Tutorial Anti-Virus & Malware = Myths and Facts

Hello everyone,

Since I joined this great community, I have been engaged in many interesting topics and heated discussions, most of which I enjoyed very much.
During those conversations I did have the privilege to get to know some of you, and what I noticed is that there are some who are technically very skilled and have a wealth of info to share, and then there are those who do not know much and base their skills and opinions upon what the masses publish on the internet.
And then you've got those people who are called wannabe experts....

There are some really great guides written on the internet, and there is so much knowledge out there that it's perfectly understandable if one does not know which is right or wrong, true or plausible.
Because, like it or not, there are millions of webpages and blogs out there written by so-called wannabe experts.
And in my line of work I come across so many people who base their opinions upon these information sources.

Does that mean that all those webpages and blogs are totally baseless and wrong?
No, not at all; some of them actually do have some valid info.
However, most of this info is one-sided, incorrect or seemingly altered to fill a blog post.
Note that most of these blogs do not have ANY relation to the industry itself and thus by no means represent its standards.

I am by no means going to pass judgment, I am not going to claim that I know it all, and neither am I going to portray myself as the ultimate UBER expert.
Because I am not in the position to pass judgment, and neither am I Mister Know-It-All.
And I am not going to spend the next 30 minutes writing this HUGE topic with the aim of bullshitting you and ruining my reputation. So you might want to give me a break here, as I am going to make some controversial, and to some even sensational, comments based upon my 15+ years of professional experience in the computer industry.
And based upon that experience, I hope you will give me a fair shot at explaining some basic things about security software.

Allow me to explain some of it according to my knowledge.

1:
This test says that, this report says this.
Who gives the best protection?
Who has the highest detection rate?
Who is the best?
Who has the best removal options?


Testing security software is an integral part of the industry, and it serves a basic function: it provides security developers with an external baseline and a way to test their product outside their own protected environment using various techniques and methodologies.

So these tests are usually an indication for the developers and customers of what to expect from a product at that particular point in time.
Often, when a security developer reviews the report, they make macro changes to their product to solve issues and to fine-tune their end product.

That being said, those tests can cloud your judgment and give you a false indication about an antivirus program if you do not understand how, what and where.
Some say: look, program X has a 99% detection rate... (Yell JUMP jump HYPER hyper) so program X must be the best out there and all others suck.
People, that's BS at best...

Some say: I have used this product for years and never had a virus. Really?
Sure, whatever makes you feel comfortable....
Fact is, most home users are like sheep; they move in the direction all the other sheep move.
That sounds really disrespectful, but it's the truth.

Imagine if one person says: Uber Antivirus is the best
Some say: Whatever sure.
If 100000 persons say: Uber Antivirus is the best
Some say: I got to try that.
If 1 million people say: Uber Antivirus is the best.
Then suddenly it's the biggest discovery since penicillin.

Imagine 1 million people equals 1 million unique ideas and opinions.
Put them in one room, have them talk for 5 minutes, and suddenly you've got 1 million people and 1 common idea and opinion.

Does that make a product good or bad? Hell no, people.... wake up.
Companies like ESET, Kaspersky, Symantec, Trend Micro, McAfee and others spend millions of dollars on research, testing and development... Do you really think they are as bad as some of the tests indicate? Or do you really think they are as bad as some members claim?

Example: Mister X used Sophos and, because of a friend, he tested Malwarebytes, and guess what?
Malwarebytes found 12 malicious files.
So Mister X comes here on the forum and writes a topic: Sophos sucks & Malwarebytes Rocks.

What Mister X did not tell you is that he ignored basic practices, that he did not follow clearly written protocols, that he is using keygens, cracks, torrents and a pirated Windows which he downloaded from the link http://iamhackingyou-but-youfailto-realizeit.com, and that he has not updated his PC and config since the stone age.

There you've got one sheep planting an opinion on a huge forum like this one.
Now as you probably guessed Mister X is not the only one breaking every rule...
There are millions across the internet.

And then suddenly Sophos has become the nightmare program of the century.
Truth is that you did not allow Sophos to protect you in the way they intended.
Or did they do all the above things? I do not think so.
Rules, guides & protocols are there for a reason.
If you fail to plan, you plan to fail. It's THAT simple.

When push comes to shove it really does not matter if you use Sophos, ESET, McAfee, Symantec, Bitdefender, Trend Micro, Panda, F-Secure or others; they all will protect you, and they all will be capable enough to deal with past, present and even future dangers.

Test results are NOT written in stone; they are just an indication.
Also, each program works in its own unique way; some have a kick-ass scanner and some have a better removal module.
An antivirus package cannot be judged just by its detection; one should judge it over the entire spectrum of its capabilities. On top of that, basic practices and protocols should be applied, or ANY AV will be rendered useless.
(PS: did you just click on the above link? You serious? OMG... FAIL.)

Most people do not realize that the antivirus industry has various agreements that guarantee a baseline level of protection, which has been formally agreed within the industry.
So pick any of the above names and you will be fine.

Also, comparing Internet Security suites to dedicated tools is comparing a donkey to a duck.
For example, how on earth can you compare NIS and MBAM?
Malwarebytes is a dedicated tool, while NIS is a jack of all trades, master of none!!
Just realize that there are so many programs out there, and each one has its own tools and options.
They are all different and have their own ways, but at the same time they are very much the same.
They all want to protect you, and they all try to offer just that.
The hard part is understanding how these programs are going to protect you, and more importantly what you need to do to make sure that a program can perform optimally.

And a test report or a simple review based upon some new malware is not going to do that for you.
 

Nikos751

n.nvt, I will thank you another time for all this valuable information and your time. I read both your guide and this reply. What I understand is that most risks for home users can be prevented with common sense and basic education on safe behavior. The small percentage of nasty malware that uses more advanced ways to infect a PC can either infect you if you accept it entering your computer, or if you give it privileges yourself (UAC, for example). In most cases the difference for the paid product is that, with its whole service, it can help you remove those nasty infections and can give you more info on what infection you have (level of risk, description, tech support, etc.).
Is this correct?
 

Nico@FMA

n.nvt, I will thank you another time for all this valuable information and your time. I read both your guide and this reply. What I understand is that most risks for home users can be prevented with common sense and basic education on safe behavior. The small percentage of nasty malware that uses more advanced ways to infect a PC can either infect you if you accept it entering your computer, or if you give it privileges yourself (UAC, for example). In most cases the difference for the paid product is that, with its whole service, it can help you remove those nasty infections and can give you more info on what infection you have (level of risk, description, tech support, etc.).
Is this correct?

That is pretty much correct.
 

Jaspion

Thanks, everybody, for your shared opinions. This has indeed been a productive continuation of the original discussion started in this thread,
and it's good that no one has broken this great combo with personal attacks. After all, we're all here to learn and share knowledge.

At this point, one thing still bothers me. I suspect this is a very important issue that has been largely overlooked here: the case of Virtual Machine tests in evaluating antivirus/antimalware solutions.

If n.nvt and Littlebits are correct, VMs do not represent real live machines well enough because the virtual system doesn't have the same level of access to the machine's resources, meaning the AV also doesn't have access to all the resources it needs to work properly. Is that correct? Because this would mean that the many users here doing VM tests are doing little more than playing a type of video game: it's cool to watch, but it doesn't belong to real life.

Another thing I would like n.nvt to clear up is the difference between trial and paid. Is the difference only the obvious time limit, or is the protection level diminished as well?

Thanks.
 

Nikos751

I feel much better now that I have a realistic idea of what's happening. One last piece of advice from you, n.nvt. As I am a home user with no paid product available, do you think that Privatefirewall with Avira Free is a waste of resources and I should only keep something like Windows default security, or Windows Firewall with Avira Free, etc.? I still believe, for some reason, that most known free AVs can improve the security even of a system like mine, despite my not being a novice user.
 

Nikos751

Thanks, everybody, for your shared opinions. This has indeed been a productive continuation of the original discussion started in this thread,
and it's good that no one has broken this great combo with personal attacks. After all, we're all here to learn and share knowledge.

At this point, one thing still bothers me. I suspect this is a very important issue that has been largely overlooked here: the case of Virtual Machine tests in evaluating antivirus/antimalware solutions.

If n.nvt and Littlebits are correct, VMs do not represent real live machines well enough because the virtual system doesn't have the same level of access to the machine's resources, meaning the AV also doesn't have access to all the resources it needs to work properly. Is that correct? Because this would mean that the many users here doing VM tests are doing little more than playing a type of video game: it's cool to watch, but it doesn't belong to real life.

Another thing I would like n.nvt to clear up is the difference between trial and paid. Is the difference only the obvious time limit, or is the protection level diminished as well?

Thanks.

I thought the same thing as you some seconds ago, and it will be nice to know what's really up with VMs.
About trial and paid products, I believe it's up to the vendor and what it provides in its trial (30, for example).
 

Nico@FMA

I feel much better now that I have a realistic idea of what's happening. One last piece of advice from you, n.nvt. As I am a home user with no paid product available, do you think that Privatefirewall with Avira Free is a waste of resources and I should only keep something like Windows default security, or Windows Firewall with Avira Free, etc.? I still believe, for some reason, that most known free AVs can improve the security even of a system like mine, despite my not being a novice user.

Oh yes, there is generally nothing wrong with free antimalware; it's better than nothing and good enough for a general level of protection.
And no, I do not think you are wasting your resources, as I mentioned earlier in my posts.
As I said, it really comes down to what you require, know about and feel comfortable with.
It gets the job done... mission accomplished, right?
 

Nico@FMA

I thought the same thing as you some seconds ago, and it will be nice to know what's really up with VMs.
About trial and paid products, I believe it's up to the vendor and what it provides in its trial (30, for example).

Well, from a vendor's point of view, they are NEVER going to give you the full functionality in a free product if they've got a premium package for sale.
That would be killing your own product.
See my point? And it really does not matter if it's just support you pay for, or additional tools, functionality and such.
There is always something (or a bunch of things) that a paid product does better than a free version.
Why else sell it? Otherwise they might as well sell hot air.
 

Nikos751

Oh yes, there is generally nothing wrong with free antimalware; it's better than nothing and good enough for a general level of protection.
And no, I do not think you are wasting your resources, as I mentioned earlier in my posts.
As I said, it really comes down to what you require, know about and feel comfortable with.
It gets the job done... mission accomplished, right?

Mission accomplished; you are one of the most knowledgeable persons here without being half-educated on security-related things.
 

Deleted member 178

If n.nvt and Littlebits are correct, VMs do not represent real live machines well enough because the virtual system doesn't have the same level of access to the machine's resources, meaning the AV also doesn't have access to all the resources it needs to work properly. Is that correct? Because this would mean that the many users here doing VM tests are doing little more than playing a type of video game: it's cool to watch, but it doesn't belong to real life.

Exactly; some AV features can't even work as they should in VMs, so unaware "wannabe expert-testers" think that the solution is bypassed.
When I did virus testing, I always used an old spare REAL system to truly measure the real potential of the solution. VMs approach a real system, but they ARE NOT a real system; the nuance is very important.

Another thing I would like n.nvt to clear up is the difference between trial and paid. Is the difference only the obvious time limit, or is the protection level diminished as well?

It depends on the solution, but mostly it is just time-limited so you can judge the product's effectiveness. Trialware is made to give you a taste of the product so you may purchase it, whereas free software is just to gain more audience and maybe potential paying customers.
 

Nico@FMA

Exactly; some AV features can't even work as they should in VMs, so unaware "wannabe expert-testers" think that the solution is bypassed.
When I did virus testing, I always used an old spare REAL system to truly measure the real potential of the solution. VMs approach a real system, but they ARE NOT a real system; the nuance is very important.

It depends on the solution, but mostly it is just time-limited so you can judge the product's effectiveness. Trialware is made to give you a taste of the product so you may purchase it, whereas free software is just to gain more audience and maybe potential paying customers.

100% spot on; that's why I mentioned that member testing is nice for reference but does not hold much real info.
 

cruelsister

Without getting overly involved in this topic I'd just like to make 2 points:

1) Paid is better than Free: this statement speaks more to ignorance of a company's business model than having any basis in fact. Two examples of this would be Baidu and Qihoo (no WAY I'm mentioning Comodo here). Qihoo, and to a more recent and lesser extent Baidu, use the anti-malware application as a "loss leader". Basically they want folks to like BAV and Q360 to draw them into using their respective browsers, which run their respective search engines, from which they derive the bulk of their revenue.

To put it in perspective one must look at the market cap (i.e. the total market value of the company as a whole) of these organizations. Using Symantec as a baseline, which has a market cap of about 13.5 billion USD, Baidu is really up there at about 56 billion, and upstart Qihoo is in a virtual tie with Symantec. So one can easily see these aren't fly-by-night organizations by any means, and they have consistently put money back into their security products to make them better.

So instead of saying a Free Product can't compete with a Paid product, one should question how someone like AVG (market cap 1 billion USD) can compete with Qihoo!

2) A statement was made that the testing done on Malware Hub is of little value. Perhaps this would indeed be the case if occasionally 10 or so rinky-dink samples were run every now and then. But that isn't the case, is it? Since I've come on board at MT I've personally run in excess (EASILY in excess) of 10 thousand samples, all of which were D+2 or newer, primarily on Q+CF (although I always find some time to mock other products). This combination has consistently been shown to provide excellent protection, and I can only assure you I know what I am doing. And it is Free.

But should we dismiss this testing and instead drool over the results of things like the pathetic AV-C results? I think not.

(note to friend Jasp: my tests are on live test boxes. I'm also leery of doing any realistic tests in a VM, at least when samples are run. On-demand scanning only wouldn't be an issue, though, if that's what others are using)
 

Littlebits

Testing malware in virtual environments will never give you correct results. Just as mentioned by Umbra Polaris, some protection and detection features will fail to work properly because they need direct access to the Windows kernel; the same applies to Windows features like UAC and Secure Boot. On-demand scans of malware packs don't tell you anything about a product's protection features.

If you want to test like a professional, it requires a lot of work and takes time.
- You will need a dedicated testing system with an updated Windows OS installed.
- After all Windows Updates are applied, you will need to make a disk image to restore after testing the malware samples.
- To make sure that you get correct results, every time the testing system gets infected you will need to restore the disk image before continuing to the next sample test.
- Test the protection (blocking) features of each selected product; on-demand scans are not important, since the protection features of many products can still protect against infection even though the on-demand scans may not detect anything.
- Besides testing live malware samples, mix in some popular safe files and test for false positives as well.
- Make sure that your malware samples are current and still available in the wild for accidental download. Testing remote samples that most users are not likely to encounter will give false results. According to Microsoft, malware samples that have not been active in the wild for over 90 days with no reported infections are dead samples. Just because you can find the samples and manually download them from a malware hosting site doesn't mean that they are in the wild for accidental download. Some samples never go into the wild; they just sit on hosting sites and stay remote, where only malware hunters can find them and test them. These are poor samples to test with if you want accurate results.
- Make sure that the samples are actually real malware; just because they are detected by an AV doesn't mean they are real. False positive detection has become a problem with many AVs. You will have to observe the samples after they run to see what they do, because each sample will have to run on the testing system one at a time to verify that it is indeed real malware. Then you will have to restore the disk image between running each one to make sure there is no cross-infection between samples.
- Depending on the number of samples tested, it will probably take several months to complete the test; by then many of the samples used will be dead and still will not show an accurate picture of the current active malware in the wild.
- If you have several hundred identical testing systems, it saves a lot of time because you won't have to keep restoring disk images. It also helps if you have a testing crew; it's too much work for just one person to do.

So who wants to test like a professional?? I have better things to do with my time.

Enjoy!! :D
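
The bookkeeping behind the procedure above, as an added example that is not Littlebits' own tooling or anything from this thread: product names, sample labels, dates and outcomes are all constructed, and the `execute`/`restore` callbacks are placeholders for whatever actually launches a sample on the spare box and reimages it afterwards. It encodes the rules the post lists: a malicious sample is only admitted once its behaviour has been confirmed and it is still active in the wild (the 90-day rule quoted from Microsoft), benign files are mixed in to catch false positives, the clean image is restored before every single sample, and only a block counts as protection, so an on-demand detection on a file that still ran is scored as an infection.

```python
"""Record-keeping for a protection test run along the rules in the post above.

Added illustration only: the product names, sample labels, dates and outcomes
are constructed, and `execute`/`restore` are callbacks the tester wires to
the real spare box (one that launches the sample, one that reimages the disk).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

STALE_AFTER_DAYS = 90  # the "no in-the-wild activity for 90 days" rule cited in the post


@dataclass(frozen=True)
class Sample:
    label: str                          # constructed identifier, not a real hash
    last_seen_itw: Optional[date]       # last in-the-wild sighting; None = only on hosting sites
    verified_malicious: Optional[bool]  # None until its behaviour was observed on the test box
    benign: bool = False                # known-good file mixed in to measure false positives


@dataclass(frozen=True)
class Outcome:
    blocked: bool       # real-time / behaviour protection stopped it from running
    ondemand_hit: bool  # an on-demand scan flagged the file


def usable(sample: Sample, today: date) -> bool:
    """Sample hygiene from the post: benign files always go in; a malicious file
    only if its behaviour was confirmed and it is still active in the wild."""
    if sample.benign:
        return True
    if sample.verified_malicious is not True or sample.last_seen_itw is None:
        return False
    return (today - sample.last_seen_itw).days <= STALE_AFTER_DAYS


def run_campaign(samples: List[Sample], products: List[str],
                 execute: Callable[[str, Sample], Outcome],
                 restore: Callable[[], None], today: date) -> Dict[Tuple[str, str], Outcome]:
    """One sample at a time, each started from a freshly restored image."""
    results: Dict[Tuple[str, str], Outcome] = {}
    for product in products:
        for s in samples:
            if not usable(s, today):
                continue
            restore()  # clean image before every sample, so nothing carries over
            results[(product, s.label)] = execute(product, s)
    return results


def score(samples: List[Sample], products: List[str],
          results: Dict[Tuple[str, str], Outcome]) -> Dict[str, dict]:
    """Only a block counts as protection; an on-demand hit on a file that still
    ran is a miss, and any alert on a benign file is a false positive."""
    by_label = {s.label: s for s in samples}
    summary: Dict[str, dict] = {}
    for p in products:
        protected = missed = ondemand_only = fp = benign_n = 0
        for (prod, label), out in results.items():
            if prod != p:
                continue
            if by_label[label].benign:
                benign_n += 1
                fp += int(out.blocked or out.ondemand_hit)
            elif out.blocked:
                protected += 1
            else:
                missed += 1
                ondemand_only += int(out.ondemand_hit)
        mal = protected + missed
        summary[p] = {"protected": protected, "missed": missed,
                      "ondemand_only": ondemand_only, "false_positives": fp,
                      "protection_rate": protected / mal if mal else 0.0,
                      "fp_rate": fp / benign_n if benign_n else 0.0}
    return summary


# Constructed demo data: hypothetical products, labels and canned outcomes.
TODAY = date(2014, 3, 1)
SAMPLES = [
    Sample("mal-1", TODAY - timedelta(days=2), True),
    Sample("mal-2", TODAY - timedelta(days=10), True),
    Sample("mal-3", TODAY - timedelta(days=200), True),  # stale: excluded
    Sample("mal-4", None, True),                         # never in the wild: excluded
    Sample("mal-5", TODAY - timedelta(days=1), None),    # behaviour not verified: excluded
    Sample("good-1", None, None, benign=True),
    Sample("good-2", None, None, benign=True),
]
PRODUCTS = ["product-A", "product-B"]
CANNED = {  # stands in for real runs on the spare box
    ("product-A", "mal-1"): Outcome(blocked=True, ondemand_hit=True),
    ("product-A", "mal-2"): Outcome(blocked=False, ondemand_hit=True),   # scanner knew it, box still got infected
    ("product-A", "good-1"): Outcome(blocked=False, ondemand_hit=False),
    ("product-A", "good-2"): Outcome(blocked=True, ondemand_hit=False),  # false positive
    ("product-B", "mal-1"): Outcome(blocked=True, ondemand_hit=False),   # scanner blind, behaviour block caught it
    ("product-B", "mal-2"): Outcome(blocked=True, ondemand_hit=True),
    ("product-B", "good-1"): Outcome(blocked=False, ondemand_hit=False),
    ("product-B", "good-2"): Outcome(blocked=False, ondemand_hit=False),
}


def demo() -> Tuple[Dict[str, dict], int]:
    """Run the canned campaign; returns the per-product summary and restore count."""
    restores: List[int] = []
    results = run_campaign(SAMPLES, PRODUCTS, lambda p, s: CANNED[(p, s.label)],
                           lambda: restores.append(1), TODAY)
    return score(SAMPLES, PRODUCTS, results), len(restores)


if __name__ == "__main__":
    summary, n_restores = demo()
    for product, stats in summary.items():
        print(product, stats)
    print("disk image restores:", n_restores)
```

With the canned data, three of the five malicious samples are thrown out before anything runs, the image is restored eight times (four admitted samples times two products), and product-A ends up at a 50% protection rate with one false positive even though its on-demand scanner recognised both malicious files; that is the gap between "detection rate" and "protection" the post is describing.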
 

Nico@FMA

Without getting overly involved in this topic I'd just like to make 2 points:

1) Paid is better than Free: this statement speaks more to ignorance of a company's business model than having any basis in fact. Two examples of this would be Baidu and Qihoo (no WAY I'm mentioning Comodo here). Qihoo, and to a more recent and lesser extent Baidu, use the anti-malware application as a "loss leader". Basically they want folks to like BAV and Q360 to draw them into using their respective browsers, which run their respective search engines, from which they derive the bulk of their revenue.

To put it in perspective one must look at the market cap (i.e. the total market value of the company as a whole) of these organizations. Using Symantec as a baseline, which has a market cap of about 13.5 billion USD, Baidu is really up there at about 56 billion, and upstart Qihoo is in a virtual tie with Symantec. So one can easily see these aren't fly-by-night organizations by any means, and they have consistently put money back into their security products to make them better.

So instead of saying a Free Product can't compete with a Paid product, one should question how someone like AVG (market cap 1 billion USD) can compete with Qihoo!

2) A statement was made that the testing done on Malware Hub is of little value. Perhaps this would indeed be the case if occasionally 10 or so rinky-dink samples were run every now and then. But that isn't the case, is it? Since I've come on board at MT I've personally run in excess (EASILY in excess) of 10 thousand samples, all of which were D+2 or newer, primarily on Q+CF (although I always find some time to mock other products). This combination has consistently been shown to provide excellent protection, and I can only assure you I know what I am doing. And it is Free.

But should we dismiss this testing and instead drool over the results of things like the pathetic AV-C results? I think not.

(note to friend Jasp: my tests are on live test boxes. I'm also leery of doing any realistic tests in a VM, at least when samples are run. On-demand scanning only wouldn't be an issue, though, if that's what others are using)

Let me address your points one by one.
1: Within the industry there is a market & business model, I will not deny that, and neither will I deny that there is a fair amount of ignorance which seems to discredit free products and runner-up models from lesser companies.
I personally believe that a fair share of hostility keeps things interesting.
With regard to using Symantec as a baseline: that does not really hold any ground, because in my many posts I mentioned several vendors who have pretty much equal status. So you can replace Symantec with any comparable vendor, for example Sophos, Kaspersky or F-Secure.
One of the reasons I pointed out Symantec and Sophos for their business and enterprise endpoint & management products is simple.
They control the market in virtually everything, while they do not have the biggest market share; they only control the market at this point due to the fact that the products they offer in this respective market provide by far the best solutions for high-end companies.
Even Kaspersky does not come close to the level Symantec and Sophos are at. Obviously, on a personal note, I do not pick a favorite here, as I would install Symantec, Sophos, Kaspersky or even McAfee ANY day if it fitted our own company and security strategy.

From a home client perspective you are partially right: free does not necessarily have to be less than paid solutions. However, from a business point of view there is NOTHING that a free solution can offer other than a waste of time and a placebo effect.
Again, this has nothing to do with the free solution being a lesser scanner, but you have to look at this from a much broader perspective.
A company does not need just a scanner, a spam filter and a few gadgets. There is so much more that comes into play when a company is going to sign contracts with security companies like Symantec and Sophos.
And from this perspective you can hardly say that it's ignorance, or that free is just as good as paid solutions; there is just no way you can even remotely compare them.
So with this in mind you are partially right from a "home" perspective, but you have to agree that from an industry point of view I am spot on.
(If not, then I have been sleeping for the past 15 years, lmao)

Also, the comparison based on market cap and share really does not hold any ground, as one security solution is perfect for company X while others are more for the masses and not tailored for company X.
And if you read my comments exactly as they are written, then you understand that I draw a clear line between home and industry standards when it comes to security.

So yes, let me confirm my previous statement that free does not match up to paid solutions within their respective markets.
And that's really what it's all about when you talk about security.

In regards to testing, I think some of you do not understand the idea behind testing in the first place: a member test or an independent lab test is a theoretical benchmark based upon various criteria. It does not always take into account the full spectrum of a solution and its add-on solutions, and next to that, it does not take into account specific infrastructure configurations.

Example: if I put an antivirus program in the middle of 100k live viruses, then this security product might detect 80%, and let's say it would remove or block another 75% (incl. false positives).

But if I put that same security package on a company infrastructure with all the right policies in place, then suddenly the same product can stop virtually ALL the malware, because the system itself really does not allow the infection to take place in the first place.
Just saying.

So again, from my point of view testing is an essential part, but it should be taken with a grain of salt, and using the test results as a baseline to judge whether a program is good enough is really going to give you a placebo effect if you take into consideration what I just explained.

I could go much deeper into this, but then I fear that we will lose track of the original context of this topic, and I fear that most others might get lost in industrial mumbo jumbo.

Again, I am not picking favorites, and neither am I painting a wrong picture here, because most of the posters in this topic, like yourself, made some valid points, but things need to be taken into consideration and the info must be seen from a larger perspective, rather than from a single computer & home user perspective.
Test results, detection rates and personal experiences based upon simple ideas and low-level testing and evaluating really do not stick.

I hope this explains some of your questions and ideas.
 

Rahadian Putra

Thanks a million, n.nvt, for sharing your articles here; it is indeed very educational, polished with a little joke that made me laugh a bit, and entertaining. Yes, it is quite true; I agree with most of your guide written here. I even read this guide over and over to make myself really understand. Anyway... thanks for sharing, very well written, well done :)
 

Deleted member 178

None, that's its beauty.

If you really, really want, you can install RKhunter, an OD scanner (with a few FPs).
 