Feeds

Study: If your antivirus doesn't sniff 'new' malware in 6 days, it never will

But opposing researcher smacks down the finding

Website security in corporate America

Mainstream antivirus software only has small window for detecting and blocking attacks, according to a controversial new study.

Host-based intrusion prevention firm Carbon Black found that if an antivirus package had failed to detect a piece of 'new' (recently discovered) malware within six days of its first being detected by another firm, the chances were it still wouldn't detect the sample even 30 days later. Carbon Black reached the finding after running an experiment assessing the effectiveness of 43 antivirus products in detecting 84 random malware samples using the VirusTotal website.

However David Harley, a senior research fellow at antivirus vendor Eset, said that the study has several methodological drawbacks that he believes make its conclusions potentially misleading.

For example, the packages available through VirusTotal are not the same as their desktop equivalents, he says. In addition, as Carbon Black itself notes, the study only looked at static signature detection, only one of several ways that modern security packages block malicious code. Another potential problem fingered by Harley was that the malware samples used by malc0de.com might be simply potentially unwanted applications that some anti-virus packages deliberately omit to detect. These and other reservations are noted in a detailed blog post by Harley here.

It’s probably safe to assume that there are threats that are never detected by any product.

The Carbon Black experiment showed that multiple antivirus products provided better security protection than just one, as expected, but it also showed that if signatures for a malware sample were not added within a few days after the sample first appeared, then they are likely to be permanently absent. "We found that the average new detections per day dropped to nearly zero after day six," Carbon Black researchers explain in a blog post. "What this means is that, on average, if AV doesn’t detect a piece of malware almost immediately, it likely never would." Carbon Black findings fly in the face of received wisdom that, given sufficient time, almost every piece of malware will be detected by all antivirus products. Harley said that, despite his reservations about Carbon Black's methodology, it may have a point.

"Stuxnet and its siblings have proved pretty conclusively that the entire security industry can completely miss a significant threat for extended periods," Harley concludes. "It’s probably safe to assume that there are threats that are never detected by any product."

However Harley added a caveat that in most cases "detection of significant, active threats" cascades through the industry so that protection against high-profile threats is offered by most vendors within days.

A month is a long time in malware detection

A second separate experiment by Carbon Black found some antivirus packages detected fewer malware samples on day 30 than on day one. Carbon Black suggests the reason for this may be that antivirus firms are removing detection for malware samples that are no longer in circulation.

Eset's Harley disputes these findings. "I doubt if any mainstream vendor pulls a detection within 30 days of an initial detection just to make room for another detection. If a vendor stops detecting something, it’s likely to be something else entirely: recognition of a false positive, reclassification (for instance as Possibly Unwanted), or even a process error," he writes.

Carbon Black concludes that its research suggests that antivirus firms are struggling to develop signatures for the hundreds of thousands of malware sample they receive every day. Even by using generic detection of malware strains the whole system is inundated, it suggests.

Again Harley demurs. "Modern products are indeed highly generic in their approach to detections (signatures, if you insist, though that term is misleading)... But we don’t just add a detection for each processed sample, we modify a detection as necessary," Harley explains. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.