March 2, 2011

The anti-virus industry has long drawn its biggest share of profits from loyal customers, extracting full price for the software from existing customers seeking license renewals while steeply discounting their products for new users. But a new comparison shopping site makes it simple for renewing customers to take advantage of these introductory deals, or to switch to a competing product for a hefty price reduction.

Launched a month ago, renewalbuddy.com is intended to streamline the process of searching for deals to renew your existing anti-virus product without paying the full renewal price. For example, I have Norton Internet Security installed on one of my Windows 7 machines; I selected that product from the pull-down menu, told it I wanted a 3-user license, and instantly saw an offer for NIS 2011 for $29.99. Had I simply waited until the product was about to expire and followed the prompt from the currently-installed software to renew my license, that renewal would have cost me $62.99, according to Symantec’s site.

True, you can find these deals on your own just by spending a few minutes searching the Web (the $29.99 link offered by this service brought me to an offer on Amazon.com). But my sense is that very few people who pay for anti-virus software ever do this.

“People assume that a renewal license key is somehow different from a new license key, and that’s why most people click on the expiration pop-up and go through the process and end up paying full price for renewals,” said Graham O’Reilly, renewalbuddy.com’s chief executive and a former sales director of the U.K. division of anti-virus maker AVG Technologies. “What people don’t understand is that a license key is a license key, and that they can just pop it in to the program without having to reinstall it, and it will extend a license in the same way.”

The site tries hard to get you to “switch” to another anti-virus maker, and these referral commissions are where renewalbuddy.com expects to earn the bulk of its revenue. When I first began playing with the site, the page that featured the various Norton offerings had no fewer than seven green and red buttons promoting the “switch offer,” which initially was Panda Internet Security 2011. When I revisited the site a few hours later and re-ran the Norton search, the switch offer was Kaspersky Internet Security.

I don’t want this column to sound like I’m urging everyone to go out and buy anti-virus software. Anyone who has followed my work long enough will know that I’ve been somewhat critical of the anti-virus industry, which increasingly seems to be falling farther behind in combating exploits, and in detecting the latest threats within the crucial first 48 hours of a new malware specimen’s lifespan.

Many Windows users will no doubt be perfectly happy using a free anti-virus offering. I have a ridiculous number of computers in my office and around the house, and have free anti-virus on three of the six Windows-based systems. One is running Avast Free Antivirus, another Comodo Internet Security, and the other one has Microsoft Security Essentials. Out of those three, I vastly prefer Avast, which seems the speediest and least resource-intensive.

Readers often ask about the difference between free and paid anti-virus. The differences depend on the products you’re comparing, but by and large the freebies have fewer bells and whistles, and usually don’t offer customer support. Also, recent comparisons by anti-virus testing lab AV-Test.org showed that paid anti-virus products tend to perform slightly better in detecting malicious software.


82 thoughts on “Renewal Buddy: Comparison Shopping for Anti-Virus Software”

  1. brucerealtor

    Brian

    Thank you again for recommending Avast 5 a number of months ago and since installing the free edition, I re upped for the paid edition which includes an excellent firewall and sandbox as well.

    I did notice from anti-virus comparatives

    [http://www.av-comparatives.org/images/stories/test/ondret/avc_retro_nov2010.pdf]

    that G Data got a much higher score than Avast 5, where 15 different products were tested, but nevertheless I also like Avast 5.

    1. milos

      G Data had better score in AV Comparatives because they use 2 scanning engines… one from avast! itself and one from BitDefender.

      1. JCitizen

        One of my clients took a test spin on GDATA, because it was so reasonably priced, and also because of the good scores at AV-Comparatives, as you say.

        She had some operation issues with it, and eventually had to uninstall it. Day to day operations were too unpredictable to remain using it.

        I was hoping they would come up with a Vista/Win7 x64 version; but let’s face it, signature detection is obsolete now. However, the IDS on GDATA seemed to have a pretty good behavioral heuristic engine, which could give a heads up on malware that don’t have a definition. We weren’t able to stomach the performance issues though, so I can’t attest to that success.

        I personally think Comodo’s Defense+ was better at that mission anyway. None of my clients uses the anti-virus, just the firewall with Defense plus.

  2. Bill

    Norton Internet Security has a clever variation on this effort to persuade users to renew at full price. They send me the next year’s version via an email link. I download and install the new version (super easy install), which is free until my current subscription runs out. Presumably you will have become accustomed to the new version, and it’s effortless to renew automatically. I just look for a free after rebate, usually with free shipping, copy of the new version, which usually appears around the turn of the year, buy it, collect my rebate, and as Brian points out, just use its license key when it’s time to renew. I haven’t bought a new AV/firewall suite in about five years. This said, I think Brian is right, most people are too busy or lazy to look for a free or cheap copy. But I’m happy to save $70 a year for not much work.

  3. Bill

    PS to my comment above: Renewal Buddy appears only to bring up “deals” from outfits that pay them a commission. I checked for NIS 2011 at two stores that I regularly use, and which often offer good deals. Newegg had the 3 user NIS 2011 for $20 with free shipping. Fry’s Electronics had the same item for $10 after rebate, plus shipping. So I guess I have to say that Renewal Buddy is of limited value, only if you don’t want to search more extensively for a better deal than they offer. They also insist on your email address, so I wonder how much additional spam I’ll be receiving from Renewal Buddy or the companies they sell my email to.

  4. Graham O'Reilly

    Hi, This is Graham O’Reilly the CEO of RenewalBuddy. Just to respond to your points Bill. Whilst you’re correct that having only just launched we don’t yet cover every retailer (we are adding more every day) we don’t make any selections based on affiliate commissions. In fact we only receive affiliate commissions on a small number of the overall retailers currently.

    Regarding your email address we are making changes to be clearer about this, but we won’t share your details with anyone and will only email you information relevant to your original search.

  5. JohnP

    Larger USA ISPs provide free downloads of commercial antivirus software. I know that AT&T and Comcast http://security.comcast.net/ do.

    The AT&T link requires a login and jumps around too much to provide.

    Verizon, Cox and TimeWarner may also provide free commercial AV licenses.

  6. Jim J.

    I have a huge dislike for Norton Security in any flavor.

    Norton is difficult to completely uninstall compared to many other programs.

    False-positives too often.

    Begins to nag for renewal too far in advance of end-of-life.

    When finally uninstalled, leaves a huge amount of post-uninstall space debris as empty folders and registry entries.

    Caused my computer to run slow.

    1. Reid

      Norton has had a global removal tool available for download for a decade or more. It does a decent job of cleaning up after the main uninstaller but still leaves a few files and folders behind.

      By design, a good AV program should be difficult to disable or uninstall for what should be obvious reasons.

    2. JCitizen

      I was with you Jim until NIS2008. I got it with a machine, and kept it for a while as I was busy setting up all the capability I had with that particular unit. I noticed the performance was better so I upgraded to NIS 2009, and then 10 just before it expired. The features and improvement in performance were good enough for me to start recommending it, especially to folks that are PC, security challenged. The login vault, and site adviser were two of those that come to mind.

      I personally didn’t like the way it constantly scanned sections of the PC for its heuristic tactic, as I felt it would put too much wear and tear on the main hard drive. I didn’t get a sense that any file behavior IDS capability was showing, so I really think it is still somewhat obsolete for now. Although the password vault was a good feature, I feel standalone programs are still better.

  7. Scott

    AT&T Offers a free McAfee download for free if you have the 3.0 Mb/s or 6.0 Mb/s download speed. If you have .768 or 1.5 you have to pay $5 a month. I work for 2wire in a call center and we support AT&T DSL, Soon to be moving to UVERSE though.

  8. Paul

    I swore off Norton AV long ago but have returned as the newer versions are vastly improved. Fry’s almost always has an offer for a 3 seat version of NIS – and sometimes other Symantec products for free after rebate(s). That said, I also find MS Security Essentials which is a free download, to work well.

  9. Jim Evans

    Anti-Virus software pricing is like Internet / TV / Phone pricing, low price when you first sign up, then price starts creeping up.

  10. Alan

    I share your skepticism about the effectiveness of anti-virus.

    Initially, now some years ago, I gave up on paid anti-virus when I realized that many popular packages required admin rights to properly. As all the evidence at the time showed running as standard user was vastly more effective at stopping infections the decision was obvious.

    Now, it is just not very clear that paying for anti-virus buys any significant protection e.g. see
    http://blogs.cisco.com/security/the_effectiveness_of_antivirus_on_new_malware_samples/

    There are a lot of security measures that are more important. If you do everything else you should be doing it is hard to believe a paid anti-virus would provide any significant advantage over using a free one. In either case the other measures will probably be enough to block the infection. Keeping up with patches and running as standard user (i.e. not “admin” or “admin approval mode”) except on the rare occasions when elevation of privilege is necessary are both critical. Making the most of memory protection technologies is also important. On Windows 7 you can force apps to run with ASLR+DEP with EMET2.

    1. kurt wismer

      the only reason running as a standard user is so effective is because most malware was written assuming the user runs as administrator.

      as soon as most users no longer run as administrator the malware authors will change the way they write malware.

      1. Alan

        I agree. We’re well past the days where running as standard user is enough but what I described was the importance of a layered approach involving limited user privileges, patching, memory protection, plus firewall and malware scanners. And one could add a few other items to the list.

    2. JCitizen

      I agree also with your skepticism. But – although signature based AV/AM are obsolete, at least staying with housekeeping is a good idea.

      Without AdAware Free, and CCleaner, I would never reach 1/3 of the sites with my browser. Download speeds have never been greater for me since I went back to Lavasoft. The free virus scanner makes a good backup AV to whatever anti-virus you are using. For me as many others here are saying, Avast still rules!

  11. Clive Robinson

    I’m not going to take the usual slug at MicroSoft for the proliferation of AV software, as many other OS suppliers don’t take the effort to do it right either.

    However the AV companies I will take a slug at for various reasons.

    Firstly as you note there is the difference in price, but in Europe a number of AV companies have gone to places where VAT is (or was) higher than other places adding to the financial burden.

    Then there is the “removal tax” most AV software does not fully de-install and put things in the OS back the way they should be. This has caused in the past significant problems in trying to swap, necessitating expensive phone calls to support lines more interested in making “phone tariff” than helping the user.

    Then there is the “download tax” those on broadband probably don’t notice but those on “dialup”/“mobile broadband” do. It has taken well over twenty minutes to download the update files on startup effectively rendering the computer useless in the meantime.

    There are quite a few other “AV taxes” to consider not just the initial and subsequent price.

    For instance who pays for the ridiculous amount of bandwidth required for AV updates?

    At the end of the day it’s the ordinary user.

    AV software companies are “free riders” with business models that are quite frankly usury, and thus they have no incentive to change the way they do things.

    I’m not sure what the current comparison shows vis a vis the likes of spam and AV files but they should definitely be considered a very significant class of malware in their own right.

    (there got a little of it off my chest 😉

  12. me

    Brian,
    You are a voice in the community, as such you may wish to clarify your use of the free AV. You mentioned your home and office. For my smb clients that are strapped for cash I only use MSE, and only up to 10 licenses as well as free Prevx business edition, which is detection only, these installations are behind a free UTM gateway. Since I last looked into them, the rest of the free AV are licensed for home use only.

    1. JCitizen

      In reply to the poster marked as “me”;

      I am pleasantly surprised at your post, as you and I think almost exactly alike. My only deviation from your path, would be the Z100G UTM by Checkpoint/Sofaware with V-stream anti-virus with an annual reasonable fee for around $79 or so, last I checked. This is affordable to most of my clients, some of whom are very small businesses indeed. Cost Central has the same 5 node license for $36.53(1 yr.); but I can’t vouch for them as I have not had experience with that source.

      With this, some of mine, and your blended defense; they have not had a problem one. I am not a partner and do not sell any product for anyone, just for clarification.

    1. JCitizen

      With the super popularity of smart phones ready to eclipse the PC market in number; it should not be surprising that malware writers have gone where the money is.

      Although I always take AV companies information with a grain of salt, I can personally attest that my clients have had many of their iPhones, Blackberry, and Androids infected, and hosed bad enough to lose their phone lists and email. Just imagine what happens to the PC, or server, they bluetooth with.

      The cases, I am talking about were verified by the manufacturer as malware incidents.

  13. Doug

    Paying for anti virus software is silly. I don’t care what anti virus software you have, “viruses” still get by. It’s ridiculous that the same Fake AV software I’ve seen for the past 6 months, the latest and fully updated versions of McAfee, Norton, TrendMicro, etc, they all let the same stuff get onto people’s computers. The only benefit of paying for AV software is that the new versions like Norton, let you have a remote support option to have one of Norton’s lackeys try and clean your PC. But if you are infected with a virus, well you probably can’t get online anyway, at least not to the sites you want to go to.

    Now I know the end users still are the ones who click on whatever link or advertisement, and that gives the virus executable “permission” to install itself, but you’d think the legitimate anti virus software would be smart enough to halt the process from running a known bad file, even if the user says yes I want to do this.

    AV software is like wearing a bulletproof vest in a minefield…..it doesn’t help at all if you don’t watch where you are going. You need the full body armor and armored vehicle, which is constant vigilance and education.

  14. kurt wismer

    @brian
    “seems to be falling farther behind in combating exploits”

    sandboxing is a pretty good generic defense against exploits. by sandboxing i mean the functionality by which user applications (especially internet-facing ones) are run in the sandbox, not the sandboxing used for generic detection.

    there are a few av suites that include that kind of sandboxing in one form or another. KIS was one, and if i’m not mistaken the newest version of avast is another.

  15. Tom Cross

    WTF Brian? Are you doing paid reviews now?

    This site is nothing more than a remake of every IM effort put forth in the (very crowded) malware/virus/slow computer/registry booster marketplace. Proof – the home page IS his squeeze page – you have to give up your email (to his list) to use the service.

    So you can save a few $$ on your next AV purchase. This still leaves the erroneous belief in the customer that AV works by trying to answer the question “Which is best?”

    So, kudos to the site owner for finding a new way to hook the malware niche and dupe you into providing him with major link juice.

    How ’bout a review of my site that explains to users why NO anti-virus is sufficient to protect the computer and teaches the same lessons I teach my actual, retail, over-the-counter, flesh-n-blood, customers!

    1. Helly

      I guess I am not following your logic here, when you say “NO anti-virus is sufficient” do you mean people shouldn’t use anti-virus at all? I am currently looking at a sampling of a few thousand internet users. I routinely see infections identified and removed by our AV product. Sure some might slip through, but that is why we have layered security.

      Anti-virus might be declining in effectiveness, as Brian often points out, but if the end user can be encouraged to implement better layered security that is a great thing. When I worked directly with end users the single greatest reason they didn’t purchase AV was because of the cost. If this site helps remove that barrier…what’s the harm?

    2. BrianKrebs Post author

      Really, Tom? You think I got paid to do this? Interesting. Did you wait a whole second before typing out your comment, or did you just fire it off the hip?

      I thought this service was interesting because I wasn’t aware of anything like it. And for better or worse, lots of people pay through the teeth for AV, when there’s no reason they should.

      Sure, there are plenty of things to pick on in this service. But you know what? You don’t have to give them a real email address. You can make up an email address. You can use 10-min email. It doesn’t matter.

      The rest of your comment seems to echo the second half of my post, except that you seem to be saying AV sucks so people should just not use it. That’s an extreme position that I simply don’t share.

      1. Yar

        @BK,

        How uncharacteristically snarky of you. Don’t get me wrong, though, Tom deserved it, and I agree with you.

        At any rate, the article is a good one, and publishing anything which might save your readers a few bucks a year is doing us a service. Thanks for the article.

        @Tom,

        I can assure you that accusing Brian of a lack of integrity will not only offend him, but his readers. You must be a first-time reader to so seriously underestimate Brian’s commitment to his readers.

      2. Tom Cross

        Did I say to NOT use an AV? No. My objections to this post are:

        1. It’s another IM marketer that has duped you into endorsing the site. What does the price matter when my last three customers today have brought me computers completely hosed and wondering if they could get their money back from the AV vendor. Price is NOT the issue for me nor my customers. It’s just another spin on IM marketing – you can’t even get to the price comparison without paying with your email – and you’ve been duped.

        2. Marketers of AVs leave the user believing they can protect the computer from “….inserting hype here…” Whether it’s marketed as the “best”, the “cheapest” or any other tagline, users should be informed of the limitations of the product.

        I’ve been screaming for years about the ineffectiveness of AV. Just visit my store on ANY day and I’ll show you ample evidence of the ineffectiveness of EVERY AV on the market.

        Of course we need an AV, but users should be told that their purchase will protect the computer from only the viruses that are KNOWN and is not a complete security solution. Then they may be interested in the price/effectiveness metric.

        Brian, I have tried many times to get you or anyone else in the security industry to open up to the fact that in the retail computer repair business, we see viruses that are NOT detected by the AV software. Yet I can’t get the time o’ day from anyone that might want a sample of the virus for research and inclusion in the updates.

        1. Jason

          I’m sorry but your argument that antivirus products aren’t 100% effective is hardly new here or elsewhere in the security community. It’s good to declare this from time to time, but it’s hardly new information to anybody and the way you went about it (and are still going about it) is rude, over-the-top and frankly, rather silly. Brian wasn’t duped into anything (you must be new to his blog or you’d know better).

          Price comparisons might not mean anything to your customers with their bottomless wallets but it does matter to some of us. You certainly need more than that and if you read some of Brian’s past posts, you’ll see that he does a lot of investigative work into what the scam artists do.

          The viruses that you talk about that aren’t detected are zero-day viruses or vulnerabilities. Brian has mentioned them many times. I honestly don’t understand why you have to be rude to people to make your point. Let’s argue the issues not resort to name-calling.

          1. Tom Cross

            This is not about calling Brian out. I’ve followed his posts for a long time and recommend his blog to every one of my customers.

            Brian, I reread your post and stand by my original comment. But where do you (or your readers) get off extrapolating my comments to mean something I didn’t write? Specifically, “…you seem to be saying AV sucks so people should just not use it”

            That is a gross supposition. My message is simple: Tell people the truth about AV and (if they have to use Windows) then help them improve their security through training/coaching.

        2. JBV

          Looks to me like Tom Cross is just trying to steer traffic to his website, where he initially offers to run security checks on your computer “before you start.”

          Nothing like clicking on a link in a previously unknown website and offering it access to your computer. That runs counter to everything Brian has taught us!

          Hmm! Think I’ll pass on that one – and hope I didn’t pick up anything while driving by.

        3. Helly

          You mentioned: “Yet I can’t get the time o’ day from anyone that might want a sample of the virus for research and inclusion in the updates.” VirusTotal facilitates this exact cause, those are the people willing to listen and to take your submissions and research them.

          You also seem to be quoting me here (I think): “…you seem to be saying AV sucks so people should just not use it”. I posed that as a question because I didn’t really understand your position. Your primary argument seems to be, AV sucks so no one should write about anything that facilitates its distribution or use, prior to discussing how bad it is. I too worked in a retail setting dealing with hundreds of customers a week with infection. From my experience 90% of the people infected, had no AV or long expired AV. It was extremely rare to have a customer come in with an up to date and registered product.

          If I spent the whole time telling the customer how ineffective AV is and how it will only protect them from known threats, simply put most will not buy it and take their chances. In some cases protecting the consumer, is empowering them to do it themselves. The site documented does that very well.

          I apologize for any comment extrapolation I undertook in my response to you, but your argument continues to not make sense to me.

    3. Jason

      Tinhatter, Tom? Why do so many people naively assume that a mention of a service must be a paid review? He’s just mentioning something that could save some of us a few bucks. I see no evidence that he’s getting paid for mentioning the service, and you know what? Even if he was, I’d still check it out, because I trust Brian Krebs based on his other articles. I’ve been a subscriber for probably six months or more and this is the *first* time I’ve ever seen him mention a link.

      If you don’t want to sign-up for the service because you think they really just want to sell your email to spammers, then don’t. Use a service like sneakemail.com which hides your real email address. But I can tell you after many years of using sneakemail.com for everything that I sign up for, that nobody gives a crap about selling our email addresses to spammers. Spammers don’t typically get them that way, if you knew anything about the spamming interest. The number one way spammers get your email address is because you’ve posted it somewhere online, perhaps even on your website.

      1. Jason

        Oops. I meant to say this was the first time I’ve seen him give a link to any product.

        1. JCitizen

          Very true Jason;

          Windows Secrets is one of the most venerated sources of information on the subject; and they make recommendations all the time. I trust them, because they’ve been around so long, and have reputable writers, some of whom were MVPs at one time, and I refuse to quibble about it.

    4. Clive Robinson

      Tom,

      No AV software and I do very seriously mean NO AV software can stop all forms of malware. Any one who claims or even implies otherwise is at best deluded.

      The bulk of AV software is “reactive” that is it responds to something that is known not something that is unknown that might present a threat.

      I could trot out the whys and wherefores and even some of the mathematics proofs and axioms to show why (and also show where some of the supposed axioms are actually assumptions of dubious pedigree).

      But why bother when that is not the issue at hand.

      I said earlier I was not going to take a swipe at MS because they are not the only OS designers to get it very wrong in the very basic very core design of their products.

      However the reason MS get the lion’s share of the (AV company) touted 90,000 new malware types daily has little to do with the difference in fundamental OS design.

      Other OS don’t have the market share of users therefore the effective Return on a Malware writer’s time is repaid more handsomely on going for the most numerously available platform not the easiest to attack platform.

      As you note user education can help BUT the configuration of an OS that large is actually so complex and at so many levels that nobody has actually written a foolproof book on the whole subject, and to be quite honest I don’t think it could be done and remain current before it went to press let alone hit the bookstore shelves.

      The way to deal with malware is to reduce the attack surface and the trust surface.

      Few OS designers do either and I’m not sure most application code cutters even know how to.

      However malware is noticeably moving up the stack away from the OS and even beyond the app (think social engineering) and downwards below the OS through the likes of device driver and hardware.

      This is very very important to note because of the proliferation of smart mobile devices that don’t and can’t support the depth of AV software needed.

      The next ten years are going to show a very very major change in things like AuthN/Z and the movement of hardware and drivers into untrusted user space.

      As has been repeatedly shown models like “code signing” are a complete trust failure and easily circumvented.

      So the point remains AV is a reactive not proactive technology and will remain so whilst the industry can and will move away from it as it has no choice.

      1. Jason

        “Other OS don’t have the market share of users therefore the effective Return on a Malware writer’s time is repaid more handsomely on going for the most numerously available platform not the easiest to attack platform.”

        I keep hearing that argument thrown up but I’m not sure it’s really true. Other OSes were built with security and networking in mind from the ground up, like Linux and to some extent, from what I’ve read, OS X. Linux really discourages you from running with administrative privileges, unlike Windows. With Windows, you can certainly setup a non-administrative account to use, but applications can still bypass those controls because of the window messaging system. I think that’s the main reason that there isn’t much malware for Linux.

        1. kurt wismer

          the first academic treatment of computer viruses included an experiment that had a virus successfully spread from normal user accounts in a professionally administrated unix environment.

          this was *before* the first PC virus.

          malware can be written for other OSes, and it works on other OSes. the only reason we aren’t seeing a lot of it is because the people who make malware are choosing not to make malware for those OSes (most of the time). it’s a matter of choice, not technology.

  16. Reid

    Thanks for the link to Renewal Buddy. I’ll give it a try when my AV subscription expires.

    For the past few years I’ve been able to find discounts for NIS with a 3 seat license in the $25 to $30 range.

    AV and a firewall isn’t enough in this day and age. I also run weekly scans with other apps such as Malwarebytes. Additionally, I am currently using Norton DNS which is a free service. I think using a DNS that filters out known malicious websites is a must.

  17. Mark Higdon

    “I also run weekly scans with other apps such as Malwarebytes.” Me too, Reid. SUPERAntiSpyware is another good (and free) weekly scan. For maximum benefit and effectiveness, be sure to run their updates right before scanning.

  18. Brian Fiori (AKA The Dean)

    Thanks, Brian. I will check this out for my clients looking to renew, or switch, their commercial AV.

    I also really like Avast free version, and use it on most Windows 7 computers. But for older XP machines with limited RAM, I prefer Avira’s free product. You may want to check it out on the machine currently using Comodo.

    1. JCitizen

      Just for information’s sake; many of my clients had their legacy PCs pwned by .bat injection attacks using Avira. It recognized the delivery zip package, but reacted too late to stop having the PC completely taken over.

      This was on a drive by, from a flash advertisement, while doing administrative tasks. Avast has never let them down. However, none of them are now using anything slower than 1Ghz, and 1Gb of RAM. For anyone attempting to use such old equipment, I now heavily suggest a Linux alternative.

  19. brucerealtor

    Reid – Brian

    How is Norton DNS different from Malwarebytes, since I don’t want to install DNS to block the Malware sites that Malwarebytes already warns me about.

  20. BrianKrebs Post author

    Tom, you wrote:

    “That is a gross supposition. My message is simple: Tell people the truth about AV and (if they have to use Windows) then help them improve their security through training/coaching.”

    I have blogged many times about how AV is not up to snuff, and that it is far from a panacea for today’s malware. So what else does “tell the people the truth about antivirus” really mean? I’m not baiting you: I’m sincerely asking.

    Take a look at these recent stories before you answer:

    http://krebsonsecurity.com/2010/08/anti-virus-products-struggle-against-exploits/

    http://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

    http://krebsonsecurity.com/2010/08/anti-virus-products-mostly-ignore-windows-security-features/

  21. Nick P

    I’m surprised nobody mentioned Host Intrusion Prevention Systems. Unlike NIPS’s, HIPS’s are often easy to use, efficient, and good at preventing many malware.

    I remember DefenseWall being tested independently by a variety of attacks and blocking many. Blue Ridge makes another that’s easy to use and consumes extremely little resources called AppGuard that blocks many forms of malware. Others to look into are DriveSentry, CIS, GESWALL, and Comodo w/ Defense+. However, DefenseWall and AppGuard seem to be the best. Many users of these systems report going for ridiculous periods of time without getting a virus.

    If anyone is wondering, my HIPS is a combination of obscurity (Linux), default firewall, well-configured router, memory protection, regular updates, and AppArmor. This isn’t a truly locked down system by any definition but excels at its goal: letting me surf the web w/out worrying about most malware.

    Nick P, of Schneier blog

    1. me

      I’ve always been curious about the folks at Softsphere. I haven’t tested their product because I have to wonder about a security outfit whose host ip was/ or still is, on the ET RBN and, whose host ip is also shared with such winners as ladyboy dot ru.
      It would seem, to me, that a serious security company would, at the very least, host on their own or a dedicated server. I have seen them on the AV-Comparatives, etc, but, still…..
      http://www.robtex.com/ip/89.111.176.125.html

      1. Ilya Rabinovich

        Hi!

        “I’ve always been curious about the folks at Softsphere”.
        “to me, that a serious security company”.
        Yes, I’m not a “serious security company” in your terms of mind. There are just me and community of people around the world who are supporting the project. If you need a “serious security company” product, install any well-established anti-virus software. But… oops, its protection level is much lower than DefenseWall can offer. That’s the core difference between software made by an idea-driven hacker and regular money-driven office coder.

        1. TJ

          Ilya – I’ve been using your DefenseWall for years without incident. I trust DefenseWall a thousand times more than I trust any traditional AV specifically because of what Brian stated in the article about how the AV industry is “…falling farther behind in combating exploits, and in detecting the latest threats within the crucial first 48 hours of a new malware specimen’s lifespan.”

          The AV-Comparatives review of DefenseWall ( http://wwww.av-comparatives.org/images/stories/test/single/softsphere-en.pdf ) only reinforced my own personal experience with your product. I can’t give DefenseWall 100 percent credit because I use a layered approach to security, but I haven’t had a true malware infection ( i.e., something other than a verified false positive) since 2005.

          1. Ilya Rabinovich

            I would, also, recommend to take a look at Malware Research Group “Flash Test”, it’s a whole product test of security software against 0-day malware. Results are published on an everyday basis, usually. As for now, I still have 100% prevention result…

        2. Nick P

          Ilya, it’s great to see you on the site. I read a thorough stress test of your product and was astonished at how well it performed with so little user intervention. It was also simple and didn’t degrade performance much. The reason it’s astonishing is the fact that most of the burden is on you to develop the product, when you’re not personally supporting your users. I just had to commend you for your commitment and the apparent quality of your product. (Apparent because I haven’t used it personally). We need more vendors with the same commitment to quality.

          Suggestion: You should consider charging a small yearly fee for your product. Consumers are already used to this. Most of your customers probably wouldn’t mind paying $15-20 per year to cover the cost of more developers to build and improve the product.

          1. Ilya Rabinovich

            Thank you for your kind words. BTW, I’m using a kind of business scheme you’ve suggested, but it’s a little different, more liberal- you still can use your instance (and version) of DefenseWall when your license expires, but can’t install new versions of the program.

        3. Clive Robinson

          Ilya,

          Nice to see you here, and what can I say other than keep up the good work.

          It might be a labour of love but it’s nicely crafted and something others could benefit from following.

        4. me

          From the comments here it would seem to my advantage to test and audit your product.
          It really wasn’t my intention to give offense. But there is a saying that “you’re judged by the company you keep”.
          I will say that perhaps if you wrote a little more about yourself here; http://www.softsphere.com/about/ folks unfamiliar with you and your product might be a little more comfortable trying your efforts.

          1. Ilya Rabinovich

            The “About” page information is a little bit outdated. From one side, I always forget to modify it. From another side, I always hope for the best and I won’t need to modify it. 🙂

    2. kurt wismer

      perhaps people don’t mention HIPS because it’s such an ambiguous term. i’ve seen it used to mean behaviour based technologies, application whitelisting, sandboxing, etc. heck, even a known malware scanner is technically something that prevents intrusions into the host.

      you yourself are lumping alternative OS use, firewalls, updates and a bunch of other things into HIPS. the word loses its value as a communication device if it can’t convey a well-defined meaning.

      as for ridiculous periods of time without getting a virus – would 20+ years count?

      1. CloudLiam

        “as for ridiculous periods of time without getting a virus – would 20+ years count?”

        That’s pretty impressive. I’m only at 15+ but still counting and hope to get there. 🙂

        1. Nick P

          Nice. I’ve had two or three major infections during seven years while performing all kinds of high risk activity with a basic, layered defense. I’ll be honest that I don’t put that much effort into malware defense now that I switched to a Linux notebook. I’m still designing new stuff, but not really using anything but a hardened configuration.

        2. Alan

          Do you mean your anti-virus programs didn’t detect anything during those periods? How do you know you weren’t infected?

          1. kurt wismer

            the two primary tactics for detecting when preventative controls have failed are using baseline comparison of either program behaviour or binary artifacts.

            in other words: behavioural monitoring and integrity checking.

            other than that, however, there is the often overlooked fact that even though known-malware scanners are remarkably bad at detecting new malware, new malware doesn’t stay new forever.

  22. Clive Robinson

    Brian,

    Your “thumbs” don’t appear to work on your m.krebs… site.

    I know they used to work with the browser on this Android OS smart phone, just wondering what the difference is?

    1. Nick P

      Curious as to why two people would give thumbs down on a bug report about broken site functionality? Is error reporting to site owners considered bad manners now?

      1. BrianKrebs Post author

        Couldn’t tell you why the thumbs don’t work on the mobile site: I haven’t spent a lot of time fussing over the mobile site code. It works otherwise for the most part, so I’ve just sort of kept it that way. Can’t vote thumbs up or down via the Safari browser on my iPhone either.

        Likewise, I’m not sure why Clive’s comments were given two down votes. I think there are a few OT sticklers on here. For the record, I’m not one of them 🙂

        1. Nick P

          “I think there are a few OT sticklers on here. For the record, I’m not one of them.”

          Good to hear. 😉

        2. Nick P

          Btw, Krebs, what are your views on the HIPS software I mentioned in an above post? Defensewall, AppGuard, SandboxIE, etc. The only one I’ve seen get an in-depth test against everything online was defensewall and it was impressive how much crap it stopped without messing up what the user was doing. You can probably find the report with google. So, what do you think of these HIPS solutions? Should probably do an article on them sometime.

  23. JCitizen

    Good to see Ilya here! Hopefully something like Defense Wall will work with 64bit systems some day!

    These are the type of solutions I harp on everyday. Anything to get farther away from reliance on signature based utilities.

    I like the licensing scheme!

    1. Ilya Rabinovich

      “Hopefully something like Defense Wall will work with 64bit systems some day!”
      I really hope it too. PatchGuard is a real pain for security products developers.

      1. TJ

        Ilya – I’ve considered downgrading my wife’s 64bit system to a 32bit system just to utilize DefenseWall. I realize that Windows 64bit systems are inherently a bit more secure than 32bit systems. But based on Microsoft’s own Security Intelligence Report, it’s a fractional difference at best. I think I would prefer to have the zero-day protection demonstrated by DefenseWall in the Malware Research Group’s Flash Test – referenced above: http://malwareresearchgroup.com/malware-tests/flash-test-results/ over the added security found in a 64bit system.

        Also, the methodology section of that report does a good job of reinforcing Brian’s comments about “detecting the latest threats”:

        “In our experience, the vast majority of ITW (In The Wild) infections are caused by malware less than a week old, even though these make up a small proportion of the total population.”

  24. Heron

    Has Avira fixed the update downloading problems with its free product? I switched to AVG because the Avira antivirus program was taking so long to update–something to do with the servers being overloaded.

  25. Janitor

    @Brian
    Are you aware of this site, Brian?
    rusecurity.com
    Basically, it is a Russian clone of your blog.

    1. BrianKrebs Post author

      Ugh. Yes, someone sent me that the other day. They say plagiarism is the sincerest form of flattery, but you know wholesale lifting of entire blog posts really takes the cake.

  26. KFritz

    I’d like to put in a word for Microsoft’s own Security Essentials, which came w/ my HP 64 bit Windows 7. It reminds me to update and evaluative sites rate it nearly as effective as non-MS AV programs. Between it, Google & Firefox warnings which have shooed me away fr/ troublesome sites, and Jotti & Virus Total, which this very blog hipped me to, there seems no reason to add another free download program, let alone pay for an AV program.

    1. David WG

      I agree. I use Security Essentials, NoScript, RequestPolicy, BetterPrivacy and a few other free programs. I don’t see the sense in paying a dime one for AV software, although I do make small voluntary contributions.

    2. JCitizen

      I hear you KFritz!

      After five years of using Avast and being very happy with its performance; version 6 came out and was a disaster! I had bad enough problems with FF and IE freezing as it was, but then I had to wait forever for the browser to open. I’m very disappointed in losing such a good utility. I’m afraid they’ve made the same mistake Norton and Trend Micro did, and succumbed to the bloat!!

      I just couldn’t see going back to ESET because of cost; so I’m evaluating Viper for now. It is supposed to have a very good behavioral heuristic that specializes in undefined malware/viruses. Well we’ll see. I’m not a happy camper at all right now! 🙁

      I wished Checkpoint made a N wireless UTM appliance with V-Stream; I’d switch to Windows Essentials for each node myself. My business clients have done real well using the Z100G, and Avast v. 5 without fail. Maybe v. 6 will run better on XP; I don’t know, I’ll test it tomorrow. X-(

  27. george

    A really nice initiative, kudos Graham, but I’d wish the AV vendors would rally rather than subvert this initiative. For instance I really prefer to buy the downloadable (rather than CD/hardcopy forms). Better for environment, faster delivery, less carbon footprint, no delivery charges, less mess in my office. As far as I could figure Renewal Buddy is offering mostly links to third party vendors selling the hard-copy only version (the only exception to salute was Kaspersky Internet Security offered to be downloaded via Renewal Buddy).

    1. Graham O'Reilly

      Hi George,

      Thanks for your comments.

      We agree with you that people should have the choice between physical and downloaded copies of the software, which is why we offer that option ourselves (and will continue to with different vendors).

      As we add more and more comparison records the renewal choice will grow and you’ll see external sites that offer download options too.

  28. Rafal Kwiatkowski

    Great post and great service. Very useful, exactly what I have been looking for. Thanks.

Comments are closed.