Antivirus Isn't Dead, It Just Can't Keep Up


30 January 2015

In mid-2014, a company called Lastline Labs published some explosive data about antivirus products. They studied hundreds of thousands of pieces of malware for a year and tracked the detection rate of each antivirus “engine” using the VirusTotal site. This allowed them to figure out how fast (or rather how slow) AV scanners catch up with new malware. The results are like a hand grenade thrown into the AV space; it is a bloodbath. I’m an industry insider and I was still shocked to see these numbers.

It takes an average of two days for at least one antivirus scanner to detect a new malware sample. 

I’m quoting a paragraph here: “On any given day, according to Lastline Labs’ analysis, much of the newly detected malware went undetected by as much as half of the AV vendors. Even after 2 months, one third of the AV scanners failed to detect many of the malware samples. By averaging the daily detection rates, we are able to plot the pace at which the AV scanners catch up with the malware. The least-detected malware – that is the malware in the 1-percentile “least likely to be detected” category – went undetected by the majority of AV scanners for months, and in some cases was never detected at all.” Here is the picture:

[Figure: lastline-labs-av-vendor-apt-detection-rate]


It is no wonder that antivirus cannot keep up: AV-Test estimates a whopping 12 million new malware variants a month.


The German independent IT security institute AV-Test has published an interesting statistic on the current creation and distribution of malicious code: the data reveal that experts noticed 12 million new variants per month. The AV-TEST Institute registers over 390,000 new malicious programs every day. Here is the graph since the year 2000:

[Figure: av-test-2014]


Here are the most important things you need to know:

  • On Day 0, only 51% of AV scanners detected new malware samples
  • When none of the AV scanners detected a malware sample on the first day, it took an average of two days for at least one AV vendor to detect it
  • After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for AV vendors
  • Over the course of 365 days, no single AV scanner had a perfect day – a day in which it caught every new malware sample
  • After a year, there are samples that 10% of the scanners still do not detect
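The figures above come from tracking, per sample and per engine, the date on which each scanner first flagged the sample relative to the day it was first seen. The following is an added Python example (not Lastline's code or data) that computes the same three statistics over a small constructed record set: the share of sample/engine pairs detected by day N, the mean lag until any engine flags a sample that nobody caught on day 0, and the share still undetected after a year. The engine names, sample ids and dates are all invented placeholders; a real study would fill `SAMPLES` from VirusTotal scan history.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Placeholder engine names, not real AV vendors.
ENGINES = ["engine_a", "engine_b", "engine_c", "engine_d"]


@dataclass
class Sample:
    """One malware sample and the date each engine first flagged it."""
    sample_id: str                          # constructed label, not a real hash
    first_seen: date                        # "day 0" for this sample
    detected_on: Dict[str, Optional[date]]  # engine -> first detection date, None = never


def _day(offset: int) -> date:
    """Constructed timeline: offsets from an arbitrary base date."""
    return date(2014, 1, 1) + timedelta(days=offset)


# Constructed records. A real analysis would load these from scan history.
SAMPLES: List[Sample] = [
    Sample("sample-1", _day(0),
           {"engine_a": _day(0), "engine_b": _day(0), "engine_c": _day(3), "engine_d": None}),
    Sample("sample-2", _day(0),
           {"engine_a": _day(1), "engine_b": _day(2), "engine_c": _day(2), "engine_d": _day(14)}),
    Sample("sample-3", _day(5),
           {"engine_a": _day(5), "engine_b": _day(6), "engine_c": _day(5), "engine_d": _day(5)}),
    Sample("sample-4", _day(10),
           {"engine_a": _day(13), "engine_b": _day(13), "engine_c": None, "engine_d": None}),
]


def detected_by_day(sample: Sample, engine: str, day: int) -> bool:
    """True if `engine` had flagged `sample` within `day` days of first sighting."""
    seen = sample.detected_on.get(engine)
    return seen is not None and (seen - sample.first_seen).days <= day


def detection_rate(samples: List[Sample], engines: List[str], day: int) -> float:
    """Fraction of (sample, engine) pairs detected by day N after first sighting."""
    pairs = [(s, e) for s in samples for e in engines]
    hits = sum(detected_by_day(s, e, day) for s, e in pairs)
    return hits / len(pairs)


def days_to_first_detection(samples: List[Sample]) -> float:
    """Mean lag (days) until *any* engine flags a sample that no engine caught on day 0.
    Samples never detected by anyone are excluded because their lag is unbounded."""
    lags = []
    for s in samples:
        if any(detected_by_day(s, e, 0) for e in s.detected_on):
            continue  # caught on day 0, so not a "missed" sample
        dates = [d for d in s.detected_on.values() if d is not None]
        if dates:
            lags.append((min(dates) - s.first_seen).days)
    return mean(lags)


def still_undetected(samples: List[Sample], engines: List[str], day: int) -> float:
    """Fraction of (sample, engine) pairs an engine has still not caught by day N."""
    return 1.0 - detection_rate(samples, engines, day)


if __name__ == "__main__":
    for day in (0, 1, 2, 14, 365):
        rate = detection_rate(SAMPLES, ENGINES, day)
        print(f"day {day:>3}: {rate:.1%} of sample/engine pairs detected")
    print(f"mean lag to first detection for samples missed on day 0: "
          f"{days_to_first_detection(SAMPLES):.1f} days")
    print(f"still undetected after a year: {still_undetected(SAMPLES, ENGINES, 365):.1%}")
```

The day-0 rate is the headline number in a study like this; the lag function is what produces the "two days until at least one vendor catches up" style of figure, and the year-end residue shows how much the laggard engines never close.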


Conclusion? Antivirus alone is not enough anymore

It is clear that “traditional” AV technology is not dead, but it cannot keep up with the onslaught of hundreds of thousands of new malware samples per day. AV needs to be complemented with other approaches. This analysis, based on data from the industry-standard VirusTotal site, definitely shows that antivirus alone is not enough. End-user security awareness training is an obvious additional layer, but application whitelisting (AWL) is also a technology that should, at this time, be layered on top of AV.

(ISC)2’s Lou Magnotti wrote: “AWL will deny the execution of any application not previously and explicitly identified as ‘not malicious.’ AWL offers more security primarily because it denies malicious code that has never been seen before (zero-day issues) and code that blacklists won’t recognize immediately.”
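The difference between the two models is easiest to see side by side. Here is an added Python example (not from the article, (ISC)2 or any AWL product) that applies a blacklist decision and an allowlist decision to the same three "executables": an approved application, a known piece of malware, and a never-seen variant of that malware. All three byte strings are constructed stand-ins for file contents, and the hash-based rule is the simplest form of an allowlist; shipping products also support publisher-certificate and path rules.

```python
import hashlib
from typing import Set, Tuple

# Constructed stand-ins for executable file contents; not real binaries.
KNOWN_GOOD = b"MZ\x90\x00constructed-approved-application-v1"
KNOWN_BAD = b"MZ\x90\x00constructed-known-malware"
# A "never seen before" variant: the same malware with one extra byte. Repacking
# or any trivial mutation has the same effect on a content hash.
NEW_VARIANT = KNOWN_BAD + b"\x01"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: Tuple[bytes, ...]) -> Set[str]:
    """An allowlist is the set of hashes explicitly approved in advance."""
    return {sha256_hex(b) for b in approved}


def blacklist_decision(data: bytes, blocklist: Set[str]) -> str:
    """Signature-style logic: block only what is already known to be bad."""
    return "deny" if sha256_hex(data) in blocklist else "allow"


def allowlist_decision(data: bytes, allowlist: Set[str]) -> str:
    """AWL logic: default-deny; only explicitly approved code may run."""
    return "allow" if sha256_hex(data) in allowlist else "deny"


def compare(data: bytes, allowlist: Set[str], blocklist: Set[str]) -> Tuple[str, str]:
    """Return (blacklist verdict, allowlist verdict) for one executable."""
    return blacklist_decision(data, blocklist), allowlist_decision(data, allowlist)


ALLOWLIST = build_allowlist((KNOWN_GOOD,))
BLOCKLIST = {sha256_hex(KNOWN_BAD)}  # what a signature update would have taught AV

if __name__ == "__main__":
    cases = (("approved app", KNOWN_GOOD), ("known malware", KNOWN_BAD), ("new variant", NEW_VARIANT))
    for label, blob in cases:
        bl, al = compare(blob, ALLOWLIST, BLOCKLIST)
        print(f"{label:14s} blacklist={bl:5s} allowlist={al}")
```

The third case is the one the article is about: the new variant sails past the blacklist until a signature for it exists, but the allowlist denies it immediately because it was never approved. The operational cost of the hash-based form is that every legitimate patch changes the hash and has to be re-approved, which is why deployments usually add publisher or path rules on top of plain hashes.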

I also found a great article called the “Top 10 Common Misconceptions about Application Whitelisting” and you can find that here: http://resources.infosecinstitute.com/top-10-common-misconceptions-application-whitelisting/

To start out with, by far the best bang for your IT security budget is effective end-user education. Find out how affordable this is for your organization.

Source – http://blog.knowbe4.com/antivirus-isnt-dead-it-just-cant-keep-up
