It has been said before, but if you need another marker to show just how marginalized anti-virus technology is becoming, research carried out by Lastline Labs really brings the message home.
The summary of their findings below probably confirm your worst suspicions about malware and AV
- On Day 0, only 51% of antivirus scanners detected new malware samples
- When none of the antivirus scanners detected a malware sample on the first day, it took an average of two days for at least one antivirus scanner to detect it
- After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for antivirus vendors
- Over the course of 365 days, no single antivirus scanner had a perfect day - a day in which it caught every new malware sample
- After a year, there are samples that 10% of the scanners still do not detect
What is even more sobering is this comment “Our hypothesis is that the least detectable malware is designed to both evade detection and fingerprint the analysis environment”
In other words, the malware that AV is detecting is the basic, ‘mass market’ stuff. This leaves the serious, most damaging, targeted malware undetected, precisely the kind of malware we REALLY need to be concerned with.
For example, malware being used purposefully to steal payment card data, intellectual property, R&D work and financial information, or being used to leverage extortion, industrial or political espionage.
The conclusion from Lastline Labs is that AV must be operated in conjunction with other technologies that improve malware identification. A comprehensive security strategy is really the only response that is going to cut it – system hardening, File Integrity Monitoring, log analysis and breach detection as contingency, implemented in conjunction with rigorously-operated security best practices.