The Safe Mac



Response to Intego’s criticisms

Posted on January 10th, 2013 at 9:34 AM EDT


Yesterday, Lysa Myers posted some comments on Intego’s blog, in an article titled That Anti-Virus Test You Read Might Not Be Accurate, and Here’s Why, about my recent testing of Mac anti-virus software. Everyone is, of course, entitled to their own opinions, and this is a controversial topic. It is to be expected that there will be some disagreements whenever such testing is done. However, I do have some specific responses to her comments.

First, she criticized the lack of real-world testing. However, as she also points out, this kind of testing is unrealistically time-consuming. “Real-world testing” would involve trying to infect a machine while a particular anti-virus program was installed and active, and seeing if that program would block the infection. To do this with 16 different anti-virus programs (not 19, as Ms. Myers stated) would have required an enormous investment of time with only a small handful of malware, much less the 51 samples I used.

Further, this kind of testing would put all anti-virus software on unequal footing. Not all anti-virus software is equal. Some software has no active scanning capability whatsoever. Some rely on repeatedly scanning the entire hard drive at a timed interval, while other programs scan a file when it is accessed by the system or the user, and still others use “watch folders” to monitor new files in specific locations. Some install components that are capable of scanning the entire hard drive, while others are limited by the permissions system of Mac OS X to scanning only in certain places. Some have additional components that would prevent the user from being exposed to particular kinds of malware in the first place.

The purpose of my testing was not to compare and evaluate all the various features of the numerous anti-virus products in some qualitative manner. Its intent was to make a quantitative measurement of what malware was recognized by the engine during a manual scan, as one metric only for comparing different products on equal footing. As I pointed out in the write-up of my results, there are other aspects of anti-virus software that must also be taken into consideration beyond just detection rate. As Ms. Myers points out, protecting yourself against malware requires a layered defense, and this test only examined one specific layer.

Secondly, she mentions an inconsistency in the results. I was contacted by an Intego representative shortly after I released my results about this. They stated that they could not reproduce my results, and suggested that I had scanned using outdated virus definitions. (During the testing, the methods involved installing the anti-virus software, updating the definitions – the definitions included in most anti-virus software when first installed tend to be old – and then scanning.)

Mistakes happen, and I cannot rule out that I made this particular mistake. However, when I repeated the test, I could not get a result that matched my results by scanning with the outdated definitions supplied by the copy of VirusBarrier that was available at that time. (I no longer had the copy that I tested with, which is something I plan to address when I repeat my tests later this month.) As a result, since there was no way to determine whether the source of the discrepancy was error on my part or a change to the virus definitions on Intego’s end, I did not feel that it was appropriate to change the data and thus invalidate all comparisons. I did note this fact in the results, however.

The difficulty with duplication of my results is that any such testing is extremely time-sensitive. Anti-virus companies are busily updating their definitions every day. This means that, from one day to the next, the results can easily be expected to be different. This is not a problem that can be solved, and as such, results of this kind of testing must be taken for what they are and no more.

Finally, she comments that Intego was not notified of my results before publication. I understand that this may be the way journalists do their reviews, but that does not make such contact a requirement. It is very important for me to emphasize that I am completely independent of all anti-virus companies. To avoid bias, it is important for my results to have no influence whatsoever from any anti-virus company.

Since my testing, I have received a number of critiques from anti-virus companies. A number of them told me that they would have done things in a certain way, or removed certain items from the malware sample list, and requested that I make such a change. The problem with taking such advice is that it would introduce the possibility of bias, if a suggested method would tend to have better results for one particular program than for others. As a concrete example, an item in my sample list was contested by a particular company, while it was recognized as malware by other companies’ anti-virus software. (There were actually several different cases of this following my testing.)
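The two reproducibility problems raised above, results that depend on the definition version in use on the day of the scan, and samples that one vendor contests while other engines flag them, are both easier to reason about when each scan run records its definition version and timestamp and each sample is identified by content hash. The following Python is an added example, not code from this site; the products, definition versions and sample bytes are constructed placeholders (inert strings, not real malware).

```python
"""Tabulate a manual-scan AV comparison so it can be dated and cross-checked (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ScanRun:
    product: str
    definitions_version: str   # recorded so a later re-run can be compared against the same defs
    scanned_at: datetime       # definitions change daily, so the scan date is part of the result
    detected: frozenset        # SHA-256 digests the engine flagged during the manual scan


def sample_id(data: bytes) -> str:
    """Identify a sample by content hash rather than file name, so runs are comparable."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in corpus: inert byte strings, not real malware.
CORPUS = {sample_id(f"constructed-sample-{i}".encode()): f"sample-{i}" for i in range(1, 6)}
S = list(CORPUS)  # S[0] .. S[4] in insertion order


def detection_rate(run: ScanRun, corpus=CORPUS) -> float:
    """Fraction of the corpus this run flagged; hits outside the corpus are ignored."""
    return len(run.detected & set(corpus)) / len(corpus)


def engine_consensus(runs, corpus=CORPUS) -> dict:
    """How many engines flagged each sample; a sample no engine flags deserves manual review."""
    return {digest: sum(digest in r.detected for r in runs) for digest in corpus}


def contested(runs, product, corpus=CORPUS) -> list:
    """Samples one product missed that at least one other engine in the same test flagged."""
    mine = next(r for r in runs if r.product == product)
    others = [r for r in runs if r.product != product]
    return [d for d in corpus if d not in mine.detected and any(d in o.detected for o in others)]


def report(runs, corpus=CORPUS) -> list:
    """One row per product: name, definitions version, scan time (UTC), detection rate."""
    return [(r.product, r.definitions_version, r.scanned_at.isoformat(),
             round(detection_rate(r, corpus), 3)) for r in runs]


# Constructed runs (hypothetical products and definition versions).
WHEN = datetime(2013, 1, 9, 12, 0, tzinfo=timezone.utc)
RUNS = [
    ScanRun("ProductA", "defs-2013-01-09", WHEN, frozenset(S[:4])),
    ScanRun("ProductB", "defs-2013-01-08", WHEN, frozenset(S[:2] + S[4:])),
    ScanRun("ProductC", "defs-2013-01-09", WHEN, frozenset(S[1:3])),
]
```

Because every row carries the definitions version and scan time, a vendor who cannot reproduce a number can be pointed at exactly which definition set produced it.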

Of course, it’s important to understand that I do appreciate the criticisms of Ms. Myers and the other anti-virus representatives I have talked to. Although I may not always agree, and may not have been willing to make any changes to my results, their words have not fallen on deaf ears. In any study that hopes to be scientific, criticism is important. There are things that I learned from the various anti-virus companies who contacted me after my results were published, and my next round of testing (coming in the next few weeks) will hopefully address some of those criticisms.

I do wish, though, that Ms. Myers had not ended her comments with implications about “false information and outright scams.”



8 Comments

  • Lysa Myers says:

    We understand why you would choose not to do on-access scanning, and you’re not alone in making that decision, as I explained. We feel it is a less accurate test if the end-goal is to show how customers will be protected, but in the grand scheme, it is less of a problem than some of the other methodology choices. I also understand your concern about vendors unduly influencing your methodology or stated results by letting vendors have a say before publishing. As a tester, I was in that same situation and we did have to say no to vendors who wanted us to make changes to methodology that would have harmed neutrality. You always have that right to say No, and vendors are very much used to this. If you argue your case convincingly, people will often see it your way and agree with you. If you have not dealt with vendors in that capacity before, I can see why you would fear that problem. But as someone who has dealt with all the major AV vendors as a tester, I can assure you, we’re a much more reasonable and neutral lot than you might imagine.

    Our apologies about the hang-up with your comment. It was not blocked, but it did get tangled up in the comment system. It is now viewable on our site.

    • Thomas says:

      Thanks for your response. (Sorry for the delay on my end, this time… I’ve been struggling with network hardware issues all day!)

      As I’ve mentioned, I will be repeating these tests with some modifications to the methods, additional samples and more AV software. If you like, I’ll be glad to keep you posted as to what I find.

  • Mike Kingsley says:

    Being an Apple Consultant, one of the important things to me (and others I have talked to) is how well the program runs, and how process- and memory-intensive it is. For example, Norton has historically been horrible. Sophos, on the other hand, has a really good reputation out there for being “lightweight.” So if the other providers out there want to compete with Sophos, market a product that is fast and lightweight, and then make sure it is.

  • Josh Kirschner says:

    It is not typical for journalists to contact companies before publishing their reviews (for the same reasons you mention). We will, however, contact companies during the course of our reviews if we encounter something that seems “unusual” or highly unexpected to ensure that we are not using a product that is defective or are somehow erring in our usage. That is, our primary goal is to make sure we are providing the best information to our readers, and contacting vendors, when necessary for clarity, doesn’t undermine that objective.

    However, I appreciate the difficulty in determining what is “unusual” during complex testing of Mac anti-malware solutions, where little testing has been done in the past and expected results are completely unknown. And while your first test may not have been perfect (are they ever?), it certainly provided one helpful view into an incredibly murky area. I’m looking forward to your future test results and have no doubt you will use the feedback to continue to improve your methodology.

  • Russ says:

    Hmm. Intego told me last night they can detect all malware for MacOS. Tom suggests his tests may not be current due to software and rules currency. I read he’s in the process of updating search rules and retesting. However, is anyone looking at anomaly- rather than signature-based algorithms?

  • Russ says:

    Sorry for the typos

    Intego told me last night they can detect all malware for MacOS. Tom suggests his tests may not be current due to software and rules currency. I read he’s in the process of updating search rules and retesting. However, is anyone looking at anomaly- rather than signature-based algorithms?

  • Someone says:

    I completely agree with Josh. Informing an AV company that you’re going to test their software could easily create a bias. It makes absolutely no sense.

    Besides, even if Thomas told all 16 AV companies that he was going to test, that would defeat the purpose of the test, because then all of the companies would try to add as many samples of malware to their definitions as they can to get a better score. There would be no way to tell whether a 90% means that the company is consistently doing their homework and keeping up to date, or hasn’t done their homework once and is studying/updating by night.
    Also, I’m guessing Thomas doesn’t want to risk a repeat of what happened when he gave MacKeeper a negative review regarding its sense of ethics. (read “what happened” as “bribery to take the whole darned review back”) Despite the fact that said review had factual evidence, it says very little about the effectiveness of the MacKeeper software itself. A review that actually proves that some of the AV software (including MacKeeper) out there completely sucks? Forget it. :-)

  • Someone says:

    And btw, numbers don’t lie. So the whole “false information and outright scams” thing is, well, false information and an outright scam.


This page and all contents (unless otherwise noted) copyright 2011-2013 by Thomas Reed.