Anti-virus products are rubbish, says Imperva

A study released in December by US security outfit Imperva has tipped a bucket on the multi-billion-dollar anti-virus industry, claiming that initial detection rates are as low as five percent, and concluding that enterprise and consumer anti-virus spend “is not proportional to its effectiveness”. Working in conjunction with …


  1. ed2020

    ...spend “is not proportional to its effectiveness”

    My spending on AV is very proportional to its effectiveness. I avoid using Windows unless absolutely necessary and, on the rare occasions I use Windows, it is protected by freeware AV software.

    Avoiding malware costs nothing but a little time, a little knowledge, and a little caution. Use a secure OS, adopt a cautious approach to browsing and downloading.

    1. Danny 14

      Re: ...spend “is not proportional to its effectiveness”

      Wow, I can see how that would work in the state secondary school I work in. With our 500 PCs and 2 staff I'm sure I could convert to Linux, harden the system, update patches and find all the software needed.

      Back in the real world this isn't always possible. AV, regular patching and locking down installation rights are the best we can do.

    2. RICHTO

      Re: ...spend “is not proportional to its effectiveness”

      What do you call a 'Secure OS'? For instance most Linux distributions have loads more vulnerabilities than Windows does, as does OS X.

      1. Anonymous Coward

        Re: ...spend “is not proportional to its effectiveness”

        For instance most Linux distributions have loads more vulnerabilities than Windows does, as does OS X.

        Thanks for starting this year with a laugh. Be honest, do you believe that yourself? There is a reason why AV vendors removed the "OS" tag from their database of vulnerabilities - otherwise their clients would start to leave the most vulnerable platform in droves and their business would dry up. I actually work with vulnerability and malware researchers of 2 different vendors so I'm pretty close to the fire on this one.

        The sole and single reason where there is an anti-virus industry in the first place is because of Microsoft, and if you want any evidence of shoddy coding I suggest you watch what happens when you power up your Windows work machine after a week's break.

        No, I'm not advocating a switch to platform X, Y or Z - the devil you don't know means you can make mistakes there too, but being unrealistic about the security of Windows is a sure recipe for trouble. Having said that, Windows 7 was actually a bit better (no idea of 8 yet, too early).

        1. Thomas 4

          Re: ...spend “is not proportional to its effectiveness”

          Well, why not have both Linux and Windows in schools? That way kids can get experience with both OSes, and it encourages them to draw similarities between the two, which can only help their understanding of how computers work.

          Crazy talk I know.

        2. heyrick Silver badge

          Re: ...spend “is not proportional to its effectiveness”

          "and if you want any evidence of shoddy coding I suggest you watch what happens when you power up your Windows work machine after a week's break."

          Go on, tell me, what happens. Because I'm pretty sure I went in, pushed the power button, and waited for the usual startup stuff to complete... nothing extraordinary, nothing blew up, the time was even correct. Wow.

          I've had my old XP machine come out of hibernate after EIGHT MONTHS with no unexpected effects. The only quirk was it fiddled the time zone for summer time, and a tooltip popped up to tell me of this.

          So, your point is?

          1. Anonymous Coward

            Re: ...spend “is not proportional to its effectiveness”

            I've had my old XP machine come out of hibernate after EIGHT MONTHS with no unexpected effects.

            Depending on your network link you may need to wait about 10 minutes or so before the first patch warnings start to appear. You will probably have set them to automatic so you're simply used to a beefy machine running a ZX Spectrum, but I monitor everything that flows through my network because of my work and boy oh boy, a cold started Windows box sure does a lot of catching up.

            Incidentally, you're right in that there are no UNexpected effects because the above is well known - and you know it.

      2. Anonymous Coward

        Re: ...spend “is not proportional to its effectiveness”

        RICHTO's question: "What do you call a 'Secure OS'?"

        Answer guidance:

        Windows: 0.25 points

        GNU/Linux: 0.5 points

        OpenBSD: 1 point

        Best general answer: OpenBSD ;)

        1. RICHTO

          Re: ...spend “is not proportional to its effectiveness”

          OpenBSD is a reasonable answer - it has a relatively low vulnerability count.

          Linux isn't - it is much worse for vulnerabilities than Windows - and is a hacker's dream on the internet...

    3. Anonymous Coward

      We installed Imperva's database auditing software agent on an SQL cluster and it promptly fell over. Pile of junk. (Eventually we went for Quest Change Auditor which, while not perfect, at least doesn't take out your server.)

      1. David Cox

        If you're going to slag someone's product, then you should at least have the courage of your convictions and not go under "anonymous coward", if not actually cite some proof (!). Downvoted.

        1. Anonymous Coward

          How would someone prove a server crashed? Sounds too believable and specific to be made up imo....

    4. LarsG

      Re: ...spend “is not proportional to its effectiveness”

      Just like in medicine, a human being can be inoculated against certain nasties because the virus is known and measures to deal with it are already in place.

      If a virus has mutated or something 'new' appears research is needed to develop the drug to deal with it.

      I have no idea what point the article is trying to make. Anti-virus software will always be better at dealing with what is known than with what has not been discovered yet. As soon as it has been discovered, Norton, Kaspersky etc. get on the case and update their databases accordingly.

      This protects us from the majority of the script kiddies, unfortunately some will get through every now and again until the 'cure' has been developed.

      There is nothing new in the Imperva research; it sounds like scaremongering to further whatever they are offering to sell.

    5. Gordan

      Re: ...spend “is not proportional to its effectiveness”

      Does the "spend" include the extra cost in CPU requirements to get anything done with AV software running? I find that with on-access scanning enabled on an average CPU (2.4GHz Core2) doing things like installing software or windows updates takes 2-3x longer than it does without having it enabled.

      The AV vendors' solution to malware proliferation seems to be to create anti-malware products that consume all resources on the machine to the point where it is made unusable, presumably in order to impede the spreading of malware.

      1. Fred Flintstone Gold badge

        Re: ...spend “is not proportional to its effectiveness”

        The AV vendors' solution to malware proliferation seems to be to create anti-malware products that consume all resources on the machine to the point where it is made unusable, presumably in order to impede the spreading of malware.

        No, no, that's on smartphones. Do pay attention :)

    6. teebie

      Re: ...spend “is not proportional to its effectiveness”

      time is free now?

    7. gromm

      Re: ...spend “is not proportional to its effectiveness”

      Oh yeah. I took this approach for a while, and it worked too.

      Up until about 2006, that is. Around that time, viruses started getting spread by images in websites and other novel routes. You'll also notice that this was about the time when dual-core CPUs basically became *necessary* so that one CPU could do near-constant virus scanning, while the other did useful stuff.

      We live in a world now where "avoid scummy e-mail and websites" isn't enough protection. And I say this from my Linux workstation.

    8. Snake Silver badge

      Re: ...spend “is not proportional to its effectiveness”

      If your "freeware AV software" is AVG Free, you got EXACTLY what you paid for. I'm SICK and TIRED of removing viruses from infected computers that are running AVG Free...

  2. djstardust

    The whole thing is a vast money making scam.

    I wouldn't be surprised if these large companies covertly pay people in Outer Mongolia to create viruses and malware to keep the gravy train going.

    I have never paid for AV and follow simple rules.

    1 - Avoid warez, porn and dodgy gaming sites

    2 - Look for free alternatives. I have been running MSE and Spybot S&D for ages and only the odd bit of malware is ever found.

    3 - NEVER open an attachment you do not trust or know where it's come from.

    If you browse dodgy sites then by all means pay to block shit out, but if you are avoiding all the usual places then there's no need to pay at all.

    1. Oliver Mayes

      I've had warnings from avast about malware embedded in advertising links on reputable sites many times. It's not only 'bad' places that can become infected.

    2. Anonymous Coward

      Even worse: sometimes the virus scanner can be an even bigger problem than the threat it's supposed to stop. When I started doing more company stuff on my PC (self-employed) I decided that, since I liked Avast up to that point, I should simply show some support and apply for a one-year subscription.

      And then it started; they introduced their "Internet security suite" and I got a free upgrade. It could scan my e-mail, web traffic, the system itself and all through separate engines. So far, so good. Since I don't use torrents / peer to peer stuff on this PC I could turn that down, messenger and such; same deal.

      However, I soon started noticing that whenever I did a global update on some in-house software (which basically opens 20 - 30 simultaneous network connections for a moment and passes a few kB of data) my PC would freeze. Completely. Only after a while would it become responsive again.

      You'll never guess what it was: Avast. And not even because it thought that I had some sort of virus; it was because their firewall was plain out crapware: it simply couldn't cope with a simultaneous 30-peer data stream, so instead it sucked up all the resources it needed to cope.

      Right now I use MS security essentials, the PC gets a full scan every once in a week and that's the end of it.

      1. Anonymous Coward

        Re: @DJ

        Time and time again it's proven that any anti-virus software is better than none at all, but paid-for security outperforms free in every case. Strangely, a recent anti-virus software test in a leading UK PC magazine found Microsoft Essentials at the bottom of the pack. Other tests in other magazines confirm this.

        1. Mike 125

          Re: @DJ

          Ok, wow, so it seems the evidence is overwhelming. And you present it so well. Thank you.

        2. jason 7

          Re: @DJ

          @AC Re. recent AV tests and MSE

          I've found it quite interesting that for quite some time MSE always tested really well and was always recommended.

          However, now that it's been reconfigured into Windows 8 as Defender as standard (which basically means you don't have to buy Kaspersky/Norton/McAfee etc. etc. any more), we are getting a raft of 'independent' reports stating it's not very good.


    3. Anonymous Coward

      Although I admire your common sense stardust (yes, a thumbs up will be on its way), unfortunately lots of people choose not to follow it. So many of the student laptops I saw whilst working at a school in my first proper IT job came in with a whole host of viruses, malware and spyware. The other issue was netbooks being too slow to even host Windows XP/7, which caused AV that was planted on there by recommendation of "PC World" to make them extremely sluggish. We're also still at a stage where parents of primary/secondary school kids are still out of touch with computers and cannot educate their children on how to use the internet properly. Just pure carelessness because there's a lack of understanding of what's out there on the web. And the kids in the know always encouraged torrents and illegal downloads with other students who weren't in the know.

      This comes back to the education system in the UK being clueless and refusing to update the syllabus to teach these sorts of common sense skills (along with word processing, spreadsheets and other stuff businesses want). So how on earth will our future generations know what a good site and a bad site is? AV vendors will keep winning easy money until people are properly educated about common sense IT skills and the web in general.

  3. nuked

    Wait, so AV doesn't work?

    1. Anonymous Coward

      It works if the virus is known about; if it's new then it's not going to get detected. The virus scanners look for specific patterns in files rather than recognising bad behaviour.

      1. nuked

        Set sarcasm receptors to 'on', would you?

  4. koolholio

    The reality is all too real

    However there are some, such as boot sector infections which stem from simple injections, which were made for Linux and Mac OS X and also Android etc.?

    So usually knowing how to configure the antivirus/security package (given there's a difference) and also how to configure / deploy the network and application infrastructures with it usually works best, given that not even Unix is 'invincible'?

    To think that Windows is the only vulnerable system is naive, in this Universal Plug and Play world!

    It's clear to see the "report" heavily promotes McAfee as 'the most robust' --- pfft, okay! Whatever you say lol

    1. Ole Juul

      Re: The reality is all too real

      To think that Windows is the only vulnerable system is naive, in this Universal Plug and Play world!

      You might well be totally correct. I'm always into learning. Since I have a box here where it wouldn't matter, would you be so kind as to post a link that I could click on with a NIX system and get a virus? That would really help me learn about this situation and I'd really appreciate it. Thanks.

      1. RICHTO

        Re: The reality is all too real

        Web site to root a UNIX based system just by visiting a URL - here you go:

        Here is another:

        1. Anonymous Coward

          Re: Web site to root a UNIX based system just by visiting a URL

          Well they didn't "root" my system just by visiting those URLs. Back under your bridge TROLL

          1. Anonymous Coward

            Re: Web site to root a UNIX based system just by visiting a URL

            Well they didn't "root" my system just by visiting those URLs. Back under your bridge TROLL

            And you would know this how? :)

            1. Anonymous Coward

              Re: And you would know this how

              Errmm by looking at the source of the webpage, by viewing portmap info, by viewing my router log. I could go on but then it must be over your head. So no, those pages don't "root any *nix operating system". They simply provide tools to do so when you choose to employ them.

        2. Chemist

          Re: The reality is all too real

          "Web site to root a UNIX based system just by visiting a URL - here you go:"

          I see the usual abysmal quality of your 'information' hasn't improved with the new year - what a load of FUD

          1. RICHTO

            Re: The reality is all too real

            I'm not clear how that is FUD - the first link will root unpatched iOS based systems - which is based on BSD UNIX - and the second will root unpatched Android systems - which is based on Linux.

            1. Chemist

              Re: The reality is all too real

              "I'm not clear how that is FUD"

              Gosh, I thought you'd know !

              Just visiting the link doesn't root the phone - you have to get involved - there's even a link for donations for goodness sake.

              This no more roots an OS than me deciding to put a different Linux distro on a computer as far as I'm concerned.

            2. Peter Gathercole Silver badge

              Re: The reality is all too real @RICHTO

              WRT the FUD claim and the links to URLs that you claim will affect iOS and Android.

              Question. Do you understand the application deployment model in either iOS or Android?

              In both cases, the way applications run is handled by a layer ABOVE the OS. So when you talk about it 'rooting' the OS, that is almost certainly not the correct terminology. Rooting by definition means getting access to the root account on UNIX-like OSs.

              What has been compromised here is the application framework, *NOT* the underlying OS. In both cases, the underlying OS will be untouched. In terms of what a user sees, the result may appear to be superficially the same, but if you are going to make such claims, it is vitally important that you understand what you are talking about. Anything else is FUD, especially if you are spreading fear as a result of your uncertainty and doubt.

              These specific issues are rather analogous to a Facebook application or account being hacked or a vulnerability in IE or other browser, while the underlying OS, whatever that is, remains untouched (unless, you run the browser from an admin account of course, in which case all bets are off).

              This is one of the historical differences between UNIX based OSs and Windows. Unless you take specific actions, you will *NOT* be running applications as a privileged user on UNIX, BSD or Linux. This was not the case on Windows before Vista, where many people's normal accounts had full Administrator privilege. This has changed, for which I say Hurray! but it took a long time for MS to recognise this (although NT was designed with a good security model from the ground up, even though it was rarely used to full potential).

  5. Anonymous Coward

    It's about time OS defence techniques were tightly integrated into the OS.

    1. The Vociferous Time Waster

      Oh go on, I'll feed em...

      Hard to resist the idiocy of the comments here.

      1) Viruses for Linux are fewer in number because Linux users are fewer in number; where's the incentive?

      2) Tightly integrating malware protection into the OS is something MS are trying to do but there is massive resistance from the software devs. A trusted platform methodology would never fly with the FOSS brigade because they want to run what they want when they want with no protection.

      1. Destroy All Monsters Silver badge

        Re: Oh go on, I'll feed em...

        > Hard to resist the idiocy of the comments here.

        Well, thank you for really adding to it.

      2. snarf

        Re: Oh go on, I'll feed em...

        Yeah, because the FOSS brigade are exactly who dictate the direction of Microsoft's security policy...

        I've misappropriated the Sherlock icon, as I'll have some of what you're smoking, cheers.

      3. Jason Togneri

        Re: Oh go on, I'll feed em...

        "2) Tightly integrating malware protection into the OS is something MS are trying to do but there is massive resistance from the software devs"

        No, it's not the software devs and certainly not the FOSS lunatic fringe. It's the core userbase, who are used to having it easy (at the expense of security). MS made a botched attempt at locking down root with Vista's invasive UAC, and finally got it right in Windows 7's more subtle UAC. Remember, this is a feature that *nix users take for granted, not running with superuser rights without specific necessity to do so. But suddenly it's an annoyance that Windows users, installing from day 1 with Administrator accounts, never had to get used to. It's as much in the end-users' resistance to change as anything else. I'm by no means a Microsoft fanboi, but you can't say they aren't at least trying, and it isn't all their fault.

        Additionally, I do use Microsoft Security Essentials on many of my Windows machines - it's lightweight, relatively effective, and does pretty well when partnered with a competent hardware firewall. However, although I agree with other posters that making security more an integral part of the OS is an essential goal, how many anti-trust suits do you think the AV market and the anti-MS brigade will bring if Microsoft started bundling their AV solution with their OS? It would be the IE browser wars all over again, but this time in a bad way. Choice is fine, but not at the expense of security.

        1. Fuzz

          Re: Oh go on, I'll feed em...

          " many anti-trust suits do you think the AV market and the anti-MS brigade will bring if Microsoft started bundling their AV solution with their OS?"

          Don't tell anyone else but they're doing this already and so far no one is kicking up a fuss. Windows 8 has a new version of Windows defender that includes the functionality from MSE.

      4. jonathanb Silver badge

        Re: Oh go on, I'll feed em...

        On internet-facing servers, the number of Linux machines is around the same as or a bit higher than the number of Windows machines. If you are a botnet operator, those sorts of machines are much more valuable than desktops.

  6. Magani

    Let's face it... it's hardly surprising that AV publishers want to sow a little FUD around the place from time to time.

    The balance lies in knowing what's a real threat and what's just smoke and mirrors. I suspect most El Registas know the difference and can make up their own minds about the right course of action for themselves.

    The real problem arises when Joe Public/Auntie Myrtle/Your brother-in-law clicks on a dodgy web page or opens the You've-won-a-squillion-dollars email and wonders why their PC has turned into an IT version of Typhoid Mary.

    The AV industry probably protects at least some of them from themselves. The rest are a profit centre for home visit, fix-your-PC types.

  7. Mage Silver badge

    Educate the User

    Occasional use of Silent Runners (Windows) and rootkit detection etc. to check the education.

    Almost all infections in my experience of cleaning others' messes are self-inflicted. Mindless opening of mindless attachments or stupid installs. Mindless clicking on "OK".

    1. Anonymous Coward

      Re: Educate the User

      That's not always the case though, which is why it winds me up when people say "just don't visit dodgy websites". Non-dodgy websites can still be compromised: for example, Lenovo's website has infected visitors with trojans in the past, a couple of days ago it was the Council on Foreign Relations, and I've even seen a live eBay listing in the motors and vehicles section compromised by overlaying on top of the original listing.

      I know a lot of people don't help themselves, but others shouldn't be under any illusions that they're above it all just because they don't open email attachments or visit 'dodgy' sites (whichever ones they are).

    2. Tom 35

      Re: Educate the User

      Not all are self-inflicted, but when you see a user with 3 or more toolbars on IE there is a good chance that running Malwarebytes will find something nasty as well.

      1. Dave Bell

        Re: Educate the User

        That's apart from IE?

        It doesn't help anyone that some corporate applications depend on notoriously old and insecure versions of IE.

        Thing is, a single defence method is never going to be reliable. Avoiding the dodgy sites doesn't avoid infected sites. An AV scanner will never detect everything. There are ways to subvert firewalls. No OS is free of exploitable bugs, even if it is designed to be secure. But using several of these techniques makes it much harder for the virus/malware writer.

        So the average Registard may not be as safe as he thinks. And the UI of Windows 7 does rather tend to encourage people to click on "OK", because you get the same dire warning for so many different things. I have not used a modern Mac, but I would be unsurprised if it had the same problem. My AV software does go for a spectacularly different pop-up warning box. Multiple layers of defence, again.

        Remember, moats don't stop alligators.

        1. Danny 14

          Re: Educate the User

          Poisoned adverts have appeared on many "normal" sites before now. Granted, these tend to use "less than zero day exploits" or toolkits, so they should be detected with AV.

  8. Anonymous Coward

    Google: Symantec Sucks (top hit)

    So-called cure is *literally* worse than the disease.

    MS-SE seems tolerable.

  9. Benjamin 4

    I'll stick with using an AV suite, ta very much. I've used unprotected machines, admittedly back in the dark days of XP / IE6 so maybe things have moved on, but they were riddled with viri very quickly. (I use viri as a generic term for viruses, worms, trojans, adware, spyware, whatever else the latest term du jour is)

    I use Eset Small Business Security, which costs something like £15-20 per machine per year, which seems a worthwhile investment, and I've never had a virus slip past it. Maybe I'm lucky, maybe I'm not the target of this report, but for the money it costs me I'll stick with it.

    1. jake Silver badge

      @Benjamin 4: "viri" is incorrect Latin.

      In English, it translates more properly to "viruses".

      The correct term for what you describe as "viri" is "malware", short for "malevolent software".

  10. Steve Crook

    Better than nothing at all...

    So, what they're really talking about is the so-called Heuristic scanning that's supposed to nip infection in the bud, and the responsiveness of the vendors to update signatures when a virus is found. Everything else works pretty well by the sound of it...

    Given some of the problems we've seen with rogue scanner updates trashing legitimate OS components, I'd rather they took a little time to do the testing to make sure it's not going to brick my OS. I try to be careful in what and where I visit, so I hope there's not too large a window of opportunity.

    As for the heuristic rubbish, did anyone really believe that worked in anything but the simplest cases?

  11. Gary F

    Blame staff for infections more than poor value AV software

    If you're going to get a virus infection then it's most likely to be one of the more common viruses. Therefore any anti-virus program is going to be reasonably effective on average in terms of protecting you. Any brand new virus can take time for AV software to receive an update to detect and resolve the infection; there will always be casualties to begin with, much like any human viral outbreak. Sad but true.

    I have used AVG Free for well over a decade on many personal PCs and it's been fantastic, and certainly lets machines run smoother than the more bloaty and costly products. I pay for AVG for use on servers and it's very cheap so the value is excellent. (No infections in 6 years)

    In my view enterprises should spend less on AV licences and more on implementing and policing better IT security policies for staff. Most infections are down to the ignorance or risk taking of staff - which can be avoided if staff were better trained on the subject and IT was better policed (physical and network). That sounds a bit draconian but what do you expect if staff bring in files on a USB stick to print off on the office printer, or download executable files at work, or open emails that most of us would find suspicious, or access Facebook (clicking on links), etc. This stuff should be done on computers at home or personal smartphones.

    When I was younger I hated these sort of rules and I was a risk taker. But 15 years on I'm more experienced and have bigger responsibilities so this "draconian" approach helps safeguard the business, jobs and reputation. Damn, I sound like my old boss. I'll be wearing the same sort of clothes as my dad soon too probably.

    1. RICHTO

      Re: Blame staff for infections more than poor value AV software

      In an enterprise, you need more than just 'Free AV' - you need to be sure that your devices have up to date AV software and definitions - and you need to be able to report on exceptions. You also need central control of AV policies and exceptions. If there is a free product that does this well, then I haven't found it yet.

      Also many vendor enterprise AV solutions are part of a suite that includes full endpoint control (e.g. access control to CDs, USB, etc, and control of encryption on portable media, configurable IPS and firewall, etc, etc.)

      1. Danny 14

        Re: Blame staff for infections more than poor value AV software

        Indeed. Lockdown of installation rights to stop drive-by installers (rather than injection) also helps. Central web filtering to minimise exposure to known naughty websites etc. Fairly common sense stuff for enterprise.

  12. This post has been deleted by its author

  13. MrT

    ... the study revealed that virus writers** improve their chance of evading detection by keeping a low profile."

    **Also works for spies, tax evaders, love cheats, burglars, Santa, stealth bombers, the Higgs boson, etc, etc, etc.

    The DotBO is sponsoring some cracking studies lately...

  14. Allan George Dyer

    Flawed study?

    Full disclosure: I sell anti-virus software and do a little research on viruses and related security areas.

    I was surprised at the small sample set Imperva used - just 82 samples, collected from honeypots, Google and hacker forums. Can this really reflect on effectiveness against the millions of malware samples known to exist?

    In comparison, AV-Test uses two test sets in its Protection tests:

    * All malicious files they discovered in the last 6 – 8 weeks: around 100,000 – 150,000 files.

    * Extremely widespread malicious files they discovered in the last 6 – 8 weeks: around 2,000 – 2,500 files.

    Looking at the full study, there is another surprise - Imperva do not do their own testing, they threw the samples at VirusTotal. VirusTotal is a useful website, but they are quite explicit that it is unsuitable for product testing. Imperva takes the short form of VirusTotal's advice, "not designed as a tool to perform antivirus comparative analyses", and counters it in their 'Limitations' section by saying that they are not doing a comparison. They ignore the longer advice, which details why VirusTotal is unsuitable for both comparative and effectiveness testing.

    Anti-virus testing is notoriously difficult, and competent researchers put a lot of work into making sure they use methodologies that will produce relevant, reliable results. Did Imperva?

    1. Dr. Vesselin Bontchev

      Re: Flawed study?

      Excellent points, Allan! (Hi there, BTW. Long time, no see. Yes, I'm still alive.) Here are a few more:

      1) If Imperva are selling a security product, then it is highly unethical for them to test (or even comment on the quality of) other people's security products. They are obviously biased. As the following points demonstrate, they are incompetent, as well.

      2) They don't seem to distinguish between viruses and malware in general. Most of what they have used in the tests were not viruses but various kinds of Trojans. Trojans don't "spread"; only viruses are able to replicate themselves. It is because of this lack of self-replication that the spread is low and the AV vendors haven't got samples or got around to implementing detection of them. With thousands of new malware variants appearing every day, the AV vendors are forced to concentrate on handling the more widespread threats first.

      3) They don't seem to understand how AV works. There are two main kinds of AV solutions - malware-specific ones and generic ones. The malware-specific ones (commonly known as "scanners") are what most people think of when they talk about AV products. As their name suggests, such products detect KNOWN malware - known to their producers, that is. If it is not known to them, they won't detect it. Revealing the "troubling" fact that such products are not very good at detecting unknown malware is like saying that a screwdriver isn't a very efficient tool for nailing nails. It's true, but it is a completely pointless statement and only reveals the incompetence of the person saying it.

      The generic AV products (of which there are various kinds - heuristic analyzers, behavior blockers, integrity checkers, etc.) try to detect malware not known to them by using some generic knowledge about its structure or behavior (like "if an executable file tries to modify another executable file, this is suspicious" or "if a set of executable files have one and the same code at the end and this code receives control when the file is executed, then they might be infected"). Unfortunately, it is mathematically provable that it is impossible to detect all possible viruses without causing false positives. (The proof is constructive - i.e., if you claim to have an algorithm that does it, the proof shows how to construct a virus for which the algorithm will fail.) In the above examples, the "executable modifying other executables" could be a compiler or a linker, and the files having common executable code at the end might be compressed and executing the decompressor at runtime. So, most AV products of the generic kind try to strike some kind of balance between detection and false positives.

      Most AV packages nowadays try to combine products of both kinds. However, VirusTotal uses only the known-malware scanner part of them. Testing it with unknown malware is simply wrong.

      Finally, even if Imperva's claim were true (which, I contend, it is not), would you rather use something that gives you a 5% chance of protection or nothing at all?

  15. Anonymous Coward

    You can get working heuristics-based IT security products

    Yes, a strict AV product is not going to work against a zero-day virus attack, because there is no signature. However, most AV products now have embedded features like heuristics to help steer you away from phishing sites and identify processes that are trying to perform suspicious changes or unauthorized traffic within your system.

    Chucking AV (which protects you from known-viruses/worms/etc.) is pretty irresponsible, considering the "installed base" of malware that can infect your systems. And AV firms do make a major investment in honey-pot and sensor-based detection networks to make sure that unknown malware doesn't stay unknown for very long.

    And who wants to put their job on the line by going in front of company management and saying "Yeah, really sorry about the worm that infected our storage, but Imperva notified me that we didn't need to spend on AV anymore".

    1. jake Silver badge

      ::heh:: memories ... Re: You can get working heuristics-based IT security products

      "And who wants to put their job on the line by going in front of company management and saying "Yeah, really sorry about the worm that infected our storage, but Imperva notified me that we didn't need to spend on AV anymore"."

      In 1988, the Morris Worm affected the Sun3 systems at work. It did NOT affect my personal DEC system under Bryant Street in Palo Alto. Why not? Because I didn't really trust remotely available software being made available to all and sundry, and had all that stuff turned off on the internet-facing gear. In modern terminology, I was using the DEC kit as an early version of what we now would call a "stateful firewall" (behind it was an AT&T PC7300 "UNIX PC", running the actual server code).

      I had warned my company of the potential vulnerability. TCP/IP wasn't perfect, was still a research platform, and those of us in the trenches knew it (the same applies today, BTW!). I got to say "I told you so!" to the Board. It was fun to see the red faces of the VPs, & watch 'em wriggle ... the big grins from my Boss (the Senior Member of the Technical Staff), and from the CEO (who was the tech who started the company) were just gravy ...

      I got a largish raise and larger packet of stock options for proving to management that I really did know what I was doing, a good reputation in my chosen field ... and was allowed to keep the pilot-build Dual-Pedestal Sun 3/470 "Pegasus" that I was testing, complete with source, from a grateful Sun Microsystems for cleaning up their Internet facing gear.

      The Sun replaced the DEC kit under Bryant Street two years later. She's still there, happily supervising the friends&family private network in what is probably the world's oldest colo :-)

      1. This post has been deleted by its author

        1. jake Silver badge

          Re: ::heh:: memories ... You can get working heuristics-based IT security products

          Uh, no, AC. The Morris Worm exploited holes in the network code itself. It had no need of 1d10t wetware to assist in propagation.

  16. SoulSherpa


    A company that sells non-"anti-virus" computer security kit performs a study that concludes "anti-virus" products are rubbish.

    So, so shocking.

  17. Anonymous Coward
    Anonymous Coward

    I think it's a bit like driving: act reckless for long enough and you will crash, it's just a matter of time. With that said being as careful as you like doesn't mean you won't crash.

    Also, I thought a fair few of these guys now do this 'keep you safe while shopping or banking' lark as well as firewalling, anti-spam etc. Do we know how good any of that stuff is? I see the AV side get talked and bashed and all that but I rarely see those bits mentioned.

    And why the hell am I posting comments at 2am...

  18. jason 7
    Thumb Up

    Folks, give EMET3.0 a try.

    It's designed to mitigate the unknowns by forcing all apps (or those that you choose) to run with DEP/ASLR and SEHOP. It acts as an extra defence alongside your current AV.

    Anything nasty or unknown just gets stopped dead in its tracks and you get informed as to why.

    Been using it with MSE for several months now and I install it on all new machines I roll out with the 'All' apps profile (stored in the EMET file in Program Files) at maximum settings. I then add in any other .EXE files that may go near the web.

  19. crayon

    'Bankers also don't push pencils through screens "just to see what would happen".'

    Of course, they are too busy crashing the economy and see who'll pick up the pieces.

    "Tightly integrating malware protection into the OS is something MS are trying to do"

    I read that as "Tightly integrating malware into the OS", which is something MS has been doing since forever.

  20. Andrew Moore

    Where's Sophos???

    Oh, that's right Sophos probably don't qualify because they now do 'Endpoint Security' rather than 'Anti Virus' products.

  21. John Robson Silver badge


    Why do we still try to blacklist?

    Surely we can use some distributed system (DNSSEC maybe) to allow for companies (large and small) to distribute md5 checksums for "approved" releases.

    1. Jerren
      Thumb Up

      Re: Whitelist...

      @ John Beat me to it... ;-)

      Black list and Heuristic Algorithms are great for catching stuff you already know about and they will catch what they know and a few things they shouldn't based on the patterns that have already been established. As a pen tester I can say none of the exploits I have used (ahem only with signed authorization or on my own boxes that is..) have ever tripped off an AV client, there are plenty of repackagers that are way too easy to use out there not to mention toolkits like SET that will do it for you from a menu option.

      It doesn't mean they are worthless or you can safely surf naked (e.g. running with no AV/firewall), it just is what it is, a filter to catch known bad stuff. Think of it as getting a flu shot, it works against the bugs you predict you'll be exposed to but not everything that makes you sick.

      White listing is a great solution, and I personally think it IS the best one, basically it only allows you to run what the system admins have "pre-blessed" is ok to run on your system. It works, it works very well when implemented properly....

      Which is the problem. Most companies who sell white listing applications out there do not tell you the effort involved in maintaining that white-list. One security researcher I know once commented a corporation will need to hire 4 times the number of staff needed to run a proper AV and patch management implementation in the same environment. I mention patch management since that now has to be tied into the process since the patches themselves need to pass through the white-listing process as well, which can add delays in implementing patches which may cause friction for management who have been pushing for ever shortening patch cycles; of course white listing actually prevents the risks driving these demands in the first place, but it typically comes up in the discussion.

      The other issue I see most commonly is delays or frustration due to over-complex white listing processes for new applications can cause users to rebel against corporate systems and you will see a surge in BYOD (Bring Your Own Device) or copying data to portable storage to use on personal laptops outside of the company's control. USB sticks get lost, personal laptops get hacked or stolen, it can be a nightmare if you do not have controls in place to enforce policies against it.

      When all's said and done, a properly funded, managed, and implemented white-listing program offers the best defense against all exploits. Sadly, it's just too damn expensive for most organizations to do properly. :-(

      1. John Robson Silver badge

        Re: Whitelist...

        Hence my comment about vendor provision of md5 via something like dnssec.

        Most people would trust MS not to be virus (jokes aside), so they would simply sign/hash their patches/versions and provide the requisite authentication via dnssec-alike...

        Smaller organisations need to sign fewer releases, that's OK.

        Then you start explicitly trusting organisations, not testing all software you run. Revocation would be important.

        Thought would be needed for offline devices (although they are typically easier to secure via "normal" means...)

        1. Anonymous Coward
          Anonymous Coward

          Re: Whitelist...

          Well done. You just re-invented code signing.

          I wouldn't bother trying to patent it, though.

          1. Jerren

            Re: Whitelist...

            @AC - Actually no it's not code signing, it's basically hash enforcement at the OS level - if the app and hash you have stored on the PC when you try to save/execute doesn't match the version on the white-list on the server it is blocked. It's been a feature of Windows Server for years as well as several 3rd party tools.

            This goes well beyond malware protection to address what users can and cannot load on their systems; if your group doesn't have permission to, say, run Firefox you cannot install or run it, period, whether it's a "trusted" source and code signed or not doesn't make a difference. If it's not on the list it's not going to run on your PC, period.

            I stand by my comments before, it's highly effective when done right, but it can take a lot more effort and money to implement properly than AV and IPS devices like Imperva.
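The hash-enforcement scheme this sub-thread describes, as an added example (not code from any of the commenters or from any product): an allowlist keyed by program name and file hash, with the revocation list John Robson asks for, and a validly signed but unlisted binary still refused. SHA-256 is assumed in place of the MD5 mentioned above, and every file, name and hash here is constructed.

```python
"""Constructed demo of OS-level hash allowlisting (added example, not from the thread)."""
import hashlib

# Constructed manifest of "pre-blessed" releases: program name -> approved hashes.
# SHA-256 is assumed instead of MD5: MD5 collisions are practical, so an MD5
# allowlist could be matched by a crafted file.
APPROVED = {
    "notepad.exe": {hashlib.sha256(b"notepad v1 bytes").hexdigest()},
    "build.exe": {
        hashlib.sha256(b"build v1 bytes").hexdigest(),
        hashlib.sha256(b"build v2 bytes").hexdigest(),
    },
}

# Revocation list: a release that was approved, then found to be bad.
REVOKED = {hashlib.sha256(b"build v1 bytes").hexdigest()}


def file_hash(data: bytes) -> str:
    """Hash of the bytes about to be executed, computed at check time."""
    return hashlib.sha256(data).hexdigest()


def check_execution(name: str, data: bytes) -> tuple:
    """Decide whether `data`, presented as program `name`, may run.

    Returns (allowed, reason). Code-signing status is deliberately not an
    input: as Jerren says, a signed binary that is not on the list is still
    blocked, and a listed binary whose bytes changed no longer matches.
    """
    digest = file_hash(data)
    if digest in REVOKED:
        return False, "revoked"
    if name not in APPROVED:
        return False, "not on list"
    if digest not in APPROVED[name]:
        return False, "hash mismatch"  # tampered, or an unapproved version
    return True, "approved"


def audit(attempts):
    """Run the policy over a batch of (name, bytes) execution attempts and
    return the blocked ones with their reason, for the admin's log."""
    blocked = []
    for name, data in attempts:
        ok, why = check_execution(name, data)
        if not ok:
            blocked.append((name, why))
    return blocked


if __name__ == "__main__":
    # Constructed execution attempts: two good, three that must be stopped.
    attempts = [
        ("notepad.exe", b"notepad v1 bytes"),
        ("build.exe", b"build v2 bytes"),
        ("build.exe", b"build v1 bytes"),
        ("notepad.exe", b"notepad v1 bytes patched"),
        ("firefox.exe", b"firefox bytes"),
    ]
    for entry in audit(attempts):
        print("blocked:", entry)
```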

  22. Hubert Thrunge Jr.
    Paris Hilton


    Other than the state generated virii for "their" purposes, does anyone wonder if many of the anti-virus companies actually write the bloody things to self perpetuate their income?

    Thankfully my PDP8 isn't affected by these Windows/XML/HTML/FLASH/etc.. critters. Though it did all go horribly wrong when some numpty used an A4 Hole Punch on one of my paper tapes the other week by mistake.

  23. Alan Brown Silver badge

    peanuts and monkeys

    You may be paid 115k in SoCal, but the pay offered in UK schools is a long way short of that - and they get the calibre of staff that you'd expect as a result.

    Not to mention that because the people holding the purse strings only know desktop systems, they think that everything is a desktop system and networking can be achieved using cheap hubs - which promptly melt down when 30 PCs in a classroom simultaneously try to access the same fileserver. There are far more effective ways of locking down systems, as have already been mentioned (fixed images which restore on reboot so it doesn't matter what the little scrotes try to install, thin clients, etc etc etc)

    The standard model in education systems is to go for the cheapest possible option, then maybe rip it out and pay for another half-baked cheap solution when it doesn't work, instead of actually doing the job right the first time.

    Raspberry PIs are cheap enough that they can be a required consumable for the course - just like calculators.

    As for pencils through monitors, the classroom CCTV will finger the real culprit fairly quickly, for shagging round with networks and power switches, it's easy enough to make things get very loud when Dennis the Klepto puts his hands around the back of a machine - and if you use a thin client it's a lot easier to deal with. For starters, the box doesn't need to be on the desktop.

    None of this matters when you realise that UK "Computing" in schools is about teaching kids how to use Excel or Word by rote to the point that an unfamiliar revision of the software often results in handwaving and tantrums from those with various pieces of paper which claim that the holder is computer-literate.

    (Cynical? Me? Not really. I have to deal with what comes out the other end and quite frankly most secondary-level "computing" qualifications are fit for wiping your arse with, but usually the paper's too shiny even for that simple task.)

    1. Anonymous Coward
      Anonymous Coward

      Re: peanuts and monkeys

      Actually, while I agree with almost all of what you've said, from a personal point of view, there's a bigger problem with what passes for "IT" in UK schools. A friend's children were recently told that homework had to be handed in electronically, in MS Word or MS Excel formats.

      Did the school pay for the software licences? (Not the stupidly restrictive education ones, the full licences?) Yeah right. Reason given? Oh, that's what the teachers use. Well then, tell the teachers to learn more than one application suite. On their own time, like the rest of us do - and if they need a training course they are free to pay for it.

      "(Cynical? Me? Not really. I have to deal with what comes out the other end and quite frankly most secondary-level "computing" qualifications are fit for wiping your arse with, but usually the paper's too shiny even for that simple task.)"

      I disagree, sorry. I don't think you're being cynical enough :-)

    2. RICHTO

      Re: peanuts and monkeys

      Microsoft have a neat solution for this type of school environment. You can have 1 PC in the classroom shared by the pupils on thin clients. See

      Good for training rooms, etc. too.

  24. Dr. Vesselin Bontchev

    Excellent criticism of Imperva's so-called study

    Some of the juiciest quotes:

    "imperva keeps shopping this quackery out to more and more media outlets where it gets gobbled up and regurgitated uncritically by writers/editors (who really ought to know better if reporting on this sort of topic is part of their actual job)"

    "imperva has behaved like a dung beetle, persistently rolling this turd around, but somehow it keeps getting bigger like some katamari damacy of bullshit"

    1. diodesign (Written by Reg staff) Silver badge

      Re: Excellent criticism of Imperva's so-called study

      Although, TBF, we've taken Imperva's study with a pinch of salt and reported it as mere claims.


    2. jake Silver badge

      Re: Excellent criticism of Imperva's so-called study

      I run no AV snake-oil. No need, with a properly put together system.

      Dr. V.B. sells snake oil, as do all the other anti-malware marketards.

      If you know how to run good code, snake oil is not necessary.

      If you don't know how to run good code, you're screwed right from the git-go. Might as well pay somebody to make yourself feel better about being vulnerable, whilst still being vulnerable through your own ignorance ... or perhaps you'd be better off off-line entirely?

      Whatever. It's your money/privacy, not mine.
