Friday, November 6, 2009

Andreas&Andreas Vs. the Devil

I am sure you are wondering what that title means. Let me explain: Andreas Marx and Andreas Clementi are two guys that well known in the Anti-Virus world as independent 3rd party testers that test the effectiveness of antivirus products. They work at two different companies in Germany: Av-Test and Av-Comparatives respectively. And between these two companies all the worlds anti-virus testing is done.. seriously! The magazine you bought off the newstand that claims they "evaluated" every security suite in the world in some kind of shoot out, didn't actually do it themselves. They paid the Andreas', obtained the results and then "interpreted" them and decided a winner. So far so good. But there is one BIG problem. The kinds of tests done by A&A (Andreas and Andreas) is not real world. They will dump a couple of million files in some random folder and scan the files. No real user would ever do something like this. This is not how real users come into contact with threats. Instead, the typical user will get infected by
1. Not patching and getting compromised by a drive-by download when they visit an infected site
2. Open an email attachment
3. Run a fake keygen, crack, rogue AV, Fake Codec or some other socially engineered malware
4. Open a malicious PDF

They dont scan a million files!!

Companies like Symantec have gotten tired with such test methods since they do not test 90% of what products like Norton have to offer. Norton products have probably the most layered security of any other product. They have:
a) Local Antivirus
b) Cloud Antivirus
c) Reputation with Quorum
d) Behavioral detection with SONAR 2
e) Intrusion Protection
f) Browser Protection
g) Website Reputation with SafeWeb

A&A tests just a). Bletch!!

So they hired Dennis Labs to do a real world test. The challenge (as outlined in the Dennis Labs results document http://community.norton.com/norton/attachments/norton/ModBoard/58/1/PC-Virus-Protection-2010-DTL-Report-consumer.pdf) is to expose a machine to malware like a real user would - browse to an infected website, open attachments etc.

The results were spectacular. Norton Internet Security 2010 got a 100% detection rate. Unbelievable ? Maybe.

Not surprisingly there has been a huge backlash from companies (even CEOs like Avast) claiming that the test is bogus, the results are bogus etc. Avast has not a contender in my book but after their CEO's pathetic clearly clueless reaction (Google it), they have reached a new low.

Everyone is focused on the result.. the fact that NIS had a 100% detection rate. That fact is irrelevant. What is important is that one company has taken a stand and challenged the status quo to come up with a better testing methodology that will benefit all customers, not just Norton's.

No doubt the backlash will continue to come from all the shills and ghost posters from other companies that only have a lame static file scanning engine. Avira and GData at the very top of that list.

No comments: