New AV Definition Updates: How often is enough?

Topic

New Reply

I’m really in need of some recent education on this, as it’s been a few years since I studied the subject in any depth. My knowledge is outdated, and the fine people here, I’m sure, will have some insight! My question falls into two parts:

1. How often should a good AV product ask for an update to it’s definitions? MSE, stock, seems to think every 24 hours is good enough; I didn’t think so, and changed the reg to check every hour. Reason: many years ago I was saved from a Trojan by a matter of minutes! After I got the Eset (updates any time new threats were discovered) “Hey, a nasty is trying to get through your browser,” warning hit, I fended it off, quarantined it, ran a scan and, upon looking at the latest defs, found that the definition for it had just hit my AV 20 minutes before! Talk about close calls!

I also notice that MSE can go several hours without issuing a new definition pack. So first thing in the AM, I pick up the latest feds before doing anything else. Question: Is MSE lackadaisical in creating and issuing new defs, or has the landscape changed so that this sort of urgent, real-time update frequency is unnecessary? Maybe my experience was a fluke. Never happened again. (In any case, I can no longer afford Eset!)

2. I’ve heard a lot of talk about the future of AV being “definition-less, and more Heuristically driven.” Rubbish, or true?

Again, thanks to all the fine folks here for their insights!

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Replies

Since computing turned into always-online, I’ve had my software set to check definitions every couple of hours. I agree that daily isn’t usually appropriate, but that depends on how often companies update their software. Some used to prefer a daily schedule, although I believe most have long-since left this behind.

The UK-consumer non-profit Which? has a Technology section for home users, which explains

If an update is available, it’s there for a reason – to make sure your antivirus software’s databases are up-to-date and able to protect you against the latest threats.

How often should my antivirus software update and scan?

 
On the prospect of definitionless AV, you should find interesting information in this Reddit thread, replied to by ESET’s Aryeh Goretsky:
Definition-less home AV

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

Nibbled To Death By Ducks wrote:

How often should a good AV product ask for an update to it’s definitions? MSE, stock, seems to think every 24 hours is good enough

I use Kaspersky A/V which checks and updates every 2 hours.

Every day there 230,000 new viruses, trojan, malware…

https://preyproject.com/blog/en/24-cybersecurity-statistics-that-matter-in-2019/

Some say 1 Million every day

Nearly 1 million new malware threats released every day

https://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

If the AV company only updates once every two days, checking hourly will only clog up their servers.

Spotting a nasty minutes after an update is more luck than anything. If the vendor provided the update 30 minutes later….

cheers, Paul

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

When I was using Kaspersky, it checked every couple of hours. MBAM Premium checks every hour.

Windows Defender in my new Win10 box has gone as long as a day or more between updates, which is rather disturbing. I could drop some screengrabs in here, but why waste bandwidth?

This is part of the reason I’m moving to BitDefender AV Plus 2020 here in about 2 months when my MBAM Prem subscription dies. I’ll then transition to MBAM Free as an on-demand scanner.

The other part of the reason I’m moving away from Windows Defender / “Security Intelligence” is that I don’t really trust Microsoft anymore; why would I trust them with my real-time AV security? I realize the Win10 Defender is a whole other animal than the “Defender” of the Win7 era, but still…

Windows 10 Pro x64 v1909 Desktop PC

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

While the purpose of updating the definitions is to be protected against rogue attacks, what if the rogue attack comes from the latest definition? Recent history on this very site suggests that just occasionally an AV definition can itself cause problems, and there may be merit therefore in not looking to install a new definition the moment it is released, as with Windows Updates generally it may be better to give MS time to spot any issues and pull/replace the offending definition.

@Grond may also want to review Susan Bradley’s advice in a recent newsletter to the effect that Win10 doesn’t take well to third party AV or multiple AV programs which can be broken by Windows Updates, meaning that it is recommended to stick with Defender – and only Defender – if running Win10.

Reply | Quote

To clarify, I mentioned MS because the discussion is centred on MSE/Defender, but the point would apply to whichever company was running the AV definition of course.

Reply | Quote

It is my opinion (and I’m not humble) that the old-school idea of relying on AV that constantly downloads definitions is not only a losing battle, but the war is lost. I am no one of any importance, I’m just a small business consultant and IT guy, but several years I tested several of the well known AV products that do the constant downloads. I went thru the alphabet. I quit looking when I tried Webroot. Webroot works on completely different model. No constant downloads. It’s a small program that runs fast, and has been keeping my client’s systems clean. Research it before you curse me out and scream that it used to be crummy – it’s not anymore.

Cheers,
TChalms

Reply | Quote

[rc primak]

What you are describing sounds like the newer “Cloud Antivirus” programs. They only work if you are online, connecting to the company’s database servers. The definitions and heuristics rules live in the Cloud, not on your local machine. The advantage is supposed to be that new definitions are applied as they are developed, reducing your exposure to Zero-Day attacks.

BTW, AdwCleaner sort of operates this way. It wants you to download at least part of the program before each use.  That download is the first step in running the program. Emsisoft used to make an antivirus scanner which worked the same way, and Microsoft Safety Scanner is also something where you first download the program, then run it, and it expires after two weeks.

Personally, I don’t trust any security company whose products only work if I am tethered to their servers. I don’t even use Cloud Storage for primary file storage. I upload after making local copies, preferably including one copy off the PC which I am using. You just never know…

For Windows 10, the only “live” real-time AV program I use is Microsoft Windows Defender. Other active AV programs have simply caused me too much hassle and trouble.

 

-- rc primak

• This reply was modified 4 years, 11 months ago by rc primak.

Reply | Quote

A sizable number of anti-virus programs these days use a combination of both definition-based detection and cloud-based heuristics. The idea being that the definitions can protect you while you’re offline and as a first line of defense, while cloud-based protection can detect things that slipped past the first line of defense.

It’s not necessarily “rubbish” (to answer the OP’s question) but I don’t think definitions are going away anytime soon. Many email spam detection filters already use heuristics-based models that are more effective than a long list of definitions, but definitions are still useful in many circumstances and are still better than no protection at all.

Reply | Quote

rc primak wrote:

What you are describing sounds like the newer “Cloud Antivirus” programs.

Close but not exactly. There’s a whole lot more to Webroot’s technology than that. And no, I don’t work for them, so I have zero confidence in my ability to describe exactly how it works.

All I can say without stepping in a fresh cow pie is that the proof is in the results. Webroot has been keeping my client’s systems clean.

It’s really worth researching, rather than standing firm on a preconceived misconception.

Cheers.

Reply | Quote