[Updated 5/1/2016]. The antivirus industry has a dirty little secret that it really doesn't want anyone to know. Despite the claims of its marketing departments, its products are not all that effective in the real world. Many of them protect (at best) against only 80% or 90% of the threats out there in the wild at any given time, and their protection against ransomware is very bad.
Let us explain why. Antivirus products must protect against two general types of threat to be effective: known threats and unknown threats. Known threats have a signature, so a good AV product should be able to detect the threat and get rid of it. That is what's known as reactive detection.
No matter how much protection there is against known threats, there will always be unknown threats. As quickly as fixes are made, the bad guys are creating fresh new malware. AV products therefore need to protect against new threats in a proactive way, and antivirus software can be scored by looking at how many of those new threats it is able to prevent.
Scoring antivirus products on both reactive and proactive detection is actually being done by Virus Bulletin, an independent security testing lab and the antivirus industry's premier site for insiders. They have created what they call RAP averages. RAP stands for "Reactive And Proactive".
The Reactive measure is the average of three test runs against samples seen in the ten days before the test date, allowing the products to use the latest updates and with full access to any cloud-based resources and reputation systems.
For the Proactive measure, products and updates are frozen, then products are run offline, without access to cloud systems, against samples seen in the ten days following freezing.
The RAP test aims to give an indication of how well product developers are able to keep up with the incoming flood of new malware using their standard file detection methods (including heuristic rules), and should also give some idea as to how much different products rely on cloud-based systems to supplement client-side technologies.
Most antivirus products are tested about once per quarter (except a few that are not willing to participate, and you can come up with your own reasons why), and the test measures how each product does in both reactive and proactive detection of a large number of threats. Next, a graph is created where these scores are plotted for all products, with the proactive score on the X-axis and the reactive score on the Y-axis. An example is the one at the top of this post.
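To make the windowing concrete, here is a small Python scorer that applies the reactive and proactive rules described above to a sample feed. It is an added illustration, not Virus Bulletin's own code or data: the sample ids, first-seen dates and per-run verdicts are constructed, the ten-day windows follow the description above, and combining the three reactive runs by a simple mean is an assumption for this example.

```python
from datetime import date, timedelta

WINDOW_DAYS = 10  # window length used by the RAP methodology described above

def detection_rate(samples, start, end, verdicts):
    """Share of samples first seen in [start, end) that this run flagged.
    Samples outside the window are ignored, so later-seen files never leak in."""
    window = [s for s in samples if start <= s["first_seen"] < end]
    if not window:
        return None  # empty window: no score, rather than a misleading 100%
    return sum(1 for s in window if verdicts.get(s["id"], False)) / len(window)

def reactive_score(samples, run_verdicts):
    """Reactive: mean over the runs (updated product, cloud allowed), each scored
    on samples first seen in the WINDOW_DAYS days before that run's date."""
    rates = []
    for run_date, verdicts in run_verdicts.items():
        r = detection_rate(samples, run_date - timedelta(days=WINDOW_DAYS), run_date, verdicts)
        if r is not None:
            rates.append(r)
    return sum(rates) / len(rates)

def proactive_score(samples, freeze_date, frozen_verdicts):
    """Proactive: frozen, offline product against samples first seen in the
    WINDOW_DAYS days after the freeze date."""
    end = freeze_date + timedelta(days=WINDOW_DAYS)
    return detection_rate(samples, freeze_date, end, frozen_verdicts)

# Constructed sample feed: ids and first-seen dates are made up for this example.
SAMPLES = [
    {"id": "s01", "first_seen": date(2016, 2, 1)}, {"id": "s02", "first_seen": date(2016, 2, 5)},
    {"id": "s03", "first_seen": date(2016, 2, 12)}, {"id": "s04", "first_seen": date(2016, 2, 15)},
    {"id": "s05", "first_seen": date(2016, 2, 18)}, {"id": "s06", "first_seen": date(2016, 2, 22)},
    {"id": "s07", "first_seen": date(2016, 2, 28)}, {"id": "s08", "first_seen": date(2016, 3, 2)},
    {"id": "s09", "first_seen": date(2016, 3, 5)}, {"id": "s10", "first_seen": date(2016, 3, 9)},
    {"id": "s11", "first_seen": date(2016, 3, 12)},  # past the proactive window: ignored
]
# Constructed verdicts: three reactive runs keyed by run date, then the frozen run.
REACTIVE_RUNS = {
    date(2016, 2, 10): {"s01": True, "s02": False},
    date(2016, 2, 20): {"s03": True, "s04": True, "s05": False},
    date(2016, 3, 1): {"s06": True, "s07": True},
}
FROZEN_RUN = {"s08": True, "s09": False, "s10": False, "s11": True}

def example_point(freeze_date=date(2016, 3, 1)):
    """Return (proactive, reactive): the X and Y coordinates on the RAP graph."""
    reactive = reactive_score(SAMPLES, REACTIVE_RUNS)
    proactive = proactive_score(SAMPLES, freeze_date, FROZEN_RUN)
    return proactive, reactive
```

Note that a sample first seen after the proactive window (s11 here) does not count for or against the product, and an empty window yields no score at all rather than a flattering 100%.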
Stay up to date with how the various antivirus products rate over at Virus Bulletin, and be aware that none of them are that great! Some consumers are ditching traditional antivirus products; even pioneers in the antivirus industry like Intel no longer have faith in these products.
The results are far from pretty. As you can see, none of the antivirus vendors promote their results from this test, for good reason. One well-known, major antivirus industry player routinely scores no better than 80% reactive combined with 70% proactive. And people wonder how PCs still get infected by ransomware, banking Trojans and other malware.
The bad guys know this and count on it. That is why simply relying on antivirus software (endpoint security, if you will) creates a false sense of security. Yes, you need antivirus, but don't rely on it for 100% protection. There is much more about the why behind that statement in this great post by How-To Geek.
It is just as urgent for your defense-in-depth to have all employees take regular Internet Security Awareness Training, and to enforce compliance. Just one employee who, in a weak moment, gets social engineered and opens a phishing email attachment can cause untold grief, losses of hundreds of thousands of dollars, and massive legal bills.
Want to see how big your phishing attack surface is? How many of your email addresses can be found by the bad guys on the Internet and used for a spear-phishing attack? Get your one-time FREE Email Exposure Check now.