Wednesday

The efficiency of anti-virus

The discussion about the efficiency of anti-virus is very much alive. I touched on the subject a few times before, here and here. Let's have another look at it, this time through Google's latest security technical report: All Your iFrame Are Point to Us.

For this exercise, we are interested in section 7.1, Anti-virus engine detection rates:

We subject each binary to each of the anti-virus scanners using the latest virus definitions on that day. Then, for an anti-virus engine, the detection rate is simply the number of detected (flagged) samples divided by the total number of suspicious malware instances inspected on that day. Figure 15 illustrates the individual detection rates of each of the anti-virus engines. The graph reveals that the detection capability of the anti-virus engines is lacking, with an average detection rate of 70% for the best engine. These results are disturbing as they show that even the best anti-virus engines in the market (armed with their latest definitions) fail to cover a significant fraction of web malware.
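The metric the report describes is easy to reproduce on your own scan results, for instance a day's worth of multi-engine verdicts on samples pulled from a honeyclient. The block below is an added example, not code from the report: the engine names, sample IDs and verdicts are constructed, and the functions compute the per-engine daily rate exactly as defined above (flagged divided by inspected), its average over days, and two numbers the report's single-engine figure does not show, namely the coverage you would get from the union of all engines and the samples that slipped past every one of them.

```python
"""Per-engine detection rate as defined in section 7.1 of the Google report.

Added example, not code from the report. The verdict table below is
constructed: each row is one suspicious sample scanned on a given day, and
the value for each engine is True if that engine flagged the sample with
the definitions of that day.
"""
from collections import defaultdict
from statistics import mean

ENGINES = ("engine_a", "engine_b", "engine_c")

# Constructed sample data: (day, sample_id, {engine: flagged})
SCANS = [
    ("2008-01-01", "s1", {"engine_a": True,  "engine_b": True,  "engine_c": False}),
    ("2008-01-01", "s2", {"engine_a": True,  "engine_b": False, "engine_c": False}),
    ("2008-01-01", "s3", {"engine_a": False, "engine_b": False, "engine_c": True}),
    ("2008-01-01", "s4", {"engine_a": False, "engine_b": False, "engine_c": False}),
    ("2008-01-02", "s5", {"engine_a": True,  "engine_b": True,  "engine_c": True}),
    ("2008-01-02", "s6", {"engine_a": True,  "engine_b": False, "engine_c": True}),
    ("2008-01-02", "s7", {"engine_a": False, "engine_b": True,  "engine_c": False}),
    ("2008-01-02", "s8", {"engine_a": False, "engine_b": False, "engine_c": False}),
]


def daily_rates(scans):
    """Return {engine: {day: detected / total}}, the report's per-day definition."""
    detected = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    for day, _sid, verdicts in scans:
        total[day] += 1
        for engine in ENGINES:
            if verdicts[engine]:
                detected[engine][day] += 1
    return {e: {d: detected[e][d] / total[d] for d in total} for e in ENGINES}


def average_rates(scans):
    """Mean of the daily rates per engine: the number the report quotes as 70%."""
    return {e: mean(days.values()) for e, days in daily_rates(scans).items()}


def best_engine(scans):
    """Engine with the highest average detection rate."""
    rates = average_rates(scans)
    return max(rates, key=rates.get)


def union_rate(scans):
    """Fraction flagged by at least one engine: the ceiling of a multi-engine setup."""
    return sum(any(v.values()) for _, _, v in scans) / len(scans)


def missed_by_all(scans):
    """Samples no engine flagged: what a signature layer lets through regardless of vendor."""
    return [sid for _, sid, v in scans if not any(v.values())]


if __name__ == "__main__":
    for engine, rate in sorted(average_rates(SCANS).items()):
        print(f"{engine}: {rate:.0%} average detection rate")
    print("best engine:", best_engine(SCANS))
    print(f"any engine: {union_rate(SCANS):.0%}")
    print("missed by every engine:", missed_by_all(SCANS))
```

On the constructed data the best engine averages 50% while the union of all three reaches 75%, and two samples are missed by every engine; those last two are the ones that only a non-signature control (or detection and response after the fact) would have caught.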

I'm not telling you that anti-virus is useless, but it isn't as efficient as some people believe. Security is still about risk reduction. The only question you need to ask is whether the price of the software is justified by the amount of protection you are getting today. Here is an example of someone who decided they weren't getting their money's worth: Staying safe without anti-virus (BBC)

One such is Brent Rickels, the one-man IT department for the First National Bank of Bosque County in Texas, who has thrown out his anti-virus software and has a much quieter life as a result.

"I just wanted to be able to sleep at night," he said explaining the decision to stop using anti-virus.
"There had to be something better by now," Mr Rickels told the BBC News website. "Anti-virus is such a reactive model."

"The bad guys out there have copies of Symantec and Trend Micro and all of the anti-virus software and are using it to develop their stuff on and get their stuff past it," he said.

As its front line of defence the bank uses a so-called whitelist system that only lets a few programs run on every PC that bank staff use. Everything else, including viruses or malicious programs that try to strike via websites, is shut down before it can get a hold.

The bank has also imposed a 20-minute-per-day limit on the time staff can spend looking at non-work related websites.

Don't forget, it isn't all about prevention. Detection and response are often overlooked, and no single prevention measure is bulletproof. I like the whitelisting idea, but whether it works for you depends on the type of environment you're in. Flexibility and security sit at opposite ends of the same scale. Pick your poison.
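The trade-off is easier to see with the two models side by side. The block below is an added example, not from the BBC article or from Google's report: it runs a default-allow signature blocklist (the anti-virus model) and two default-deny allowlists (one keyed on path, one on file hash, as a bank like the one above might run) over constructed process-start events, and scores each policy by the malware it lets run and the legitimate software it breaks. Every path, hash, event name and ground-truth label is made up, and the SHA-256 of a label stands in for the hash of a real file.

```python
"""Default-allow (signature blocklist) versus default-deny (execution
allowlist) over constructed process-start events.

Added example, not code from either article. All events, paths and
hashes below are constructed; fake_digest() hashes a label because no
real files exist in this demo.
"""
import hashlib
from dataclasses import dataclass


def fake_digest(label: str) -> str:
    """Stand-in for a binary's SHA-256 (constructed, hashes a label, not a file)."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class Exec:
    name: str        # label for reporting
    path: str        # where the binary ran from
    digest: str      # hash of the binary's contents
    malicious: bool  # ground truth, used only to score the policies


# Constructed process-start events.
EVENTS = [
    Exec("teller_current", r"C:\Bank\teller.exe", fake_digest("teller-3.1"), False),
    # vendor patch installed before anyone approved the new hash
    Exec("teller_update", r"C:\Bank\teller.exe", fake_digest("teller-3.2"), False),
    # approved binary overwritten in place with a backdoored copy
    Exec("teller_trojaned", r"C:\Bank\teller.exe", fake_digest("teller-backdoor"), True),
    # old sample every vendor has a signature for
    Exec("old_trojan", r"C:\Users\jo\Temp\a.exe", fake_digest("trojan-2007"), True),
    # dropper compiled today: no signature exists yet
    Exec("fresh_dropper", r"C:\Users\jo\Temp\b.exe", fake_digest("dropper-today"), True),
]

SIGNATURES = {fake_digest("trojan-2007")}       # what the AV vendor has seen
APPROVED_HASHES = {fake_digest("teller-3.1")}   # what the bank has approved
APPROVED_PATHS = {r"C:\Bank\teller.exe"}


def av_blocklist(e: Exec) -> bool:
    """Allow unless a signature matches: default allow, the reactive model."""
    return e.digest not in SIGNATURES


def path_allowlist(e: Exec) -> bool:
    """Allow only approved paths: cheap to maintain, but a file swapped in place still runs."""
    return e.path in APPROVED_PATHS


def hash_allowlist(e: Exec) -> bool:
    """Allow only approved hashes: catches the swap, but blocks the unapproved update too."""
    return e.digest in APPROVED_HASHES


def score(policy, events=EVENTS):
    """Return (malware allowed, legitimate software blocked) for a policy."""
    missed = [e.name for e in events if e.malicious and policy(e)]
    broken = [e.name for e in events if not e.malicious and not policy(e)]
    return missed, broken


if __name__ == "__main__":
    for policy in (av_blocklist, path_allowlist, hash_allowlist):
        missed, broken = score(policy)
        print(f"{policy.__name__:15s} lets run: {missed}  breaks: {broken}")
```

The blocklist lets both the unsigned dropper and the backdoored teller binary run and breaks nothing; the path allowlist stops the drive-by downloads but not the in-place swap; the hash allowlist stops everything malicious and blocks the vendor update until someone approves the new hash. That last line is the operational cost the one-man IT department accepts, and it is exactly why the choice depends on the environment.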

1 comment:

Anonymous said...

http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

It's an atypical product from this vendor but it does its job incredibly ... worth a look.