
On one hand, most antivirus websites claim their products are highly effective, and I've seen antivirus "test" videos claiming 95%+ detection rates for new malware (as in less than a day old, not old samples that have already been added to AV databases). In addition, just about every OS protection guide recommends antivirus software as the number one method of preventing malware infection.

On the other hand, I've seen other videos advertising crypter software that seems to render AV software useless. In many of these examples, the "crypted" malware is undetected by any AV systems, even when pitted against 70+ antivirus systems on online testing sites like virustotal. The fact that it's so simple to hide malware -- there are dozens of crypters, some completely free, available from a number of forums and websites, and usable by even the simplest script kiddies -- and the fact that these crypters are so effective, would seem to indicate that antivirus software isn't very effective.

So how effective are antivirus suites like Avast and Norton, and how could one explain the discrepancies between the 95%+ detection rates that are advertised and the prevalence of crypting software that makes malware virtually undetectable?

exosphere5
  • You assume that the benefit of AV rests solely on detecting new threats? Old threats are just as problematic. – schroeder Jun 19 '15 at 22:32
  • @schroeder Yes, but detecting old threats is trivial. The real challenge for AV software is reaction speed on new threats and reliability of heuristics. – Philipp Jun 20 '15 at 09:36
  • @Philipp you are correct, of course, but the OP doesn't distinguish between new and old threats. AV is effective against known threats, and that has value. – schroeder Jun 20 '15 at 17:59

2 Answers

3

I worked in the antivirus industry 12 years ago, so I'll try to explain, but it is possible that my knowledge is a bit outdated.

Each serious antivirus vendor has an antivirus lab, whose work is split into:

  • detecting new viruses and developing solutions for them: signatures, behavioral patterns for heuristic detection, specialized detection code, sometimes cleaning code, etc.

  • identifying new crypters and archive types, and developing code to decrypt the original files

Both of these activities include infiltrating several forums and sites hidden from the general public.

Better antivirus vendors, like ESET, Kaspersky, BitDefender, etc., recognize and deal with hundreds (or today maybe even more) of crypters and archives, so from the user's perspective most crypters are transparent and do not affect the detection rate.

However, there are also less serious antivirus vendors on the market, which recognize fewer crypters. So if you want maximum security, you should generally choose products from vendors that recently achieved a VB100 award.

Tomasz Klim
0

Antivirus products have different techniques to check whether a given file is malicious or not.

The most common technique is to check the file signature against the virus database. If there is a match, the file is considered malicious; otherwise it is not. Antivirus products examine a file and create a signature of it, depending upon the characteristics of the file. During scanning, the antivirus simply checks whether this signature is present in its virus definition database. If it is present, the file is considered malicious; otherwise it is not.

Now consider a malicious file Temp.exe. Assuming that this file is already known to the antivirus product as malicious, when you scan it the antivirus will detect it as malicious, because the file signature will match the antivirus's virus database.

Now suppose you encrypt the file Temp.exe. When you scan this file with an antivirus product, the file signature of the encrypted file might not be the same as the file signature of the unencrypted Temp.exe (the malicious file). Hence the antivirus might think this encrypted file is not malicious.

> So how effective are antivirus suites like Avast and Norton, and how could one explain the discrepancies between the 95%+ detection rates that are advertised and the prevalence of crypting software that makes malware virtually undetectable?

This fact could be the answer to your question.

Most antivirus products nowadays use many other techniques in addition to the signature-based technique. Here is a list of some other techniques.

ρss
  • @pss > This fact could be the answer to your question. How? All I said was that, in tests used to advertise antivirus software, they detect 95%+ of malware samples, but a simple and easily available crypter could render them undetectable. I've seen examples of crypted malware that aren't detected by dozens of different AV suites, yet in tests the AV software detects almost every sample of malware it scans. How does one explain that discrepancy? – exosphere5 Jun 19 '15 at 22:40
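As an added illustration tying both answers together (example code, not from either poster): a toy hash-signature scanner shows why a re-encoded copy of a known-bad file slips past a plain hash lookup, and how the "unpacker" code the lab writes for a recognised wrapper format makes that wrapper transparent again. The sample bytes and the one-byte-key XOR wrapper format are constructed stand-ins; no real malware or real crypter is involved.

```python
import hashlib
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for a file the lab already knows to be bad.
KNOWN_BAD = b"MZ\x90\x00 constructed body of a known-bad executable"

# Signature database: SHA-256 of known-bad files -> detection name.
SIGNATURE_DB: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.TestSample.A",
}

def xor_wrap(data: bytes, key: int) -> bytes:
    """Constructed wrapper format used only to build the test sample:
    a one-byte key header followed by every payload byte XORed with it."""
    return bytes([key]) + bytes(b ^ key for b in data)

def xor_unwrap(blob: bytes) -> Optional[bytes]:
    """The lab's unpacker for that format: read the key header and
    recover the inner bytes; None if the blob cannot be this format."""
    if len(blob) < 2:
        return None
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])

Unpacker = Callable[[bytes], Optional[bytes]]

def lookup(data: bytes) -> Optional[str]:
    """Plain hash-signature check: exact match on the bytes as given."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())

def scan(data: bytes, unpackers: Iterable[Unpacker] = ()) -> Optional[str]:
    """Scan the file as-is, then each layer a known unpacker can peel off.
    Without unpackers, any wrapper that changes the bytes defeats the
    lookup; with the right unpacker the original signature matches again."""
    hit = lookup(data)
    if hit:
        return hit
    for unpack in unpackers:
        inner = unpack(data)
        if inner is not None and (hit := lookup(inner)):
            return hit
    return None

if __name__ == "__main__":
    wrapped = xor_wrap(KNOWN_BAD, 0x5A)
    print("plain file:        ", scan(KNOWN_BAD))
    print("wrapped, no unpacker:", scan(wrapped))
    print("wrapped, unpacker:   ", scan(wrapped, [xor_unwrap]))
```

The scanner that only knows hashes misses the wrapped copy even though the payload is byte-for-byte the same file, which is the gap the question observes; a vendor that has added an unpacker for the wrapper format detects it as before.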