December 17, 2012

From A to V: Refuting Criticism of Our Antivirus Report

Our anti-antivirus study got a lot of attention (you could say it went viral).  Most interestingly, people called our methodology “flawed.” 

While our report acknowledged the limitations of our methodology, we believe that, fundamentally, the model for antivirus—and not our methodology—is flawed.  Antivirus was built years ago during an age when mass infections was the name of the game.   Today, malware is deployed to target SPECIFIC individuals—CEOs, researchers, politicians, executives—and not everyone’s mom. 

One reaction to our study asserted that a virus can be blocked based on source IP:  “email with the malware attached, or the included URL… could have been blocked based on its source IP.”   This approach, however, addresses an old threat model in which the attacker would try to infect as many as possible targets with a single campaign – that included reusing URLs to hoax the malware and IP addresses to send an email. Reusing IPs allowed security companies to have blacklists for both IPs and URLs. However, in today’s threat scape, where we consider attackers that are specifically targeting a specific victim, they create a dedicated URL to host the malware and use a dedicated IP address to send malicious mail, easily overcoming blacklists.

Our study concluded that antivirus solutions are very effective in fighting widespread malware, and slightly less effective for older malware (2-3 month old).  But for a new malware, there is a good chance it will evade the antivirus.  In fact, our results are consistent with other studies.    For example, let’s look at the AV-TEST Institute’s results.  

The AV-TEST Institute, according to their site, is a “leading international and independent service provider in the fields of IT security and anti-virus research.”  According to AV-TEST’s website, in order to test the protective effect of a security solution, AV-TEST researchers simulate a variety of realistic attack scenarios such as the threat of e-mail attachments, infected websites or malicious files that have been transferred from external storage devices. When carrying out these tests, AV-TEST takes the entire functionality of the protection program into account. But even when all of the Anti-virus functionality enabled, the results reveal a worrisome security gap:


While antivirus solutions are very effective in fighting widespread malware and slightly less effective for older malware, for a new malware, there is a good chance it will evade the antivirus solutions.  That’s exactly what we found.

Finally, one should ask a question CEOs are asking CISOs worldwide:   if antivirus software is so good, how come we see so many successful attacks based on infected computers (Coca-Cola, South Carolina DoR to name a few)? And the obvious answer is that antivirus is not perfect and needs to be augmented with data security solutions, as was honestly acknowledged by antivirus veteran researcher, Mikko Hypponen “Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense.”

Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.