The Limits of Scanning - ' Analysis ' (
Page 2 of 2 )
Some of the best products surprised me. I didnt expect Symantec to do so well, but hats off to them. People like to complain about them, mostly for reasons unrelated to detection percentage, but this test does seem to show that they have taken detection of non-viral malware very seriously. The other high scorers, AntiVir in particular, dont get a lot of attention in the press, and perhaps we have not done them justice.
Then down in the Hall of Shame section we have many products that cant seem to keep up with the flood of malware. Ill start this list with Microsoft which, at 76.18 percent is seriously third-rate. I expected better from Sophos, although thats based on reputation, not personal experience. The eTrust engines and ClamAV are just where I expected them. Of course, even if they didnt dispute the tests in some way, authors of these products might claim that users are highly unlikely to encounter most of the threats in it.
What does this test show? Is it more important that its possible for products, especially if they use multiple engines, to detect a very high percentage of attacks? Or that the majority of products let through a very high number of attacks? I have to focus on the latter point. It makes me want to consider, once again, alternative approaches to malware.
Most, if not all of these products, detect many classes of malware generically by common characteristics. I asked Andreas Marx and he confirmed that they didnt break out for this test which detections were based on specific signatures and which were generic, which is a difficult distinction for an outsider to draw in any case.
But I have to think that the percentage of such detections is increasing over time, especially in products like Symantecs. They cant actually have anywhere near 290,000 signatures.
Webroots SSE 3.0 takes the next step in malware defense, adding the ability to detect rootkits and the malware strains hidden within. Click here to read a review.
And then there are many companies trying to come at the problem from the other direction, whitelisting programs that the user should be allowed to run and disallowing everything else. This is an old idea and has proven difficult to manage in the past, and it misses malicious code run through most vulnerabilities like buffer overflows. I hear from just about all of these "alternative" approach vendors and I wonder if their time will ever come, but their mission is becoming more important.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer
