Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why Don’t Anti-malware Tools Work Better?

Question: I’ve been an independent computer repair tech for over 12 years now. The question I get the most (and have the hardest time answering) is this: how come my antivirus program didn’t stop me from getting this virus? When you’re installing AVG, the program says that only 3% of today’s security problems are caused by traditional viruses. Is this true? Is it true for the other antivirus programs as well?

In other words, why don’t anti-malware tools work better than we want or even expect them to? :-)

I have to fault AVG for the phrase “traditional viruses”. I think that puts an unrealistic spin on your expectations. Malware is malware, and that includes viruses, spyware, ransomware, rootkits, zombies, and gosh knows what else.

What do they mean by “traditional”? I have no idea. I also have no idea where that 3% figure comes from.

But there’s a kernel of truth in AVG’s statement. No matter what program you run, there’s still a chance your computer will get infected.

Become a Patron of Ask Leo! and go ad-free!

A common goal

In the past, we categorized security software by the type of malware being targeted.

Anti-virus programs examined files for data patterns matching those of known viruses. Anti-spyware tools monitored your machine for known spyware behavior. Anti-rootkit programs specifically countered advanced techniques used by rootkits to hide files.

Basically, any “anti-whatever” program sliced the malware universe in a unique way, using specific techniques to look for or protect against specific types of threats.

In recent years, the lines between different types of malware has become significantly blurred. Spyware might include malware-like behaviors, viruses might employ some of the techniques of a rootkit, and so on.

Security software vendors adjusted their approach too. Most packages are just that — security packages — ideally addressing all aspects of malware detection, prevention, and recovery, regardless of the style of attack.

These varying classes of malware still require different techniques for detection and prevention, and each anti-malware tool is likely to be stronger in some areas and weaker in others.

Virus Detected!Different programs, different techniques

Even within the same category, anti-malware tools from competing vendors often use different techniques to detect malware. This is one of the biggest reasons one tool will not detect the same malware as another.

Malware is crafty. It uses a variety of techniques to avoid detection and get into your system. From making sure that no two copies of itself look alike, to encrypting key parts of its inner workings, the ways malware can hide is only limited by the malware author’s skill.

That’s why anti-malware tools constant play a game of catch-up. Every time new malware is found, the tools must be updated. Most often, it’s a simple matter of updating the database of known malware with new information.

But this can be more involved than you think. Malware can be so good at hiding itself that a simple database update isn’t enough; the fundamental technique used simply can’t detect the new malware. In such a case, the tool itself needs to be updated.

Different companies, different responses

New malware of all forms is discovered daily. This means anti-malware companies need the resources and dedication to continually update their database and tools. They also need the infrastructure, maturity, and means to rapidly implement, test, and deploy changes to those tools.

That’s another source of disparity among security software vendors: some are better at effective, rapid deployment than others.

It may not even be a matter of competence, but prioritization. Specific malware might be considered high priority by one company, requiring an immediate update, while another company might see it as less important and thus take longer to respond.

I don’t mean to imply that any of this is easy. We’ve seen major security vendors push out updates that have failed, or even crashed some customer’s machines. It should never happen, but in the rush to get updates tested and out quickly… well, I’m surprised these problems don’t happen more often. It’s exceptionally difficult to get it right 100% of the time, especially when we expect anti-malware tools to not impact the performance or functionality of our machines while they do their important work.

Dancing bunnies?

I’ve written about “The Dancing Bunnies Problem” before. In essence, it’s simply this: people explicitly ignore, disable, and bypass all security measures to access something they’ve been led to believe is desirable. If an email you get says “download the attachment to see dancing bunnies”, some percentage of users will do exactly that and more, if necessary, because they’ve been promised dancing bunnies, dammit.

Put in more relevant terms, you can have the best anti-malware and security software that could possibly exist, and it’ll do you absolutely no good if you ignore its warnings or bypass its restrictions.

Your security software “allowed” you to get malware because you told it to, explicitly, against its warnings and advice.

It didn’t matter what security software you were running, or how good it might be.

What’s it all mean?

There is no single best anti-malware tool.

Security tool “A” may catch this newly-released virus today, but tomorrow’s new virus might be caught more effectively by program “B”. Most vendors know this, so they’re continually working to improve the coverage of their products.

The techniques used by program “C” may work with little to no impact on my system, yet be a major resource hog on yours. The best vendors test across a wide variety of systems and configurations, but by definition, doing so is in direct conflict with getting important updates out as quickly as possible.

And of course there’s still a race between malware authors releasing new versions, and anti-malware vendors struggling to make sure each new issue gets caught quickly and safely. There’s always a hole in the coverage and something will slip through.

The best anti-malware tool

You are the most important anti-malware tool your computer has.

Your ability to recognize and skip malware is far superior to that of most anti-malware tools. You can recognize spam and bogus attachments. You know you shouldn’t have visited that website. You know that too-good-to-be-true offer was, indeed, too good to be true. You know that the dancing bunnies were never real.

That knowledge, and what you do with it, is what keeps your machine safest.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

23 comments on “Why Don’t Anti-malware Tools Work Better?”

  1. It is my opinion that anti-malware tools don’t work better because they are always playing catch-up. Every piece of malware that they have to respond to is already in the wild for a while until they can identify it and develop, test, and deploy their response to it, therefore the bad guys have those windows of opportunity where even the most diligent person is unprotected from, and especially unaware of, the threats against them.

    Reply
    • The thing about virus and antivirus is that, (antivirus comes with virus) anti-virus developer are also the cause of virus. Think about it,how will they earn if it’s only virus thing right? soo they work out virus and develop anti-virus to earn. Anti-virus won’t make your pc 100 % safe they can detect major problems but can’t keep up with manor thing such as malware and etc.

      Reply
  2. There is always one thing that EVERY anti-malware cannot protect against. The User.
    The malicious few have been getting better and better at disguising their true intentions, while the average User has gotten less and less savvy about what their PC ‘should’ be doing. If we were all as thorough and as careful as Leo, viruses would become a thing of the past – and these huge companies couldn’t charge us for their ‘protection’.

    Reply
  3. I truly believe people who create and spread all types of malware should be prosecuted to the full extent of the law. There is absolutely no possible legitimate reason for releasing this havoc on the world community. Battling malware has to be at the top of my list of things that upset me most. I would like to recommend Microsoft Security Essentials which is free. I had repeated problems battling the dreaded “Google redirect” malware and since going to MSE I’ve had no problems with any type of Malware. Get it here: http://www.microsoft.com/security_essentials/

    Reply
    • Until sometime around 2012, I used to think the same. I remember when MSE was launched, around the same time as Windows 7 & it beat one of the best free solutions around in Avast. MSE was racking up awards left & right in it’s first two years, then there came sudden change.

      As Microsoft was preparing to release Windows 8, MSE was neglected. This, I know first hand. Back when we could install Safari with Google Safe Search enabled, I installed the browser & was browsing around, had 20+ tabs open, then all of a sudden, came the UAC for an ‘urgent security update’. Once I applied it, the OS went bezerk (thank goodness for full disk image software in Macrium Reflect).

      I removed the drive, placed in a docking station, using a testbed OS which was also imaged. Then scanned using various tools, first with MSE, which caught a few things. Then Malwarebytes caught more, as did Kaspersky Internet Security & Emsisoft free ‘A2 Malware scanner. Finally, all looked to be clean & I placed the drive back into the PC.

      Then I done the most dumb thing I had in years, having been up all night cleaning the drive, that UAC popup appeared again to update MSE & once I did, it was the same. At that point, use DBAN (Darin’s Boot & Nuke) on the drive & recovered from my Macrium image taken just 2-3 days prior & finally was able to get some much needed rest.

      From that point on, was stocking up at Newegg on the Malwarebytes Lifetime licenses, at $15 each, sometimes a freebie such as a Flash drive would be included. Sometimes, would purchase the limit of 5 for the price, as I have many computers. No more infections since, other than adware cookies that SuperAntiSpyware catches & search engines which AdwCleaner (now a Malwarebytes product) catches.

      Plus now as a member of a prominent Tech forum Staff member, we get other software which requires yearly renewal at no charge (ESET Internet Security or Emsisoft Anti Malware). No more infections.

      While MSE or Windows Defender included with Windows 8 onwards are OK for a student doing their homework or research, it’s NOT good for those whose travels the Internet across the globe. Note that I dump suspicious emails in a heartbeat, can recognize these easily, yet it’s much harder to catch every bad link. Nor do I click OK to unknown UAC prompts any longer.

      No more free security solutions for me!

      Reply
  4. ” – and these huge companies couldn’t charge us for their ‘protection’.”

    What ‘huge companies’, Bob? I use Avast! for virus detection, ThreatFire for malware/spyware and WinPatrol for everything else. Doesn’t cost me a penny and my computer is virus and other malware free.

    I’m also careful about where I poke around on the Internet.

    Reply
  5. Most users don’t read what they are agreeing to when installing software. Everyone is in a hurry to get it installed and set up to run. I’ve found almost everything is bundled with something we don’t want installed, its not always malicious but it can be and sometimes the price is malware and spyware. So remember this “CUSTOMER BE WARE”!!!

    Reply
  6. I’m also a computer tech.
    Part of the question was “we then must rely on free software downloaded from the internet”

    I also wonder why the “paid” security solution cannot beat the free/donation ComboFix (please donate, they will save your computer better than anybody else) for extracting malwares, including the hard to kill Rootkit.

    Maybe a list of “free” tools would be useful because searching the internet after an infection is very confusing and stressful. This will bring you to numerous sites where they sell solutions not so good. Even searching for the free tools by name can bring you to a dangerous site.

    I use mainly MalwareBytes for a quick clean up and ComboFix which is not for the fainted of heart, I recommend that you hire a technician to run it and recuperate your computer if a bigger problem happen during the cleaning.

    Also first thing to do after (or before) an infection: backup backup backup.

    Michel G.

    Reply
  7. I had the misfortune of catching a virus in the wild once. Fortunately it was more just an annoyance than anything that did any real damage. But, once in as many years and I leave my PCs on 24/7 isn’t bad. A lesson learned I like to remind XP and any other OS user that has a system restore- an infected file can well end up in your system restore files and, once -I don’t know about now- by default anti virus programs did not scan the restore files! After my infection was removed i would get an alert that a virus was on my computer. I would run a scan and it came up clean. I ran one from Symantec’s site and it DID scan the restore files and found it. I do sit behind a router and use both a firewall and antivirus plus a malware tool. As an aside, I tried Microsoft Security Essentials for a week running it alongside my NIS, I know it’s not recommended but I have this curious streak inside me and wanted to see how they acted. Besides, I hadn’t crashed my computer in 5+ years. Anyway, they did not conflict with each other but one day while I was on the PC I got two alerts within a few minutes of each other for a blocked hack attempt from two different former Soviet Bloc countries. The alerts came from NIS which made me wonder just how or if MSE was going to handle them. Since it apparently did nothing and left me uneasy about it, I spent the next few days reading everything I could find on comparisons between MSE and the various security suites. After all my research I removed MSE and went back to NIS, especially since my ISP offers it free to subscribers. My reading showed MSE to be only marginally better at a few things than other products -emphasis on marginally-, but it was worse at doing other things. One place on a 15 point scale rated it a 6.5 while there were many more well known products that rated twice that in overall performance. Its biggest advantage is it’s free. Still, good sense is the best add on to whatever protection you use. Lately the most frequent thing I personally see is fake friend requests from Facebook. If you are on FB and get such requests I strongly suggest opening a browser window and entering FB in the address bar. Once you get to your home page check under the notices icon at the top. If the friend request isn’t there, it isn’t genuine. To steal a quote from a long ago cop show: be careful out there!

    Reply
  8. I use varied and assorted ‘anti-malware’ programs. They overlap, which is good, IMHO, and I update them religiously and use then when I feel a need.
    The best anti-bad guys stuff is paying attention.
    YOU are your best defense.

    Reply
  9. 95% of the malware that I get to remove, consists of the rogue anti virus variety. The writers of these are getting better at what they do. AntiVirus System 2011 in particular, which hid behind a fake AVG 2011 icon, took me a long time to track down. Not one of the Anti Virus programmes I have seen can stop these from coming in, and only a few anti malware programmes will remove them.

    Reply
  10. One publication that periodically compares anti-malware programs (sorry forgot name), said that most of them will snare 95% of known malware (it doesn’t go in depth however of the overlap/intersection of who catches/misses what). Are these the “traditional” viruses? I agree with Leo; lousy marketing.

    It also went on to say that only 35% of new viruses are caught in the first month in the wild.

    I recall (fuzzy on this too) that there is a anti-virus sharing site but that still leaves time to acquire (if it’s been submitted), test, package, and distribute a new datafiles with the new anti-virus solution. And, then you’ll need auto-download to integrate it into your system; you do this everyday right?

    You do pay your subscription right? The Free viruses are, ah well, free; what’s their incentive to do this pronto. You get what you pay for. Paid programs download many times per day.

    Microsoft’s Security Essentials comes out very well in these head-to-head comparisons and it is “free”. But then again you did have to purchase Microsoft Windows.

    Reply
  11. Just a comment or a few on this topic..

    I do have to say i do 1000% agree ( if that even a figure i can use here) with everything that has been said..

    Your best defnense .. is COMMON SENSE .. you can have all the software you want ( ive been working with systems for close to 15 years .. ) ive seen all sorts of infections on systems .. even with having SOME OF the best scanners that are out now..

    NOTHING .. and i mean NOTHING replaces common sense..

    I have had to redo systems where this crap SHOULD NOT have gotten thru .. even after teling and showing the owner of the system how to go about things and what not to do ….

    what you have to remeber as well .. is ( yes this is documented secertly) some A/V A/M companies .. DO contract things out to se what can breach their security ( THink BLack Hat ) MOST a/v’s and A/M WILL catch a majority of things .. but the “hackers” always sem to be one step ahead of the a/v, a/m companies..

    But agian the ULTIMATE PROTECTION is the user..

    BUt also think about this .. if it wernt for the virus /malware creators.. some of us .. that are independant workers on systems .. we would not realy have our side jobs.. that some of us have..

    In a weird way .. its a bit of a symbyotic relationship.. if it werent for them we wonldnt have to redo computers .. ( yeah a pain in the back side) but we wouldnt make an income…

    NO I AM NOT CONDONING what the Viris or malware creators do .. it sucks cot he “novice user” but just think about it …

    Just my thoughts.
    ~LoneWolf

    Reply
  12. Compare the situation with the Medical World.

    The Vaccines for protection against Virus Infections such as Flu/Influenza, are no good against Bacterial Infections.

    The Anti-Biotics for Bacterial Infections are no good against Viral Infections.

    But you generally need both simultaneously, because of side effecrs, eg Flu weakening the general resistance leading to Pneumonia.

    As regards producing the Anti-Viral Vaccine, the Medical world has to wait and see how the many Flu Viruses are developing, to decide on which one is the greatest threat, obtain samples after it has been identified – and then set about developing tha specific Vaccine.

    Similarly, Bacteria are developing resistance to the many Antibiotics on the market, so the long-term research to develop new ones.

    It is “survival of the fittest” on all sides of the story.

    Reply
  13. I remember the day when a virus was a virus. Avoiding email attachments from unknown senders was your best defense. As the internet has successfully ingrained itself into our everyday lives, and especially with the advent of broadband, there are so many new ways to get into trouble. As a twelve year bench tech, the majority of “infections” that I see now are self inflicted, many by our customers who still believe that you can get something for nothing. We carry a laundry list of utilities, all freely available, to perform our cleanup and repair, but the most important tool in our arsenal is still education. No anti-virus/malware tool out there can defend against bad judgment.

    Reply
  14. I worked 7 years for a major AV company. All AV firms rely on customers sending them samples of malware/infected programs. And ALL the major players first develop the ‘fix’ for that item – then within a day or two, swap their sample malware/infected sample with each other. So there is minimal delay for adding detection to their products. A month or more is far out of line, and I don’t believe it for a second.

    Major firm’s anti-virus ‘hunters’ meet yearly for conferences and exchange information and papers. Though their companies are competitors, the better ones encourage their AV people to cooperate with each other. So going with a minor ‘freeware’ program where the developer isn’t involved with this group is not a ‘cheap’ solution, but an ‘iffy’ one.

    Some of the sneakiest malware being devolped today is web pages with Java script allowing that web page to ‘steal’ all sorts of information from your computer. I.E. cookies (containing useful information), your Contact list, to annoy your contacts with apparent requests from your ID, and who knows what else can easily be lifted off your computer.

    You’ve seen those “Click here to send your friends a request to join XXXXXX”. I was stung myself by LinkedIn due to an accidental click on their ‘tiny’ “click me” box!!

    As so many of the comments state, YOU are the best defense. In addition to the inane action of downloading an unexpected attachement from anyone. – DO NOT go to ‘suggested’ websites from ‘strangers’ (and be cynical about those from your friends, they could’ve had their contact list stolen too)

    Reply
  15. Best judgement always # 1. I admit I have found humor in the folley of others through various forums (best judgement not used). One case: a user wanted money back due to a virus filled download of an open source program from e-bay. Another case: a user was at the proper download site, but chose to click a sidebar ad and received the program, but with…..a virus. User failure indeed. Always do research, go to the actual true download site, never deviate from the direct path. Otherwise, I’ll be chuckling at your folley in a forum. Sorry.

    Reply
  16. i have never used an av on my laptop all i use is firewall and defender and occasionally run anti malware to check system i have never had a virus in 2 years

    Reply
  17. On a trip to New York, I noticed that restaurants, even the hole-in-the-wall type (where I found the tastiest food) prominently displayed a sign with a large, upper-case letter in the window. I was told that this was a rating by the health department (A, obviously being the highest rating). You wouldn’t want to eat at a restaurant with a low rating (or NO rating). Similarly, you wouldn’t just pick up food that was lying on the sidewalk and put it in your mouth. A lot of people, apparently, would do just that with their computers and unknown software.

    Before installing software, check out its rating with trusted sources. This site is one of them. Leo has several articles that discuss other trusted sites.

    Reply
  18. “There is no single best anti-malware tool.”
    A statement you made, but I truly believe that there is a single tool built into most Microsoft OS’ which is
    Windows Defender….
    I’ve been using it for several years now after AVG and a few others and I am extremely happy with it and it does
    work if you keep it updated ON A REGULAR BASIS. With that being said, now I’ll probably get hit…hope not tho!

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.