Interesting cautionary note, old, still very relevant

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
From May 2013 to May 2014 Lastline Labs researchers (later acquired by VMware) studied hundreds of thousands of malware samples, testing new malware against 47 vendors’ AV signatures featured in VirusTotal to determine which caught the malware samples, and how quickly. They found that, on any given day, at least half of the AV scanners it tested failed to detect new malware, and after two months, a third of the scanners were still not detecting it.

On Day 0, only 51% of AV scanners detected new malware samples.

It took an average of two days for at least one AV scanner to detect malware that went undetected on the first day.

Detection rates bumped up to 61% after two weeks, indicating a common lag for AV signatures.

In one year, no single AV scanner caught every new malware sample in even one of the test days.

After a year, 10% of the scanners still do not detect some malware.

The 1-percentile of malware least likely to be detected was undetected by the majority of AV scanners for months, and in some cases was never detected.

[I abstracted this from the article, "Most Antivirus Software Is Lousy At Detecting Advanced Malware," by Engin Kirda, Ph.D., in Forbes Magazine, LINK]

Causes me to rethink whether it's wise to totally rely on MS Windows Defender.
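As an added illustration (not code from the study or from this post), here is the kind of day-by-day bookkeeping behind numbers like these, run on a constructed toy matrix of scanners and samples rather than the study's data:

```python
# Constructed toy data (NOT from the Lastline study): for each sample, the first
# day on which each scanner flagged it, or None if it never did within the
# observation window.  Day 0 is the day the sample first appeared.
SCANNERS = ["A", "B", "C", "D"]
FIRST_DETECTED = {
    "s1": {"A": 0, "B": 0, "C": 3, "D": None},
    "s2": {"A": 1, "B": 0, "C": None, "D": None},
    "s3": {"A": None, "B": 2, "C": 2, "D": 14},
    "s4": {"A": 0, "B": 0, "C": 0, "D": 0},
}


def detection_rate(first, scanners, day):
    """Share of (sample, scanner) pairs where the scanner had flagged the sample by `day`."""
    pairs = [(s, v) for v in first.values() for s in scanners]
    hits = sum(1 for s, v in pairs if v.get(s) is not None and v[s] <= day)
    return hits / len(pairs)


def lag_to_first_detection(first):
    """Samples no scanner caught on day 0 -> days until any scanner caught them.
    Samples never caught by anyone are left out (no lag can be measured)."""
    lags = {}
    for name, v in first.items():
        days = [d for d in v.values() if d is not None]
        if days and min(days) > 0:
            lags[name] = min(days)
    return lags


def scanners_still_missing(first, scanners, day):
    """Share of scanners that, at `day`, still have at least one sample they never flagged."""
    missing = sum(
        1 for s in scanners
        if any(v.get(s) is None or v[s] > day for v in first.values())
    )
    return missing / len(scanners)


def missed_by_majority(first, scanners, day):
    """Samples that no more than half the scanners have flagged by `day` (the long tail)."""
    half = len(scanners) / 2
    return sorted(n for n, v in first.items()
                  if sum(1 for s in scanners if v.get(s) is not None and v[s] <= day) <= half)


if __name__ == "__main__":
    for day in (0, 14, 60, 365):
        print(f"day {day:3}: detection rate {detection_rate(FIRST_DETECTED, SCANNERS, day):.0%}, "
              f"scanners still missing something {scanners_still_missing(FIRST_DETECTED, SCANNERS, day):.0%}")
    print("lag to first detection:", lag_to_first_detection(FIRST_DETECTED))
    print("missed by majority at day 14:", missed_by_majority(FIRST_DETECTED, SCANNERS, 14))
```

Swap in a real first-detection matrix (for example, daily rescans of a sample set) and the same functions reproduce the study's day-0 rate, lag and long-tail figures.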
 

Red Squirrel

No Lifer
May 24, 2003
67,910
12,378
126
www.anyf.ca
Seems to me there really are not that many good AVs at all, probably worse now than it was before even. Been a while since I've touched Windows myself, but the few times I've had to work on someone's computer I always come at a blank when it comes to figuring out what AV is best.

I think the best defense is to just ensure people are more educated in not opening files or clicking links they don't trust. Good luck with that though! The real attack vector nowadays is not even email but the browser. Just landing on a bad website is enough to get compromised.
 

mikeymikec

Lifer
May 19, 2011
18,050
10,234
136
Ringtail, how on earth did you conclude "maybe Windows Defender isn't good enough" from what you read?

IMO anti-virus is almost completely irrelevant these days. When I started my business 20 years ago, malware removal was a routine part of my work; I'd have appointments multiple times per week. These days I can't remember with confidence when the last time I removed a virus from a customer's computer was. I remember one run-in with the Aurora rootkit about ten years ago. These days, the worst that I've seen typically involves browser extensions that the customer has (presumably) been duped into installing that might cause browser pop-ups or something equally not-scary.

It seems to me that ever since User Account Control was introduced in Vista, admin/system level malware infections dropped sharply. It also seems to me that malware writers and scammers typically haven't been upping their game in some time, that if anything they're getting dumber.

While I'm sure there is still sophisticated malware out there, I suspect that it's not being aimed at the average user (who chances are has moved on to a "factory reset it and restore stuff from the cloud" platform such as Android or iOS).
 

VirtualLarry

No Lifer
Aug 25, 2001
56,450
10,119
126
It seems to me that ever since User Account Control was introduced in Vista, admin/system level malware infections dropped sharply. It also seems to me that malware writers and scammers typically haven't been upping their game in some time, that if anything they're getting dumber.

While I'm sure there is still sophisticated malware out there, I suspect that it's not being aimed at the average user (who chances are has moved on to a "factory reset it and restore stuff from the cloud" platform such as Android or iOS).
Quite the opposite. Malware writers these days are on top of their game. Most sophisticated malware isn't detected. The thing is, though, they're not blanketed anymore, they're targeted, often tailor-made for their target.
 

mikeymikec

Lifer
May 19, 2011
18,050
10,234
136
Quite the opposite. Malware writers these days are on top of their game. Most sophisticated malware isn't detected. The thing is, though, they're not blanketed anymore, they're targeted, often tailor-made for their target.

That's pretty much what I said...
 

compcons

Platinum Member
Oct 22, 2004
2,157
1,166
136
Seems to me there really are not that many good AVs at all, probably worse now than it was before even. Been a while since I've touched Windows myself, but the few times I've had to work on someone's computer I always come at a blank when it comes to figuring out what AV is best.

I think the best defense is to just ensure people are more educated in not opening files or clicking links they don't trust. Good luck with that though! The real attack vector nowadays is not even email but the browser. Just landing on a bad website is enough to get compromised.
The purpose of AV software is to prevent the known viruses from getting in. Think of a funnel. Grab the easy stuff with AV signatures at the top and only analyze the more severe threats with better detection products like EDR which can rely on behavior analytics, sandboxing, etc. You don't want compute resources to be spent to find out you have ILOVEYOU. Almost every endpoint detection product relies on simple signatures as a first pass.

Although browser threats are quite common, even they are most times sent via email. EMAIL IS THE NUMBER ONE ATTACK VECTOR. That is, >80% of all threats (phishing, browser malware, ransomware, banking trojans, etc.) are delivered through email. Most often, it is a link to a page waiting to drop malware, exploit a browser vulnerability or simply steal credentials or banking information.

The more advanced threats may be a link to a file sharing service like OneDrive (the most abused malware hosting destination) with files that contain embedded malware or a series of downloads and links. Threat actors use those techniques to bypass subpar security solutions.

NEVER click links in email, open attachments OR CALL the number in the email without verifying with the sender.

Your package is en route? Open a browser and go to the seller/shipper website.
Got a confirmation PDF in an email for an order? Go to the vendor website.
Unexpected AV renewal or order phone that iPhone with a phone number listed in the email? DON'T call! (Learn about telephone-oriented attack delivery - they have call centers and helpdesks to help you get their malware installed for them!)

And Microsoft doesn't know jack shit about security. Almost ANY product provides better protection than Defender.

Stay safe
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
mikeymikec, You said:
It seems to me that ever since User Account Control was introduced in Vista, admin/system level malware infections dropped sharply. It also seems to me that malware writers and scammers typically haven't been upping their game in some time, that if anything they're getting dumber.
The Kaspersky Cyberthreats Realtime Map has a good display showing count of malware detections, broken down several ways. It shows that detections in the United States on 31Mar2023 were 149,390 (for the Kaspersky brand only). Applying the point made in the opening post above, at any given moment there's probably a lot more active in the wild but undetected by the antivirus software you're defending yourself with.

The other point is, your antivirus is probably not detecting them all, which means odds are, your computer is infected this instant.
 

mikeymikec

Lifer
May 19, 2011
18,050
10,234
136
mikeymikec, You said:

The Kaspersky Cyberthreats Realtime Map has a good display showing count of malware detections, broken down several ways. It shows that detections in the United States on 31Mar2023 were 149,390 (for the Kaspersky brand only). Applying the point made in the opening post above, at any given moment there's probably a lot more active in the wild but undetected by the antivirus software you're defending yourself with.


One thing I find interesting about those statistics is that the 'threats' they list are almost entirely labelled 'generic'. While 'generic' in malware names doesn't necessarily mean "we're not sure if this is malware", it very commonly does. Kaspersky also provides no technical information for any of these threats, which is odd for a malware information database; traditionally the whole point of having a publicly-accessible resource is to provide users with extra information with which they can figure out whether they actually have an infection on their computer (as opposed to "software says yes"), or to confirm that the security software has done its job of fully removing said malware.

To summarise: Kaspersky is trying to convince people that there are lots of infections in the wild, but they can't tell us anything useful/specific about any of these infections.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91

mikeymikec,

Well they list summaries broken down several ways, like this one:

and they explain the data sources they used. The cybersecurity biz is intensely competitive so any company will be reluctant to give out more than summaries like this one. They're talking about "Detections per Second" so the specifics change dynamically, second-to-second.

Kaspersky is the outfit that discovered Stuxnet years ago.

I just happened to cite Kaspersky's info for my convenience, because I still have them in my Firefox bookmarks, having used Kaspersky for many years. Had to dump them because of the US Gov't ban on them. I can't carry my laptop into various clients' offices if it's installed, since the client companies have to comply with the US Gov't regulations.

[contract clause, FAR 52.204-23, titled “Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities.”]
 

mikeymikec

Lifer
May 19, 2011
18,050
10,234
136

mikeymikec,

Well they list summaries broken down several ways, like this one:
and they explain the data sources they used. The cybersecurity biz is intensely competitive so any company will be reluctant to give out more than summaries like this one. They're talking about "Detections per Second" so the specifics change dynamically, second-to-second.

Kaspersky is the outfit that discovered Stuxnet years ago.

I just happened to cite Kaspersky's info for my convenience, because I still have them in my Firefox bookmarks, having used Kaspersky for many years. Had to dump them because of the US Gov't ban on them. I can't carry my laptop into various clients' offices if it's installed, since the client companies have to comply with the US Gov't regulations.

[contract clause, FAR 52.204-23, titled “Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities.”]

That was the list I was referring to. One of the top ten entries was an autorun.INF file, not even a malformed one.
If they're going to list autorun.INF files as threats, then they may as well list all executable files. After all, they could be used as a delivery mechanism for malware!

I'm not sure whether you're attempting to argue that Kaspersky's virus information database sucks because the competition is fierce, but just in case you are, here's an example of what a reasonably decent write-up for a form of malware looks like:

I'd strongly recommend that you take the time to understand the topic before giving your money to these people. I'm not saying they're complete scammers, but they know how to manipulate people and how that translates through to higher sales. Your best defence against such tactics is to learn more and make evidence-based decisions rather than assume "if your security software hasn't detected anything then chances are your computer is infected". That kind of thinking is only going to result in your pockets being emptied faster, because by that logic you can't rely on one piece of security software but many, constantly cycling between them and constantly running full scans of your system, and the less evidence there is of an infection, the more dire your conclusion is.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91

mikeymikec

Your several posts are mostly orthogonal to the point of this thread, which is a caution based on analysis performed by a superior AV player of a large set of real-world data.
 