Feeds

Study: If your antivirus doesn't sniff 'new' malware in 6 days, it never will

But opposing researcher smacks down the finding

Top 5 reasons to deploy VMware with Tegile

Mainstream antivirus software only has small window for detecting and blocking attacks, according to a controversial new study.

Host-based intrusion prevention firm Carbon Black found that if an antivirus package had failed to detect a piece of 'new' (recently discovered) malware within six days of its first being detected by another firm, the chances were it still wouldn't detect the sample even 30 days later. Carbon Black reached the finding after running an experiment assessing the effectiveness of 43 antivirus products in detecting 84 random malware samples using the VirusTotal website.

However David Harley, a senior research fellow at antivirus vendor Eset, said that the study has several methodological drawbacks that he believes make its conclusions potentially misleading.

For example, the packages available through VirusTotal are not the same as their desktop equivalents, he says. In addition, as Carbon Black itself notes, the study only looked at static signature detection, only one of several ways that modern security packages block malicious code. Another potential problem fingered by Harley was that the malware samples used by malc0de.com might be simply potentially unwanted applications that some anti-virus packages deliberately omit to detect. These and other reservations are noted in a detailed blog post by Harley here.

It’s probably safe to assume that there are threats that are never detected by any product.

The Carbon Black experiment showed that multiple antivirus products provided better security protection than just one, as expected, but it also showed that if signatures for a malware sample were not added within a few days after the sample first appeared, then they are likely to be permanently absent. "We found that the average new detections per day dropped to nearly zero after day six," Carbon Black researchers explain in a blog post. "What this means is that, on average, if AV doesn’t detect a piece of malware almost immediately, it likely never would." Carbon Black findings fly in the face of received wisdom that, given sufficient time, almost every piece of malware will be detected by all antivirus products. Harley said that, despite his reservations about Carbon Black's methodology, it may have a point.

"Stuxnet and its siblings have proved pretty conclusively that the entire security industry can completely miss a significant threat for extended periods," Harley concludes. "It’s probably safe to assume that there are threats that are never detected by any product."

However Harley added a caveat that in most cases "detection of significant, active threats" cascades through the industry so that protection against high-profile threats is offered by most vendors within days.

A month is a long time in malware detection

A second separate experiment by Carbon Black found some antivirus packages detected fewer malware samples on day 30 than on day one. Carbon Black suggests the reason for this may be that antivirus firms are removing detection for malware samples that are no longer in circulation.

Eset's Harley disputes these findings. "I doubt if any mainstream vendor pulls a detection within 30 days of an initial detection just to make room for another detection. If a vendor stops detecting something, it’s likely to be something else entirely: recognition of a false positive, reclassification (for instance as Possibly Unwanted), or even a process error," he writes.

Carbon Black concludes that its research suggests that antivirus firms are struggling to develop signatures for the hundreds of thousands of malware sample they receive every day. Even by using generic detection of malware strains the whole system is inundated, it suggests.

Again Harley demurs. "Modern products are indeed highly generic in their approach to detections (signatures, if you insist, though that term is misleading)... But we don’t just add a detection for each processed sample, we modify a detection as necessary," Harley explains. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.