Dice: Is Anti-Virus Passe?

Last month, security firm Imperva released its November Hacker Intelligence report “Assessing the Effectiveness of Anti-Virus Solutions,” which collected and analyzed more than 80 unreported viruses against more than 40 anti-virus solutions. Imperva found that none of the tested anti-virus solutions were able to detect previously unreported viruses, and that 75 percent of the solutions took up to a month or longer to update their signatures.

That isn’t good news, but while Imperva obviously has some vested self-interest here, I think their report is worthy of a closer read nonetheless. What it means is that we have to depend on a variety of protective solutions to keep our computers safe and infection-free, and that as the bad guys get more sophisticated with their attacks, we have to get more sophisticated with our defenses.

Let’s look more closely at the tests that were done. First, the team at Imperva collected 82 viruses from various evil places. As the authors state, “A number of sources which assisted us in getting our hands on no small amount of relatively new viruses were forums in Russian, whose purpose was to enable hackers to discuss viruses and obtain assistance in developing them. The availability of malicious code and viruses in these forums was extremely high. Any kid could build a virus by themselves or download one ready-made.” That is pretty scary, but nothing new if you have been following security news postings over the past few years.

They then made sure that none of them had signatures that were already on their books or could be accounted for by their competitors, through a service called VirusTotal.com. This notion of signature matching is becoming obsolete, anyway. There are a number of virus construction kits that are readily available online that can customize a virus for each particular desktop, meaning that each virus has a separate and unique signature.

  • Lag times are long. Imperva found that it can take typical AV solutions three weeks to update their databases to recognize one of the viruses in their collection, and some took up to a month or even longer. As the authors state, “the rate of update for their signature databases is very slow and even viruses that are already known to most anti-virus products are still not identified by these insufficient products.”
  • Freeware is best. Imperva found that the best protection came from two freeware anti-virus products, Avast and Emsisoft. Among the commercial products, both McAfee and Symantec also did well at detecting their set of viruses.
  • Behavior instead of signatures is needed. Imperva does not recommend completely eliminating anti-virus from an effective security posture. Instead, they suggest that “security teams should focus on detecting abnormal behavior such as unusually fast access speeds or large volume of downloads and adjust its security spend on modern solutions to address today’s threats.”

So what are the key take-aways for security teams? First of all, if all you have is AV, then you are exposed and you should quickly start to add additional protective technologies. Focus more on detecting badly-behaved apps, looking at those situations where you are doing massive downloads or fast flux conditions. Next, look for network-level intrusion detection and prevention products, and also beef up your desktop-based firewalls. Some of the more popular security products from Symantec and others have these features included in their desktop AV products too. Finally, don’t be complacent: security is a continuous process, and a constant challenge to stay ahead of the bad guys.
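The behavioral detection that Imperva recommends above (flagging unusually fast access or large download volumes rather than matching signatures), and the take-away about watching for massive downloads, can be demonstrated with a small per-client aggregation over proxy logs. This is an added example, not code from the post or from Imperva; the log format, hosts, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): timestamp, client IP, bytes, host.
# 10.0.0.5 is normal, 10.0.0.7 pulls ~18 MB in seconds, 10.0.0.9 makes 30 requests
# to 30 different hosts within one minute.
SAMPLE_LOG = """\
2012-12-03T10:00:01 10.0.0.5 1200 intranet.example
2012-12-03T10:00:09 10.0.0.5 900 intranet.example
2012-12-03T10:00:03 10.0.0.7 5000000 files.example
2012-12-03T10:00:04 10.0.0.7 6000000 files.example
2012-12-03T10:00:05 10.0.0.7 7000000 files.example
""" + "".join(f"2012-12-03T10:00:{10 + i:02d} 10.0.0.9 400 a{i}.example\n" for i in range(30))


def parse_log(text):
    """Parse one event per line into (epoch seconds, client, bytes, host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, nbytes, host = line.split()
        events.append((datetime.fromisoformat(ts).timestamp(), client, int(nbytes), host))
    return events


def find_anomalies(events, window_s=60, max_bytes=10_000_000, max_requests=20):
    """Aggregate bytes and request counts per client per fixed time window and
    flag clients that exceed either threshold. Returns {client: [reasons]}.
    The thresholds are placeholders; tune them to a baseline of normal traffic."""
    stats = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for ts, client, nbytes, _host in events:
        bucket = (client, int(ts // window_s))
        stats[bucket]["bytes"] += nbytes
        stats[bucket]["requests"] += 1
    flagged = defaultdict(set)
    for (client, _), s in stats.items():
        if s["bytes"] > max_bytes:
            flagged[client].add("volume")      # large download volume
        if s["requests"] > max_requests:
            flagged[client].add("rate")        # unusually fast access
    return {client: sorted(reasons) for client, reasons in flagged.items()}


if __name__ == "__main__":
    for client, reasons in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(reasons)}")
```

Unlike a signature, this rule catches a sample it has never seen, because it keys on what the infected host does rather than on the bytes of the malware itself.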
