The Hard Truth of Anti-Virus

Even robust enterprise anti-virus solutions do not fully protect systems from malware.  At any given time, anti-virus software will fend off only a certain percentage of new malicious code, and the numbers may surprise you.  The metrics reinforce the notion of establishing a comprehensive set of security capabilities in combination with strong anti-virus tools.

False sense of security

Do you feel safe from malware because you are diligent with your anti-virus(AV) deployment and frequent updates?  Ever wonder how effective anti-virus tools are at preventing malware?  Well here is the hard truth.  Expect a well managed anti-virus deployment to prevent against approximately 75% of malware landing on enterprise clients.

Hard Truth About AV.jpg

Still feeling warm and fuzzy?

The graph shows over a 6 month period, malware was prevented by up-to-date host anti-virus only ~75% of the time.  For approximately a quarter of the events, AV products did not identify the malware and failed to protect the system, even with currently available updates.

Systems get infected with new malicious code and unless you are actively looking, you will not know.  Eventually, the AV vendors track key markers and update their products which then clean the systems.  But that could be after the damage is done.  If you rely solely on AV, you are taking a gamble with terrible odds.

It's a malware race out there!

Over a million new specimens of malware are created every month!  AV vendors take on the momentous effort of detecting the code and updating their products with the means to prevent and remove such malware.  It is a relentless race between malicious code authors and the AV industry.  Malware is growing and the numbers will continue to increase over time with no end in sight.  The security of our systems and data hang in the balance.

Don’t laugh, but ~75% prevention is pretty good given the outpouring of new malicious code.  Without such protection, all hope is lost.  AV is important, but obviously it is not enough by itself.  Organizations must establish a more robust security service to pick up the slack.

Some believe, due to the effectiveness, AV is a thing of the past.  A small security community advocates abandoning client AV.  They are a minority.  I just don't see the sense in that stratagem.  In fact, I believe it is borderline insane.  Host based AV/malware agents sit at the right location to maximize protection, even if it is not 100%.  For now, no solution can match the contributions of a host based capability to monitor and counter malware.

Recommendations:

A Defense in Depth strategy is important in considering the strengths and limitations of different controls, to establish a proper mix which delivers the optimal level of security.  Intel maintains a very strong capability to defeat malware, which includes predictive, preventative, detective and responsive aspects.  An enterprise managed host based anti-virus product is just one link in the chain of protection.

1. Employ other methods to keep malware at bay.  A good security strategy will include both behavior and technical controls.  Network and other communication based tools can block significant attacks before they get a chance to test the client AV. 
2. Keep AV current on the clients.  Don’t give up on AV.  Instead push for better processes to keep it up to date.  Eventually the AV researchers track down malware and release product updates to combat the threat.  Be ready to rapidly deploy those updates.
3. Purposefully look for the other ~25% (it is out there).  Knowing your AV is missing malware is half the battle.  Armed with your new field-intelligence, establish mechanisms to detect them.  A variety of options exists, including network scans, honey-pot systems, end-user reporting, and log monitoring for anomalies. 
4. Be proficient in response capabilities.  Effectively reacting to malware infections enables rapid removal and restoration of service for the infected host.

Real data for serious security

At Intel, we take security very seriously.  This graph is a real reflection of the state of client AV security.  For those of you who are interested in facts behind the metric:
1. This data represents ~100k hosts
2. The X axis are Work Week numbers for 2009/2010
3. This data is malware at the host.  Assume we have very strong measures which filter much of the malware before it can land on the hosts
4. The blue is malware detected by a commercial AV/HIPS solution using current signatures (therefore Prevented by the product)
5. Signatures are typically deployed to the environment within 2 hours of release by the vendor
6. The red bars are infections not protected by signatures but subsequently detected by our dedicated Threat Analysis team.  Once our team detects the malware we work with the vendor to get signature updates (which will subsequently turn them to Blue once the signatures are pushed)
7. Ballpark numbers: Over a 6 month period, on average ~25% of malware is NOT detected by standard signatures

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.