There is no question about it: antivirus software is not very effective. While tests may highlight that some programs have detection rates of 99% or more, that is not really the case in practice.
The main issue with such tests is that they use known samples which are usually older than a day. The real threat, however, is malicious code that is younger than that, as it will often remain undetected until antivirus companies catch up and add it to the signature database of their application.
But is antivirus really the only problem?
One question that does not get asked nearly enough is how malware gets on the system. Does it make *poof* and it appears magically on the user system?
Not really. While there are attack forms in which malware is downloaded to a user's system automatically (drive-by downloads come to mind), it often boils down to how well users protect their computer systems.
If you check malware statistics, you often find viruses listed there that exploit known vulnerabilities that have already been patched. These kinds of attacks are successful because user systems are not patched.
The same is true for third-party exploits targeting Java, Adobe Flash or Reader. While there are certainly attacks that use new 0-day vulnerabilities, the majority use old vulnerabilities that pose no threat if the targeted plugin has been updated to its latest version.
According to research, attacks originate predominantly on the Internet these days and not via email or other means. According to Symantec, 1 in 8 sites had critical unpatched vulnerabilities that attackers could exploit to spread malware.
While antivirus software certainly is not as effective as it should be, a core reason why malware is so lucrative for criminals is that user systems are not protected properly.
This includes updates more than anything else, but it does not stop there. Many Internet users lack knowledge when it comes to threats, especially when it comes to knowing what they should and should not do.
Tech-savvy users would never open an email attachment from an unknown source, or at least not without proper precautions such as running it in a sandbox or virtual environment to limit the impact it can have on the system.
Users who think that security is all about installing antivirus -- and not necessarily updating it regularly -- don't follow what is common sense for tech-savvy users.
Phishing and malware attacks would be less effective if all computer users followed these basic security principles:
- Always keep the PC and the software running on it up to date.
- Use limited (non-administrator) accounts for most activities.
- Use secure, unique passwords and two-factor authentication where available.
- Install additional security software, e.g. Microsoft EMET, Malwarebytes Anti-Exploit, Sandboxie or a second-opinion scanner.
It needs to be noted that this would not eliminate all malware, but it would render a lot of it less effective or not effective at all.
What's your take on this?