying to install or run.
Pay attention to your system so you can be aware of anomalies in behavior. If it's suddenly getting slower or starts acting weird those are red flags.
If you use an antivirus keep it up to date with the latest signatures.
Install specialized malware programs like Spybot Search-and-Destroy. Keep it updated.
Pay attention to security warnings.
Educate yourself on how to use Google to check into programs before you install them. A lot of sites have fake "virus detected!" popups with offers to clean it with a particular product, when the product is actually the malware.

All of these are good starts to keeping safer while using the Internet. Antivirus and anti-malware programs alone aren't 100% effective. Education is a wonderful way to help curb your personal information becoming public.
