<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in The AV Doth Protest Too much (Consumer Reports)</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 25 Aug 2006 13:47:58 -0000</lastBuildDate><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://www.matasano.com/log/433/the-av-doth-protest-too-much-consumer-reports/#comment-2320211</link><description>It's far worse than expected.  I've written more about this on my blog -- &lt;a href="http://sunbeltblog.blogspot.com/2006/08/consumer-reports-testing-scandal-its_25.html" rel="nofollow"&gt;http://sunbeltblog.blogspot.com/2006/08/consume...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">alex eckelberry</dc:creator><pubDate>Fri, 25 Aug 2006 13:47:58 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://www.matasano.com/log/433/the-av-doth-protest-too-much-consumer-reports/#comment-2320210</link><description>Actually the point was passed a few years ago.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 23 Aug 2006 21:36:44 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://www.matasano.com/log/433/the-av-doth-protest-too-much-consumer-reports/#comment-2320209</link><description>How does the industry respond to articles like this?&lt;br&gt;&lt;br&gt;Eighty percent of new malware defeats antivirus &lt;a href="http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0%2C2000061744%2C39263949%2C00.htm" rel="nofollow"&gt;http://www.zdnet.com.au/news/security/soa/Eight...&lt;/a&gt;&lt;br&gt;&lt;br&gt;This 80% number was confirmed in a posting on the &lt;a href="http://offensivecomputing.net" rel="nofollow"&gt;offensivecomputing.net&lt;/a&gt; blog which has a database of 33,000+ 
pieces of malware.&lt;br&gt;&lt;br&gt;Here is an anonymized quote from a friend who works at a very well known security product company, &lt;br&gt;&lt;br&gt;"At XXXXX we have a few honeypot boxes that we use to capture malware  that is actually in the wild (none of this we found it in our lab). We then run it through an engine that uses 27 different AV  products to try and identify the malware.  The results obviously vary  but out of the 27 it is common to only have 2 or 3 products actually  identify the code."&lt;br&gt;&lt;br&gt;It seems clear that catching old malware is easy and catching new malware is hard, even new malware that is a slight variation on old.&lt;br&gt;&lt;br&gt;So the efficacy of current AV must be proportional to the churn rate of malware.  The faster virus writers are able to make modifications, the more likely they are to be successful.&lt;br&gt;&lt;br&gt;The number of "hockey stick" graphs in this trend report tells the tale:&lt;br&gt;&lt;a href="http://www.viruslist.com/en/analysis?pubid=182974451" rel="nofollow"&gt;http://www.viruslist.com/en/analysis?pubid=1829...&lt;/a&gt;&lt;br&gt;&lt;br&gt;Is there a point where the current AV technology just cannot keep up with the churn rate?  Have we reached it?&lt;br&gt;&lt;br&gt;-Chris</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris W.</dc:creator><pubDate>Tue, 22 Aug 2006 09:22:26 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://www.matasano.com/log/433/the-av-doth-protest-too-much-consumer-reports/#comment-2320208</link><description>I agree with Chris_B that AVERT is a strong team, and I'm sure someone in the PR group at least got to edit this response before it came out.  It's not like security companies are ever in the middle of public relations problems right?  &lt;br&gt;&lt;br&gt;However, I don't think that it is relevant if AVERT or the business people came up with this response.  
MFE along with the other AV companies have built a good business and they want to protect it.  As if it wasn't enough that their margins and market share are being squeezed by Microsoft, but now their product is being called into question by a group of people that review blenders and washing machines.  The AV business is full of some very smart and very proud people, and they weren't just going to take this one lying down.&lt;br&gt;&lt;br&gt;Kudos to Consumer Reports for turning the standard security product review on its head and testing the core value of the product.  These types of reviews will lead to better products and more intelligent consumers.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Ingevaldson</dc:creator><pubDate>Tue, 22 Aug 2006 09:09:41 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://www.matasano.com/log/433/the-av-doth-protest-too-much-consumer-reports/#comment-2320207</link><description>Those of us who worked for companies McAfee devoured under the guise of NAI learned not to trust the business people there but the AVERT folks tended to be good at heart. It's too bad that they probably had to go through some of the corporate vipers in their "official" communications.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 22 Aug 2006 02:56:05 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://www.matasano.com/log/433/the-av-doth-protest-too-much-consumer-reports/#comment-2320206</link><description>Just to be overly picky and pain in the ass, a better stock analyst rating would be&lt;br&gt;Sell&lt;br&gt;Hold&lt;br&gt;Buy&lt;br&gt;&lt;br&gt;And what the hell is up with the &lt;br&gt;Underweight&lt;br&gt;Hold&lt;br&gt;Overweight&lt;br&gt;???&lt;br&gt;&lt;br&gt;Anyway, we all know that we don't have to worry about viruses now that we are on OS X. 
;)&lt;br&gt;&lt;br&gt;Lucas.-</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lucas Nelson</dc:creator><pubDate>Mon, 21 Aug 2006 23:35:14 -0000</pubDate></item></channel></rss>