Antivirus Isn’t Dead, It Just Can’t Keep Up

Much has been said in recent weeks about the state of antivirus technology. To add facts to the debate, Lastline Labs malware researchers studied hundreds of thousands of pieces of malware they detected for 365 days from May 2013 to May 2014, testing new malware against the 47 vendors featured in VirusTotal to determine which caught the malware samples, and how quickly.

The focus of this test is to determine how fast the anti-virus scanners catch up with new malware.

Note that the configuration of the various antivirus scanners used by VirusTotal is not necessarily optimal, and it is always possible that a better detection rate could be achieved by relying on external signals or using more “aggressive” configurations.

On any given day, according to Lastline Labs’ analysis, much of the newly detected malware went undetected by as much as half of the antivirus vendors. Even after 2 months, one third of the antivirus scanners failed to detect many of the malware samples. By averaging the daily detection rates, we are able to plot the pace at which the antivirus scanners catch up with the malware. The least-detected malware – that is, the malware in the 1-percentile “least likely to be detected” category – went undetected by the majority of antivirus scanners for months, and in some cases was never detected at all.

Some other interesting findings of this Lastline Labs research:

  • On Day 0, only 51% of antivirus scanners detected new malware samples
  • When none of the antivirus scanners detected a malware sample on the first day, it took an average of two days for at least one antivirus scanner to detect it
  • After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for antivirus vendors
  • Over the course of 365 days, no single antivirus scanner had a perfect day – a day in which it caught every new malware sample
  • After a year, there are samples that 10% of the scanners still do not detect
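The metrics behind these findings (the average daily detection rate, the trajectory of the least-detected percentile, the lag until a sample first gets caught, and per-scanner coverage) are straightforward to compute from a scan history. The script below is an added example, not Lastline’s code or data: it works on a small constructed dataset of ten hypothetical scanners and six hypothetical samples, where each entry records the day (counted from the sample’s first sighting) on which a scanner first flagged it, and assumes that once a scanner flags a sample it keeps flagging it on later days.

```python
"""Detection-lag metrics over a constructed VirusTotal-style scan history.

Added example; the scanners, samples and first-detection days below are
constructed for illustration and are not Lastline's data.
"""
from statistics import mean

# Ten hypothetical scanners, named av00..av09 (constructed).
SCANNERS = [f"av{i:02d}" for i in range(10)]

# For each constructed sample: the day since first sighting on which each
# scanner (in SCANNERS order) first flagged it; None = never flagged
# within the observation window. Assumption: a detection persists.
SAMPLES = {
    "sample_a": [0, 0, 0, 1, 2, 14, 14, 30, None, 0],
    "sample_b": [0, 0, 1, 1, 1, 2, 14, 14, 60, None],
    "sample_c": [None, 3, 3, 14, 14, 14, 14, 30, 60, None],  # missed on day 0
    "sample_d": [0, 0, 0, 0, 0, 0, 1, 1, 2, 14],
    "sample_e": [None, None, None, None, 60, 90, 180, None, None, None],  # evasive
    "sample_f": [None, 1, 2, 2, 14, 14, 14, 30, 30, None],  # missed on day 0
}


def detects(first_day, day):
    """True if a scanner that first flagged the sample on first_day flags it on day."""
    return first_day is not None and first_day <= day


def sample_rate(first_days, day):
    """Fraction of scanners that detect one sample on a given day."""
    return sum(detects(fd, day) for fd in first_days) / len(first_days)


def mean_rate(day, samples=SAMPLES):
    """Average detection rate across all samples on a given day."""
    return mean(sample_rate(fd, day) for fd in samples.values())


def percentile_rate(day, pct, samples=SAMPLES):
    """Detection rate of the sample at the pct-th percentile, ranked from least detected.

    pct=1 gives the 'least likely to be detected' trajectory; with few samples
    this collapses to the single worst-detected one.
    """
    rates = sorted(sample_rate(fd, day) for fd in samples.values())
    idx = int(round(pct / 100 * (len(rates) - 1)))
    return rates[idx]


def days_to_first_detection(samples=SAMPLES):
    """For samples no scanner caught on day 0, the day on which the first scanner did.

    Returns None for a sample that no scanner ever flagged.
    """
    lags = {}
    for name, first_days in samples.items():
        if sample_rate(first_days, 0) == 0:
            known = [fd for fd in first_days if fd is not None]
            lags[name] = min(known) if known else None
    return lags


def scanner_coverage(day, samples=SAMPLES, scanners=SCANNERS):
    """Fraction of samples each scanner detects on a given day."""
    return {
        name: sum(detects(fd[i], day) for fd in samples.values()) / len(samples)
        for i, name in enumerate(scanners)
    }


def trajectory(days=(0, 1, 7, 14, 30, 60, 90, 180, 365)):
    """(day, mean rate, 1-percentile rate) tuples: the two curves a chart would plot."""
    return [(d, round(mean_rate(d), 3), round(percentile_rate(d, 1), 3)) for d in days]


if __name__ == "__main__":
    for day, avg, worst in trajectory():
        print(f"day {day:>3}: mean {avg:.3f}  1-percentile {worst:.3f}")
    lags = days_to_first_detection()
    print("lag until first detection for day-0 misses:", lags)
    print("scanners at full coverage on day 365:",
          [s for s, c in scanner_coverage(365).items() if c == 1.0])
```

On the constructed data the mean curve rises from 0.2 on day 0 to about 0.78 on day 365 while the 1-percentile sample stays at 0.3, and three samples that every scanner missed on day 0 were first caught after 1, 3 and 60 days respectively, which is the same shape of result the figures above describe for the real dataset.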

[Figure: Antivirus Detection Rate Graph by Lastline Labs]

Top 1% of malware evolved against antivirus patterns

As you can see in the grey lines in the chart above, antivirus detection rates for the average malware sample follow a steady growth curve from Day 0 to Day 365. The trajectory of the 1-percentile malware (percentiles ranked by least detected), which is likely more sophisticated or unique, mostly mirrors that pattern. The 1% of malware that most effectively evaded detection in this dataset is likely to represent the kind of advanced malware created and used by cyber-criminals who are persistently and directly targeting and infiltrating organizations, as opposed to more opportunistic malware distributors.

Antivirus alone is not enough

For us, this preliminary dataset leaves us with as many questions as answers. This analysis does not single out any antivirus vendor, and provides only insights based on VirusTotal data (with the caveats expressed at the beginning). We think that “traditional” AV technology is not dead, but needs to be complemented with other approaches (e.g., based on dynamic analysis of samples, network anomaly detection) that provide additional signals for detection.

In future analyses, we will be looking for patterns in the least-detected malware that may indicate common trends or behaviors that could help all network security – including antivirus scanners – improve malware detection effectiveness and speed. This data definitely points to the conclusion that antivirus alone is not enough.

More research required

We plan to test further and compare the effectiveness of traditional sandboxing with next-generation sandboxing. Our hypothesis is that the least detectable malware is designed to both evade detection and fingerprint the analysis environment. From what we have seen so far, no commercially available signature-based security system appears to be able to get ahead of advanced malware on its own.

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.
