Leaky antivirus defences letting malware through

Even users running up-to-date anti-virus software still get infected with malware, according to stats from an online malware scanning service. Nearly a third (25,000 out of 78,800) of computers with up-to-date anti-virus software were discovered to be infected with malicious code when users scanned their PC using SurfRight's …


This topic is closed for new posts.
  1. Matt W 1

    Didn't PrevX run a cloud solution

    From about 2006 ? hardly a new idea from Panda, and I don't see PrevX storming the sales charts.

  2. Gareth.


    "Even users running up-to-date anti-virus software still get infected with malware, according to stats from an online malware scanning service."

    ...according to stats from an online malware scanning service, eh? Of course, they don't have a vested interest in massaging figures to suggest their online malware scanning service is required by people browsing the web, even those with up-to-date AV software installed.

    I'm not for any minute suggesting that AV is a panacea against malware, but I do question how impartial this research is.

    Did they slip you a nice little backhander for publishing this 'article', El Reg? There's nothing like a free bit of advertising. World Cup tickets, anyone...?!?

  3. Mage

    Education and a separate Firewall

    Education and a separate Firewall are the key, possibly a mail server that eats all executables. Not AV/Security software. Some users never have malware and all of the infected PCs I ever fixed did have AV.

    No AV software or Infections on this box in 8 years. Occasional audits by:

    1) Network activity


    3) various root kit detection packages

    4) checking RAM usage and Processes running.

    Never running IE or Outlook

    patches / SP usually up to date.

    Remote images and remote HTML are blocked.

    Never clicking on unexpected attachments, even if from friends (a spammer could be using their address)

    Always un-needed services disabled

    If have to run with no Firewall, then VPN to own mailserver and MS client Bindings disabled on the Network in Use.

    All unused Networks disabled.

    Never have File & Print server running, use a NAS or Server or dedicated Workstation.

    The AV model without User
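One way to do the "network activity" audit from the checklist above, as an added example that is not code from the thread or from any product: listening sockets are compared against an allowlist of what the box is expected to expose. The `ss -tulpn`-style lines are constructed sample input, not captured from a real host, and the process names and ports are illustrative assumptions.

```python
"""Added example (not from the thread or any product): audit listening
sockets against an allowlist, one way to do a "network activity" check.
The ss -tulpn style lines below are constructed sample input, not output
captured from a real host; process names and ports are illustrative."""
import re

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=600,fd=6))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("unknownsvc",pid=9001,fd=3))
"""

# Expected listeners for this (constructed) machine: (proto, port) -> process.
ALLOWLIST = {("tcp", 22): "sshd", ("udp", 68): "dhclient", ("tcp", 631): "cupsd"}

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text):
    """Parse ss -tulpn style lines into dicts; the header line is skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        m = PROC_RE.search(line)
        entries.append({"proto": proto, "addr": addr, "port": int(port),
                        "process": m.group(1) if m else None})
    return entries


def audit(entries, allowlist):
    """Flag sockets that are not in the allowlist or are owned by an
    unexpected process, and note whether they are bound to all interfaces."""
    findings = []
    for e in entries:
        expected = allowlist.get((e["proto"], e["port"]))
        if expected is None:
            reason = "not in allowlist"
        elif expected != e["process"]:
            reason = f"expected {expected}, found {e['process']}"
        else:
            continue  # known port owned by the expected process
        exposure = "all interfaces" if e["addr"] in ("0.0.0.0", "[::]", "*") else "local"
        findings.append((e["proto"], e["port"], e["process"], reason, exposure))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(finding)
```

The allowlist is the part that carries the security value: a listener is only "normal" if both the port and the owning process match what you expect, so a familiar port taken over by a different binary is reported too.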

    1. Anonymous Coward

      5) the tin foil hat

      of course you could save yourself all that hassle and just use a *secure* os. i am not going to name names.

    2. Big-nosed Pengie

      "Never running IE or Outlook"

      Or Windows.

  4. Smidge

    Just ran the scan...

    And SurfRight found 3 pieces of 'Malware' on my machine. Those pieces of malware turned out to be legitimate applications ranging from a VMWare ThinApp application to a Network Analyzer installed on my machine which SurfRight recommended I delete immediately. Granted not everyday applications one might find on a consumer computer but still false positives.

    Do these false positives count when they collect and tally up all this data about 'Malware' on peoples computers? If so, then surely the figures they publish are simply...wrong?

    1. Allan George Dyer

      You're right, they are wrong...

      Disclosure: My company sells anti-virus software.

      Page 11 of the report says, "The statistics in this report are based on malicious files identified by at least 2 (or more) renowned AV vendors in our Scan Cloud. "

      To summarise, if SurfRight finds something it thinks might be malware on your computer, it sends the sample to "the cloud", where they have machines loaded with a bunch of AV software to check it. The sample is then "definitely" malware if two or more scanners think it is.

      So, you might think that this makes SurfRight less likely to give false positives than any ordinary scanner, after all, two other scanners have "agreed" it's bad. Wrong, for multiple reasons...

      Scanners have many settings, some want to help you keep your organisation clear of unauthorised tools installed by naughty users... of course, the BOFH doesn't use that on his machine, he uses it to make sure the Beancounters haven't been installing Network Analyzers.

      Some products detect damaged files, remnants of partial disinfections that are inactive, as malware... some bad testers use those files to test other products, and the developers of those other products get told, "Your lousy software doesn't detect BrokenFile.12345, I'm buying something else", so they add detection to improve their scores.

      Some legitimate programs have suspicious features, so several products with heuristic or behavioural modules might report them as suspicious.

      Testing anti-virus software is a lot more difficult than throwing a bunch of samples at it and counting the hits.
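The "identified by at least 2 renowned AV vendors" rule and the reasons it still admits false positives, worked through as an added example (this is not SurfRight's code or that of any vendor). All scanner names, files and verdict categories are constructed; the categories "pua" (unwanted admin tool) and "remnant" (inactive damaged file) stand for the scanner settings and detections the comment above describes.

```python
"""Added example (not SurfRight's or any vendor's code): how a
"detected by at least 2 scanners" rule behaves when some scanners count
admin tools (PUA) or inactive damaged files as malware.
All scanner names, file names and verdicts are constructed."""
from collections import Counter

# Constructed verdicts: scanner -> {file: verdict}. Verdict categories are
# illustrative: "malware", "pua" (potentially unwanted / admin tool),
# "remnant" (damaged, inactive leftover) or "clean".
VERDICTS = {
    "scanner_a": {"dropper.exe": "malware", "netanalyzer.exe": "pua", "old.tmp": "remnant"},
    "scanner_b": {"dropper.exe": "malware", "netanalyzer.exe": "pua", "old.tmp": "clean"},
    "scanner_c": {"dropper.exe": "malware", "netanalyzer.exe": "clean", "old.tmp": "remnant"},
    "scanner_d": {"dropper.exe": "clean", "netanalyzer.exe": "clean", "old.tmp": "clean"},
}


def count_hits(verdicts, counted=("malware",)):
    """Return {file: number of scanners whose verdict is in `counted`}."""
    hits = Counter()
    for per_file in verdicts.values():
        for name, verdict in per_file.items():
            if verdict in counted:
                hits[name] += 1
    return hits


def consensus(verdicts, threshold=2, counted=("malware",)):
    """Files that `threshold` or more scanners flagged with a counted verdict."""
    files = {f for per_file in verdicts.values() for f in per_file}
    hits = count_hits(verdicts, counted)
    return sorted(f for f in files if hits[f] >= threshold)


def compare_policies(verdicts, threshold=2):
    """Same 2-of-N vote, two definitions of a 'hit': only real malware
    verdicts, versus anything a scanner reports (PUA and remnants too)."""
    strict = consensus(verdicts, threshold, ("malware",))
    loose = consensus(verdicts, threshold, ("malware", "pua", "remnant"))
    return {"strict": strict, "loose": loose,
            "inflated_by": sorted(set(loose) - set(strict))}


if __name__ == "__main__":
    print(compare_policies(VERDICTS))
```

The vote threshold is the same in both policies; what changes the count is which verdict types each scanner is configured to report, which is exactly why "two scanners agreed" does not by itself make a statistic trustworthy.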

  5. Anonymous Coward

    "Users running up-to-date anti-virus software still get infected with malware..."?

    I don't see how their stats say that at all. What their stats say is that a third of users had up to date AV software, and were also infected, nothing more, nothing less. There is no way to know if their AV was up to date at the time of the infection or not. If a user suspects that they are infected, one of the first things they are likely to do is update their AV software, right? So, at best these stats indicate that a third of infections aren't able to be removed by AV software once the infection has taken hold.

    1. EJ

      I've seen this real world

      We routinely get hits on previous incidents when scanning a workstation. The AV signatures can't keep up with the pace with which new threats are churned out. So we'll detect incidents, but only a week or two after the incident actually occurred, and by that time it's too late.

  6. Anonymous Coward

    Not there yet

    I can't wait until it gets to a point where all AV software is basically completely useless and ineffective. Then we might finally move on and actually fix the problem at source (ie - in the OS/browser/whatever) rather than bolting-on more and more crud in the shape of AV software.

    1. Dr. Vesselin Bontchev

      Ain't gonna happen

      AV software became "basically completely useless and ineffective" about 5 years ago, when the malware threat landscape switched from viruses-written-for-glory to Trojans-written-for-money. Nevertheless, we can't "fix the problem at source" without making the computer unusable. Any general-purpose computer will be plagued by malware, as Dr. Fred Cohen proved mathematically almost a quarter of a century ago.

      Of course, the my-OS/browser-is-better-than-yours morons have never bothered to acquaint themselves with his works. It's much easier to blame the evil AV software producers.

      1. Anonymous Coward

        Yes ...and no

        While I agree that if you have a user who is determined to install some malware on his/her computer then there isn't much you can do about it.

        However, a huge amount of this stuff relies on security holes on the platforms that it is running on. Even if a particular trojan or whatever uses social engineering to get a stupid person to kick it off, it almost always still relies on a basic security lapse in the OS to become effective. None of the following should be easily (or at all) possible from a 'normal' computer user's account:-

        - Installing any software anywhere except the user's home directory

        - Installing any software that gets kicked off automatically on boot

        - Allowing software 'A' to access (what sometimes seems) pretty much any other data on the computer that it likes. It's this issue that allows SPAM to be automatically posted to everyone in a user's email address list. Use of suitable basic file permissions should prevent this.

        Even for an administrative account, some of this stuff should at least require confirmation from the user before actioning it. It simply should not be possible for an application to install itself without the user knowing about it - it's basic common sense.

        Applications should not be written in such a way that they REQUIRE running as root - someone mentioned the other day that Flash comes under this category. This is plain stupid.

        And why should it be possible for (say) a web browser to have a security hole that can (say) give remote root privilege? How can that happen? It's just an application. If it has any security holes in it at all then they certainly shouldn't allow privilege escalation. The fact that this does happen, and it IS possible, highlights a woefully poor OS/application model.

        And by the way; I don't think the AV software producers are evil. I just think AV software is the wrong answer - it is sticking plaster over a fundamentally broken system.

        1. Toastan Buttar

          Re: Yes ...and no


          "Applications should not be written in such a way that they REQUIRE running as root - someone mentioned the other day that Flash comes under this category. This is plain stupid."

          Flash doesn't require Admin rights on Windows XP. I insist on running as Limited User all the time (unless I have to install S/W or drivers) and Flash works just fine.

          I haven't used any AV products for the past three years, either:

      2. Ken Hagan

        Re: Ain't gonna happen

        "Any general-purpose computer will be plagued by malware, as Dr. Fred Cohen proved mathematically almost a quarter of a century ago."

        I'm not familiar with his work, but the wikipedia article only says he proved that you can't detect all the viruses once they are there. That is neither surprising nor relevant to the question of keeping them off the system in the first place. The latter is a question of computer security and there is a large body of work suggesting that it most certainly *is* possible to keep a system clean.

        1. RandSec

          Controlling Malware *is* Possible

          Certainly scanners cannot possibly detect all malware, because they depend upon each malware previously having been found in some other way so their signatures could be added to the scanning dataset. New ("zero day") or targeted malware will not be found.

          However, it *is* possible to find *every* malware infection: Just check every OS file used when booting and see if it has been changed. That cannot be done effectively within the OS, but can be done externally with some sort of manufacturer provided "Live" CD. It also does require the OS to be designed for security, by eliminating or otherwise controlling every dynamic file which could load malware at startup.

          Although we presently do not know how to control infection through the browser, we *do* know how to *prevent* infection. By "infection" we mean that malware has changed the contents of OS files or boot files so as to re-install itself on every reboot. No form of software or OS protection (e.g., read / write or user / root permissions) can prevent infection when the OS itself has been subverted. However, new hard drive specifications *could* provide *hardware* *protection* for boot files and data, allowing only owner-authorized changes. Until then, widespread use of DVD booting could greatly reduce infection.

          The first step in preventing infection is to prevent malware from gaining control in the first place. To the extent that most malware comes upon users essentially at random, malware generally assumes the presence of common software. Since over 90 percent of browsing occurs in Windows, the most important part of avoiding malware is to not use Windows on line.

          Personally, I boot Puppy Linux from DVD+RW and run Firefox with extensive security add-ons.

          To secure a laptop, remove the hard drive (which then cannot be exposed or infected), and boot Puppy Linux from DVD+RW. Puppy loads into RAM so the DVD can be removed in use.

          I have some articles analyzing malware and describing the configuration and use of Puppy Linux for security, starting at
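The check described above, "check every OS file used when booting and see if it has been changed", done as an added example that is not RandSec's code or any vendor's: a baseline of SHA-256 hashes is built from a known-good tree, and a later run reports changed, missing and added files. The file tree and its contents are constructed inside a temporary directory; in the setting the comment describes, the baseline would come from the install media and the check would run from a live CD so the suspect OS is not the one doing the checking.

```python
"""Added example (not RandSec's code or any vendor's): an offline
integrity check of the files loaded at boot, in the spirit of
"check every OS file used when booting and see if it has been changed".
The directory tree and file contents are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large kernel images do not land in RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root, baseline):
    """Compare the tree at root against a baseline manifest."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake boot tree, then tamper with it.
    All paths and contents are made up for the example."""
    root = tempfile.mkdtemp()
    try:
        tree = {"boot/loader.bin": b"bootloader v1",
                "sys/kernel": b"kernel image",
                "sys/init": b"init program"}
        for rel, data in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_manifest(root)

        # Simulated tampering: one file modified, one added, one removed.
        with open(os.path.join(root, "sys", "init"), "ab") as f:
            f.write(b"\x00extra bytes")
        with open(os.path.join(root, "sys", "unexpected.ko"), "wb") as f:
            f.write(b"not in the baseline")
        os.remove(os.path.join(root, "boot", "loader.bin"))

        return verify(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

A manifest is only as trustworthy as where it is stored: if it lives on the same disk as the files it describes, whatever altered the files can alter the manifest, which is the point of keeping it on read-only media together with the checker.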

        2. Allan George Dyer

          Fred's Proofs...

          Then the wikipedia article is lacking some important details. One proof shows that you cannot have a perfect virus detector (not, as you said, "you can't detect all the viruses once they are there" - not only can't you be sure of detecting them once they are in, you can't be sure of detecting them when they arrive).

          Another proof showed that, as Vesselin repeated, a virus can be written for ANY general-purpose computer. This really torpedoes all the arguments, "we should all start using X because it is immune to viruses", and "we just have to make a secure computer". Fred pointed out that it is possible to make a secure computer, it is just not very useful. Fred did list three perfect defences against viruses:

          1. Limited Sharing

          2. Limited Transitivity

          3. Limited Functionality

          In other words, goodbye to rich media, web 2.0, really the whole Internet, new applications, bugfixes for old applications... who wants these electronic computer thingies anyway?

          Compromise on the defences, and a clever opponent can take advantage. Welcome to the real world, no magic wands. I think the Police have been working on "the murder problem" for a long time, we should ask them when they'll have it fixed.

    2. Ken Hagan

      Re: Not there yet

      "a point where all AV software is basically completely useless and ineffective"

      As it happens, I was asked to look at a system over the weekend which had been infected whilst using Windows Defender. I installed the trial version of Kaspersky, which duly reported that it had found and removed various things. I *then* removed that and installed McAfee, which *also* claimed to find and remove things.

      The naive view would be that McAfee is "better" than Kaspersky since the latter clearly missed a couple of items, and both are obviously "better" than Defender. However, the evidence doesn't justify that optimism. All I've really discovered is either that most of the products on the market are flawed or that most of them are deceitful in their reporting to give me a "post-install feel-good" factor. (Or both, but now I'm being mischievous.)

      Being a kind bloke, I'll go for the former interpretation. At a trivial level, this means I would probably have got a similar result if I'd installed the two products in the other order. More seriously, it means that no matter which product I use, there are viruses that it won't detect. As far as I'm concerned, AV software was *never* able to offer the level of assurance that I need in a PC used for (say) online banking and certainly isn't able to offer it today.

      Fixing the problem at source is, and always has been, the only solution.

    3. Big-nosed Pengie


      No matter how much lipstick you put in the pig, it's still a pig.

      1. Wortel

        Re: Yep

        Where? hope you wore some gloves. :p

      2. mr.K


        Now, why would you want to put lipstick in a pig?

  7. Smidge

    @anonymous coward

    Unfortunately, no matter how secure an OS, the weak link is always the fleshy human bit attached to the keyboard. Even if you had a secure OS that blocked all remote execution of code from every conduit you can think of you would still get a retarded user legitimately installing malware.

    As long as there are humans interfacing with computers your network is at risk. We need some kind of Social Engineering device that stops the naive and unwary being caught out. It's simply not possible to make a system (that can still be used by 95% of the population) that is 100% immune from malware.

    Where's my coat?!

  8. Jaques Croissant


    What the eff is "Hitman Pro"? Sounds like a name that'd suit one of those scareware fake PC cleaners, that actually drops malware on your machine...

  9. Anonymous Coward


    As many companies will tell you. AV is NOT anti malware.

    It is designed to remove Viri and Trojans, but not spyware. They are not one in the same.

    So you can still get spyware if you are running AV alone.

  10. Anonymous Coward

    Was this article a barely edited SurfRight press release..?

    Because it reads like a sales pitch for SurfRight's software, it could almost have been copied verbatim from their promotional material.

  11. maclauk

    Found legitimate software

    It's easy to say you have identified dangerous software on lots of machines if you generate a load of false positives. On my machine it identified my TOR proxy as a danger and two executables from the PCB design suite Diptrace.

    Don't believe the hype....

  12. Peter H. Coffin


    People with out of date AV software or no AV software get malware infestations? Shocker! People with malware infestations seek automated advice more than people that don't have malware infestations would be equally news, equally obvious, and equally interesting. I'm all for a tasty press release concerning a new line of product now and then, or one that comes wrapping a new technology, but the "Dog bites man!" level of material probably isn't worth your time.

  13. Fred Flintstone

    Well, that's why I'm looking at switching to OSX..

    "but if OSX is popular it will also become a target"

    Sure - I'll worry about that when it happens. I am fed up to the teeth with all the bandwidth and time leeching that happens on a Windows capable PC. I want to switch on and %&*$ work..

    1. Anonymous Coward

      Remember though

      even if more people target OSX, it's still a lot more secure than windows - because you are not running in Admin mode.

  14. Anonymous Coward


    That is all...

  15. Bunglebear

    Social engineering

    No matter how good the AV or anti-malware the user will be a weak point. This will continue to be an issue because if you make something idiot-proof nature will come up with a better class of idiot. I stripped off my resource hogging AV a while ago and use third party firewalls for protection, been fine ever since.

  16. Anonymous Coward

    shilling for a shilling?

    Useless waste of time and it would help if the free version could be activated but it can't. I wonder why? This stuff is scareware as far as I'm concerned.

  17. JWS

    Why bother?

    I've used virus software once and it was useless. I've not had a virus scanner on my PC for heading on 6 years and amazingly I've had one virus in that time. If people just followed simple bloody rules for using the internet safely we would have no need for this rubbish. Also having a scanner that is updated after the fact seems pointless which is the case with most major outbreaks...

  18. heyrick

    No threats found...

    That's nice to read. Of course, upon downloading it I passed it through Avast, and then I threw it across the network to check it with AVG. I wasn't sure what that crypto-cloud upload stuff was about, so I also turned off WiFi during the scan.

    Please note, people (well, SOME of you) that ANTI VIRUS is not necessarily ANTI MALWARE. I've come across malware on computers I've been asked to fix, and in all cases it was the user (or their kids) running stuff without thinking.

    As for SurfRight (or should that be Sur Fright?), what's wrong with Microsoft's baseline security analyser to make sure you don't have any gaping holes, Microsoft's MRT once a week, an anti-virus you feel you can trust, and most of all SANE browsing practice!

    By the way, @AC, the demo version can be registered for a 30 day trial. It's the little link-thingy that says pretty much exactly that below the "enter your registration code here" input box.

  19. Crazy Operations Guy

    In other news

    Doctors are saying that people who have all their inoculations can still get sick, recommend staying out of the cold and Staying clean.

  20. Goat Jam

    Calling Captain Obvious

    "Even users running up-to-date anti-virus software still get infected with malware"

    Do we really need to be told that?

  21. James O'Brien

    This is a surprise why?

    For years virus makers have been fighting a losing battle. Trying to stay on top of a flood of viruses (virii?) with an ever growing number coming out each day. It was only a matter of time until signature based detection fails. In the past few years we have seen multiple examples of this, McAfee, AVG, *shudders* Symantec (though it can be argued they failed long ago) among others.

    The problem is there is a limit to what signatures can detect before they flag legitimate files. That time has come and gone and a new method of detection and cleaning has to be devised. Why is anyone surprised that this has been happening? Hell my dad called me twice in the last 3 days saying he had a virus on the home computer with a current version of AVG and later from his office saying he has the same one.

    We need to stop ignoring these and start educating people. Not only on what to look for when infected, but how to avoid them. In 3 years I have NEVER had a virus on this machine. YET I have no AV, no firewall and sit in my router's DMZ. Yes I know I just made myself a target but let's think about that for a minute shall we? I am the first to admit I don't visit the most wholesome sites in existence (warez crack and so on) but I do know what to look for and how to avoid it in the first place. If we helped people get even a little of that knowledge then this problem would be much less. I have trouble believing that people can't learn, they just need to have the worst happen to them once or twice then they learn....or you do what I did and restrict those people to a limited account with no privileges to install stuff....
