Via SecurityWatch by Neil J. Rubenking on Dec 24, 2013
What's the best way to avoid getting hit with a drive-by download or
some other attack by a malicious website? Simple—don't go there! Most antivirus
vendors protect your browser with a plug-in that automatically blocks
access to known bad sites. The best of them identify brand-new malicious
sites based on reputation, and the latest report from Dennis Technology Labs verifies that this approach can be very effective.
Reputation here doesn't have anything to do with gossip, or with what
people think. Rather, it's a catchword for all kinds of website
attributes. When was the domain first registered? What's its country
code? Does it link to other known bad sites? Do the site's pages visibly
contain malicious code? Aggregating these various attributes, the
plug-in can pretty accurately spot new bad sites.
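Aggregating such attributes into a block/warn/allow decision, as an added example that is not code from the article or from any product it reviews; the weights, the watch-list country codes, the thresholds and the sample sites are all assumptions:

```python
from dataclasses import dataclass
from datetime import date

# Weights, watch list and thresholds are illustrative assumptions, not article or vendor values.
WATCHLIST_CC = {"XX", "ZZ"}   # placeholder user-assigned ISO codes
WARN_AT, BLOCK_AT = 40, 60

@dataclass
class SiteProfile:
    """Attributes a reputation plug-in might gather for one site (constructed)."""
    domain: str
    registered: date              # when the domain was first registered
    country_code: str             # ISO country code of the domain's host
    links_to_known_bad: int       # outbound links to already-blocklisted sites
    visible_malicious_code: bool  # page source matches a known malicious pattern
    popularity_rank: int = 0      # traffic rank; 0 if unranked

def reputation_score(site: SiteProfile, today: date) -> tuple[int, list[str]]:
    """Aggregate the attributes into a risk score plus the reasons behind it."""
    hits = []  # (points, reason) pairs
    age_days = (today - site.registered).days
    if age_days < 30:
        hits.append((30, f"registered {age_days} days ago"))
    if site.country_code in WATCHLIST_CC:
        hits.append((15, f"country {site.country_code} on watch list"))
    if site.links_to_known_bad:
        hits.append((min(25 * site.links_to_known_bad, 50),
                     f"{site.links_to_known_bad} link(s) to known bad sites"))
    # Prevalence lowers the score: wrongly blocking a widely used site is the
    # costly false positive that the lab's weighting penalises most.
    if 0 < site.popularity_rank <= 10_000:
        hits.append((-25, "widely used site"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def verdict(site: SiteProfile, today: date) -> str:
    """Return 'block', 'warn' or 'allow'. Visible malicious code is direct evidence
    and blocks regardless of reputation, so a compromised popular site is stopped."""
    if site.visible_malicious_code:
        return "block"
    score, _ = reputation_score(site, today)
    return "block" if score >= BLOCK_AT else "warn" if score >= WARN_AT else "allow"

# Constructed sample sites; the domains are not real.
TODAY = date(2013, 12, 24)
SAMPLES = [
    SiteProfile("fresh-lure.example", date(2013, 12, 19), "ZZ", 1, False),
    SiteProfile("new-but-quiet.example", date(2013, 12, 19), "ZZ", 0, False),
    SiteProfile("big-portal.example", date(2003, 5, 1), "US", 0, False, 500),
    SiteProfile("hacked-portal.example", date(2003, 5, 1), "US", 0, True, 500),
]
```

A five-day-old domain with one link to a blocklisted site is blocked on reputation alone, the same domain with no such link only draws a warning, and a ten-year-old popular site is allowed unless its pages actually carry malicious code.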
To evaluate how well
different products protect against Internet-based attack, Dennis Labs
researchers scan the web for the latest malicious sites. Using advanced
website recording and playback tools, they then expose each antivirus to
exactly the same threat by visiting the captured malicious website in
the browser. Kaspersky, Norton, and ESET came out on top in this test. All three earned AAA certification, the highest rating from Dennis Labs.
Kaspersky and Norton in particular have demonstrated very effective
reputation-based malicious URL blocking. That also translates to
effective detection and blocking of phishing sites—fraudulent sites that
imitate banks and such in an attempt to steal your login credentials.
I expected to see McAfee in the winner's circle too. McAfee's Global Threat Intelligence
network "correlates real-world data collected from millions of sensors
around the globe" to quickly determine whether a brand-new website is
malicious. Up close, it's quite impressive.
Undone by False Positives
In reality, McAfee
didn't get even a C-level certification from Dennis Labs. What happened?
False positives, that's what. McAfee blocked 91 percent of the attacks
in one way or another. That's not bad, though Norton and Kaspersky
managed 99 percent. The problem is that it flagged way too many valid
programs as bad.
Dennis Labs uses a weighting system that assigns more importance to
erroneous detection of legitimate files that are very prevalent, and
also to files that would cause big problems if quarantined by an
antivirus. (Remember the McAfee fiasco
in 2010, when a false positive disabled XP computers?) The system also
distinguishes several levels of user involvement, from quarantining
without notice to various kinds of prompting the user. In all, a product
that blocked no legitimate programs could earn 740 points.
AVG, ESET, and Kaspersky got a perfect 740 points. Microsoft,
with 724, came close. McAfee, on the other hand, earned just 450
points, lowest of the products tested. (Microsoft, like McAfee, failed
to win certification, but for a different reason. It let so many
malicious threats slip past that its protection score came in below
We may disagree over details of what we want in an antivirus,
but the essentials are very simple. First, it should detect and
eliminate malicious programs. Second, it should leave legitimate
programs alone. The real-world testing performed by Dennis Labs does a
very nice job of quantifying those needs and identifying effective
Wednesday, December 25, 2013
Posted by Mike Ungerman at 8:36 AM