By Robert Vamosi
Don’t shoot the messenger when it comes to AV test results.
The fact that MSE barely got certified by AV-Test.org shouldn’t be easily dismissed — not without considering all the facts.
Free products are rarely the best products
Since the 1980s, antivirus engines have used signature-definition-file databases to detect malware on infected systems. For this to work, new malware has to be discovered and analyzed, then have its specific signature added to the database. That means frequent database updates. Antivirus vendors typically charge a fee for the software engine and an additional fee for a signature-file update subscription. Most AV vendors make their products obsolete every two to five years, forcing users to update to the latest engines.
Until recently, free antivirus software was not recommended for the average PC user. It was often more complicated to install and maintain. Then a few big-name vendors, such as AVG, started offering older versions of their paid products for free. When Microsoft discontinued its OneCare service, it replaced it with a free antivirus product, Microsoft Security Essentials (MSE). But MSE had a rough start. Although its traditional signature-definition-file model worked well, it fared poorly with new (zero-day) malware — viruses, Trojans, and so on, all with undefined signatures and circulating in the wild. That conclusion was based on AV-Test.org results (as reported in a 2009 ZDNet column) and remains true today, as summarized in a May 4 PCWorld story.
Quick updates and heuristics protect best
Elsewhere in this newsletter, my colleague Fred Langa addresses the lackluster report card given to MSE by AV-Test.org, a German testing lab. Although I agree that the one test is not sole grounds for removing MSE from your computer, I disagree with Fred when he states, “as a practical matter, zero-day attacks have a low probability of actually affecting a given user.”
In an April 21 column, I described how a new Adobe Flash zero-day attack forced Adobe to rush out a new patch. Within 24 hours, the big antivirus players — McAfee, Symantec, and Kaspersky — all had updated definition files to protect their users. These products also had the ability — using heuristic technology — to detect new malware based on its behavior alone. (Companies commonly targeted by new and specialized malware definitely want effective heuristics as part of their antivirus strategy.)
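To make the contrast between the two detection approaches concrete, here is a small added illustration (my own example code, not anything from this column or from any antivirus vendor named here). It models a signature-definition database that must be updated before a new sample is recognized, and a behaviour-based heuristic that scores runtime actions instead. Every sample, byte pattern, behaviour name and weight below is constructed for the demonstration and corresponds to no real malware or product.

```python
"""Toy comparison of signature-based and heuristic (behaviour-based) detection.

Constructed example: the samples, patterns, behaviour names and weights are
invented for illustration and do not describe any real malware or engine.
"""

# Signature-definition "file": one byte pattern per known malware family.
# A sample whose pattern is not yet in this table is invisible to the engine
# until a definition update adds it.
SIGNATURE_DB = {
    "Demo.Trojan.A": b"DEMO-TROJAN-A-MARKER",
}

# Heuristic rules: runtime behaviours and how suspicious each one is.
HEURISTIC_WEIGHTS = {
    "writes_to_startup_folder": 3,
    "disables_security_service": 4,
    "injects_into_other_process": 4,
    "opens_network_connection": 1,
    "reads_user_documents": 1,
}
HEURISTIC_THRESHOLD = 5  # total score at or above this is flagged

# Constructed samples and observed behaviours (hypothetical).
KNOWN_SAMPLE = b"...program bytes... DEMO-TROJAN-A-MARKER ..."
ZERO_DAY_SAMPLE = b"...different program bytes... NEW-VARIANT-XYZ ..."
ZERO_DAY_BEHAVIOURS = [
    "writes_to_startup_folder",
    "disables_security_service",
    "opens_network_connection",
]
BENIGN_BEHAVIOURS = ["opens_network_connection", "reads_user_documents"]


def signature_scan(sample, db=SIGNATURE_DB):
    """Return the name of the first matching definition, or None if unknown."""
    for name, pattern in db.items():
        if pattern in sample:
            return name
    return None


def heuristic_scan(behaviours, weights=HEURISTIC_WEIGHTS,
                   threshold=HEURISTIC_THRESHOLD):
    """Score observed behaviours; unknown behaviours contribute nothing."""
    score = sum(weights.get(b, 0) for b in behaviours)
    return score, score >= threshold


def scan(sample, behaviours, db=SIGNATURE_DB):
    """Combine both engines into one verdict."""
    sig = signature_scan(sample, db)
    score, flagged = heuristic_scan(behaviours)
    return {
        "signature": sig,
        "heuristic_score": score,
        "verdict": "malicious" if (sig is not None or flagged) else "clean",
    }


def update_definitions(db, name, pattern):
    """Model a definition-file update; returns a new database, leaving db intact."""
    new_db = dict(db)
    new_db[name] = pattern
    return new_db


def demo():
    """Walk a zero-day sample through the engines before and after an update."""
    sig_before = signature_scan(ZERO_DAY_SAMPLE, SIGNATURE_DB)      # None
    combined = scan(ZERO_DAY_SAMPLE, ZERO_DAY_BEHAVIOURS, SIGNATURE_DB)
    updated = update_definitions(SIGNATURE_DB, "Demo.Trojan.B",
                                 b"NEW-VARIANT-XYZ")
    sig_after = signature_scan(ZERO_DAY_SAMPLE, updated)           # "Demo.Trojan.B"
    return sig_before, combined["verdict"], sig_after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the column: the signature engine returns `None` for the new sample until the definition update lands, while the behaviour score (3 + 4 + 1 = 8, above the threshold of 5) flags it immediately; the benign behaviour list scores only 2 and stays clean. Real heuristic engines weigh far more signals and tune thresholds against false positives, which is why their quality differs so much between products.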
Microsoft’s MSE (along with numerous other AV products) didn’t have signature-definition files for the Adobe zero-day threat until more than a week later. Nor does it have a highly developed heuristic engine. The PC World story quotes Andreas Marx, director of AV-Test.org: