Malwarebytes is tracking missed detections in traditional antivirus

New tool tracks detections on systems where traditional anti-virus failed to detect a problem


Tracking real-world scans on systems over the first six months of 2017, Malwarebytes says that typical desktop antivirus solutions aren't cutting it.

The company examined detection data from nearly 10 million endpoints, and discovered some of the most notable names in the anti-virus industry - even those who rank high in lab testing - are missing basic threats completely.

Malwarebytes released their data just before Halloween, and the report takes aim at the current state of antivirus lab testing. Notably, while the company usually earns high marks in such tests, they say the true value of lab testing is yet to be determined, "as malware in the wild behaves in a manner significantly different from laboratory samples – even recently captured samples apprehended in security honeypots."

Malwarebytes has been a key toolbox item for helpdesk and IT staffers for more than a decade. Often loaded onto systems for emergency malware removal, or to confirm that a system is clean after the other anti-virus product has run, the software is well-known among IT pros. Last year, this reporter used it to help recover a laptop after it was infected with Locky ransomware.

In order to track what's being missed by typical antivirus offerings, Malwarebytes examined only instances where its product was being used for remediation, not cases where it had proactively blocked a given threat. Moreover, the testing excluded potentially unwanted program (PUP) detections, focusing solely on malware.

When a detection was made, Malwarebytes checked to see what antivirus software was registered in Microsoft Security Center and recorded the vendor's name.

Initially, Malwarebytes didn't name the vendors who missed the most malware; however, the company did list a few of the more common failed detections. IRCBot (61%) and Kelihos (26%) were the top two missed bot detections, followed by the HiddenTear (41%) and Cerber (18%) ransomware families.

Malwarebytes repeated the test in October, to coincide with the larger report's release. This time, they did name names.

Tracking nearly 4 million missed detections, and following the same methodology used earlier in the year, Avast, ESET, AVG, Kaspersky, and Norton were the top five products ranked by missed detections once Microsoft Consumer was removed from the mix (Windows Defender is on every system).

Considering the results after six months of tracking, Malwarebytes said the data shows that "'new and improved' AV appear to be the technology of the past, dressed in new packaging."

"Even the top-rated, highly-lauded, 'recommended buy' AV solutions continue to struggle in real-world applications."

The Malwarebytes report is focused on the risks of missed detections, and the impact that has on consumers and businesses. The other lesson, though, one that isn't really mentioned, is that anti-virus alone isn't enough, and this has always been the case.

In the enterprise, long before a threat hits the desktop, it has to face off against other network protections.

The problem is home users, where things like patching and software updates are inconsistent and awareness training as a whole is non-existent. Here, even though anti-virus has issues, it's still needed and will remain a solid defensive requirement for years to come.

If you want to see the testing results for yourself, the company has released a tracking map to the public, which is a live view of the test as detections happen.
