Antivirus programs unreliable during critical coverage gap
- From: Chance Furlong <t-bone@xxxxxxxxxxxxxxx>
- Date: Mon, 01 Dec 2008 13:10:39 -0600
From Arstechnica:
http://tinyurl.com/6y2yef
Antivirus programs unreliable during critical coverage gap
By Joel Hruska | Published: November 30, 2008 08:10PM CT
The reactive nature of IT security is a well-known weakness that puts
defenders at an inherent disadvantage against attackers. Unfortunately,
it's also a flaw that's extremely difficult to correct; teaching virus
scanners to correctly identify new threats without also generating false
positives is no simple task. In theory, anti-malware products have
gotten considerably better at this sort of work, but if recent research
done by the chief scientist of FireEye, Stuart Staniford, is correct, our
antivirus dragnet has considerably more holes in it than previously
suspected.
In the interests of full disclosure, FireEye is a security solutions
provider, and Stuart Staniford is their chief scientist. This casts his
conclusions in a somewhat different light, but Staniford makes no effort
to hide his affiliations as he details the experiment he performed in
his blog entry. Staniford walks through his assumptions, data sets, and
procedures in some depth; I recommend consulting his full entry if
you're curious about the experiment.
The good news here is that FireEye's own custom security software tends
to detect new malware more-or-less at the same time as VirusTotal.
Unfortunately, the lag time between VirusTotal learning to recognize a
new MD5 hash and a majority of AV scanners being able to recognize that
same bit of malware is substantial.
Based on Staniford's results, only 40 percent of AV products can detect
a given malware binary within three days of that binary hitting the
'Net. This detection rate improves significantly as time passes, but
never reaches 100 percent, even months after the initial executable was
uploaded to VirusTotal.com. The implications of this lag time are
significant, as it identifies a span of days when the malware (whatever
it happens to be) is free to move about online more-or-less undetected.
Even if we assume Staniford's measurements are off by 15-20 percent,
it's still clear that the majority of AV products leave significant
coverage gaps.
The antimalware companies themselves are aware of this; McAfee intends
to offer a cloud-based solution it believes will reduce an AV engine's
update time. Examine Staniford's data compared to the McAfee article I
linked above, however, and you'll note a distinct difference in how long
it takes AV companies to roll out solutions (as measured using
VirusTotal) versus how long McAfee claims it takes (1-3 days). This
isn't proof that McAfee is wrong; FireEye's chief scientist doesn't
break out results by scanner, but it's statistically doubtful that
McAfee is always one of the 40 percent Staniford measured.