Monday, 15 November 2010

Microsoft vs. McAfee: How free antivirus outperformed paid | ZDNet

Microsoft vs. McAfee: How free antivirus outperformed paid

By Ed Bott | November 14, 2010, 6:00pm PST

Summary

How effective is free antivirus software? I had a chance to see a real, in-the-wild example just this month, and the results were, to put it mildly, unexpected. Microsoft’s free antivirus solution found and removed a threat that two well-known paid products missed.

Blogger Info

Ed Bott

Biography

Ed Bott

Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He's served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

How effective is free antivirus software? I had a chance to see a real, in-the-wild example just this month, and the results were, to put it mildly, unexpected. The bottom line? Microsoft’s free antivirus solution found and removed a threat that two well-known paid products missed. Here are the details.

I’ve had Microsoft Security Essentials (MSE) installed on my main working PC for most of the past year. Mostly, I use it for real-time protection. I typically disable the scheduled virus scans on my PCs and instead occasionally do a manual scan just to confirm that nothing out of the ordinary has snuck through. Last month I decided to perform a scan using the Full option. Because I have 2.5 terabytes of hard disk space, with roughly 40% of it in use, I knew the scan would take a long time. So I scheduled it to run while I was out running errands.

When I came back, here’s a snippet of what I found:

MSE had detected several files files that it considered malicious. One was a rigged PDF file (not shown here). The other was a single file in the Java cache folder on this system that contained three separate exploits. Using the information in the MSE history pane, I found the file and uploaded it to Virustotal.com, which is a free service that allows you to scan a suspicious file using 43 separate antivirus engines. The file, identified by a unique hash, had already been analyzed, so I got the results immediately:

Only 17 of 43 antivirus products detected this as a threat. The full results page showed the identification, if any, for each product on the list. Microsoft, Symantec, Avast, and F-Secure were among the engines that flagged the file. But the majority didn’t. That means one of two things. Either the file was a false positive, and I was about to delete something harmless and perhaps even necessary. Or it was real, and most AV programs were missing it.

To get to the bottom of the issue, I sent e-mail messages to contacts at three companies. I asked Microsoft to reanalyze the file and confirm that it was indeed malicious. I also asked McAfee and Sunbelt to look at the file; both of them had reported the file as clean, according to VirusTotal.

Microsoft had two analysts review the file. Here’s a portion of their response:

We have confirmed that the threat detection you received from Microsoft Security Essentials is indeed valid. There were more than 3.5 million reported CVE-2008-5353 attacks in Q3 2010, and Java vulnerability exploitations like these, while once a rare occurrence, have spiked this year. … [T]his exact file is something we have seen in the wild more than 40,000 times in the past six months.

This October 18 post by Holly Stewart on the Microsoft Malware Protection Center blog provides useful additional detail on why these types of attacks can be challenging for IDS/IPS vendors, as well as the steps customers should take to ensure that they are protected.

According to the scan results, this threat was first identified in definition 1.85.1774.0, which was released by Microsoft on July 9, 2010.

McAfee responded quickly to my e-mail as well. A spokesperson sent this reply:

Our Labs team took a look at the file you referenced and it is malicious. We are in the process of developing new heuristics to combat the effects from a stream of recent malicious JAR files more proactively, the file corresponding with the hash you mentioned is in the queue.

Sunbelt’s Malware Response Manager, Dodi Glenn, reported that this file was in the company’s repository and submitted it for detailed analysis. Here are the results:

This file contains a malicious java.class … that exploits the CVE-2008-5353 vulnerability. … We are currently testing our updated detection for this exploit and expect to release it shortly.

The good news is that my system wasn’t compromised in any way. The exploit in question was blocked by a Java update that I had installed last year. Likewise, the booby-trapped PDF file (which all of the antivirus programs detected) relied on the user having a very outdated version of Adobe Reader installed, and mine was fully up-to-date.

Last week, when I wrote about Microsoft’s decision to expand its distribution of Microsoft Security Essentials via Microsoft Update, McAfee complained that free software simply isn’t as good as its paid protection. Here’s what a spokesperson told me:

McAfee wants consumers to be safe online. Options that provide an elementary level of security are free products including Microsoft Security Essentials, however these mostly rely on traditional protection mechanisms.  McAfee products offer not only more features but most importantly, McAfee products offer real-time protection using cloud-based Global Threat Intelligence to combat even the most sophisticated threats thus ensuring complete protection and peace of mind.

In this case, at least, that protection wasn’t as complete as the free Microsoft product it was comparing itself to.

As an aside, it’s worth noting that criticizing Microsoft Security Essentials because it’s free misses an important point. MSE uses the same scanning engine and definitions as its enterprise-grade Forefront product, which is most assuredly not free.

One certainly shouldn’t draw definitive conclusions from a single anecdotal example, but as this case shows, the gap between antivirus products isn’t as simple as free versus paid, and even the best and brightest researchers can miss a threat.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

Disclosure

Ed Bott

Ed Bott is a freelance technical journalist and book author. All work that Ed does is on a contractual basis.

Since 1994, Ed has written more than 25 books about Microsoft Windows and Office. Along with various co-authors, Ed is completely responsible for the content of the books he writes. As a key part of his contractual relationship with publishers, he gives them permission to print and distribute the content he writes and to pay him a royalty based on the actual sales of those books. Ed's books are currently distributed by Que Publishing (a division of Pearson Education) and by Microsoft Press.

On occasion, Ed accepts consulting assignments. In recent years, he has worked as an expert witness in cases where his experience and knowledge of Microsoft and Microsoft Windows have been useful. In each such case, his compensation is on an hourly basis, and he is hired as a witness, not an advocate.

Ed does not own stock or have any other financial interest in Microsoft or any other software company. He owns 500 shares of stock in EMC Corporation, which was purchased before the company's acquisition of VMWare. In addition, he owns 350 shares of stock in Intel Corporation, purchased more than two years ago. All stocks are held in retirement accounts for long-term growth.

Ed does not accept gifts from companies he covers. All hardware products he writes about are purchased with his own funds or are review units covered under formal loan agreements and are returned after the review is complete.

Biography

Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He's served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

More from “Ed Bott's Microsoft Report”

Talkback Most Recent of 17 Talkback(s)

  • have a client running sav endpoint 11
    whenever one of their workstations tried to access their as400, it would fail. figured it was a virus, so i downloaded and installed mse.

    found the alureon virus and the as400 access was restored. they tried scanning, i don't know how many times with sav, to no avail.
    and i've seen this scenario more than once.

    ZDNet Gravatar
    g_keramidas@...
    11/14/2010 06:54 PM

  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    First of all McAfee is crap and so are their product besides SiteAdvisor. They have a partner ship with DELL and other companies that's why so many users are forced to use their products because it comes pre-installed but the fact is Norton Antivirus and Norton Internet security are far more better than their products. As soon as I got this laptop I removed McAfee security center from this laptop and installed Norton Internet Security 2011.
    ZDNet Gravatar
    shellcodes_coder
    11/14/2010 07:29 PM

  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    @shellcodes_coder

    Norton is just as bad as McAfee and it is even worse when it comes to bogging down your system and raising the cost of the subscription every year. Neither McAfee or Norton would be in my top 8 programs that I would use for antivirus.

    I used to use MSE in conjunction with Avast but I find MSE is all I need now.

    ZDNet Gravatar
    Mythos7
    11/15/2010 04:18 AM
  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    @Mythos7 You might want to update your data on Norton Internet Security.
    ZDNet Gravatar
    Mike (not Cox)
    11/15/2010 04:36 AM
  • We switched from McAfee to Forefront
    We switched from McAfee about a year ago because a family of viruses comprimised our network. McAfee's paid product took several days before it recieved definition updates to id the exploit. We used MSE during our transition to Forefont and it ID'ed the threat right away.

    McAfee has really fallen behind these days.

    ZDNet Gravatar
    mikefarinha
    11/14/2010 08:23 PM

  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    My friend gave me his laptop to work on and told me he thinks he had a virus because he couldn't get on the internet.

    Needless to say, that was an understatement. It took me about 5 attempts just to be able to login. He was clearly infected, getting on the internet was the least of his problems. Once I managed to find a way to get on the internet, I DLd MSE and ran a full scan 5 times, each time it found threats and cleaned them. The system is running as good as new. I was rather surprised.

    We just deployed McAfee at work last week and I'm anxious to see how well it works as it has replaced SAV.

    Paid isn't always better, and free ain't bad either.

    ZDNet Gravatar
    mike2k
    11/14/2010 08:26 PM

  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    I tried many AVs and have no problem using or recommending MSE. I think it is rather good too. To all other AV vendors, if AV is your bread and butter business then make it better than MSE. Why worrying it is a free option to user?

    I see the same way for browser war too. Many years ago, people like netscape and IE is not even near it's quality. Then netscape became so bloated and IE was getting better. Soon people started to use IE and then came the anti-trust. We now have firefox and chrome. Who will bother about IE if you do not like it and free?

    Just work on making better product otherwise you might as well compete in other solution and not in AV business.

    CJ, www.hub-av.com
    Information hub for the anti-virus.

    ZDNet Gravatar
    iamcjbon@...
    11/14/2010 11:14 PM

  • MSE is not much better than McAfee, but it's faster
    I used MSE until I encountered a virus that was not in their database. Competitors (Avast, NOD32, Avira) had it 2-3 weeks before that. McAffe of course did not know about that virus too.

    But MSE is at least rather fast. McAfee is the slowest antivirus I used.

    Currently I use Avira (free). It was not able to detect a virus once (previous day DB), but when I tried to submit it, it was already in the DB.

    I think that MSE quality will improve over time (MS products usually do this), and I hope that McAfee will go out of business.

    ZDNet Gravatar
    Xentrax
    (Edited: 11/15/2010 12:07 AM)

  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    Okay, that's it. I'm installing MSE, and AVG is likely to just remain as an email scanner / backup.

    I've been using MSE on my netbook with great success, AVG gave me an annoying false positive recently (which honestly isn't all that unusual for AVG), and the feedback about MSE I've heard from other sources is largely agreeing with the article. It's going on my main system now.

    "One certainly shouldnt draw definitive conclusions from a single anecdotal example, but as this case shows, the gap between antivirus products isnt as simple as free versus paid, and even the best and brightest researchers can miss a threat."

    While it is true it is anecdotal, it is also true that I'm having a tough time finding people who dislike it. I've met people who may still prefer another product, but nobody I've met really hates MSE. I've yet to hear any complaints about its impact on system performance, accuracy, or false positives.

    It's not exactly a scientific study, but most of what I've heard is good. I'd recommend to most people to at least give it a try.

    ZDNet Gravatar
    CobraA1
    11/15/2010 12:29 AM

  • Been using MSE since it was released to the public.
    Haven't looked back since. If Microsoft keeps this up, MSE is all anyone will need coming off of XP (I love Windows, but I would not trust XP at all with just one solution. When I ran XP, I ran at least Malwarebytes, Avast, and Comodo. XP's tacked-on security was that lackluster, that it even had me paranoid).
    No need to kill your systems with 10 billion AV/Malwere packages, which most people still think they need to do. Sadly.

    I also want to add that when I have been called upon by friends/family to take a look at their machines, I have found that malware seems like it is easily able to bypass MCaffee and Norton with ease on XP systems. I haven't seen this on Vista or 7, but if I find anything on those systems, I 99% of the time direct them to MSE. I'm still getting praise from a classmate who I helped out recently get rid of a fake AV infection.

    Microsoft is doing something right here. Like them or not, they've made a complete turn around in their efforts to secure Windows. Kudos.

    ZDNet Gravatar
    Cylon Centurion 0005
    11/15/2010 12:58 AM

  • Anything vs McAfee
    If the point of the article is to dismiss the notion that free anti-virus solutions cannot be good then I agree. MSE is a solid choice and choosing an anti-virus isn't as simple as Free vs Paid.

    Beyond that, and despite the last paragraph's disclaimer, this is too anecdotal for me. I've seen MSE miss things as well. They all do. None are perfect. One could write a similar article with a different example that makes MSE look bad and backs the opposite conclusion.

    Anti-virus products are extremely difficult to evaluate, other than their effect on performance (and a "do nothing" product would score perfectly there so it's obviously not enough of a test). This is even more true when nobody really cares which viruses get blocked except the ones that end up on their system. (i.e. An excellent a/v product might block every single virus except one; it's still going to be terrible if you're unlucky and get that one on your system. You can't account for that in a review.)

    So it's a difficult job, and I know it's not your job to do it and not the point of this article, but there seems to be very little proper evaluation of a/v products. With MSE in particular, most reviews I read just seemed pleased that it didn't ruin their systems and caught the odd sample they threw at it. I guess the problem is people reviewed it compared to other free offerings, with low expectations, but what I really want to know is how it compares to, say, NOD32. (I don't mind paying for the best, but I also don't mind using something free if happens to be the best.)

    On the other hand, Anything vs McAfee does seem like a simple choice, from what I've read. Well, for values of Anything excluding syphilis. happy

    ZDNet Gravatar
    LeoD
    11/15/2010 03:33 AM

  • McAfee ... the armpit of AV Vendors
    I can't think of a single AV vendor I despise more than McAfee. Even their own QC checks are failing them... wasn't it just this year that they released a definition update that was erasing svchost.exe (a critical Windows system DLL)?! They really need to get their act together or just go away completely.

    I've been using MSE on all of my systems since its release, and OneCare prior to that. I've never had an issue with their protection but then again I'm not visiting sites I ought not visit. I know that on XP systems, it's still very possible to get the fake AV software installed because people are duped into it, but that's due more to XP vulnerabilities than to MSE or any other AV package.

    I agree with the comments here... ANYTHING other than McAfee is a good choice, and MSE is a great option.

    ZDNet Gravatar
    GoodThings2Life
    11/15/2010 04:15 AM

  • That's any system though
    @GoodThings2Life

    While on XP it is easier, and user can be duped into installing that crap on Vista or 7 as well. However, having MSE on those systems helps greatly.

    ZDNet Gravatar
    Cylon Centurion 0005
    11/15/2010 04:20 AM
  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid
    it's virtually impossible for any malware engine to detect everything, as frequent independent tests show. the best you'll see is around the 90% mark, and even then a particular engine will only stay this high for a month or so before dropping down.. a test on a single infected file isn't a great test, but it does highlight the issue that all anti malware and endpoint security vendors face.

    having said that though, i can't help but feel that the big names in endpoint security, symantec, mcafee, etc, have not done themselves any favours by building ineffective bloatware.. that just fosters an environment where it's ripe for someone to come in an introduce a better, smater, and leaner product.

    ZDNet Gravatar
    jrbrewin
    11/15/2010 04:41 AM

  • Why MS?
    You note that Avast picked up this file as well. Avast is just as free as MSE, yet you recommend the MS product. Why not be a little more evenhanded?
    ZDNet Gravatar
    Evil(er) Overlord
    11/15/2010 04:45 AM

Talkback - Tell Us What You Think

Posted via email from projectbrainsaver