Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Windows Technology IT

Testing Free English Anti-Malware On Non-English Threats 78

An anonymous reader writes "Brazilian technology news site O Globo posted an interesting comparison on how free anti-malware behaves against non-English threats (Google translation of Portuguese original). By using a database of over 3000 samples from Brazil's Security Incident Contact Center, the numbers are quite different from all US anti-malware reviews. While Avira achieved the best score, 78%, Microsoft Security Essentials stopped less than 14%. This can be a headache for some large multinational corporations, whose IT departments deploy US anti-malware on the entire network, but have network segments outside US with many 'unknown' threats roaming around. I wonder what the results would be in other countries."
This discussion has been archived. No new comments can be posted.

Testing Free English Anti-Malware On Non-English Threats

Comments Filter:
  • by Anonymous Coward

    So it can be as simple as getting your malware translated into another language?

  • by Aerorae ( 1941752 ) on Tuesday February 22, 2011 @12:27AM (#35275768)
    paid solutions?
    • In my experience, the vendor makes more difference than whether you get the paid or free version.

      Generally the free version is for home use only, whereas the paid version is for commercial use and comes with support.

      However, some vendors offer more frequent updates with the paid versions than with the free versions. This might play a role here, but probably not; chances are the location of the R&D lab and the language spoken by the virus submitters makes a larger difference.

      • Still, some vendors get left out entirely. I use ESET. Since they don't have a free version, they weren't included. I'd like to know how they measure up, though... hell, whoever's testing could just install their 30-day trial and not even have to buy it.

        • hell, whoever's testing could just install their 30-day trial and not even have to buy it.

          But ... it's a fairly safe assumption that the people doing the study were doing it for some commercial purpose (even it were only trapping of advertising victim's eyeball-seconds). So that would render them ineligible for most non-commercial-use versions of most software that I've read the EULAs for (yes, someone does read the damned things, even if incompletely and inconsistently ; [Henry 6 P2, A4S2, get it said and

  • Interesting... (Score:5, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday February 22, 2011 @12:29AM (#35275784) Journal
    It isn't really news that AV products rely fairly heavily on canned signatures and that heuristic detection of evil lags behind evil by a fair margin.

    What does surprise me, though, about these results, is that they suggest a fairly high level of geographic discrimination in the customization and targeting of malware. My (naive) expectation would have been that, aside from trivial stuff like trying to get the language of your spam/phishing/social engineering emails correct, the market for good exploits, well-crafted viruses, and so forth would be a fairly global one. Also, given that some malware attempts to propagate itself, rather than being delivered by a bugged website or other external mechanism, I would expect a fair amount of "splash" from malware spreading to any vulnerable hosts it can find, not bothering with any sort of geolocation, or from expats who live in country A, but still visit websites from home country B.

    I would have expected a much more homogeneous(from the perspective of the mechanics of the exploit mechanism, evasion techniques, and payload) worldwide population of malware.
    • by AmiMoJo ( 196126 )

      Most malware does not spread by looking for vulnerable hosts. Ever since they turned on the firewall by default in Windows XP and especially now that most people have routers with a built in firewall that technique has long been abandoned.

      Instead most viruses use some social engineering to spread. Fake emails sent to contacts of the infected user, free crapware downloads, browser exploits and so on.

      These kinds of tests are not that useful when evaluating AV software. The focus is on prevention of infection

  • This only proves what people have been saying since day 1: fighting malware via blacklisting is a losing battle.

    Eventually some company will come up with a business plan which is the opposite: if you are interested to run an application, you can pay them to do a security review on it. If the company worked on a "we do the review once $X dollars have been raised" basis, popular applications would be reviewed for small change per user, and niche applications would be expensive to have reviewed.

    Unfortunately,

    • by JustOK ( 667959 )

      uh, something like an "app store", perhaps?

      • by mlts ( 1038732 ) *

        How about not just "app stores", but a repository system?

        The OS can include the app store, a place for OS updates, and a well secured repo for F/OSS software. The updating programs can grab a list of packages, see what needs updating, then grab those via curl or wget. Further repos can be added by the user, assuming they click through a dialog that one can't just walk into Mordor, other repositories may not be trustworthy, do at own risk, etc.

        Oh, of course, all install packages (RPM, MSI, installp, .deb,

        • by Anonymous Coward

          Repositories have served the F/OSS community well for over a decade, and have proven to be historically clean (with an exception here and there, of course that gets fixed posthaste.) I just wish Apple and Microsoft would build this in, and not just "App Store or install manually" functionality.

          Can you imagine how badly people would complain about Microsoft abusing their monopoly if they did any such thing?

          Not to mention you forget the biggest problem...getting developers to go along. Given how many unsigned packages and programs I have, even some from relatively high profile open source groups, and well...I don't see it happening.

          See, most people don't get the reason why Microsoft lets Windows be so vulnerable and even crotchety. It's not because they can't do things better, but because they ca

          • by Khyber ( 864651 )

            "Can you imagine how badly people would complain about Microsoft abusing their monopoly if they did any such thing?"

            They could complain all they want but since other OS have this feature Microsoft would not be abusing the monopoly position in any manner. If anything they're keeping with the state of software distribution.

          • by mlts ( 1038732 ) *

            The good news is Windows 8 (from a previous /. article) is getting an "App Store". What it will be like when it gets released, who knows. However, it is a step in the right direction.

        • by deniable ( 76198 )
          Yes, but repos fall down on small details like payment and copy protection. I know, open source is the best thing ever, but we haven't convinced the large manufacturers yet. Speaking of manufacturers, I can think of several that need to use a common OS updater. Adobe updates, ick.
      • > uh, something like an "app store", perhaps?

        Interesting, I hadn't thought of the relationship to that existing model.

        The answer is: not really, because

        • in "app stores" the platform controllers are taking a cut, not being paid to do security reviews and nothing else
        • in (some) "app stores" the platform controllers are actively censoring applications which do things they don't like (in my suggestion, the consumer is controlling what gets reviewed based on his needs).
        • most(?) existing "app stores" prevent the
    • So, you are advocating Apple's app store strategy??
    • This idea is so insanely bad and competition-murdering that I'm surprised Microsoft hasn't quietly spun off some security firm to make this happen.

      • I love how the default in your head is this anti-MS fantasy, yet what he describes is more or less the very real Apple app store.

        • This bears no resemblance to the Apple App Store. Apple doesn't audit for security, they audit for boobies and giving the user the ability to run software they didn't audit for boobies and take 30% of.

    • by mlts ( 1038732 ) *

      What antivirus/antimalware is good at is stopping the stuff after the first wave, and the companies get updates out. However, the blackhats know this, so they know their moneymaking is during the 0 day wave, before Patch Tuesday and the Malicious Software Removal Tool is run.

      True resistance to malware requires a defense in depth philosophy, and until recently, this was not implemented in a significant fashion. For example, the usual setup of Windows XP would give Admin rights to any process by default tha

      • by afidel ( 530433 )
        Stop it before it ever gets to the client, IDS/IPS and an intelligent filtering proxy running a different engine than the desktop. It's not foolproof but it blocks the vast, vast majority of threats. Same with email (though that seems to be dying as a vector) use a different AV engine on the email gateway than you run on the desktop and servers.
        • by mlts ( 1038732 ) *

          This makes me wonder about having NICs with an embedded firewall OS. Of course, this can be a target for remote flashing of malware, but this can be minimized with both signatures, and having a DIP switch that has to be physically pressed before a write to the OS can be done.

          With the NIC handling the IDS/IPS capability, as well as being able to handle enterprise network configurations, the OS can be isolated and happily think it is receiving a DHCP address while in reality, an enterprise server has it on a

          • It would certainly be trivial to put a firewall on a NIC. I'd rather shrink the firewall to a dongle, though, and let it hang out of the back of the system. That shouldn't be too difficult.

    • by Anonymous Coward

      The whole halting problem thing is largely mitigated by the fact that we only execute code pages that are marked as executable and that they're write only. I'd agree there's a whole world of "evil-code(TM)" out there though - p-code based systems that emit code on the fly. I think these are the ones you want to audit and subject to intense scrutiny. Alas there is no simple way to take a piece of code and prove that it does X and ONLY X; at least not for anything more than "Hello World!".

      I think our short te

      • > their computer got nerfed and their bank account is empty and "OMGITSYOURFAULT!!1!oneone!1 ....
        > the Windows model is pretty much dead outside the enterprise

        Personally I don't use Windows for anything financial or for sensitive personal information, but I have a feeling that the problems with Windows which I understand you are assuming will cause consumers to stop using it will end up being "fixed" in a different way, where personal liability for the kind of losses you are talking about is limited b

    • Comment removed based on user account deletion
  • by _133MHz ( 1556101 ) on Tuesday February 22, 2011 @01:01AM (#35275926)
    In my experience it's pretty easy to spot malware when English menu options and stuff start appearing on a non-English Windows installation, such as "Open" or "Open folder to view files" for thumbdrives while the rest of the options show up in the local language, sometimes malware can even bork the system because of it (like in the olden days of Windows 9x when installing IE in a different language caused all sorts of havoc in the OS)

    Even with such a blatant language mismatch most users simply won't notice anything wrong with their systems until it bites them really hard.
    • Yeah, it's quite hard to imagine for even 100% clueless people to fall for e-mails from Joe saying 'here... look at the funny movie attached' if they don't know a single Joe personally, and none of their friends would even think of commenting on a funny picture in english.

    • I don't know what language you speak, but a lot of software (even some commercial ones) have a half assed Hungarian localisation. So I have a lot of mixed language software on my computer.

  • A few corrections (Score:5, Informative)

    by Leafheart ( 1120885 ) on Tuesday February 22, 2011 @01:14AM (#35275982)

    O Globo is one of the biggest newspapers on the country. But it is not a technology news site as the summary implies. Although yes, this was posted on the tech area of the site, it is hardly the focus of the newspaper.

    Regarding the testing itself. This is just a report on a test made by an external firm (www. clavis.com.br) which was commissioned by the site. The test focused on the quality of free antivirus only. With implications that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exactly aim of the article). Besides that, the test is devoid of crucial information. The database they used is a great one, the CAIS is maintained by our best scientific network, RNP (site in English: http://www.rnp.br/en/ [www.rnp.br]), so I trust the info there. But nowhere does it say that the threats are in Portuguese.

    They used a list of 3.269 threats among virus, trojan horses, spywares, keyloggers, and etc. We don't know how many of each. Before the article they praise pay security suites, because they are a suite and not an antivirus only. There is no data on these threats, nor how many of each type, how old each one was, nor how they have threats which are not on the known list of each antivirus. Much less the language of the code.

    Let me repeat it: NOTHING on the test implies that antivirus have a problem with non-English threats. It only said that those antivirus had that percentage of correct matches on either Heuristics or non-threads. But we don't know the exactly content of the database or the code used to test it. Much less the quality of the test.

    Again: Language was not a part of the test!!!

    • by spedrosa ( 44674 )

      Perfect. Please move quickly to the chamber-lock, as the effects of prolonged
      exposure to the button are not part of this test.

    • Not to mention, Avira is a German company, and a German product. That they provide an English localization does not make it "English Anti-Virus" software.

    • With implications that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exactly aim of the article).

      Yup.
      It's strongly tuned to make reader buy commercial antivirus.

      For a start, it only mentions popular commercial antiviruses which happen to have a free version.
      It does not mention the freesoftware ClamAV, for example, which could have been a nice addition. Specially because ClamAV accepts lots of community input in its database. So malware more frequent in some less marketed countries (like suggested by the /. entry and mentionned elsewhere in this discussion), has better chance to get covered.

  • Right, because a multinational is going to be using a basic security product with no management features like Microsoft Security Essentials.
    • by mlts ( 1038732 ) *

      I don't see any multinational company doing this because of what you said (no ability to manage/audit workstations), plus the EULA would be violated as MSE is for personal/home use and defines it.

      This is what Forefront is for. Forefront is essentially MSE, but it has enterprise-level features, as well as that MS advertised that a few years ago that it can deter zombie invasions. Just the fact that the undead won't be attacking the workplace alone makes Microsoft's offering worth getting on an enterprise l

    • by afidel ( 530433 ) on Tuesday February 22, 2011 @01:32AM (#35276044)
      MSSE and Forefront Endpoint Protection are the same base engine and since MS is giving it away to companies with an enterprise agreement you can bet companies are at least considering it.
  • by Neil Boekend ( 1854906 ) on Tuesday February 22, 2011 @02:01AM (#35276152)
    I can't read the article: blocked by company policy.
    But I would like to know whether they tested with Comodo in the "auto sandbox" setting [comodo.com]. Since the virus would run sandboxed, it should not matter what the language was.
    I am thinking of switching from MSSE to Comodo, and if they tested it and it failed then Comodo would not be an option for me.
  • Do you speak English?

    Silence

    Do you speak English?

    Silence

    (This time with Hand gestures and really loud) Do YOOOOOO SPEEEAAAAAAAKKKKK Englissshhhh?

  • Thanks to the Internet, there is no reason that malware written in one place cannot easily spread across the world...

  • anti-malware, about as much use as selling rocks ...

  • Not exactly the same thing, but I've been getting a lot of spam in Greek for some reason -- and I have no idea how to filter it out (I could just capture any message with a common Greek word, but it's... gibberish to me). It's clearly spam, and probably all from the same sender, because the formatting is always similar, though of course the links vary.

"jackpot: you may have an unneccessary change record" -- message from "diff"

Working...