Do anti-virus software tests tell us the truth?
Do AV tests tell us the truth? Let's see how deep the rabbit hole goes!
At this time, signature-based virus detection is still the most common method of protection. In every published anti-virus test, anti-virus tools show good detection ratings (~99%) for known malware, and their heuristics look good too (~50%) against unknown malware modules. But is that the whole truth? DEFINITELY NOT!
Let's see HOW these tests are done. The tester collects a number of samples, runs file scans and counts the percentage of the malware detected. Most of the samples come from VX nets (a VX net is the private sample-exchange network between anti-virus companies; yes, they exchange samples with each other!) or have already been submitted to the anti-virus companies by users. In other words, the products under test have usually seen those exact files before. But in real life, malware acts another way!
Nowadays, malware writers morph (alter) their modules as soon as anti-virus companies start detecting the current ones (within 2-4 hours!). So, if you've been surfing and got infected by some malware, you can bet that it is undetected by your anti-virus, because this particular sample is still unknown to every anti-virus company. Heuristics may detect it as malware, but its creator is always looking for ways to fool and bypass heuristics. Trust me, it is not that hard to do! Also, a high heuristic level means a high level of false positives.
OK, you have got malware, what now? Your anti-virus sits quiet, but you feel that something is wrong with your computer. You suspect something, generate a HijackThis log and post it to a computer help forum. They help you clean up the malware, send everything found to the anti-virus companies, those samples feed the next round of AV engine tests, and everything is OK now, except for the time and money spent, and perhaps your mental health. You may even be lucky and your anti-virus may clean up the malware after the next database update. But what happens if your anti-virus never shows that some malware is hidden on your system and the AV companies never get its signature? It means your computer is not yours anymore: your personal files and confidential data may be stolen, the money in your bank account may disappear... Hmmmm...
The anti-virus test results you see in all the magazines are not from real life; they are too synthetic. Most In-The-Wild malware is not immediately detected by signature-based anti-virus tools. Is there any way to be protected and safe?
YES! IT IS POSSIBLE TO PREVENT VIRUSES FROM INFECTING YOUR COMPUTER!
It is possible to morph malware's code, but its behavior remains the same! So the main idea of a Virus Prevention Tool is behavior-based analysis. But how do you decide that a given behavior is malicious and block it? That is the main problem for behavior-based virus prevention solutions.
There are two ways to solve it.
First - the user must make the decisions.
A popup window appears with a question about a potentially malicious action, some hints to help the user decide, and that is all! Now it is the user's problem! Simple and easy! But is it simple for the user? Is it easy? DEFINITELY NOT! It is not a Malware Prevention Tool, it is merely an examination tool! Average users don't have enough knowledge to answer such questions correctly! Paranoid users always press "No", normal users always press "Yes", but FEW READ WHAT'S WRITTEN IN THE POPUP! This approach is known as classical HIPS, a/k/a Application Firewalls. Those tools are made for advanced, highly skilled users.
Second - the Malware Prevention Tool makes the decision!
It blocks all potentially dangerous activity according to a built-in rule set. The user only needs to mark the possible avenues of infection (browser, e-mail, IM, IRC and P2P clients) as controlled by the tool ('untrusted' in DefenseWall's terminology). This method is known as sandbox HIPS. There are no popup questions at all! This type of malware protection is highly transparent and simple for users. Sandbox HIPS tools won't let malware install itself properly into the system, break out of the sandbox zone or hijack important files. They give the user an easy and simple way to terminate all the processes within the sandbox area and then to clean up the remaining malware pieces from the computer manually. This kind of virus prevention tool requires no technical knowledge from its users.
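To make the difference between the two designs concrete, here is a small model of a behaviour-based HIPS. It is an added illustration written for this page, not DefenseWall's code or rule set. It assumes three things that the article does not spell out: a rule set consisting of writes to system directories, values under the autorun registry keys and code injection into a trusted process; that the "untrusted" status of a marked program (browser, mail client) is inherited by every process it launches, so a downloaded installer is sandboxed automatically; and that the only difference between classical and sandbox HIPS is what happens when an untrusted process hits a rule (ask the user, or deny silently). All process names, paths and registry keys in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed rule set for this example (not DefenseWall's real rules).
# Writes under these directories and values under these autorun keys are the
# classic ways a dropper installs itself permanently into the system.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
AUTORUN_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass
class Process:
    pid: int
    image: str
    trusted: bool
    parent: Optional["Process"] = None


class BehaviourHips:
    """mode='classic': ask the user about dangerous actions of untrusted code.
    mode='sandbox': deny them silently according to the rule set."""

    def __init__(self, untrusted_images: Set[str], mode: str = "sandbox"):
        if mode not in ("classic", "sandbox"):
            raise ValueError(mode)
        self.untrusted_images = {i.lower() for i in untrusted_images}
        self.mode = mode
        self.procs: Dict[int, Process] = {}
        self.log: List[Tuple] = []

    def spawn(self, pid: int, image: str, parent: Optional[Process] = None) -> Process:
        # Assumption of this model: trust is inherited down the process tree.
        # Anything started by an untrusted process is untrusted too, even if
        # its image name is not on the list; that is what catches a dropper
        # the browser downloaded and executed.
        inherited = parent is None or parent.trusted
        trusted = inherited and image.lower() not in self.untrusted_images
        proc = Process(pid, image, trusted, parent)
        self.procs[pid] = proc
        return proc

    def is_dangerous(self, action: str, target) -> bool:
        if action == "write":
            return target.lower().startswith(SYSTEM_DIRS)
        if action == "reg_set":
            return target.lower().startswith(AUTORUN_KEYS)
        if action == "inject":
            # target is a Process; injecting code into a trusted process would
            # let the malware act outside the sandbox.
            return target.trusted
        return False

    def check(self, proc: Process, action: str, target) -> str:
        """Return the verdict for one behaviour event: allow, deny or ask."""
        if proc.trusted or not self.is_dangerous(action, target):
            verdict = "allow"
        elif self.mode == "classic":
            verdict = "ask"      # popup: the user now has to decide
        else:
            verdict = "deny"     # sandbox HIPS: blocked, no question asked
        shown = target.image if isinstance(target, Process) else target
        self.log.append((proc.pid, proc.image, action, shown, verdict))
        return verdict

    def sandboxed_pids(self) -> List[int]:
        # Everything here can be terminated in one go to stop a live infection;
        # files it dropped in user-writable locations still need manual cleanup.
        return sorted(pid for pid, p in self.procs.items() if not p.trusted)


def demo(mode: str = "sandbox"):
    """Constructed scenario: the browser (marked untrusted) downloads and runs
    an installer that tries the usual persistence tricks."""
    hips = BehaviourHips({"firefox.exe", "outlook.exe"}, mode)
    explorer = hips.spawn(100, "explorer.exe")
    firefox = hips.spawn(200, "firefox.exe", parent=explorer)
    dropper = hips.spawn(300, "setup.exe", parent=firefox)
    results = {
        "dropper_system_write": hips.check(dropper, "write", r"C:\Windows\System32\dropped.dll"),
        "dropper_user_write": hips.check(dropper, "write", r"C:\Users\me\Downloads\setup.exe"),
        "dropper_autorun": hips.check(dropper, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
        "dropper_inject": hips.check(dropper, "inject", explorer),
        "explorer_system_write": hips.check(explorer, "write", r"C:\Windows\System32\legit.dll"),
    }
    return hips, results


if __name__ == "__main__":
    for mode in ("sandbox", "classic"):
        hips, results = demo(mode)
        print(mode, results, "sandboxed:", hips.sandboxed_pids())
```

Running the scenario in both modes shows the point of the article: the dropper's code could be morphed endlessly without changing a single verdict, because the rules never look at the file, only at what it does. In "classic" mode every dangerous event becomes an "ask" that the user must answer; in "sandbox" mode the same events are denied and the installer is left alive only in user-writable locations, from which the sandboxed process list lets the user terminate and remove it. The price of the silent mode is that the rule set has to be right: anything not covered by a rule is allowed, which is why real products carry far longer lists than the three categories modelled here.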
Are anti-virus tools still necessary when using a proactive prevention tool? Yes, they are! Why? It is hard for the average, non-expert user to determine which module on the hard drive contains the malware. It is much simpler for the user to send all the suspicious files to the anti-virus company and then, with the updated anti-virus database, clean them up!
Ilya Rabinovich, CEO, SoftSphere Technologies, July 5, 2006.