Eric,
I personally don’t know what CAVS’ percentages are. My understanding is that it’s not at full strength yet, still being a Beta, although with HIPS that may be different. I will tell you, anything new triggers HIPS, as best I can tell.
And yes, I think it’s probably more about Prevention than Detection/Removal. If you stop it from getting on your machine in the first place, then you don’t need to try to get rid of it…
However, I don’t think that anything is 100% in that respect - not prevention, not detection. Just my opinion. I think the companies that claim that are either overconfident, or intentionally deceptive. There are too many variables to be able to say 100%.
If it weren’t problematic to run multiple AV programs, or multiple HIPS programs, I would do so. I think a reasonable solution is to run a respected resident AV program that does email/on-access/on-demand/scheduled scans (but I’d personally skip Norton or McAfee), combined with a respected AS program or two, and a HIPS (like Prevx1, SSM, etc.) if the AV doesn’t encompass that. Follow up with nonresident (Trend Micro’s Housecall, VirusTotal, etc.) and rootkit (Rootkit Revealer, GMER, etc.) scanning on a regular basis.
If your browser and email client won’t run scripts/ActiveX/etc., and clear all cached data when closing, this should stop a lot of the junk from the start (in other words, use something besides MS’s browser/email…). HIPS-type programs should stop undesired changes from occurring. On-access & email scanning by your AV, combined with daily/weekly scheduled scans by AV & AS, should find anything that’s been missed. Back that up with the nonresident and rootkit scanning, and you should catch pretty much all of it. A firewall that’s effective (i.e., CPF) will stop anything from getting out (and it’s soon to have a HIPS, too, in addition to the ABA it already has).
100%? I still don’t think it’s possible, but you should be pretty darn close. Many years ago I got a header-embedded email virus using Outlook Express, and could not get rid of it. I didn’t have AV installed, and when I did, the virus ate the AV before I could get it updated so it could catch and stop the virus. I ended up wiping my HD and starting over. With paranoia! I’ve learned a lot since then, and have a level of confidence in my protection. The enemy changes daily, and the protection tries to keep up; we have to be able to function, so a balance is what I look for.
LM