Feeds

Study: If your antivirus doesn't sniff 'new' malware in 6 days, it never will

But opposing researcher smacks down the finding

Boost IT visibility and business value

Mainstream antivirus software only has small window for detecting and blocking attacks, according to a controversial new study.

Host-based intrusion prevention firm Carbon Black found that if an antivirus package had failed to detect a piece of 'new' (recently discovered) malware within six days of its first being detected by another firm, the chances were it still wouldn't detect the sample even 30 days later. Carbon Black reached the finding after running an experiment assessing the effectiveness of 43 antivirus products in detecting 84 random malware samples using the VirusTotal website.

However David Harley, a senior research fellow at antivirus vendor Eset, said that the study has several methodological drawbacks that he believes make its conclusions potentially misleading.

For example, the packages available through VirusTotal are not the same as their desktop equivalents, he says. In addition, as Carbon Black itself notes, the study only looked at static signature detection, only one of several ways that modern security packages block malicious code. Another potential problem fingered by Harley was that the malware samples used by malc0de.com might be simply potentially unwanted applications that some anti-virus packages deliberately omit to detect. These and other reservations are noted in a detailed blog post by Harley here.

It’s probably safe to assume that there are threats that are never detected by any product.

The Carbon Black experiment showed that multiple antivirus products provided better security protection than just one, as expected, but it also showed that if signatures for a malware sample were not added within a few days after the sample first appeared, then they are likely to be permanently absent. "We found that the average new detections per day dropped to nearly zero after day six," Carbon Black researchers explain in a blog post. "What this means is that, on average, if AV doesn’t detect a piece of malware almost immediately, it likely never would." Carbon Black findings fly in the face of received wisdom that, given sufficient time, almost every piece of malware will be detected by all antivirus products. Harley said that, despite his reservations about Carbon Black's methodology, it may have a point.

"Stuxnet and its siblings have proved pretty conclusively that the entire security industry can completely miss a significant threat for extended periods," Harley concludes. "It’s probably safe to assume that there are threats that are never detected by any product."

However Harley added a caveat that in most cases "detection of significant, active threats" cascades through the industry so that protection against high-profile threats is offered by most vendors within days.

A month is a long time in malware detection

A second separate experiment by Carbon Black found some antivirus packages detected fewer malware samples on day 30 than on day one. Carbon Black suggests the reason for this may be that antivirus firms are removing detection for malware samples that are no longer in circulation.

Eset's Harley disputes these findings. "I doubt if any mainstream vendor pulls a detection within 30 days of an initial detection just to make room for another detection. If a vendor stops detecting something, it’s likely to be something else entirely: recognition of a false positive, reclassification (for instance as Possibly Unwanted), or even a process error," he writes.

Carbon Black concludes that its research suggests that antivirus firms are struggling to develop signatures for the hundreds of thousands of malware sample they receive every day. Even by using generic detection of malware strains the whole system is inundated, it suggests.

Again Harley demurs. "Modern products are indeed highly generic in their approach to detections (signatures, if you insist, though that term is misleading)... But we don’t just add a detection for each processed sample, we modify a detection as necessary," Harley explains. ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?