Antivirus protection worse than a year ago
The effectiveness of antivirus software has fallen off, and more and more pests can now slip past these barriers. This is the sobering conclusion the German computer magazine c't comes to in issue 1/08 with a test of 17 antivirus solutions. For the first time, c't also tested the products' behavioural blocking.
In standard tests, the virus scanners have to recognize known malware. When tested by c't with more than a million pests that have appeared over the last six months, Avira AntiVir and G Data AntiVirus 2008 identified over 99 per cent by their signatures, and Avast, AVG Anti-Malware and BitDefender also achieved very good results.
For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that is where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test, at the beginning of 2007, to a pitiful 20-30 per cent. Only NOD32, with 68 per cent, still delivered a good result, while BitDefender, with 41 per cent, could be called satisfactory.
One reason why almost all of the scanners did worse in these heuristics tests than a year ago is certainly the professionalization of the malware scene: more time and energy are being invested in slipping malware past protective software. What is worrying, however, is the fact that recognition rates for virus variants created experimentally by c't also fell significantly. Virtually all of the scanners missed variants of viruses they had identified a year earlier.
Finally, and for the first time, c't also systematically tested the protective function based on behavioural blocking. To do this, they ran twelve handpicked pests on systems with antivirus software installed and subsequently analysed the systems for any residues. Such tests require enormous effort, as they cannot be automated: a suitable virtual environment has to be created for each sample, in which it could, for example, download further components.
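The residue analysis described above can be illustrated with a snapshot diff: hash every file on the test system before the sample runs, hash again afterwards, and report what was added, removed or modified, flagging anything that landed in an autostart location. The script below is an added example and is not c't's own tooling; the directory layout, the "persistence" folder names and the dropped files are all constructed for the demo.

```python
"""Residue check for a behavioural-blocking test (added example, not c't's code).

Snapshot the file tree of the test system before the sample runs, snapshot it
again afterwards, and report the delta.  All paths and files below are
constructed for the demo; on a real test the snapshots would be taken of the
VM's disk image from outside the guest, not by a script running inside it.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed (hypothetical) list of directory names that commonly carry
# persistence entries; on a real system this would be the actual autostart
# folders, Run keys exported to disk, scheduled-task directories, etc.
PERSISTENCE_DIRS = ("Startup", "Run", "Tasks")


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def flag_persistence(paths):
    """Keep only paths whose parent directories include a persistence location."""
    return [
        p for p in paths
        if any(part in PERSISTENCE_DIRS for part in Path(p).parts[:-1])
    ]


def run_demo():
    """Build a constructed 'clean' tree, simulate a sample running, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline system.
        (root / "Windows").mkdir()
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Startup").mkdir()
        before = snapshot(root)

        # Simulated sample execution: drop a payload, add a startup entry,
        # and patch the hosts file (all constructed, not a real sample).
        (root / "Windows" / "svchosst.exe").write_bytes(b"MZ\x90\x00 constructed payload")
        (root / "Startup" / "update.lnk").write_text("constructed persistence entry\n")
        (root / "Windows" / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 av-update.example\n"
        )
        after = snapshot(root)

        delta = diff_snapshots(before, after)
        delta["persistence"] = flag_persistence(delta["added"] + delta["modified"])
        return delta


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

A clean result after the blocker has done its job is an empty delta apart from the guard's own log files, which should be whitelisted in the baseline. Taking the snapshots from the host side (mounting the VM's disk image) rather than inside the guest matters, because a sample that installs a rootkit can hide its residues from any enumeration run on the infected system itself.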
Only F-Secure performed convincingly in the behavioural blocking test, fending off all the pests. Kaspersky and BitDefender showed promising approaches, but were able to prevent infection only in individual cases. G Data, Norton, Microsoft and Trend Micro did at least monitor particular system resources, but only in exceptional cases was that enough to keep the system really clean. More than half of the virus detectors were overtaxed in this respect and had nothing with which to counter an infection of the system.
Other worrying test results are the longer latency times caused by the antivirus guards compared with the previous year, and the markedly higher false-alarm rate. The full test is currently available only in German, in print form, in c't 1/08. The article "Antivirus software as a malware gateway" discusses the underestimated danger of protective software itself becoming a gateway for pests.
- Antivirus software as a malware gateway article on heise Security
- Thou shalt not create new viruses comment on heise Security
- Antivirus service pages of heise Security