Is antivirus getting worse?

Anti-virus software is getting worse at detecting both known and new threats

Injection syringe needle vaccinate

Is anti-virus software getting worse at detecting both known and new threats?

Earlier this week, Stu Sjouwerman, CEO of security awareness training company KnowBe4, looked at the data published by the Virus Bulletin, a site that tracks anti-virus detection rates. And the numbers didn't look good.

Average detection rates for known malware went down a couple of percentage points slightly from 2015 to 2016, he said, while detection rates for zero-days dropped in a big way - from an average of 80 percent down to 70 percent or lower.

"If the industry as a whole is dropping 10 to 15 points in proactive protection, that's really bad," he said. "Anti-virus isn't exactly dead, but it sure smells funny."

According to Sjouwerman, the Virus Bulletin is the industry's premier testing site. The tests are comprehensive, and consistent from year to year, so that a historical comparison is valid.

Several major vendors aren't included in these statistics, he said, because they declined to participate -- and implied that there might be a reason for that.

What's happening is that current anti-virus vendors aren't able to keep up with the attackers, he said, who can generate new malware on the fly.

"The bad guys have completely automated this process," he said. "It's now industrial strength, millions of new variants daily, in an attempt to overwhelm the existing anti-virus engines -- and guess what, the bad guys are winning."

He's not alone in pointing out the problems that anti-virus has been having lately, and other agree with the main thrust of his analysis.

"The report does sound pretty much in sync with what my feeling is, and what the industry is talking about," said Amol Sarwate, director of vulnerability labs at Qualys. "It's not an easy problem to solve. If they make antivirus too aggressive, it causes too many false positives. I think the hope for the future is a combination of multiple technologies. Anti-virus by itself cannot cut it any more."

Justin Fier, director of cyber intelligence and analysis at Darktrace

It's bad, and it will continue to get worse, said Justin Fier, director of cyber intelligence and analysis at Darktrace.

"I would never tell a customer not to invest in it," he said. "But in regards to whether anti-virus is working any more -- I don't think so."

At its core, security reacts to events.

"It's hard to predict what the next big wave of malware or the next big attack platform is going to be and protect against it," he said.

Ransomware in particular is causing problems, said KnowBe4's Sjouwerman, because the malware is so profitable that the cybercriminals are putting more and more resources into development.

Criminals earned $1 billion from their ransomware last year, showing that it's consistently getting through defenses.

But there are some new, early-stage products that specifically target ransomware, he added.

"Some of them work, some of them don't -- this is still very early days," he said. "Sophos has acquired one of those companies and now have an additional module that specifically protects against ransomware, and that actually works fine, so Sophos is actually scoring well but they're one of the few that do."

Sophos, which offers both network and endpoint security products, is not included in the Virus Bulletin, but received a 100 percent score for blocking zero-day attacks in the latest antivirus reports.

"One of our major advantages is that we don't rely on any one technology," explained Dan Schiappa, senior vice president and general manager of end user and network security groups at Sophos. "We have a little mini analytics engine, and when it's scanning a file or looking at a behavior, it can call on a bunch of different pieces of technology to determine if it's malware."

The new Intercept X product, which is designed specifically for zero-day threats, looks at how malware attacks systems.

"There are only about 24 different ways that you can exploit a vulnerability," he said. "We might get a couple of new techniques a year, and as long as we keep up with those techniques, we're in pretty good shape. For example, one new technique is to get into the pre-boot environment, and we're building protections against that."

Some vendors dispute whether the results of this one set of tests is conclusive.

"Test scores tend to fluctuate as attackers create new techniques and defenders continue to innovate," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Trend Micro was not included in the Virus Bulletin report.

"I can't speak to why we did not participate in this specific round of testing, we do have a lot of respect for Virus Bulletin," said Nunnikhoven.

Instead, he pointed out to his company's performance with AV Test. There, Trend Micro scored at 100 percent in 11 out of the last 14 zero-day detection tests for Windows 7 and Windows 10, and 99 percent on the other three tests.

In fact, average scores on the AV Test of zero-day detection have been going up, from under 97 percent in early 2015 to over 99.7 percent during the last Windows 10 testing round.

Another problem with some tests is how they measure successful detection, said David Dufour, senior director of engineering at Webroot.

Signature-based antivirus can spot malware early, but behavior-based systems have to wait for the malware to actually try to do something.

"Many testing methodologies still rely on older techniques measuring the number of threats that land on a machine," he said, "Rather than taking the time to understand that zero day and unknown malware will take time to identify."

Webroot was absent from both the Virus Bulletin and the AV Test reports.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)