Preventing Known and Unknown Threats

Agenda
- How much malware is out there
- How to measure the quality of anti-malware products
- The value of multi-scanning
- Threat prevention
How much malware is out there?
- Known threats
- Unknown threats: targeted attack, outbreak
How much malware is out there? How many known threats are we up against?
[Chart: Differences in Reporting the Total Amount of Threats, 2010-2015; series: AV-Test, McAfee; y-axis 0 to 600,000,000 threats]
How much malware is out there? How many new known threats are we up against?
[Chart: Differences in Detection Rates for New Malware, 2010-2015; series: AV-Test, McAfee; y-axis 0 to 200,000,000 new threats]
How much malware is out there? Why are different measurements being used?
- Different detection logic
- Different engines
- Different data sources
- Different market share
- Different honeypots
How much malware is out there? The power of crowdsourcing

How to Measure the Quality of Anti-malware Products
- Detection coverage
- Response time for an outbreak
- Amount of false positives
- Product quality and stability
- Product vulnerabilities
- Operating system compatibility
- Other metrics

How to Measure the Quality of Anti-malware Products: Comparing AV-Test to AV-Comparatives

Engine Name    AV-Comparatives Performance Rating    AV-Test Performance Rating
Avira          90%                                   100%
AVG            85%                                   70%
Avast          83%                                   80%
Panda          80%                                   90%
McAfee         80%                                   80%
Threat Track   80%                                   40%
Trend Micro    78%                                   90%
Sources: 1. AV-Test  2. AV-Comparatives
How to Measure the Quality of Anti-malware Products: Measuring the quality of anti-malware engines (from AV-Comparatives)

AV Name       Mar 2013   Sep 2013   Mar 2014   Sep 2014   Mar 2015   Sep 2015
Avira         99.6%      99.7%      99.2%      99.9%      99.9%      99.8%
F-Secure      99.5%      99.7%      99.6%      99.6%      99.8%      99.7%
Bitdefender   99.3%      99.5%      99.5%      99.6%      99.7%      99.8%
Kaspersky     99.2%      99.0%      99.8%      99.7%      99.9%      99.5%
Fortinet      98.6%      98.2%      99.6%      97.9%      99.6%      98.8%
Trend Micro   98.4%      98.3%      99.0%      99.5%      95.1%      95.5%
AVG           98.4%      N/A        97.5%      98.4%      98.1%      93.4%
McAfee        98.0%      98.2%      99.3%      99.8%      99.7%      97.5%
Sophos        98.0%      96.5%      98.3%      98.2%      98.1%      97.2%
Avast         97.8%      97.1%      97.7%      98.6%      99.4%      99.2%
ESET          97.5%      97.1%      98.8%      98.7%      98.6%      99.2%
AhnLab        92.0%      90.6%      89.0%      93.7%      N/A        N/A
Microsoft     92.0%      90.1%      90.0%      90.2%      86.3%      91.4%
How to Measure the Quality of Anti-malware Products: Individual Engine Vulnerabilities
[Chart: Engine Vulnerabilities Over Last 4 Years (2012, 2013, 2014, 2015) for Avira, Kaspersky, Avast, Windows Defender, ESET, Bitdefender, Trend Micro; y-axis 0 to 12]
Source: National Vulnerability Database
How to Measure the Quality of Anti-malware Products: Conclusions
- We do not know exactly how much malware is out there
- There is no accurate/standard measure of the quality of anti-malware engines
- The quality of anti-malware engines changes from year to year
- Anti-malware engines suffer from vulnerabilities
- Well-known vendors miss over 10% of known threats
How to Measure the Quality of Anti-malware Products: The value of a single anti-malware solution
Advantages
- Detects both known and unknown threats
- Some engines detect over 80% of known threats
Disadvantages
- Single point of failure: vulnerabilities, misdetection
- Detection of outbreaks may be slower/delayed
The Value of Multi-scanning

The Value of Multi-scanning: Multi-scanning
Advantages
- Improved malware detection
- Decreased detection time for a new outbreak
- Flexible patching for anti-malware engine vulnerabilities
Disadvantages
- More false positives
- Decreased performance
- Higher costs
- More vulnerabilities
The Value of Multi-scanning: Advantage 1 - Improved malware detection
[Venn diagram: Antivirus 1, detection rate X1%; Antivirus 2, detection rate X2%; whole sample set 100%]
Combined detection rate: P(A ∪ B) = P(A) + P(B) - P(A ∩ B)
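The slide's formula worked through as an added example (not from the presentation): the combined rate from the page's AV-Comparatives Sep 2015 figures under an independence assumption, the range the combined rate can take whatever the correlation between the engines' misses, and a constructed two-engine corpus in which the P(A ∩ B) term is measured directly. Engine names and rates are the page's; the sample corpus is constructed.

```python
"""Added example (not from the slides): how much coverage a second engine adds.

The slide gives P(A ∪ B) = P(A) + P(B) - P(A ∩ B). The single-engine rates
below are the page's AV-Comparatives Sep 2015 column; the per-sample
detection sets are constructed so the measured union can be checked.
"""
from functools import reduce

SINGLE_ENGINE_RATES = {  # AV-Comparatives, Sep 2015 (from the page's table)
    "Avira": 0.998, "McAfee": 0.975, "AVG": 0.934, "Microsoft": 0.914,
}

def union_rate(p_a, p_b, p_both):
    """Inclusion-exclusion for two engines; p_both is the joint detection rate."""
    return p_a + p_b - p_both

def independent_union(rates):
    """Combined rate if engines miss independently: 1 - prod(1 - p_i).
    Vendors share samples and signatures, so this is an estimate, not a bound."""
    return 1.0 - reduce(lambda acc, p: acc * (1.0 - p), rates, 1.0)

def correlation_bounds(rates):
    """Range the combined rate can take whatever the correlation:
    worst case, all engines miss the same samples: max(p_i);
    best case, no sample is missed by every engine: min(1, sum(p_i))."""
    return max(rates), min(1.0, sum(rates))

def measured_union(detected_ids, total):
    """Multi-scan rate measured from per-engine sets of detected sample ids."""
    return len(set().union(*detected_ids.values())) / total

# Constructed corpus of 10 sample ids: each engine detects 8, but they miss
# different samples, so together they cover all 10 (misses are disjoint).
CONSTRUCTED = {"engine_1": {1, 2, 3, 4, 5, 6, 7, 8},
               "engine_2": {1, 2, 3, 4, 5, 6, 9, 10}}

if __name__ == "__main__":
    pair = [SINGLE_ENGINE_RATES["Avira"], SINGLE_ENGINE_RATES["Microsoft"]]
    print("Avira+Microsoft, independent misses: %.6f" % independent_union(pair))
    print("Avira+Microsoft, possible range:     %s" % (correlation_bounds(pair),))
    print("all four, independent misses:        %.6f"
          % independent_union(list(SINGLE_ENGINE_RATES.values())))
    a, b = CONSTRUCTED["engine_1"], CONSTRUCTED["engine_2"]
    print("constructed corpus, measured: %.2f  formula: %.2f  independent: %.2f"
          % (measured_union(CONSTRUCTED, 10),
             union_rate(len(a) / 10, len(b) / 10, len(a & b) / 10),
             independent_union([len(a) / 10, len(b) / 10])))
```

The same union arithmetic governs the false-positive lists on the later slide: adding an engine adds its false alarms as well as its detections.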
The Value of Multi-scanning: Advantage 2 - Decreased detection time for an outbreak
Metadefender scan history for one file (URL from the slide):
https://www.metadefender.com/#!/results/file/5268027b71414692b64649318619e33f/history

The Value of Multi-scanning: Advantage 2 - Decreased detection time for an outbreak
[Chart: time to detection per engine; *simulated time]
The Value of Multi-scanning: Disadvantage 1 - more false positives

Antivirus 1: 8 False Positives
  Azarus package           Trojan.Generic.6304836
  Buchdruck package        Gen:Variant.Zbot.29
  Intrapact package        Gen:Trojan.Heur.VP2.fm0@a5Koffgi
  Shellex package          Gen:Variant.Kazy.17493
  Skriptum package         Exploit.CVE-2011-0977.Gen
  Virtualization package   Gen:Trojan.Heur.KT.4.bq8@aqLITyf
  WinnerTw package         Gen:Variant.Kazy.18603
  WoodMahjongg package     Gen:Variant.Kazy.14979

Antivirus 2: 10 False Positives
  AbsoluteBlue package     Win32:Malware-gen
  DateCalc package         Win32:Trojan-gen
  DB2EXE package           Win32:Malware-gen
  Fiman package            Win32:Malware-gen
  FTPcontrol package       Win32:Malware-gen
  Joshua package           Win32:Malware-gen
  Sardu package            Win32:Dropper-FRU
  Shannel package          Win32:Fasec
  ShellPicture package     Win32:Malware-gen
  xComposer package        Win:32:SMorph

Combined: 14 False Positives
  AbsoluteBlue package     Win32:Malware-gen
  Azarus package           Trojan.Generic.6304836
  Buchdruck package        Gen:Variant.Zbot.29
  DateCalc package         Win32:Trojan-gen
  DB2EXE package           Win32:Malware-gen
  Fiman package            Win32:Malware-gen
  FTPcontrol package       Win32:Malware-gen
  Intrapact package        Gen:Trojan.Heur.VP2.fm0@a5Koffgi
  Joshua package           Win32:Malware-gen
  ShellPicture package     Win32:Malware-gen
  Virtualization package   Gen:Trojan.Heur.KT.4.bq8@aqLITyf
  WinnerTw package         Gen:Variant.Kazy.18603
  WoodMahjongg package     Gen:Variant.Kazy.14979
  xComposer package        Win:32:SMorph

Source: www.av-comparatives.org
The Value of Multi-scanning: Disadvantage 2 - decreased performance

The Value of Multi-scanning: Disadvantage 2 - decreased performance in reality

The Value of Multi-scanning: Disadvantage 3 - more costly
- Hardware requirements
- Additional IT training
- Licensing cost
- Bandwidth consumption
- Other costs
The Value of Multi-scanning: Reduce the risk of malware that is targeting specific engines
[Chart: Engine Vulnerabilities Over Last 4 Years (2012, 2013, 2014, 2015); y-axis 0 to 14]
Source: National Vulnerability Database
The Value of Multi-scanning: Known Threats / Unknown Threats
Threat prevention: Data sanitization
File may be harmful -> Data sanitization -> Different file, harmless

Threat prevention: Data sanitization
File may be harmful -> Reconstruct file (converting format, removing elements) -> Different file, harmless
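The "reconstruct file, removing elements" step shown on one concrete format, as an added example that is neither the presenter's nor any product's code: a PNG is parsed into its chunks, only the chunks needed to render the image are kept, and a new file is serialised from them, so text, EXIF, ICC and private chunks are discarded whatever they contain. The sample PNG is constructed inline; the allow-list and chunk parser are assumptions of this example.

```python
"""Added example: minimal content-disarm-and-reconstruct for PNG (stdlib only)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # critical chunks only (assumed allow-list)

def chunk(ctype, data):
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(blob):
    """Yield (type, data) for each chunk; reject a bad signature, truncation or CRC."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos < len(blob):
        length, = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk at offset %d" % pos)
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[end - 4:end])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break  # anything appended after IEND is never copied

def sanitize_png(blob):
    """Rebuild the file from allow-listed chunks; returns (new_bytes, dropped_types)."""
    kept, dropped = [], []
    for ctype, data in parse_chunks(blob):
        (kept if ctype in KEEP else dropped).append((ctype, data))
    rebuilt = PNG_SIGNATURE + b"".join(chunk(t, d) for t, d in kept)
    return rebuilt, [t for t, _ in dropped]

def constructed_png():
    """Constructed input: 1x1 grey PNG plus a tEXt chunk, a private chunk, trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one pixel
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00hello")
            + chunk(b"IDAT", idat) + chunk(b"prIv", b"\x00" * 16) + chunk(b"IEND", b"")
            + b"trailing junk")

if __name__ == "__main__":
    out, dropped = sanitize_png(constructed_png())
    print("dropped:", dropped, "| kept:", [t for t, _ in parse_chunks(out)])
```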
Q & A
Benny [email protected]