How useful is antivirus software?

It goes without saying that antivirus software can't catch everything. But does it catch 10% or 90% of the malware targeted at Windows users?

In a recent user group presentation, malware expert David Perry, of Comodo, said there are between 200,000 and 300,000 new viruses discovered every day (here "virus" is a generic term encompassing dozens of types of malware). They are built from kits and most circulate in the wild for a very short time, perhaps only a day. In other words, by the time they are detected, they're often out of circulation. 

Typical reviews of antivirus software use small samples, so their usefulness is questionable. For example, at PC Magazine, Neil J. Rubenking tests with "... a dozen or more virtual machine test systems, each one pre-loaded with three or four malware samples." Somewhere in the vicinity of 60 samples doesn't seem like much to judge with.

Statistics published by Brian Krebs indicate that antivirus software detects about 25% of the most popular malware currently being emailed to people.

The data comes from "computer forensics and security management students at the University of Alabama at Birmingham". They profiled the most popular email-based malware attacks in the last month and, most interestingly, how well the 42 or so antivirus programs employed by VirusTotal did at detecting the malware. Krebs published the data as a PDF (recommended for the live links) and as an image.

The initial detection of the "password stealing and remote control Trojans" was not encouraging. Krebs wrote:

The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.

So, measured against the malware that actually arrives in email, the answer to how effective antivirus software currently is seems to be around 25%.

In fairness, this is an average across all the products at VirusTotal, and some poor performers bring it down. Still, in the last month alone two new malware samples were undetected by all 42 virus scanners, and many were detected by only a handful of products.

In reviewing the figures, I noticed that the number of days between the first report of a malware sample to VirusTotal and the last one is often only a few days, reinforcing Perry's observation about the extremely short lifespan of Windows malware.

TWO DEFENSIVE STEPS 

What to do? 

This list of Defensive Computing steps is long. Brutally, depressingly long.  

That said, perhaps the two most important things a Windows user can do are rarely, if ever, cited in stories about malware. I attribute this to the way stories come into being: reporters get their information from companies with a self-interest. Being a nerd rather than a reporter, I instead suggest two things that are each free; things from which only you profit. 

1. Run as a restricted Windows user.  

The concept is simple: restricted users are walled off from the guts of the operating system. For example, they can't create, modify or delete anything in the C:\Windows folder. Put another way, the operating system defends itself when a restricted user is logged on. Malware may run once, and it may even persist inside that user's own profile (its files and per-user Run keys), but it should be prevented from installing itself into the system or reaching other users' accounts.

"Restricted" is the concept. In Windows XP the term Microsoft uses is "limited." In Windows 7, restricted users are referred to as "standard." Sadly, administrators are the de facto standard, and the default, type of user on Windows machines.

My scheme is to create two Windows users, for example MichaelAdmin and MichaelRestricted. I log on as MichaelRestricted normally and only log on as MichaelAdmin when necessary.

In Windows XP, logging on as the administrator was necessary far more often than in Windows 7. In the last year or so, using Windows 7 daily, I don't think I needed to log on as the administrator once. Both users share the same password.

This is not a perfect defense against malware, nothing is. But you are much safer running as a restricted user. The same goes for OS X and Linux, by the way. 

2. Always be skeptical. 

If you are using an iPad and the Bank of America app says it needs to be updated, you can be pretty sure that's true. But on a Windows machine, when a window pops up claiming that an update is needed to Flash, it's just as likely to be a scam as the real thing. Windows users are lied to all the time, and they need to always keep that in the back of their mind.

Email users are also lied to all the time, a problem not restricted to Windows. Anyone using email, even on a tablet or smartphone, needs to always be conscious of the fact that it is trivially simple to forge the FROM address of an email message. 

That email from UPS about a package that couldn't be delivered most likely did not come from UPS. I personally have gotten a handful of emails claiming to be from my cellphone provider reporting that this month's phone bill is $1,200 rather than the usual $70. They look exactly like the real thing (it's not hard to do) but are a ruse to send victims to a malicious website.

FINANCIAL TRANSACTIONS  

So many defensive steps are required of Windows users that the safe assumption is no one does them all. Working from this assumption, I suggest never doing financial transactions on a Windows computer.

Anyone who doesn't think their computer is infected should consider another warning from Perry: malware is frequently invisible and silent. Think Stuxnet and Flame.

Some alternatives to Windows are  

  • Boot a Windows computer to Linux running off a USB flash drive. Yes, CDs are safer (they are read-only, so nothing can be written back to them) but they are soooooo slow.
  • Use a Chromebook, which runs a hardened version of Linux that automatically self-updates. 
  • Use an iPad/iPhone app from your financial institution. Just be careful which Wi-Fi networks you connect to. 

David Perry won't do online banking on any computing device. And, unlike reporters who offer safety suggestions, he is a world class expert on malware.

Update, June 26, 2012: At the request of a commenter below, here is a simple approach to convert a Windows computer with a single administrator user into one with both an admin user and a restricted user, while preserving the current desktop environment. Assume the existing Windows userid is User1.

  1. In the Control Panel, go to User Accounts
  2. If User1 does not have a password, assign it one
  3. Create a new user called User1Admin with the same password as User1
  4. Log off User1 and log on as User1Admin
  5. Go back to User Accounts in the Control Panel
  6. Set user User1 to be limited (Windows XP) or standard (Windows 7)
  7. Log off User1Admin
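The same conversion, scripted, together with a check for step 1 above that the account you are logged on as really is a restricted user. This is an added PowerShell example, not code from the original post; it uses only the `net user` and `net localgroup` commands that exist on XP, Vista and 7 (PowerShell ships with 7 and is a separate download on XP). The account names User1 and User1Admin are the ones from the post; the function names are my own.

```powershell
# Added example, not from the original post. Two pieces:
#   Test-RestrictedAccount   - is this account a limited (XP) / standard (7) user?
#   Convert-ToSplitAccounts  - the seven-step June 26 procedure, with a lock-out guard.
# Assumes a local (non-domain) machine and the User1 / User1Admin names from the post.

function Get-LocalGroupMembers {
    param([string]$Group)
    # `net localgroup <group>` prints members between a dashed rule and a
    # "The command completed successfully." trailer; keep only that middle part.
    $lines = & net localgroup $Group 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    $members = @(); $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}\s*$')             { $inList = $true; continue }
        if ($line -match '^The command completed')  { break }
        if ($inList -and $line.Trim()) {
            # Members can be shown as COMPUTER\name; compare on the bare name.
            $members += ($line.Trim() -split '\\')[-1]
        }
    }
    return $members
}

function Test-RestrictedAccount {
    param([string]$User = $env:USERNAME)
    # "Restricted" here means: not a member of the local Administrators group.
    # Note that a Windows 7 administrator in a non-elevated session also cannot
    # write to C:\Windows, but that is only UAC; one click on "Yes" and malware
    # has the whole account. This check looks at the account, not the session.
    $admins = Get-LocalGroupMembers 'Administrators'
    return -not [bool]($admins | Where-Object { $_ -ieq $User })
}

function Test-SessionIsAdmin {
    # True on XP when logged on as an administrator, and on Vista/7 only when
    # the PowerShell window was started with "Run as administrator".
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Convert-ToSplitAccounts {
    param([string]$Existing = 'User1', [string]$NewAdmin = 'User1Admin')
    if (-not (Test-SessionIsAdmin)) {
        throw 'Run this from an administrator account (elevated on Vista/7).'
    }
    # Step 2 of the post is still on you: make sure $Existing already has a password.
    # Step 3: the "*" makes net.exe prompt for the password (twice) without echoing it.
    & net user $NewAdmin * /add
    if ($LASTEXITCODE -ne 0) { throw "Could not create $NewAdmin" }
    & net localgroup Administrators $NewAdmin /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $NewAdmin to Administrators" }
    # Lock-out guard: never demote the old account until the new one is verifiably
    # an administrator, otherwise the machine may be left with no admin at all.
    if (Test-RestrictedAccount $NewAdmin) {
        throw "$NewAdmin is not in Administrators; aborting before demoting $Existing"
    }
    # Step 6: a standard/limited user is a member of Users and not of Administrators.
    & net localgroup Users $Existing /add 2>$null | Out-Null   # harmless if already a member
    & net localgroup Administrators $Existing /delete | Out-Null
    if (-not (Test-RestrictedAccount $Existing)) { throw "$Existing is still an administrator" }
    "Done. $Existing becomes a restricted user at its next logon; log off now (step 7)."
}

# Usage:
#   Test-RestrictedAccount                                   # True when the current account is restricted
#   Convert-ToSplitAccounts -Existing 'User1' -NewAdmin 'User1Admin'
```

The group change does not touch the token of a session that is already logged on, which is why the post has you log off in steps 4 and 7: User1 stays an administrator until it logs on again. Run `Test-RestrictedAccount` from the User1 desktop after that logon to confirm the demotion took.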

You may want to rename user User1 to User1Restricted, but this can be a bit confusing, as the profile folder dedicated to User1 (C:\Users\User1 on Windows 7, C:\Documents and Settings\User1 on XP) is not renamed.

After adding the new user, you may find that instead of booting directly to the Windows desktop, it is first necessary to select a Windows user and enter the password. To boot directly to the Windows desktop, Microsoft has an excellent free utility called Autologon, written by Mark Russinovich, that works with Windows XP, Vista and 7. If you use it, configure it for the restricted user, not the admin, or you have undone step 1. Be aware, too, that Autologon stores the password on the machine (as an LSA secret in the registry), so anyone who gets administrator access to the computer can recover it.
