Is Antivirus Software Slipping?

A "study," released by a security firm just yesterday, points out the well-known weakness in signature-based antivirus software. But does this mean you shouldn't rely on antivirus software?The study, which was conducted by anti-botnet vendor Damballa (which has an obvious chip in the game at pointing out the weaknesses of antivirus), says that the antivirus software it used immediately spotted barely half of all of the malware samples the company threw at it.

From DarkReading.com:

"Antivirus software immediately discovered only 53 percent of malware samples, according to data gathered by Damballa in a six-month study that used McAfee Scan Engine v5.3.00 to scan more than 200,000 malware samples. Another 32 percent were found later on, and 15 percent were not detected at all. The average delay in detection and remediation was 54 days." There are a couple questions I have about this analysis. First, only one antivirus engine was used, which limits its usefulness, despite McAfee Scan Engine being widely used. No where in the DarkReading story, or on Damballa's site, could I find details on how the 200,000 malware samples were picked, or where they were picked from.

Certainly, if you pick newly released, low-risk, barely spread bots and Trojans -- and there are tens of thousands of them -- antivirus will fare quite poorly. Many times, because the torrent of malware runs so fast, antivirus firms need to focus their resources on the real-world threats first. Just as they should.

A decent study would be to take a number of systems protected by antivirus and a basic firewall, and model the possible usage patterns of low-risk individuals (technically-savvy folks who don't go to risky places and aren't easily duped into opening risky attachments), and medium and high-risk users who would be more inclined to perform such behavior. Use real people, going to commonly used Web sites and peer-to-peer networks (for the risky group), and see how the technology does.

My bet is that the low-risk group would run into very little trouble.

That said, antivirus won't, and never has, done a good job at protecting people from targeted and zero-day attacks. That's what your firewall, coupled with a lot of common sense, should do.