AV Software Struggles on 64-bit Vista

Antivirus makers are having a particularly difficult time protecting users who run the 64-bit edition of Microsoft's latest operating system, Windows Vista. According to the Virus Bulletin security certification body, 35% of the twenty products tested on Vista x64 (seven of the twenty) failed to meet VB's latest test criteria. McAfee VirusScan, Symantec AntiVirus and Microsoft Forefront were among the major products that passed. Among those that failed were Computer Associates' eTrust, whose default settings instruct the scanner to skip many file formats, and all three of Trend Micro's submissions, which flagged a Microsoft development tool as malware. John Hawes, technical consultant at Virus Bulletin, explained that "a false positive can cause as much disruption as a virus infection. False warnings often lead end-users to delete valid files in the belief that they are some form of attack and the resultant damage can be significant."

The root of the problem seems to be a struggle by AV makers to adapt to Microsoft's Kernel Patch Protection (PatchGuard), which on 64-bit Windows detects and shuts down modifications to kernel code and to key kernel data structures such as the system service dispatch table. Hooking those structures was a common technique in 32-bit security products, and on x64 vendors have to move to documented interfaces such as file-system filter drivers and kernel callbacks instead. As developers explore new approaches to protecting the user in light of PatchGuard, teething problems are to be expected, although it is worth noting that neither failure cited above, a lax default exclusion list and a false positive, is something PatchGuard itself causes. Virus Bulletin's certification is particularly stringent: a single false positive or a single missed detection results in a failing grade.

View: Full Story on vnunet.com
View: Full Results on Virus Bulletin (Subscription Required)


12 Comments


Hello,

Not only is testing anti-virus software incredibly difficult, demanding and exacting, but interpretation of the test results requires some study as well. It is important to remember that many anti-virus vendors provide updates on a daily basis, if not more often. What tests such as Virus Bulletin's reveal is the result of testing these signatures at a particular instant in time. If they had been done a day earlier or a day later there would likely have been some variations.

Just because Trend Micro's 64-bit anti-malware product generated a false positive report on a Microsoft development tool does not indicate a systemic failure in the release process or quality control. The possibility of a false positive report exists with any sort of anti-virus program, and technologies such as heuristics and genetic algorithms that can make decisions based on statistical and behavioral analysis ("This looks like a virus I have seen before, but is slightly different, so I will report that it probably is a virus.") tend to increase rather than decrease that risk.

To me, the benefit of testing like this one from the Virus Bulletin is not in the results of a particular test, but in the fact that the test results can be aggregated and graphed out to help determine whether the quality of detection has increased, decreased or remained about the same over time. Bearing in mind that the Virus Bulletin only performs such tests several times a year, I think one would want to look at several years' worth of data at a minimum, which makes it difficult to measure Microsoft's anti-malware products, as they have not been out for even a year yet.

Just as some skill is required to test anti-malware products, anti-malware vendors have to make cautious and careful decisions about such things as the default state of features, file extensions or path specifications to scan or not scan and so forth. Choosing overly-aggressive default settings may result in very slow performance and/or increased false positive rate and ignoring some file extensions may result in infections being missed. For example, if .PDF files are not scanned by default, a malicious program embedded inside an archive file which, in turn, was embedded inside a .PDF file might be missed.

I cannot really say how much of a factor kernel patch protection (PatchGuard) plays in malware detection rates: Some anti-malware vendors had 64-bit versions of their products available at or about the same time Windows Vista became generally available. Of course, every author has a different implementation and it is possible some of them made use of features unavailable under x64 editions of Windows Vista. Although, if there were issues, I would expect that they would not have products for the 64-bit editions of Windows XP Professional or Windows Server 2003.

Regards,

Aryeh Goretsky
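The point made in the comment above about extension-based scan exclusions, and the article's finding that eTrust's defaults skip many file formats, can be shown with a few lines of code. The following is an added example, not part of the original page and not any vendor's code: it builds constructed, harmless samples in memory (a two-byte 'MZ' header stub standing in for an executable, a one-member ZIP, and a hand-built minimal PDF that carries the ZIP in a stream) and compares a hypothetical "skip .pdf/.txt/.log" extension policy against content-based type detection that recurses into the archive embedded in the PDF. The exclusion list, the three magic-byte signatures and the file names are assumptions for illustration.

```python
"""Extension-based scan exclusions vs content-based type detection (added example).

Constructed samples only: the "PE" is an 'MZ' header stub, not a program,
and the PDF is a minimal hand-built wrapper.
"""
import io
import struct
import zipfile

# Assumption: only the three types this example needs; a real scanner knows hundreds.
MAGIC = (
    (b"MZ", "pe"),           # DOS/PE executable header
    (b"PK\x03\x04", "zip"),  # ZIP local file header
    (b"%PDF", "pdf"),        # PDF header
)
MAX_DEPTH = 4

# Hypothetical default exclusion list, in the spirit of a product that
# "ignores many file formats" by extension.
DEFAULT_SKIP_EXTS = frozenset({"pdf", "txt", "log"})


def make_pe_stub() -> bytes:
    """Constructed sample: just enough header bytes to be type-sniffed as PE."""
    return b"MZ" + b"\x90" * 62 + b"PE\x00\x00"


def make_zip_with(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: one-member, uncompressed ZIP with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member_name, date_time=(1980, 1, 1, 0, 0, 0))
        info.compress_type = zipfile.ZIP_STORED
        zf.writestr(info, payload)
    return buf.getvalue()


def make_pdf_with_attachment(blob: bytes) -> bytes:
    """Constructed sample: a minimal PDF whose single stream carries `blob`."""
    header = (b"%PDF-1.4\n1 0 obj\n<< /Type /EmbeddedFile /Length "
              + str(len(blob)).encode() + b" >>\nstream\n")
    return header + blob + b"\nendstream\nendobj\n%%EOF\n"


def classify(data: bytes) -> str:
    """Type by leading magic bytes, ignoring whatever the file name claims."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_policy(name: str, skip_exts=DEFAULT_SKIP_EXTS) -> bool:
    """True if an extension-based scanner would look at this file at all."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in skip_exts


def carve_zip(data: bytes, start: int):
    """Slice a complete ZIP out of `data` starting at `start`, or None.

    The end-of-central-directory record is 22 bytes plus a trailing comment
    whose length is the 16-bit field at offset 20 of that record.
    """
    eocd = data.find(b"PK\x05\x06", start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return data[start:eocd + 22 + comment_len]


def content_scan(data: bytes, depth: int = 0) -> list:
    """Types found by content, recursing into ZIP members and PDF-embedded archives."""
    kind = classify(data)
    found = [kind]
    if depth >= MAX_DEPTH:          # bound recursion against archive bombs
        return found
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    found.extend(content_scan(zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            found.append("corrupt-zip")
    elif kind == "pdf":
        # A PDF body can carry arbitrary bytes; carve out any ZIP archives in it.
        off = data.find(b"PK\x03\x04")
        while off >= 0:
            blob = carve_zip(data, off)
            if blob is None:
                break
            found.extend(content_scan(blob, depth + 1))
            off = data.find(b"PK\x03\x04", off + len(blob))
    return found


def compare_policies(name: str, data: bytes) -> dict:
    """What each policy would do with one file."""
    return {"extension_scans": extension_policy(name),
            "content_types": content_scan(data)}


if __name__ == "__main__":
    nested = make_pdf_with_attachment(make_zip_with("tool.exe", make_pe_stub()))
    for name, data in (("report.pdf", nested), ("notes.txt", make_pe_stub())):
        print(name, compare_policies(name, data))
```

With the assumed exclusion list, `report.pdf` is never opened by the extension policy, while the content scan reports `pdf`, then `zip`, then `pe` for the same bytes; a PE renamed to `notes.txt` is skipped the same way. The depth bound is the other half of the trade-off the comment describes: recursing into every container costs time, and each extra layer is another place a heuristic can misfire.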

Interesting, I am running eTrust on Vista x64 and it did a good job of removing viruses Symantec AV 10.2 failed to remove.

64 bit Windows Vista just means twice the crap as 32 bit, correct? Why doesn't/didn't MS work with these people a whole lot more before they released their POS OS? Actually, why didn't MS work with a WHOLE LOT MORE people before they released this new POS?!!

As far as I know MS made special changes to PatchGuard in response to McAfee and Symantec requests; they wanted 'more control' on the system and PatchGuard wasn't letting that happen. Seriously, man, MS has a lot of people to consult before releasing the OS; antivirus vendors might not be their top priority in this regard.

Regarding the "Vista just means twice the crap as 32 bit" statement, I would just say... have you used 64-bit Vista??? I think not...

cork1958 said,
64 bit Windows Vista just means twice the crap as 32 bit, correct? Why doesn't/didn't MS work with these people a whole lot more before they released their POS OS? Actually, why didn't MS work with a WHOLE LOT MORE people before they released this new POS?!!

Your statement is nothing short of ignorant.
If you don't know what the difference between 32bit and 64bit software is, don't bother commenting.

Then use Symantec Antivirus if it works! :D

Seriously, it sounds like a bunch of AV companies have no special problems making this work, and I recall I saw something on NOD32 working too. Obviously it can be made to work, then. Maybe it's just about using new programming methods and the "time for benefit" ratio isn't good enough for these AV companies to invest time on it, and they would rather blame it on Vista when questioned on why they don't support the OS. It sounds better than "we don't have time to care/learn about how to do it and we think too few use it" anyway.

avast! Antivirus, which is also a very solid and popular product (free for home use) has also passed the latest VB test. They were one of the first AV vendors to provide both 64bit and Vista versions of their software, without any complaining or whining like Symantec or similar vendors did.

Not all security vendors have had issues with Vista x64 support. Sophos has supported x64 since version 6.0 (now on 7.0), and recently won a VB award for Vista x64; more info here.

I seem to remember that both Kaspersky and NOD said that PatchGuard wasn't a problem before Vista was final, so I suppose these should work; at least there shouldn't be any imagined PatchGuard problems.

This article looks like complete FUD if you ask me. An AV's default settings are bad? How is that the fault of the OS?
A false positive? Once again, not the fault of the OS.

I fail to see how most, if not all, of this is anything to do with Vista or patchguard. Besides, if AV vendors, who have literally decades of experience with malware, are having trouble opening up vista, then it can only be a good thing.

Sounds more like companies don't want to put out the money to make an AV that works for 64-bit OS.

This is the same website that posted the scientist tests on laser printer inks.....