It is possible to get malware, even with anti-malware tools installed. How can that be?
I have been an independent computer repair technician for over 26 years now. The question I get the most (and have the hardest time answering) is this: how come my antivirus program did not stop me from getting this virus? When you are installing AVG, the program says that only 3% of today’s security problems are caused by traditional viruses. Is this true? Is it true for the other antivirus programs as well?
In other words, why don’t anti-malware tools work better than we want or even expect them to?
I must fault AVG for the phrase “traditional viruses”. I think that puts an unrealistic spin on your expectations. Malware is malware, and that includes viruses, spyware, ransomware, rootkits, zombies, and who knows what else.
What do they mean by “traditional”? I have no idea. I also have no idea where that 3% figure comes from.
But there is a grain of truth in AVG’s statement. No matter what program you run, there is still a chance your computer will get infected.
A common goal
In the past, we categorised security software by the type of malware being targeted.
Anti-virus programs examined files for data patterns matching those of known viruses. Anti-spyware tools watched your machine for known spyware behaviour. Anti-rootkit programs specifically countered advanced techniques used by rootkits to hide files.
Every “anti-whatever” program sliced the malware universe in a unique way, using specific techniques to look for or protect against specific types of threats.
In recent years, the lines between distinct types of malware have become significantly blurred. Spyware might include virus-like behaviours, viruses might employ some of the techniques of a rootkit, and so on.
Security software vendors adjusted their approach too. Most packages are just that — security packages — ideally addressing all aspects of malware detection, prevention, and recovery, regardless of the style of attack.
These varying classes of malware still need different techniques for detection and prevention, and each anti-malware tool is likely to be stronger in some areas and weaker in others.
Different programs, different techniques
Even within the same category, anti-malware tools from competing vendors often use different techniques to detect malware. This is one of the biggest reasons one tool will not detect the same malware as another.
Malware is crafty. It uses a variety of techniques to avoid detection and get into your system. From making sure that no two copies of itself look alike, to encrypting key parts of its inner workings, the ways malware can hide are limited only by the malware author’s skill.
That’s why anti-malware tools constantly play a game of catch-up. Every time new malware is found, the tools must be updated. Most often, it is a simple matter of updating the database of known malware with the latest information.
But this can be more involved than you think. Malware can be so good at hiding itself that a simple database update is not enough; the fundamental technique used simply cannot detect the new malware. In such a case, the tool itself needs to be updated.
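The distinction between a database update and a tool update is easier to see in code. The following is an added, constructed example (not code from the article or from any vendor's product): a toy scanner that matches files against a list of byte patterns, the way the article describes signature-based anti-virus. A new variant with a different marker is missed until a pattern for it is added to the database; a copy whose marker is stored transformed (here, XOR-ed with a single byte, a constructed stand-in for the "encrypting key parts of its inner workings" the article mentions) contains no fixed pattern at all, so only a change to the scanning technique itself (trying candidate decodings before matching) catches it. All sample "files", markers and signature names are made up.

```python
"""Toy signature scanner: database update vs. tool update.

Added, constructed example, not code from the article or any vendor.
Sample files are benign byte strings; every signature and name is made up.
"""
import re

# Constructed signature database: (name, compiled byte pattern).
# A real engine holds millions of entries with far richer matching rules.
SIGNATURE_DB = [
    ("Constructed.Sample.A", re.compile(rb"CONSTRUCTED-MARKER-A")),
]

# Constructed sample "files".
HEADER = b"CONSTRUCTED-HEADER\x00"
SAMPLE_A = HEADER + b"CONSTRUCTED-MARKER-A" + b"\x00tail"   # known sample
SAMPLE_B = HEADER + b"CONSTRUCTED-MARKER-B" + b"\x00tail"   # new variant, new marker


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over every byte; used to build SAMPLE_C and to undo it."""
    return bytes(b ^ key for b in data)


# A copy whose marker is stored transformed, so the marker's bytes never
# appear verbatim in the file. 0x5A is just the constructed key for this copy;
# in the scenario the article describes every copy would use a different one.
SAMPLE_C = HEADER + xor_bytes(b"CONSTRUCTED-MARKER-A", 0x5A) + b"\x00tail"


def scan_static(data: bytes, db=SIGNATURE_DB) -> list:
    """Plain signature matching: names of every pattern found in data."""
    return [name for name, pat in db if pat.search(data)]


def update_db(db: list, name: str, marker: bytes) -> None:
    """The routine 'database update': add one more known byte pattern."""
    db.append((name, re.compile(re.escape(marker))))


def scan_with_unpacking(data: bytes, db=SIGNATURE_DB) -> list:
    """The 'tool update': before matching, try every single-byte XOR key and
    scan each candidate decoding. A constructed stand-in for the generic
    unpacking/emulation real engines add when fixed patterns stop working."""
    found = set()
    for key in range(256):          # key 0 is the untouched file itself
        found.update(scan_static(xor_bytes(data, key), db))
    return sorted(found)


if __name__ == "__main__":
    db = list(SIGNATURE_DB)
    print("A, static:", scan_static(SAMPLE_A, db))          # caught
    print("B, static:", scan_static(SAMPLE_B, db))          # missed
    update_db(db, "Constructed.Sample.B", b"CONSTRUCTED-MARKER-B")
    print("B, after db update:", scan_static(SAMPLE_B, db))  # caught
    print("C, static:", scan_static(SAMPLE_C, db))          # still missed
    print("C, after tool update:", scan_with_unpacking(SAMPLE_C, db))
```

The point of the last two lines is the one the article makes: no amount of adding entries to the database helps with SAMPLE_C, because there is no fixed byte string to add. Only changing what the scanner does, which means shipping new code rather than new data, closes that gap, and that is the slower, riskier kind of update.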
Different companies, different responses
New malware of all forms is discovered daily. This means anti-malware companies need the resources and dedication to continually update their database and tools. They also need the infrastructure, maturity, and means to rapidly implement, test, and deploy changes to those tools.
That is another source of disparity among security software vendors: some are better at effective, rapid deployment than others.
It may not even be a matter of competence, but prioritization. Specific malware might be considered high priority by one company, needing an immediate update, while another company might see it as less important and thus take longer to respond.
I do not mean to imply that any of this is easy. We have seen major security vendors push out updates that have failed, or even crashed some customers’ machines. It should never happen, but in the rush to get updates tested and out quickly… well, I am surprised these problems do not happen more often. It is exceptionally difficult to get it right 100% of the time, especially when we expect anti-malware tools to not affect the performance or functionality of our machines while they do their important work.
What is “The Dancing Bunnies Problem”? It is simply this: people explicitly ignore, disable, and bypass all security measures to access something they have been led to believe is desirable. If an email you get says “download the attachment to see dancing bunnies”, some percentage of users will do exactly that and more, if necessary, because they have been promised dancing bunnies, dammit.
Put in more relevant terms, you can have the best anti-malware and security software that could exist, and it will do you absolutely no good if you ignore its warnings or bypass its restrictions.
Your security software “allowed” you to get malware because you told it to, explicitly, against its warnings and advice.
It did not matter what security software you were running, or how good it might be.
What does it all mean?
There is no single best anti-malware tool.
Security tool “A” may catch this newly-released virus today, but tomorrow’s new virus might be caught more effectively by program “B”. Most vendors know this, so they are continually working to improve the coverage of their products.
The techniques used by program “C” may work with little to no impact on my system, yet be a major resource hog on yours. The best vendors test across a wide variety of systems and configurations, but by definition, doing so is in direct conflict with getting important updates out as quickly as possible.
And of course, there is still a race between malware authors releasing new versions, and anti-malware vendors struggling to make sure each new issue gets caught quickly and safely. There is always a hole in the coverage and something will slip through.
The best anti-malware tool
You are the most important anti-malware tool your computer has.
Your ability to recognize and skip malware is far superior to that of most anti-malware tools. You can recognize spam and bogus attachments. You know you should not have visited that website. You know that too-good-to-be-true offer was, indeed, too good to be true. You know that the dancing bunnies were never real.
That knowledge, and what you do with it, is what keeps your machine safest.