Daily Archives: April 11, 2012

Why Antivirus Programs Fail

This is a real example of why just relying on an antivirus to detect all malware will fail. Today I got, for the nth time, a few of those scam emails that have an infected attachment and a message enticing me to open it. Since I hate to disappoint, I went ahead and opened one, just to see what my antivirus would do (But also having fail-safe measures in place).

I’m currently using Kaspersky Internet Security 2012, one of the top security suites and my current favorite. Normally upon receipt of the email Kaspersky would quarantine the suspicious attachment… if it detects it as malicious. But it didn’t. The attachment was compressed in a file, so I thought maybe that’s why and went ahead and extracted the file from it. Nothing. No response from Kaspersky. So I forced a scan of the object, and still was not detected as malicious!

I then went to a website where individual files can be scanned by many scan engines. This particular one scans the file against 42 different engines. Kaspersky, Avast, Symantec, VIPRE, McAfee, you name it. All the big brands and more. Well, only 4 out of the 42 detected the file as malicious!

Why is that? Because the creation of different malware samples outdoes by far the updating of signature files (the files that tell your antivirus program which files are good and which ones malicious). Signature files are what antivirus scanners mostly depend on to detect malware.

I said it in 2009, and I’ll reiterate it today. Want to have a better chance at staying malware-free? Follow the model I laid out back then, in my pivotal article on the subject.

 

P.S.: 4/12/12: It’s the morning after, and I decided to analyze that piece of malware in detail, so I tried to fetch it from the trash folder in my email… Wasn’t able to. Kaspersky beat me to the punch and deleted it. In re-analyzing the file (from an alternate source) against the 42 scan engines, the count had changed to 7 out of 42 recognizing it as malware. Kaspersky was one of them. So relatively good.