30 January 2015
In mid-2014 a company called Lastline Labs published some explosive data about antivirus products. They studied hundreds of thousands of malware samples over the course of a year and tracked the detection rate of each antivirus “engine” using the VirusTotal site. That allowed them to work out how fast (or rather how slowly) AV scanners catch up with new malware. The results are like a hand grenade thrown into the AV space; it is a blood bath. I’m an industry insider and I was still shocked to see these numbers.
It takes an average of two days for at least one antivirus scanner to detect a new malware sample.
I’m quoting a paragraph here: “On any given day, according to Lastline Labs’ analysis, much of the newly detected malware went undetected by as much as half of the AV vendors. Even after 2 months, one third of the AV scanners failed to detect many of the malware samples. By averaging the daily detection rates, we are able to plot the pace at which the AV scanners catch up with the malware. The least-detected malware – that is the malware in the 1-percentile “least likely to be detected” category – went undetected by the majority of AV scanners for months, and in some cases was never detected at all.” Here is the picture:
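The metrics in that paragraph (time until any engine flags a sample, the daily detection rate averaged over samples, and the samples nobody ever catches) are simple to compute once you have repeated scan results per sample. The block below is an added illustration of that computation and is not Lastline’s code or data; the engine names and the rescan history are constructed for the example, and in practice each entry would come from re-submitting the same sample to VirusTotal on successive days.

```python
"""Detection-lag metrics of the kind Lastline derived from VirusTotal rescans.

Added illustration, not Lastline's code or data. The rescan history below is
constructed by hand; real entries would come from re-scanning each sample on
VirusTotal day after day and recording which engines flagged it.
"""

ENGINES = ("EngineA", "EngineB", "EngineC", "EngineD")  # hypothetical AV engines

# Constructed rescan history: sample -> {day since first sighting: engines flagging it}.
# Only days on which a rescan happened appear; the last known verdict carries forward.
SCAN_HISTORY = {
    "sample1": {0: {"EngineA"}, 1: {"EngineA", "EngineB"},
                2: {"EngineA", "EngineB", "EngineC"}, 60: set(ENGINES)},
    "sample2": {0: set(), 1: set(), 2: {"EngineC"}, 60: {"EngineA", "EngineC"}},
    "sample3": {0: set(), 1: set(), 2: set(), 60: set()},   # never caught by anyone
}


def first_detection_day(history):
    """Day on which at least one engine first flagged the sample, or None if never."""
    for day in sorted(history):
        if history[day]:
            return day
    return None


def detection_fraction(history, day, engines=ENGINES):
    """Fraction of engines flagging the sample as of `day` (latest rescan on or before it)."""
    known_days = [d for d in sorted(history) if d <= day]
    if not known_days:
        return 0.0
    return len(history[known_days[-1]]) / len(engines)


def average_detection_rate(scan_history, day, engines=ENGINES):
    """Mean detection fraction across all samples on `day`: one point on the catch-up curve."""
    fractions = [detection_fraction(h, day, engines) for h in scan_history.values()]
    return sum(fractions) / len(fractions)


def mean_days_to_first_detection(scan_history):
    """Average lag until any engine catches a sample, over samples that were ever caught."""
    lags = [d for d in map(first_detection_day, scan_history.values()) if d is not None]
    return sum(lags) / len(lags) if lags else None


def never_detected(scan_history):
    """Samples that no engine flagged on any rescan (the 'never detected' tail)."""
    return sorted(s for s, h in scan_history.items() if first_detection_day(h) is None)


if __name__ == "__main__":
    print("mean days to first detection:", mean_days_to_first_detection(SCAN_HISTORY))
    for day in (0, 1, 2, 30, 60):
        print(f"day {day:2d}: average detection rate {average_detection_rate(SCAN_HISTORY, day):.2f}")
    print("never detected:", never_detected(SCAN_HISTORY))
```

Note that the average is taken per engine and per sample, so a sample flagged by one engine out of four contributes 0.25, which is why a “two days until at least one engine detects it” headline can coexist with a majority of engines still missing the sample months later.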
It is no wonder that antivirus cannot keep up: AV-TEST estimates a whopping 12 million new malware variants a month.
The German independent IT security institute AV-TEST has published an interesting statistic on the current creation and distribution of malicious code. Its experts count roughly 12 million new variants per month, which means the AV-TEST Institute registers over 390,000 new malicious programs every day. Here is the graph since the year 2000:
Here are the most important things you need to know:
Conclusion? Antivirus alone is not enough anymore
It is clear that “traditional” AV technology is not dead, but it cannot keep up with the onslaught of hundreds of thousands of new malware samples per day, so AV needs to be complemented with other approaches. This analysis, based on data from the industry-standard VirusTotal site, definitely shows that antivirus alone is not enough. End-user security awareness training is an obvious additional layer, but application whitelisting (AWL) is also a technology that should now be layered on top of AV.
(ISC)2’s Lou Magnotti wrote: “AWL will deny the execution of any application not previously and explicitly identified as ‘not malicious.’ AWL offers more security primarily because it denies malicious code that has never been seen before (zero-day issues) and code that blacklists won’t recognize immediately.”
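The difference Magnotti describes is one of default policy: a blacklist runs everything it has not seen before, while an allowlist blocks everything it has not approved. The block below is an added example of that contrast, not code from any AWL or AV product; the byte strings stand in for executables and are constructed for the example, and a real enforcement point would hook process creation through an OS policy or driver rather than hashing file contents in a script.

```python
"""Default-deny application allowlisting next to a hash-based blacklist.

Added illustration of the principle, not code from any AWL or AV product.
The byte strings below are constructed stand-ins for executable images.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images.
APPROVED_APP = b"MZ\x90\x00approved-app-1.0"
APPROVED_APP_UPDATE = b"MZ\x90\x00approved-app-1.1"   # legitimate update, not yet approved
KNOWN_MALWARE = b"MZ\x90\x00known-bad-sample"
REPACKED_MALWARE = KNOWN_MALWARE + b"\x00"            # same malware, one byte appended
ZERO_DAY = b"MZ\x90\x00never-seen-before"             # nobody has a signature for this

# Blacklist: the shape of a signature database. Anything not listed runs.
BLACKLIST = {sha256(KNOWN_MALWARE)}
# Allowlist: what AWL enforces. Anything not listed is blocked.
ALLOWLIST = {sha256(APPROVED_APP)}


def blacklist_allows(exe: bytes, blacklist=BLACKLIST) -> bool:
    """Default allow: block only what is already known to be bad."""
    return sha256(exe) not in blacklist


def allowlist_allows(exe: bytes, allowlist=ALLOWLIST) -> bool:
    """Default deny: run only what was explicitly approved beforehand."""
    return sha256(exe) in allowlist


def approve(allowlist, exe: bytes):
    """Return a new allowlist with `exe` added. Keeping this current is the operational cost of AWL."""
    return allowlist | {sha256(exe)}


def compare(exe: bytes) -> dict:
    """Verdict of each policy for one image."""
    return {"blacklist": blacklist_allows(exe), "allowlist": allowlist_allows(exe)}


if __name__ == "__main__":
    cases = [
        ("approved app", APPROVED_APP),
        ("approved app, new build", APPROVED_APP_UPDATE),
        ("known malware", KNOWN_MALWARE),
        ("repacked malware", REPACKED_MALWARE),
        ("zero-day", ZERO_DAY),
    ]
    for name, exe in cases:
        print(f"{name:24s} {compare(exe)}")
```

The repacked and zero-day cases are the ones the blacklist gets wrong: a single changed byte produces a hash no signature matches, and the default-allow policy lets it run. The update case shows the flip side: the allowlist blocks a legitimate new build until someone approves it, which is why AWL products in practice approve by publisher certificate or trusted installer rather than by individual file hash, and why the policy store itself has to be protected from tampering by the code it is meant to restrict.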
I also found a great article called the “Top 10 Common Misconceptions about Application Whitelisting” and you can find that here: http://resources.infosecinstitute.com/top-10-common-misconceptions-application-whitelisting/
To start out with, by far the best bang for your IT security budget is effective end-user education. Find out how affordable this is for your organization:
Source – http://blog.knowbe4.com/antivirus-isnt-dead-it-just-cant-keep-up