A few months ago, a company called Lastline Labs published some explosive data about antivirus products. They studied hundreds of thousands of pieces of malware for a year and tracked the detection rate of each antivirus "engine" using Google's Virustotal site. This allowed them to figure out how fast (or rather how slow) AV scanners catch up with new malware. The results are like a hand grenade thrown into the AV space; it is a blood bath. I'm an industry insider and I was still shocked to see these numbers.
It takes an average of two days for at least one antivirus scanner to detect a new malware sample.
I'm quoting a paragraph here: "On any given day, according to Lastline Labs’ analysis, much of the newly detected malware went undetected by as much as half of the AV vendors. Even after 2 months, one third of the AV scanners failed to detect many of the malware samples. By averaging the daily detection rates, we are able to plot the pace at which the AV scanners catch up with the malware. The least-detected malware - that is the malware in the 1-percentile “least likely to be detected” category - went undetected by the majority of AV scanners for months, and in some cases was never detected at all." Here is the picture:
The numbers are confirmed by another company called Damballa, which, during a nine-month period, analyzed a sample set of thousands of files submitted for review by enterprise customers and had them scanned by four of the most popular antivirus products currently on the market.
The company found that in the first hour from submission, only 30% of the malware database could be identified by the products as a threat. After a day, the detection rate increased to 66% and the improvement continued after a week, when 72% of the malicious database entries were labeled as a threat.
It is no wonder that antivirus cannot keep up. AV-Test estimates a whopping 12 million new malware variants a month.
The German independent IT security institute AV-Test has published an interesting statistic on the current creation and distribution of malicious code. The data reveal that its experts observed 12 million new variants per month; the AV-TEST Institute registers over 390,000 new malicious programs every day. Here is the graph since the year 2000:
Here are the most important things you need to know:
- On Day 0, only 51% of AV scanners detected new malware samples
- When none of the AV scanners detected a malware sample on the first day, it took an average of two days for at least one AV vendor to detect it
- After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for AV vendors
- Over the course of 365 days, no single AV scanner had a perfect day - a day in which it caught every new malware sample
- After a year, there are samples that 10% of the scanners still do not detect
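To make the measurements behind these bullets concrete, here is an added example (not Lastline's or Virustotal's code) that computes the day-N detection rate, the average lag until a first detection for samples missed by every engine on day 0, and the share of engine verdicts still missing at the end of the window. The engine names and first-detection days are constructed sample data.

```python
from statistics import mean

# Constructed data: for each malware sample, the day (relative to first sighting)
# on which each engine first flagged it, or None if it never did inside the window.
FIRST_DETECTION = {
    "sample1": {"engA": 0, "engB": 0, "engC": 3, "engD": 14},
    "sample2": {"engA": 0, "engB": 2, "engC": None, "engD": 5},
    "sample3": {"engA": None, "engB": None, "engC": 1, "engD": 2},
    "sample4": {"engA": 0, "engB": 0, "engC": 0, "engD": 0},
    "sample5": {"engA": 3, "engB": None, "engC": 4, "engD": None},
}


def detection_rate(day, data=FIRST_DETECTION):
    """Fraction of (sample, engine) pairs where the engine flags the sample by `day`."""
    hits = total = 0
    for verdicts in data.values():
        for first_day in verdicts.values():
            total += 1
            if first_day is not None and first_day <= day:
                hits += 1
    return hits / total


def mean_days_to_first_detection(data=FIRST_DETECTION):
    """Average days until at least one engine detects, over samples missed on day 0.

    Samples that no engine ever detected inside the window are excluded, since
    their lag is unknown rather than zero.
    """
    lags = []
    for verdicts in data.values():
        days = [d for d in verdicts.values() if d is not None]
        if not days:
            continue  # never detected: no lag to measure
        if min(days) > 0:
            lags.append(min(days))
    return mean(lags) if lags else None


def never_detected_share(data=FIRST_DETECTION):
    """Fraction of (sample, engine) pairs still undetected at the end of the window."""
    pairs = [d for verdicts in data.values() for d in verdicts.values()]
    return sum(1 for d in pairs if d is None) / len(pairs)


if __name__ == "__main__":
    for day in (0, 1, 7, 14):
        print(f"day {day:2d}: detection rate {detection_rate(day):.0%}")
    print("mean lag to first detection:", mean_days_to_first_detection(), "days")
    print(f"verdicts still missing at end of window: {never_detected_share():.0%}")
```

Feeding a real per-engine first-detection table into the same functions reproduces the daily curve Lastline describes.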
Conclusion? Antivirus alone is not enough anymore
This analysis based on data from the AV industry insider site Virustotal definitely shows that “traditional” AV technology is not dead but it cannot keep up with the onslaught of almost 400,000 new malware samples per day. AV needs to be complemented with other approaches. End-user security awareness training is an obvious additional layer, but application whitelisting (a.k.a. Application Control) is a technology that at this time should be layered on top of AV.
To start out with, by far the best bang for your IT security budget is effective end-user education. Find out how affordable this is for your organization: