I've noticed a number of tests recently that seem to be intended to prove that free antivirus is as good as commercial AV. As it happens, I'm not against free AV in principle, as long as people are entitled to use it - commercial use of free AV is usually not permitted. And I'm overjoyed when people who would never dream of paying for a product do at least use a halfway decent free product. Contrary to the common myth, this industry doesn't write malware, and isn't out to hype and maximize threat exposure in order to maximize profit. Well, not all of us, anyway. And of course some companies, ESET included, also offer a free webscan service, though I wouldn't advise the use of such services as a substitute for a full-blown AV solution.

After Aryeh mentioned a recent example of such a test, I was talking to my colleague Urban Schrott, of ESET Ireland. It turns out that he too has given this issue quite a lot of thought, and offered to put some of those thoughts down on (virtual) paper. And here they are. Hopefully, this won't be the last time Urban's words of wisdom appear on this blog. It certainly isn't the last time we'll visit the topic of free anti-malware, I suspect. [David Harley]

Can't Pay, Won't Pay

A while ago I encountered an article in a consumer magazine about “ten things you should never have to pay for”, and antivirus software was listed as one of them. Their argument was simple: why pay for something if you can get it for free? The topic has been discussed before, but perhaps we should revisit whether it is really the same (or equally effective) to use a free antivirus rather than a for-fee product.

First, we have to define the concept of “free”. One has to note that most if not all commercial security vendors also offer a “free” version of their software. It is usually of limited functionality when offered without a fixed time limit, while versions with full functionality are offered with a limited trial time, after which they normally become inactive. Many “free” products, for instance, offer free detection of malware, but require payment for removing it. Some offer “free” detection and removal, but only of certain types of malware. Those same vendors, however, also offer a “full” unlimited version of the software, with complete functionality, for which a fee is (of course) payable.

Loss Leaders

In today’s world, oversaturated with marketing, giving away a certain amount of product without charge is common practice, as it is good for brand building. Yet a brand is not built for the pleasure of seeing a product become more popular, but in the long run, to increase sales and revenue. The “free” tag on a time- or function-limited product is therefore just an introduction to the “full” version rather than a free service to computer users, out of the goodness of the vendor’s heart. Much as we’d love to give our own products away, we have to eat, as do our wives, families, mistresses, aging parents, mortgage lenders and so on.

Then there are security suites supplied by the makers of operating systems. It could be considered a triumph of marketing over security, offering a “free” security suite which tries to graft security onto an operating system riddled with all those security holes that cyber criminals happily exploit, rather than building integrity into an operating system from the ground up. But also, is it really free if in essence it is just a value-add to an operating system you have already paid for in the first place? An observer with a cynical streak could comment that it’s really just a sly way to eliminate system-critical competition, so that later the argument “it’s a feature, not a bug” could be used more conveniently. It's a good thing you and I are not cynical…

Free But Fake

So far, then, we can contend that realistically, you end up paying for a “free” antivirus product one way or another, either through the operating system cost, or through upgrading to the fully functional version when the free version turns out not to meet your needs. This is not the only potential cost however. Not only is a limited product not expected to do the full job of protecting the customer, therefore relieving the vendor of the moral obligation to ensure the best possible protection and support, but many outright fake, fraudulent and rogue anti-malware “products” advertise themselves as “free antivirus software”. An unwary computer user searching the web for “free antivirus” can easily be diverted to sites of lesser virtue through SEO (search engine optimization: a range of techniques used by legitimate companies and cybercriminals alike to ensure that their URLs are highly placed in web searches). Once there, they are prompted to download harmful content, which is likely to result in the victim’s losing money through fraud or extortion.

Health & Efficiency

Now, onto efficiency. A full security product nowadays is much more than just an antivirus product. A cyber criminal’s main focus is on trying to find new ways to get in and do their dirty work, and they have the time and the resources to do just that. Threats therefore come in just about any imaginable shape and form.

Channel Support

Malware is spread through many channels:

  • By emails and other forms of messaging
  • Through videos demanding that the curious victim download and run “special codecs” or “Flash updates”
  • Using drive-by downloads from websites (and not only porn sites, as many users believe) and without any action on the part of the victim
  • Auto-infecting computers through the Autorun function
  • Persistent randomized attempts to probe computer IPs for soft spots
  • Via one of the many programs being propagated that aren’t even malware themselves, but can open doors for other programs to install malware covertly.

The Price of Freedom

The list could go on and on. And security vendors are trying to stay on top of the situation, trying to plug security holes and prevent damage or even mere annoyance and inconvenience on every front. But all that requires skilled manpower, elaborate lab setups and top-of-the-range technology, and none of this comes free. So, while some free security products offer decent detection in some areas, they’re usually focused only on a few particular types of threats. That’s inevitable, as it simply requires too many resources to cover the whole range of potential threats, and while some appear to excel in certain detections, they are likely to leave a long list of other threats entirely uncovered. This is something some testers tend to overlook, in their rush to make it look as though free security software is functionally on a par with full-blown commercial suites.

Important parts of the battle against cyber crime are strategic thinking and the development of new ways of combating threats. Detecting threats is one aspect, and one that is constantly being reviewed and upgraded. Moving on from the traditional “signature” type of virus definitions, we’ve seen the development of sandboxing, behavioural detection, heuristics, advanced heuristics, now cloud integration and so on. As detection strategies have become more proactive, this has increased the need to maintain a careful balance between maximum protection and minimal false positives.

While the move away from the simple model of signatures of known malware towards the recognition of malicious characteristics in unknown malware results in better proactive detection, it doesn’t have the precision of known-malware detection. Even the most careful implementation of proactive technologies cannot completely eradicate the risk of false positives (FPs), which in many cases have already had debilitating effects on operating system stability, when some products have accidentally flagged system files as infected.
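The trade-off the last two paragraphs describe can be seen in miniature with a toy scanner. The following is an added example, not code from the original post and not ESET’s engine: the byte strings are constructed stand-ins for executables (not real malware), and the indicator list, weights and thresholds are hypothetical. An exact-hash signature catches only the byte-identical known sample; a weighted heuristic also catches a variant with one changed string, but at a low threshold it flags a legitimate debugger that uses the same injection APIs, and at a higher threshold it stops flagging the debugger at the cost of missing a variant that drops its URL.

```python
"""Signature lookup vs. heuristic scoring on constructed samples.

Added illustration only: the byte strings below are made-up stand-ins
for files, not real malware, and the indicator list, weights and
thresholds are hypothetical rather than any vendor's engine.
"""
import hashlib
import re

# Constructed samples: short byte strings standing in for executables.
KNOWN_DROPPER = (b"MZ\x90\x00 dropper: CreateRemoteThread WriteProcessMemory "
                 b"http://c2.example/upload")
# Same code with one string changed: the file hash no longer matches.
VARIANT = KNOWN_DROPPER.replace(b"c2.example", b"c2.example.net")
# A variant that has also stripped its hard-coded URL.
VARIANT_NO_URL = VARIANT.replace(b"http://c2.example.net/upload", b"")
# A legitimate debugger uses the same injection APIs but has no C2 URL.
BENIGN_DEBUGGER = (b"MZ\x90\x00 debugger: CreateRemoteThread WriteProcessMemory "
                   b"ReadProcessMemory")
BENIGN_EDITOR = b"MZ\x90\x00 editor: CreateFileW WriteFile ReadFile"

# "Known malware" database: exact SHA-256 of samples already analysed.
SIGNATURE_DB = {hashlib.sha256(KNOWN_DROPPER).hexdigest()}

# Hypothetical heuristic indicators with weights (assumption, not a real rule set).
INDICATORS = [
    (re.compile(rb"CreateRemoteThread"), 1),
    (re.compile(rb"WriteProcessMemory"), 1),
    (re.compile(rb"VirtualAllocEx"), 1),
    (re.compile(rb"https?://[\w.\-/]+"), 1),
]


def signature_match(sample: bytes) -> bool:
    """Precise but brittle: true only for a byte-identical known sample."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def heuristic_score(sample: bytes) -> int:
    """Sum of the weights of every indicator present in the sample."""
    return sum(weight for pattern, weight in INDICATORS if pattern.search(sample))


def scan(sample: bytes, threshold: int) -> str:
    """Try the exact signature first; fall back to the heuristic at or above threshold."""
    if signature_match(sample):
        return "known-malware"
    if heuristic_score(sample) >= threshold:
        return "suspicious"
    return "clean"


def evaluate(threshold: int) -> dict:
    """Run every constructed sample through scan() at one heuristic threshold."""
    samples = {
        "known_dropper": KNOWN_DROPPER,
        "variant": VARIANT,
        "variant_no_url": VARIANT_NO_URL,
        "benign_debugger": BENIGN_DEBUGGER,
        "benign_editor": BENIGN_EDITOR,
    }
    return {name: scan(data, threshold) for name, data in samples.items()}


if __name__ == "__main__":
    for threshold in (2, 3):
        print(f"threshold={threshold}: {evaluate(threshold)}")
```

At threshold 2 the debugger is a false positive; at threshold 3 it is clean, but the URL-stripped variant is missed. Neither setting is “right”: the threshold is the balance between protection and false positives that the text refers to, and a real engine has to tune it against a far larger corpus of clean software than four byte strings.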

Then there is the problem of cleaning or infection removal: often cleaning an infected system can be more harmful than the infection itself. More generic detection technologies require the implementation of sound generic disinfection techniques, and that’s far more difficult. Then, it’s necessary to consider how to prevent attacks from other vectors: this entails complementary technologies such as intrusion prevention, anti-spam capabilities, website security, even the possibilities of social engineering attack prevention or limitation. These are all areas that require a seriously scientific approach and decent resources for achieving any measurable results. In short, pretty much things that no one is going to be able to offer for free except as a taster for for-fee products that offer some return on that investment.

TANSTAAFL*

The debate about free or for fee is really just a debate on how the sales model for any product is actually set up. For some classes of user (most often, home users), there may be such a thing as a (legitimately) free lunch – it’s clear that some people are using free software who really ought to be using the for-fee version, which isn't legitimate – but people who do so, legitimately or not, may find that the meal is less nourishing than they expect. Not that the industry is totally without altruism: however, the main beneficiaries of free security software are people who will only use it if it is free.

At ESET Ireland we recently ran a poll on what people find most important in a security product. The choices were detection, footprint and price. High detection was chosen as the most important factor by most users, low footprint was considered as a useful feature, while price was hardly ever mentioned. This does suggest that users do have their priorities straight in what to look for in security software. If only certain journalists were less eager to cut corners, with spectacular announcements of wonderfully simple solutions to complex problems…

Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

*There is no such thing as a free lunch: http://en.wikipedia.org/wiki/Tanstaafl