
Microsoft Responds to AV Attacks

March 16th, 2007

Microsoft has taken a lot of heat lately for their results in various AV testing (Examples: -1-, -2-, -3-, -4-, -5-). My opinion has stayed pretty much the same... My assumption is that the product failed due to missing older viruses... so their competitors who have years of industry experience and a large signature database would have a better chance... I highly doubt that these AV tests use only new viruses. This is why the AV tests fail in my opinion... The older viruses aren't usually the problem... How many people reading this blog even remember CIH, for example? (It could, in certain cases, cause you to go out and buy a new motherboard.) Microsoft is new to the game... If they were to cover every old virus and front load them before product release, then the product may never get out the door... So they had to pick and choose... I'm sure this older coverage will come. They probably have a small team dedicated to filling in the coverage. In the meantime it was much more important that they cover viruses that are in the wild and current... So that was my take on it and I didn't think very much of them failing the virus tests. At the same time, I don't use OneCare... There are plenty of free AV solutions that are great and I prefer them.

Regardless, Microsoft has now stepped forward and responded on their Anti-Malware Engineering Blog. The writeup confirmed some of what I had assumed and pointed out that they are new to the AV game. Sure, they purchased Sybari so they had some AV insight... but I don't think that insight was comparable to that of Symantec, McAfee or Trend Micro. Anyways, give the article a read... a follow-up is coming in a few weeks from the Microsoft Security Research and Response GM.

Categories: IT, Security
  1. March 16th, 2007 at 11:58 | #1

    “My assumption is that the product failed due to missing older viruses…”

    they failed to get a VB100 award… that only involves viruses on the wildlist – old or not, those viruses are ones an anti-virus needs to detect because they’re active in the wild…

    “so their competitors who have years of industry experience and a large signature database would have a better chance…”

    microsoft didn’t start from scratch – they purchased an existing anti-virus company, not to mention having attracted some big name av’ers to their ranks…

    “The older viruses aren’t usually the problem…”

    actually, they are (to an extent)… old viruses never die and email worms from 2-3 years ago are still topping the charts…

    “How many people reading this blog even remember CIH for example”

    hey, i got a hit on my blog this year from someone doing a search on “stoned.empire.monkey removal” – monkey dates back to 1992 and managed to stay on the wildlist for just over 10 years – but even though it’s no longer on the wildlist doesn’t mean it isn’t in the wild (else, why should someone be searching for removal instructions?)…

    “Microsoft is new to the game… If they were to cover every old virus and front load them before product release, then the product may never get out the door…”

    the theory was once expressed that we had passed the point where it was feasible to start a new anti-virus company from scratch because analyzing all the old viruses and keeping up with the new ones at the same time was just too much for any startup… then kaspersky started up and everyone watched as they became a major player…

    microsoft didn’t even start from scratch, they bought an established company and technology…

    “Regardless, Microsoft has now stepped forward and responded on their Anti-Malware Engineering Blog. The writeup confirmed some of what I had assumed and pointed out that they are new to the AV game. Sure they purchased Sybari so they had some AV insight… but I don’t think that insight was comparable to that of Symantec, McAfee or Trend Micro.”

    that writeup was written by jimmy kuo – he used to be the head of research at mcafee (and also worked for symantec at one point if i recall correctly), and he is not the only av big-name microsoft has attracted since entering the field so they most definitely have the insight…

  2. March 16th, 2007 at 12:08 | #2

    Kurt,

    I defer to you on this because you obviously know more about AV than me… My thought has always been that if you practice safe computing you don’t need to worry about AV :)

    IT Security is like sex:
    Proper Security with User Intelligence is like a vasectomy.
    AV is like a Condom

    Get a vasectomy and the odds of pregnancy are almost nil. Combine IT Security and User Intelligence and the odds of a virus are almost nil. Use a condom and you’re taking a risk… Use AV and you’re taking a risk… Sure it lowers the odds over being unprotected… but I feel there are better protection methods.

    Back to the discussion… Having a few big names in AV still doesn’t mean you can cover everything… You’d need a complete experienced research team… The few big players helps, but it’s the entire team that provides the coverage.

    Also I mentioned that they acquired Sybari (and you pointed it out twice again)… but that’s still not the same as having Symantec or McAfee.

    They only missed VB100 by one virus (by their account)… and who knows if the other tests used only ITW Viruses.

  3. March 17th, 2007 at 00:24 | #3

    “My thought has always been that if you practice safe computing you don’t need to worry about AV”

    i know others who feel the same way, and to be honest an av has never actually stopped me from getting an infection (it’s alerted me to the presence of malware, but it’s never been a ‘whew, that was close’ sort of situation) because i do practice safe hex on top of using an av…

    “Get a vasectomy and the odds of pregnancy are almost nil. Combine IT Security and User Intelligence and the odds of a virus are almost nil. Use a condom and you’re taking a risk… Use AV and you’re taking a risk… Sure it lowers the odds over being unprotected… but I feel there are better protection methods.”

    how about using a condom *and* intelligence… layers work… some layers (*cough* symantec/mcafee/trend *cough*) might be a little too thick and impede your enjoyment, but there are other/thinner layers out there…

    “Back to the discussion… Having a few big names in AV still doesn’t mean you can cover everything… You’d need a complete experienced research team… The few big players helps, but it’s the entire team that provides the coverage.”

    absolutely true, and i can only imagine that a company as big as microsoft has plenty of people… you don’t develop your own in-house behaviour-based automated malware analysis technology with just a handful of people…

    “Also I mentioned that they acquired Sybari (and you pointed it out twice again)… but that’s still not the same as having Symantec or McAfee.”

    and why don’t they have symantec or mcafee? why do they feel the need to be personally in the game? there is no reason why a company with pockets as deep as microsoft can’t license technology from just such a vendor – they did it in the past with the much ridiculed (and deservedly so) msav… however with msav they chose a vendor with a poor offering, and this time they chose sybari who were never particularly big… if ms thinks av is such a big deal, why do they consistently cut corners when acquiring technology? and why did they sit on their acquisition for so long before doing anything with it?

    microsoft has done some monumentally dumb things in the av space in the past – i can only hope that with additions like jimmy kuo that won’t keep happening… i fully expect onecare to get better, but i think it’s going to require the normal decision makers at ms to keep out of it…

    “They only missed VB100 by one virus (by their account)… and who knows if the other tests used only ITW Viruses.”

    the av-comparatives test does not restrict itself to viruses from the wildlist, but the way the malware population growth curve works, the vast majority of their test bed are relatively new… also, unlike the VB test, av-comparatives includes non-viral malware in their test (which is important because more and more of the malware threats out there today are non-viral)…

    additionally, there are some valid criticisms of in-the-wild testing, such as all models of what’s in the wild are simply approximations and are prone to a lot of under reporting… the wildlist (http://www.wildlist.org) has been criticized for pretty much this reason… not only are there relatively few people reporting viruses to the wildlist (maybe somewhere on the order of 100) but viruses that scanners have no problem removing never get brought to the attention of the wildlist reporters in the first place and therefore don’t get on the list – it’s only the ones that anti-virus products struggle with that get the attention of those doing the reporting…

    virus bulletin’s VB100 award is just a byproduct of their full comparative test, by the way… just in case anyone got the idea that the above criticisms of in-the-wild testing indicated a methodological shortcoming in vb’s tests…

  4. March 17th, 2007 at 00:49 | #4

    I really can’t disagree with a lot of that… I still think they deserve a chance though…

    Side Note: So you’re in Toronto… you should fire me an email sometime and we should grab a coffee.

  5. March 17th, 2007 at 10:17 | #5

    if they improve i’m sure they’ll get their chance…

    not so long ago (maybe 10 years) it was symantec who was a poor performer in the av tests and people were waved away from nav until symantec brought their detection rates up to par and built a track record of having consistently good test results…

