Do you agree with this statement?

“Malware detection rate is still one of the most important and reliable factors in determining the effectiveness of an anti-virus engine which works without asking for user interaction, decision or opinion”

If not, please explain your reasoning after voting. Thanks.

Protection from malware is the most important and reliable factor. But protection must work without asking for user interaction, decision or opinion.

That statement is so wrong. Simply said, the most important thing about an AV-engine-only setup is NOT the detection rate, as it can never be 100%; therefore you will always get infected if given enough time. The most important thing about an antivirus-only setup is the cleaning power. Since it is not a prevention method it is likely to fail, so it needs to be good at cleaning up after itself!!

I replied to this question where I first read it.

At OmeletGuy,
you should read more carefully before saying a statement is so wrong :wink:
“…is still one of the most important and reliable factors”.

Btw, it's not sure to get infected while using an antivirus only. Some people can hurt themselves with a pillow or a page of the newspaper, others can use a hammer and are still not in danger of hurting themselves.

I did read it, and I stick by what I said: an AV's detection strength never being able to reach 100% means it had better be good at cleaning; that to me is the most important part of an AV-only solution. And to put a hole in your expression… People can catch a cold without having wanted to catch it… And they can be hurt by factors they can't control… Much like a worm, you won't know that it's there or that it installed if there isn't any detection for it. So the AV, after having been made aware of the malware (after it infected the user's PC), will need to be good at cleaning… Sure, it can't know the malware was there without detection… But it will only know the malware after it's been installed on users' machines…

Let's give an example for what I am saying.

Detection is not “one of the most important and reliable factors in determining the effectiveness of an anti-virus engine” simply because of what Detection means.

An anti-virus with detection only isn't any good; after all, would you like your AV to tell you “We have detected active malware, we are sorry you got infected, now clean it yourself”? It's likely to say that most average users would have no idea how to deal with removing active malware. This being the case of an AV having missed a sample and then detected it after a user's machine being infected. What good is detection only, should an anti-virus engine miss a sample and get killed by it… What good is detection if it happens after your system has been killed to the point of you having lost all your files, and needing to re-install the operating system? Tell the user to fix it, uh? Oh, the user's reaction to that I would love to see.

Now for dead malware, malware detection alone is rather fine… The AV would tell you after a DB update that it just detected malware in folder “A”. The user can send all the malware to the recycle bin, not quarantine, but that is… should the user be able to get to the folder “A” where the malware is located; for example, it could be in a hidden folder.

Now for malware you just downloaded, most users being shown a malware alert will likely hit clean. Now with detection only, you're given no such option. So a user would go to the download folder, should he/she be lucky enough to not have downloaded a worm; then it's already too late and the user will be getting no alerts, or a ton of alerts, depending all on if the AV has detection for it. Your only chance at good luck in this scenario is if you downloaded malware that needs user interaction to start. And then even some will start it.

Self-protection and cleaning are what allow an AV to protect a user. So no, detection alone is not the most important or reliable factor in determining the performance of an anti-virus engine.

Btw no hard feelings clockwork. :slight_smile:

Agree, not everyone cares about internet security and they don't want to be blasted with a popup asking what you want to do. They just want to use the computer for whatever reason and that's it. Though in this day and age it's not the safest option, but that's my opinion.

At OmeletGuy
No, I am fine. Discussion on a thematic level is nothing to avoid.

I still think you misunderstand the core. The sentence doesn't say deletion ability isn't important. And this sentence doesn't deal with other scenarios than the antivirus engine scenario at that point.
It says, among other things, the detection rate is very important for “autonomous” antivirus engines to be effective.

Now it's on me to give an example of an antivirus engine scenario: The user doesn't want to be infected. The user cannot reproduce the lost files (black day) anyway, cannot bring back the sent data. So it's obvious that the detection rate is one of the most important and reliable factors to evaluate the effectiveness of an antivirus engine for the user.

The sentence says there are at least two (or more points) which are important for an antivirus engine. And detection is one. The user has a vital interest to know about relative detection ability.

The sentence is very specific.

  1. antivirus engine
  2. determining effectiveness
  3. in a “user-interaction-free scenario”

The effectiveness is only based on the ability of the program itself, as the user isn't participating in the scenario of this sentence.

Hm, maybe it's easier with this question (it's still the antivirus engine scenario): Would you install an antivirus with 10% detection rate, but 99% delete ability?
If you would not use that program as your protection(!) tool, you basically agree to the sentence that it's one(!) of the most important points to know about the detection, aka test it :wink:

I have used CIS (inc. AV) for quite some time now (since 2005) so I’m not familiar with other AV products out there. Do other AVs now quarantine infected files without user interaction? (i.e. silently).

I think most people would say detection is more important but personally, protection is more important to me. Only once (that I know of) have I been infected with malware and that was because I lowered (well, disabled) the product's protection :-[.


The statement is wrong because detection is only one of several methods used by AVs to identify malware.

A perfect anti-malware suite would provide 100% protection against malware with insignificant system impact, no false positives, and no user input. In theory, this could be achieved entirely by behaviour analysis (e.g. programs like WinPatrol or Threatfire). In practice, all current methods to identify malware have limitations (such as ineffective against zero-day threats, too resource intensive, too slow, or not fully automatic) which is why most good anti-malware solutions use several methods in combination.

Detection rate is probably the only currently-used malware identification method that can be measured with repeatable results for very large-scale tests within a realistic period of time which is the main reason it continues to be used for comparing AVs.

I agree, but “prevention” could also easily be measured. You can execute the malware (as many as you like) and see if the infection has occurred or not.

Where in the statement did it say it would be the only one? It says, one of the most important…
What should be wrong here?

Btw, how is an antivirus able to identify malware apart from using detection?

I would say, a statement would be wrong that would EXCLUDE detection from this testing.
But this given statement INCLUDES detection, and just doesn't name all the other factors by name in this sentence; it's not a book.

Of course prevention can be measured, but it is a much slower process to execute a program and monitor its behavior rather than scan it to look for known malware signatures. This is why most large-scale tests use the scanning method. AV-Comparatives tests about 20 AVs against roughly a million threats and it takes them 3 months to publish results. I reckon it would take more like 3 years if they were testing prevention by executing each malware program for each AV.

The statement is wrong because it is possible to provide good protection without having a good detection rate, therefore detection rate cannot be one of the most important factors. CIS is an example of a security suite that provides well above average protection, but usually gets mediocre results in tests that only compare detection rate.

You make no distinction between detection and protection. My interpretation of detection is identification of known malware. AVs can protect against known malware by detecting it (usually by signature or blacklist), and also protect against previously unknown malware by behavior analysis, which is not detection. If you disagree with my interpretation of detection then obviously you will never agree with my statements about it.

The point is, it WASN'T meant about all; it's specifically meant about: antivirus engines which have to act on their own.
The statement can't be wrong when it's about (those) antivirus engines. Because for antivirus engines, detection is one of the most important points which can show the effectiveness.

No, it's not about that I don't make a distinction between detection and protection. I just don't see this statement being WRONG when it's characterizing a detection tool :wink: . You can have an interpretation like you want. But saying something is wrong, that should be rightly thought through.
Malware behaviour analysis is also detection. Because it detects malware. One of the other most important points, which wasn't mentioned in this sentence by name.

The statement is about testing antivirus effectiveness. Not about “full protection”.

Protection and fewer FPs are a factor for security these days.

Really, in this discussion we forgot about FPs. They worsen protection.