TESTING THE ANTIVIRUS THAT YOU USE

Have you ever wondered how antivirus is tested before it is available on the market? The truth is that, despite what you may think at first, these applications pass a series of tests that have the mission, obviously, of verifying their effectiveness. Well, for most IT security vendors these assessments are now out of date.

Testing an antivirus before its launch is something that is done regularly. Thus, the AV Tests (name by which the aforementioned tests are known) allow users to choose which antivirus they want to install on their computers, knowing what their main characteristics are and what they protect against.

So far everything normal. So what is the problem? Some manufacturers of security solutions have raised their voices against the fact that these tests are “not modernized”. In what sense? Some companies claim that, although the complexity of security applications has grown considerably in recent times, when conducting evaluations they do not test the new technologies with which they are developed.

Complaints heard?

Well, it seems that the complaints have not fallen on deaf ears. Those primarily responsible for conducting the tests have come to the conclusion that, as time passes, threats are becoming more harmful, newer and more difficult to detect, and that security solutions are trying to protect against these new threats, it is necessary to change the way of evaluating applications and incorporate new formulas.

Thus, few antivirus companies reached an agreement to develop a new evaluation plan whose mission is to reflect the new capabilities incorporated in the solutions that are being launched on the market.

Although at first this new test will evaluate the products of the three firms, they trust that little by little the rest of the players in the antivirus market will join the initiative and joint evaluation standards will be developed.

One of the most common tests is to "infect" a PC with numerous malicious applications to see if the antivirus engine is capable of detecting all threats. In this way, the aforementioned engine contains a series of indicators, known by the pseudonym of “signatures”, which allow identifying harmful software.

This test, which was considered highly reliable at the time, is one of the most controversial tests. The reason is that, for manufacturers, their solutions incorporate other methods of identifying not only viruses, but also other threats such as malware, more effective if we consider the importance and magnitude of the threats.

In this way “this test is important, but it is no longer infallible. The reason is none other than the fact that there has been an explosion in the number of unique virus programs created by hackers that have resulted in reduced effectiveness of the virus. The result is that manufacturers have had to incorporate another type of defense to detect other types of threats, and in some cases it overlaps with detection through signatures”.

What Is Being Used?

And, as technology advances, manufacturers are employing behavior analysis detection systems that identify whether a certain application is harmful depending on the action it takes on the PC. In other words, a user can download a virus or malware onto their computer, without their knowledge, and that it is not detected by those security applications that base their operation on analysis through signatures. On the other hand, if the program in question starts to send spam, thanks to the behavior analysis detection system, the action of the virus can be neutralized.

But it is not only detected in the case of spam. The actions of threats can also be neutralized in the case, for example, that they try to exploit a buffer vulnerability, where a failure in internal memory can mean that the virus works without problems.

Manufacturers also want evaluations of other types of systems, such as host-based systems, or intrusion or prevention systems (which include firewalls and inspection techniques), as these can also stop systems attacks.

Shapes count too

Another key factor in changing evaluation modes lies in the way in which a computer can be infected. For example, years ago it was most common for a virus to collect on a PC if the user had inserted a floppy disk. Instead, today, the forms are different, and more complex. The infection can occur through an email message, or by visiting web pages that have been designed to exploit web browser vulnerabilities.

Thus, it should be noted that, continuing with the reasoning, the various modes of attack also imply that there are various defenses, which should be evaluated exhaustively. The tests that are carried out based on the analysis of the signatures take less than five minutes to analyze the system, insufficient time if what you want is to know the effectiveness of a certain solution.

And the worries do not stop here. The amount of viruses that exist in the network, or the fact that the samples that are carried out are "already old", are factors that also concern the computer security sector, which advocates an evaluation system that verifies what applications are capable of neutralizing threats, since if the analyzes are excessive they can affect the functioning of the computers, while if they are scarce, viruses can create real havoc.