This article is more than 1 year old
Study: If your antivirus doesn't sniff 'new' malware in 6 days, it never will
But opposing researcher smacks down the finding
Mainstream antivirus software only has small window for detecting and blocking attacks, according to a controversial new study.
Host-based intrusion prevention firm Carbon Black found that if an antivirus package had failed to detect a piece of 'new' (recently discovered) malware within six days of its first being detected by another firm, the chances were it still wouldn't detect the sample even 30 days later. Carbon Black reached the finding after running an experiment assessing the effectiveness of 43 antivirus products in detecting 84 random malware samples using the VirusTotal website.
However David Harley, a senior research fellow at antivirus vendor Eset, said that the study has several methodological drawbacks that he believes make its conclusions potentially misleading.
For example, the packages available through VirusTotal are not the same as their desktop equivalents, he says. In addition, as Carbon Black itself notes, the study only looked at static signature detection, only one of several ways that modern security packages block malicious code. Another potential problem fingered by Harley was that the malware samples used by malc0de.com might be simply potentially unwanted applications that some anti-virus packages deliberately omit to detect. These and other reservations are noted in a detailed blog post by Harley here.
It’s probably safe to assume that there are threats that are never detected by any product.
The Carbon Black experiment showed that multiple antivirus products provided better security protection than just one, as expected, but it also showed that if signatures for a malware sample were not added within a few days after the sample first appeared, then they are likely to be permanently absent. "We found that the average new detections per day dropped to nearly zero after day six," Carbon Black researchers explain in a blog post. "What this means is that, on average, if AV doesn’t detect a piece of malware almost immediately, it likely never would." Carbon Black findings fly in the face of received wisdom that, given sufficient time, almost every piece of malware will be detected by all antivirus products. Harley said that, despite his reservations about Carbon Black's methodology, it may have a point.
"Stuxnet and its siblings have proved pretty conclusively that the entire security industry can completely miss a significant threat for extended periods," Harley concludes. "It’s probably safe to assume that there are threats that are never detected by any product."
However Harley added a caveat that in most cases "detection of significant, active threats" cascades through the industry so that protection against high-profile threats is offered by most vendors within days.
A month is a long time in malware detection
A second separate experiment by Carbon Black found some antivirus packages detected fewer malware samples on day 30 than on day one. Carbon Black suggests the reason for this may be that antivirus firms are removing detection for malware samples that are no longer in circulation.
Eset's Harley disputes these findings. "I doubt if any mainstream vendor pulls a detection within 30 days of an initial detection just to make room for another detection. If a vendor stops detecting something, it’s likely to be something else entirely: recognition of a false positive, reclassification (for instance as Possibly Unwanted), or even a process error," he writes.
Carbon Black concludes that its research suggests that antivirus firms are struggling to develop signatures for the hundreds of thousands of malware sample they receive every day. Even by using generic detection of malware strains the whole system is inundated, it suggests.
Again Harley demurs. "Modern products are indeed highly generic in their approach to detections (signatures, if you insist, though that term is misleading)... But we don’t just add a detection for each processed sample, we modify a detection as necessary," Harley explains. ®