Malware researchers analyzing the pace at which the 47 vendor antivirus solutions featured in VirusTotal detected new malicious code samples found that many went undetected for several months, and in some cases the malware was not detected at all during the sampling period.
The researchers looked at hundreds-of-thousands of new malware samples monitored over a one year period spanning May 2013 to May 2014 to determine which antivirus solutions detected the malware samples and how quickly they did it in an effort to baseline the average rate of detection.
“On any given day, according to Lastline Labs’ analysis, much of the newly detected malware went undetected by as much as half of the AV vendors. Even after 2 months, one third of the AV scanners failed to detect many of the malware samples,” the researchers said.
“By averaging the daily detection rates, we are able to plot the pace at which the AV scanners catch up with the malware. The least-detected malware – that is the malware in the 1-percentile “least likely to be detected” category – went undetected by the majority of AV scanners for months, and in some cases was never detected at all.
Other key findings in the study included:
- On Day 0, only 51% of AV scanners detected new malware samples
- When none of the AV scanners detected a malware sample on the first day, it took an average of two days for at least one AV scanner to detect it
- After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for AV vendors
- Over the course of 365 days, no single AV scanner had a perfect day – a day in which it caught every new malware sample
- After a year, there are samples that 10% of the scanners still do not detect
The researchers mad note of the fact that that the configurations of the AV scanners employed by VirusTotal are not necessarily optimal in all cases, acknowledging that it may be possible to achieve a better detection rate by evaluating external signals or implementing “more aggressive configurations.”
“For us, this preliminary dataset leaves us with as many questions as answers. This analysis does not single out any AV vendor, and provides only insights based on VirusTotal data (with the caveats expressed at the beginning).” the researchers continued.
“We think that “traditional” AV technology is not dead, but needs to be complemented with other approaches (e.g., based on dynamic analysis of samples, network anomaly detection) that provide additional signals for detection.”
Read More Here…