Even worse, as accuracy increases, performance decreases. Some antivirus programs make their host systems so slow that they're unusable. I know users who would rather knowingly compute with active malware than run antivirus software. With tens of millions of malware programs that must be checked against hundreds of thousands of files contained on a typical computer, doing a perfectly accurate comparison would simply take too long. Anti-malware vendors are acutely aware of these sad paradoxes, and, in the end, they all make the decision to be less accurate.
Counterintuitively, being less accurate actually helps security vendors sell more of their products. I don't mean that lowered accuracy allows malware to propagate, thereby ensuring security vendors can sell more software. It's that the trade-offs of extremely accurate anti-malware detection are unacceptable to those shopping for security software.
And if you do find yourself buying the claim of 100 percent accuracy, just don't ask your vendor to put it in writing or ask for a refund when something slips by. They won't back the claim.
Security snake oil No. 4: Network intrusion detection
IDSes (intrusion detection systems) have been around even longer than antivirus software. My first experience was with Ross Greenberg's Flu-Shot program back in the mid-1980s. Although often described, even by the author, as an early antivirus program, it was more of a behavioral detection/prevention program. Early versions had no "signatures" for recognizing specific malware, and the program was quickly defeated by new malware.
During the past two decades, more sophisticated IDSes were invented and released. Popular ones are in use in nearly every company in America. Commercial, professional versions can easily cost in the hundreds of thousands of dollars for only a few sensors. I know many companies that won't put up a network without first deploying an NIDS (network-based IDS).
Unfortunately, IDSes have worse accuracy and performance issues than antivirus programs. Most NIDSes work by capturing network packets. The average computer sees hundreds of packets per second, if not more. A truly accurate NIDS would have to compare every known signature against every one of those packets, and if it did, even somewhat accurately, it would slow network traffic so much that the computer's network communications, and the applications that depend on them, would become unbearably sluggish.
So what NIDSes do is compare network traffic against a few dozen or hundred signatures. I've never seen an NIDS with even two hundred signatures activated — paltry in comparison to the tens of millions of malware and thousands of network attack signatures they should be checking to be truly accurate. Instead, we've become accustomed to the fact that NIDSes can't be configured to be meaningfully accurate, so we "fine-tune" them to be somewhat accurate against things antivirus software is less accurate at detecting.
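To make the cost trade-off concrete, here is a toy content-matching NIDS loop. It is an illustration added to this piece, not code from any product mentioned above: the packets are constructed samples rather than captured traffic, and the rules, their IDs and names are hypothetical. The `work` counter is the number of rule-against-packet comparisons, which is the quantity that grows with both traffic volume and the number of enabled signatures.

```python
"""Toy content-matching NIDS loop (added illustration, not from the article).

Signatures here are plain byte patterns. Real rule languages carry much more
(ports, flow state, offsets, regular expressions), but the cost of the naive
"every rule against every packet" approach behaves the same way.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int        # hypothetical rule id
    name: str
    pattern: bytes  # content to look for in the packet payload


# Constructed sample payloads, not captured traffic. Two are benign, two carry
# byte strings that the hypothetical rules below look for.
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",          # TLS ClientHello prefix
    b"USER anonymous\r\nPASS \x90\x90\x90\x90\x90\x90\x90\x90\r\n",
]

# Hypothetical rule set (ids and names invented for the example).
RULES = [
    Signature(1000001, "directory traversal", b"../../"),
    Signature(1000002, "passwd access", b"/etc/passwd"),
    Signature(1000003, "NOP sled", b"\x90" * 8),
]


def scan(packets, rules):
    """Naive per-rule scan: every enabled rule is checked against every packet.

    Returns (alerts, work). `alerts` is a list of (packet index, sid, name);
    `work` counts rule-vs-packet comparisons performed.
    """
    alerts = []
    work = 0
    for pkt_no, payload in enumerate(packets):
        for rule in rules:
            work += 1
            if rule.pattern in payload:
                alerts.append((pkt_no, rule.sid, rule.name))
    return alerts, work


def padded_rules(n):
    """Pad the hypothetical rule set out to n rules with filler patterns that
    never match the sample traffic, to show how the work term scales."""
    filler = [Signature(2000000 + i, f"filler-{i}", b"FILLER%08d" % i)
              for i in range(max(0, n - len(RULES)))]
    return RULES + filler


def work_ratio(small, large):
    """How many times more matching work `large` enabled rules cost than `small`."""
    _, w_small = scan(SAMPLE_PACKETS, padded_rules(small))
    _, w_large = scan(SAMPLE_PACKETS, padded_rules(large))
    return w_large / w_small


if __name__ == "__main__":
    alerts, work = scan(SAMPLE_PACKETS, RULES)
    for pkt_no, sid, name in alerts:
        print(f"packet {pkt_no}: sid {sid} ({name})")
    print(f"{work} comparisons with {len(RULES)} rules enabled")
    print(f"200 rules vs 20 rules: {work_ratio(20, 200):.0f}x the work")
```

Enabling ten times as many rules costs this naive loop ten times the work per packet, which is the pressure that pushes operators to "fine-tune" a sensor down to a small, relevant rule set. One caveat a practitioner should keep in mind: production engines do not scan this naively; they use multi-pattern matching (Aho-Corasick and similar) so that per-byte cost grows much more slowly than the rule count, which softens, though it does not remove, the trade-off described above.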