Signatures and static detection are becoming less and less useful and the problem is not just Emsisoft.
People must be educated first of all, to keep malware away from PC, just use the appropriate security policy.
There is a wrong approach to the concept though. The average user does not want to spend his time looking at each configuration of the system security and how to configure it. The average user just wants to be able to use the PC safely for work or fun.
Surely he could install a behavior blocker or a HIPS that would allow him to completely control his PC. Who is going to teach him to properly respond to all alarms of the HIPS? (we are talking about average Joe).
Although of course I agree with the idea of having to educate users about PC security, it is still true that an antivirus is able to see more in depth than the eyes of a normal user.
The malware is not developed with the idea of doing as much damage as possible to the operating system as before. Now the key word is “money”.
There are those who may think that it is sufficient to work with a limited account to be safe from malware. Approach totally wrong: of course working with limited privileges remarkably helps the users to protect the integrity of his system. But it is not enough to protect from malware.
A malware running with restricted privileges can still steal the information that it wants. If the user is running a browser session, the malware can still inject its code inside the browser, it can still alter the necessary API to intercept the traffic. If a malware is running with limited privileges, it can still intercept the keys pressed and record what the user is writing or infect the USB device when they are connected to the system, strange? Study deeply change your conceptions!
It would be easier to remove? Yes, it's true. The infection would be confined to the user's account and removal would be trivial. The question then becomes: if there isn't an antivirus installed in the system, who notices if there is a malware that is doing this?
You could do it manually. But if the infection includes a rootkit user mode? Yes, they can run in a limited account.
You need to manually run a file to stay infected? Most of the browsers (Firefox and Chrome) are running the plugin using the same privileges as the browser itself. This means that, if an exploit Flash is inserted in a web page apparently secure, a malware can be easily executed on the PC.
The antivirus are not designed to be the ultimate solution to the problem of malware.
A standard approach based on signature is no longer sufficient to avoid the problem malware. But there are other technologies that work together with the most classical signature-based one:
technologies of local heuristic, behavior-based blockers, technologies in-the-cloud. All technologies that help to identify new malware or malware variants that are already known. And they manage to detect many malware.
Antivirus is an important part of a strategy of multi-level security that every user should have to protect his digital identity.
Thank you
@LabZero for picking up the question, just came home from work, had no time to reply. Very detailed description, IMO it's spot on.
@Malakke:
I personally noticed Emsisoft (and Bitdefender) being behind with the time they need to iron out new signatures for threats, however, testing Emsisoft Internet Security 12 from mid of July of this year onto now, I got quite impressed by it's Behaviour Blocker (BB) - especially when it comes to (IMO) biggest threat, Ransomware. Of course, it does not always prevent an infection of the device, however, you need to be aware that the blackhats of nowaday are no amateurs. And, if you don't click wildly on everything you face on the internet, but pay some caution to unknown stuff, I'm not sure whether it's likely you're going to get infected as much as we do performing "Zero-Day" malware
* tests in the Malware Vault.
Me rather sacrifice a bit of protection than having some protection software blocking everything and causing problems with everydays use, and legit software.
Also, just as
@LabZero already pointed out, Emsisoft is (thanks god) prone to have lot's of BB alerts if something cannot be rated by their cloud. And this even in stock settings!
As you can see in the Malware Vault, we do not rely solely on the Antivirus Product we use, but also have some 2nd opinion scanners as their sidekicks. You do not need to pay for them, most of the time, free versions will serve you well if you can sacrifice their real-time-protection feature. As I would suggest to at least run them on a monthly basis (even if they will not find anything), the free versions are highly recommended as on-demand scanners.
@Evjl's Rain be aware that the "infected" rating will be given at the tiniest indication of an malware infection, this can also be a
dropped file might not doing harm while the testing process rated accordingly to the SysInternals tools & 2nd opinion scanners (but might be triggered after restart, which is not possible with ShadowDefender, as it will reset everything to the snapshot before the shadowed session). But I can clearly understand your worries, I hope that Emsisoft Internet Security 12 will come up even stronger.
To sum it up, lessons learned like that is why you should not run unknown files in a live system, but virtualized by a VirtualMachine (VM) or a tool like ShadowDefender (make sure there is no personal data on this PC, also I might suggest using a VPN like CyberGhost Free!) to reduce the risk.
*"Zero Day" Malware: Malware being very young, not detected widely by the signatures of Antivirus Software (see the VirusTotal rating in the thread opener's description).
. Anyway, i understand 100% efectiveness is not possible... Now i'm using Emsi + Zemana and i think it's a good combo.
