By Dave Johnson / MoneyWatch / December 5, 2012, 6:45 AM

Is anti-virus software a waste of money?

(MoneyWatch) Using up-to-date anti-virus software is the cornerstone of computer security, not to mention simple common sense. Or perhaps not. A recent study by security research firm Imperva startlingly concludes just the opposite: Anti-virus software is so universally ineffective that it's just a waste of money.

In the study, which was conducted by the University of Tel Aviv in Israel, 40 anti-virus products were tested against 80 fresh, uncatalogued malware samples. What percentage of this malware did the anti-virus technology initially detect? Nearly zero.

The study then assessed whether the 40 products got any better at detecting these threats over time, as their databases were updated. They were all re-tested over a span of weeks, but the anti-virus software showed little improvement. It took an average of four weeks for malware to become detectable, and overall performance remained quite low. In particular, a dozen poorly detected malware files were still not detected by half of the products even weeks later.

Drawing on these results, the Imperva study does recommend a pair of free anti-virus products -- Avast and Emsisoft -- over commercial products, though the firm does point out that these programs are particularly susceptible to false positives.

So what does this mean for your computer security planning? Certainly, it shouldn't signal an end to your use of anti-virus software, and even Imperva does not recommend eliminating anti-virus tools from your security toolkit. Moreover, this is a single study, and there are questions about its validity. Kaspersky Labs, whose own anti-virus product was included in the study, had this to say about the testing methodology:

[There is a] significant drawback in Imperva's testing methodology which makes it impossible to take these test results seriously. When scanning for potentially dangerous files, the Virus Total service used by Imperva's specialists does not use the full versions of antivirus products, but merely relies on a standalone scanner. This approach means that the majority of protection technologies available in modern antivirus software are simply ignored. This also affects proactive technologies designed to detect new, unknown threats.

We've long recommended anti-malware software -- commercial or free -- and continue to say that any protection is better than none, as long as it's consistently updated.

© 2012 CBS Interactive Inc. All Rights Reserved.
9 Comments
saucymugwump says:
Anyone who knows what they're doing regularly reads the following three web sites for advice on anti-virus solutions:
AV-TEST http://www.av-test.org/en/home/
AV-Comparatives http://www.av-comparatives.org/
Krebs on Security http://krebsonsecurity.com/

Most of the leading AV vendors -- e.g. F-Secure, Kaspersky, and Norton -- maintain a blog.

Curious readers should look at AV-TEST's latest W-7 report to see just how mediocre Microsoft's free AV protection is.
archana_srajan says:
We wholeheartedly agree with Kaspersky Labs -- the Imperva-sponsored test referenced in the article presents a jaded and distorted view of the effectiveness of endpoint protection products. It did not attempt to accurately represent real-world threat conditions and has misleading conclusions based on solely testing in isolation just one aspect or layer of the products.

Symantec, where I work, and most other security vendors recommend multiple layers of security technologies to defend against attack. Nearly all modern endpoint security products use these multiple layers, which include the traditional signature-based antivirus mentioned. Tests like this one from Imperva lead some readers to think that they no longer need to follow industry best practices and take a multi-layered approach to security. This is dangerous.

Dennis Labs Endpoint Security did an independent and more balanced report which was not sponsored by any security company and represents real world testing methodologies with the tester evaluating each product in realistic infection scenarios. We referenced it here: http://******/Qt0hsE
garilou100 says:
One thing not mentioned is the service attached to the anti-virus program.
Last Sunday, a program installed itself on my computer.
No idea how.
I uninstalled it, but "something" was there that kept resetting my browser's home page, which I usually keep at 'about:blank', so that each time I opened a new window or a new tab, I was "rejected", as if I were trying to attack the site (web sites also have anti-virus programs).

Usually I can settle such problems myself, but this was beyond my skills, and I was close to panic.
And I absolutely needed my computer for Monday.

It took 2 online chats - and then, on the phone, 3 different technicians (in India of course), but in the end, the last one managed to get rid of this (of course still pretending that it was not a virus).

If it looks like it, behaves like it, for me it is a virus.

I did not regret my paid subscription. If the anti-virus software had not prevented this program from installing, at least the service got rid of it.

So in choosing an anti-virus, I think that the most important thing is the guarantee: these companies have a 24/7 service with highly qualified technicians, and a one-year subscription was cheaper than trying to find one for a Sunday 4:00 PM problem.
richardstarr says:
If you are sticking to the more established web sites and not browsing the more obscure or underground sites, a good commercial anti-virus program will, if updated, usually protect you quite well.

The only way to keep a computer 100% safe is to never connect to anything.
You can also create a virtual computer and browse from there. When done, you throw it away. If it gets infected it can do you no harm.
_M_e_h_ says:
As for false positives from a couple of products recommended, generally you can set the detection thresholds so it is your choice whether some viri slip through the cracks or the opposite, that some things are flagged which are benign. Any decent AV product will allow learning something is false and restoring it so you do not lose important data.

Lastly the quote by the spokesperson for Kaspersky is true, certain malware is detected by what it does, how it installs, not the resultant file sitting on a hard drive or loaded into memory which may change if the author designs it that way in an effort to escape some detection schemes.

Don't use just one malware prevention or scanner program. Have one running real-time monitoring on the system, then have another already installed on a USB thumb drive so that, in the event of an infection, you can disconnect the infected system from both the LAN and WAN (the internet, for example), scan the system with the installed software, update the 2nd program on the USB thumb drive on a 2nd, clean system, then use it to scan the infected system. Just be aware the infection could spread to the USB thumb drive; don't plug it back into another system until you're certain it is clean.

Ultimately anti-virus software is only a backup plan if the initial plan to not allow a virus to spread doesn't work.

_M_e_h_ says:
As a professional in the industry I have to take issue with the study and conclusions drawn. I should add I have no affiliation with any antivirus or malware prevention developers or other entities profiting from their software.

The study almost seems deliberately flawed. I don't believe they could overlook the fact that by choosing 80 fresh, uncataloged threats, they were trying to keep them from being detected, instead of the real-world situation where the vast majority of viruses an end user is likely to encounter have already been discovered in the wild and cataloged, and are detectable by popular anti-virus products so long as they run in real time and have timely updates to the AV engine and definitions.

What you have to look at is what percentage of malware out in the wild, including the number of systems infected or acting as servers exploiting vulnerabilities in the client (end user's PC) system, is comprised of the 80 malware variants tested against. In other words, many antivirus products may keep you 95% safe, with only a few weeks between initial discovery and preventing another, then another 0.1% every week.

So which do you want, to be infected 1 time running antivirus software (as 5%) or 20 times with no protection at all? If you aren't engaging in risky practices on your system, that 1 time may shrink to 0.001 time. In this latter case it is fair to say you won't benefit from antivirus products much, merely because you never get exposed to any viri, but this is not so common in the modern world where we have wifi, office networks, even hackers working on your system when it breaks down.
DrScrat says:
Sadly the free packages aren't sufficient for the malware, trojans, viruses, etc. that exist today. I'm responsible for computer tech at our company and have seen all the virus packages on various employees' 'personal' (not company) computers that they want to hook to our network. Many of these were flagged as infected after a scan by our virus and malware software. The employees were surprised.

DavidD5063 states "...the WILL to NOT install every free download..." as part of the solution. The issue is a user 'downloads' every time you click on a webpage. If the website has poor security practices, it may be infected and thus infect your computer by you simply 'reading' an article. Generally, this is a trojan that installs itself as part of the website page download and then downloads other malware to your PC. You need a security package that watches email, website access, network activity and so on to prevent this. A security package that only watches files using only virus detection may miss this. Packages offered by most of the security companies have these features now, generally not for free however. A good NAT (network address translation) firewall (part of Wireless Access Point Router or just a router) combined with a good security package is what is needed to be mostly secure.

Getting a Flu 'shot' doesn't always stop you from getting sick, but it does prevent a lot of problems. PC Security is like this, a good software security package coupled with some simple hardware does stop a lot of 'computer illness'.
brinebold says:
I happen to agree. Since MS started including a firewall in their OS, all you need is something watching the incoming/opened files for known bad stuff. Paying for an AV is really a waste of money for your average home user. Medium to large businesses are another story because of the reporting and management features, but for a handful of PCs, Avast or Avira free are just as effective as anything they'd be paying for.

What many people don't realize though is that your AV is an incomplete layer of protection. It is pretty effective but nothing will save you from running everything you find on the internet and 'needing' your java/flash plugins.

The best an AV can do is stop 80-90% of the times you would have trashed your computer with a virus.
davidd5063 says:
Yes. In addition, many products create instability and ridiculously unnecessary constraints within the system. The simple, free packages are all you need, besides the WILL to NOT install every free download you find.