The Thankless Task of Playing Catchup
Being of Kiwi origin, it hasn’t escaped my attention that the All Blacks are playing quite well at the moment. One of the big changes from last season is getting off to a good start. Twice last year the Wallabies got ahead of them, before the All Blacks managed to haul them back and sneak in for a victory in the last 20 minutes. Anyone who follows any football code seriously can tell you that playing catch-up football is much harder than keeping ahead of the game.
This is of relevance because of a wonderful piece of research done on Anti Virus scanners by a company called Cyveillance. Anti Virus technology is signature-based and therefore it plays catch-up football by design.
What Cyveillance have done is focus on the forgotten, or oft ignored, variable in Anti Virus scanner performance, that of time.
When performance of an Anti Virus scanner is talked about, it seems to follow the line of how many of the virus threats in existence does it block? Viruses having been around for a very long time, the percentages are naturally very high. You wouldn’t be much of a vendor if your product couldn’t block the Sober worm of 2003, the ILOVEYOU worm from 2000 or the Melissa worm from 1999. But what happens to those percentages when you exclude the vast bulk of history and measure how quickly a scanner detects current malicious attacks that are happening today? This is what Cyveillance have done.
If you just got your information off an AV vendor’s web site you could be forgiven for being optimistic. Symantec lists one of its features as speed of update: Pulse updates every 5-15 minutes for up-to-the-minute protection, no less. In that light the following findings are little short of eyebrow-raising:
The most popular AV signature-based solutions detect on average 18.9% of malware threats within 1 day.
After 8 days the average was up to 45.7%.
That detection rate increases only to 61.7% after 30 days.
Some vendors were better than others; check it out here.
Melodrama aside, what this confirms is what those of us in the industry have known for some time: signature-based scanners have run their course. The days when the AV vendors could troll the internet, identify new threats, create signatures to reliably block them and get those signatures back to the desktop before the threat arrived at the customer’s doorstep are gone.
The internet is too fast. The threats are too many. The range of poorly engineered software under attack too large.
It goes a long way to explaining the confusing statistics that have come out of the CSI/FBI surveys in recent years. Although over 90% of respondents had AV enterprise wide, some 20% of them experienced major virus outbreaks in the previous year.
Don’t throw away your Anti Virus solution; it’s by far and away the best way to clean up the mess afterward. Just lower your expectations of it blocking everything in real time.