Survey: AV Products Are Hit Or Miss; But Effective When Aggregated
"We thought it was inconceivable that the entire antivirus industry is no longer effective, even though the prominent message was that it wasn't working," explained Mike Viscuso, CEO of Carbon Black, a Sterling, Va.-based vendor that focuses on security-related data collection. "In our first survey, we took 84 samples of new malware from one given day and ran them through a website called VirusTotal, which allows you to scan any binary with as many as 43 different antivirus packages. What we found was that in every case at least one of the antivirus packages detected that new malicious sample that was brand new on that given day. Every piece of malware was caught by at least one AV product. But none of the individual virus packages found all the malware samples on day one."
The Carbon Black team then tracked how long it took each individual AV package to catch the samples it had initially missed. "The results were a big surprise to us," he said. "What we found was that if an antivirus package did not detect the virus within the first week, it probably never would."
Viscuso offers two hypotheses for why the missed samples are never caught.
"The first is that the virus traffic is very heavy," he said. "One AV company reported something like 783,000 new samples each day. So, whatever they can't address on any given day is probably going to be lost, because tomorrow they've got another 783,000 samples to deal with. Our second hypothesis is that even if you could catch them by signature, allowing all the signatures to pile up will eventually slow down the computer, which would cause a customer backlash. So, we're finding that the AV packages find more on day one than they do on day 30. Both of these are just hypotheses. We don't know for sure."
A second survey, this time involving 90 malware samples, yielded the same results: with the verdicts of all the AV products pooled as an industry-wide defensive line, nothing got through, but no single AV package caught every sample on its own, even after 30 days.
"That leads us to believe that customers should leverage the signature databases of multiple AV packages, as opposed to just one," said Viscuso. "In many cases, the AV products don't allow you to run more than one on a single machine. So, channel partners and customers should use a service that can scan all those binaries so that even if your particular antivirus isn't catching it, maybe the other one will."
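The survey method described above (scan each sample with many engines, credit a sample as caught when any engine flags it, then re-check each engine at later dates) and the recommendation to pool multiple engines' verdicts both reduce to a small amount of bookkeeping over a verdict table. The following is an added example, not Carbon Black's code or data: the engine names, sample names and verdicts are constructed, and the table layout (sample, observation day, engine, flagged or not) is an assumption rather than the format of any real multi-scanner report.

```python
from collections import defaultdict

# Constructed verdict table (hypothetical; not the survey's data):
# sample -> observation day -> engine -> True if that engine flagged it malicious.
SCANS = {
    "sample_a": {
        1:  {"EngineX": True,  "EngineY": False, "EngineZ": False},
        7:  {"EngineX": True,  "EngineY": True,  "EngineZ": False},
        30: {"EngineX": True,  "EngineY": True,  "EngineZ": False},
    },
    "sample_b": {
        1:  {"EngineX": False, "EngineY": True,  "EngineZ": False},
        7:  {"EngineX": False, "EngineY": True,  "EngineZ": False},
        30: {"EngineX": False, "EngineY": True,  "EngineZ": False},
    },
    "sample_c": {
        1:  {"EngineX": False, "EngineY": False, "EngineZ": True},
        7:  {"EngineX": True,  "EngineY": False, "EngineZ": True},
        30: {"EngineX": True,  "EngineY": False, "EngineZ": True},
    },
    "sample_d": {
        1:  {"EngineX": True,  "EngineY": False, "EngineZ": True},
        7:  {"EngineX": True,  "EngineY": False, "EngineZ": True},
        30: {"EngineX": True,  "EngineY": True,  "EngineZ": True},
    },
}


def flagged(verdicts, min_engines=1):
    """Pooled verdict: a binary counts as malicious when at least `min_engines`
    engines flag it. min_engines=1 is the survey's "any engine" criterion; raise it
    if a single engine's false positives become a problem."""
    return sum(1 for hit in verdicts.values() if hit) >= min_engines


def aggregate_coverage(scans, day, min_engines=1):
    """Fraction of samples caught by the union of all engines on `day`."""
    hits = sum(1 for s in scans.values() if flagged(s[day], min_engines))
    return hits / len(scans)


def per_engine_coverage(scans, day):
    """Fraction of samples each individual engine caught on `day`."""
    hits = defaultdict(int)
    for s in scans.values():
        for engine, hit in s[day].items():
            hits[engine] += int(hit)
    return {engine: n / len(scans) for engine, n in sorted(hits.items())}


def late_catches(scans, week=7, final_day=30):
    """(engine, sample) pairs an engine missed on every observation day <= `week`
    but flagged by `final_day`. Each element is a counterexample to the
    "not in the first week, probably never" finding."""
    late = set()
    for name, days in scans.items():
        for engine, final_hit in days[final_day].items():
            missed_first_week = all(not days[d][engine] for d in days if d <= week)
            if missed_first_week and final_hit:
                late.add((engine, name))
    return late


if __name__ == "__main__":
    print("day-1 pooled coverage:", aggregate_coverage(SCANS, 1))
    print("day-1 per engine:", per_engine_coverage(SCANS, 1))
    print("day-30 per engine:", per_engine_coverage(SCANS, 30))
    print("late catches:", late_catches(SCANS))
```

On the constructed table the pooled coverage is 100% on day one while no single engine exceeds 75% even on day 30, which is the shape of result the article reports; `late_catches` is the check to run on real data before accepting the first-week hypothesis, since every pair it returns is an engine that did catch up late.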
Individual results varied by product and configuration.
PUBLISHED AUG. 16, 2012