Helping people with computers... one answer at a time.
It's possible to get malware, even with anti-malware tools installed, for a variety of reasons. I discuss some of the reasons why this happens that I feel are the most significant.
I've been an independent computer repair tech for over 12 years now. The question I get the most (and have the hardest time answering) is this: how come my antivirus program didn't stop me from getting this virus? When you're installing AVG, the program says that only 3% of today's security problems are caused by traditional viruses. Is this true? Is it true for the other antivirus programs as well? And why is it that, when we do get one of these non-traditional security issues (i.e. malware), we then must rely on free software downloaded from the internet? Why don't the ‘traditional' antivirus suppliers include a malware remover module with their software? If traditional antivirus programs are going to be satisfied with being the canary in the coal mine (we know we're infected when our antivirus program dies), why not just download a free product, use our common sense on the internet and hope for the best?
In other words, why don't anti-malware tools work better than they seem to?
I have to fault AVG for the phrase "traditional viruses". I think that put an unrealistic spin on your expectations. Malware is malware, and that includes viruses, spyware, rootkits, zombies, and gosh knows what else.
What's "traditional"? Ya got me. I also have no idea where that 3% figure comes from.
But there's a kernel of truth in AVG's statement. No matter what program you run, there's still a chance your computer will get infected.
When looking at anti-malware tools, the most obvious way to categorize them is by seeing what kind of malware that they're targeting:
Antivirus programs examine the files that are currently on or being copied to your machine for patterns of data that match those of known viruses.
Anti-spyware programs lock or monitor certain types of changes on your machine and compare these to the known behavior of spyware.
Anti-rootkit programs specifically look for and counter the advanced techniques that rootkits use to hide the files that comprise them.
Anti-whatever programs slice the malware universe differently or look for more specific threats.
Convention has long held that you need at least one antivirus and one anti-spyware tool, in addition to other things like a firewall, a backup and good behavior on your own part.
But picking tools can be confusing as more anti-malware tools try to cover more bases. Almost all of the major anti-malware vendors offer a suite of programs with multiple tools, like those mentioned above.
The varying classes of malware out there typically require different approaches for detection and prevention. The result is that specific tools are needed for different jobs. For example, a purely antivirus program isn't likely to catch spyware.
Even within the same category of anti-malware programs, similar tools from competing vendors will often use different ways to detect malware. This is one of the reasons why some antivirus programs won't catch the same viruses that others will.
Viruses are crafty little beasts. They'll use a variety of techniques to get into your system and avoid detection. From making sure that no two copies of itself look alike to encrypting key parts of its inner workings, the ways that a virus hides are only limited by the virus writers' imagination and skill.
That's why antivirus tools are continually playing a game of catch-up. Every time a new virus is found , the antivirus tool needs to be updated. Most often, it's a simple matter of updating the database of known viruses with new information.
But even this can be more involved than you think. It's possible that the virus is so good at hiding itself that the tool requires more than a simple database update; the detection method used by the antivirus tool simply can't detect the virus. In a case like this, parts of the tool itself are what needs to be updated.
As I said, new malware of all forms is being discovered daily, if not more often. That means that anti-malware companies need to have the staff, resources and dedication to continually update their database and tools. They also need the infrastructure, maturity and means to rapidly implement, test and deploy changes to those tools.
I think that's the other source of disparity among anti-malware tools - some are good at rapid deployment, while others take a while longer.
It may not even be a matter of competence, but rather prioritization; a specific virus might be defined as high priority by one company and in need of an immediate update, while another company might classify it as less important and thus take longer to push out the detection update.
I don't mean to imply that any of this is easy. We've seen major antivirus tool vendors push out updates that have failed or even crashed users' machines. It shouldn't happen, but in the rush to get security updates tested and out quickly... well, I'm surprised problems like these don't happen more often. It's exceptionally difficult to get it right 100% of the time, especially when we expect anti-malware tools to not impact the performance or functionality of our machines while they do this important work.
I've often said that there is no best anti-malware tool. Program A may catch this newly released virus today, but tomorrow's new virus might be caught more effectively by program B.
Most vendors know this, so they're continually working to improve the coverage of their products.
But it's still a race between malware writers releasing new versions of their stuff, and anti-malware vendors struggling to make sure that each new issue gets caught appropriately.
There's always a hole in the coverage and something will slip through.
That's why, in addition to a good antivirus tool, anti-spyware tool and firewall, I also say that you are the most important anti-malware tool that your computer has.
Your potential ability to recognize and skip malware is actually far superior to that of most anti-malware tools. You can recognize spam and bogus attachments. You know you shouldn't have visited that web site. You know that too-good-to-be-true offer was, well, too good to be true. What you then do with that knowledge is what keeps your machine safest of all.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.