



What your antivirus software doesn’t tell you, and how to get that data

Mar 28, 2019 | 7 mins
Endpoint Protection | Malware | Security

Antivirus software detects and removes malware, but how fast and how accurately? Here's a no-cost way to find out and hold antivirus vendors accountable.


Since the beginning, antivirus software vendors have lied about their accuracy. Many claim 100 percent accuracy in detecting bad programs and we, despite nearly every computer being protected by an antivirus program, are still exploited by malware.

Submit any malware program to Google’s VirusTotal and get it scanned by 67 to 70 antivirus programs. Never have I seen the early hit rate better than maybe a third. The most popular antivirus engines often miss a submitted sample for days. The antivirus vendors won’t even let VirusTotal share the accuracy stats of individual engines.

Antivirus vendors and independent interests have tried to develop their own list of ethical testing methodology steps. Even those attempts have been accused of tainted measurements. Those who get a 100 percent detection result tout it in their advertising, and those who don’t point out flaws in a particular test’s methodology. None are 100 percent accurate no matter what test is done.

So, how can we determine an antivirus product’s real accuracy? I know a way.

The importance of malware dwell time

All that matters is how accurate an antivirus product is in your environment, across all your managed devices. Who cares if a test declares an antivirus product is 100 percent accurate when your environment is getting malware programs that the antivirus product misses?

Accuracy isn’t the only issue. We also care about dwell time.

None of the products tell you how long a malware program is active before it detects and removes it from your devices. It takes days for most antivirus programs to detect a new malware sample. Different antivirus programs take different amounts of time to recognize a malware sample, and from my experience, none are the top, quickest dog on all malware.

It’s not in any antivirus vendor’s self-interest to tell you how long their product took to detect and remove a malware program. You shouldn’t care about antivirus tests across thousands of malware samples more than what’s truly going on in your own environment. You want anti-malware programs to be very accurate and quickly accurate.

I know a way to hold your antivirus vendor accountable for detecting malware in your environment accurately and decreasing malware dwell time. You need to capture every newly executed program and process, related to files or fileless (e.g., registry, memory-based or PowerShell). Most computers already have a program that can do this built-in. Microsoft Windows has had the ability since the very beginning with its Windows Event Logging capability, but Microsoft’s application control programs like AppLocker are even better (less distracting noise). Apple and Linux distros vary as to their process tracking capabilities, but most can be configured to capture the necessary information. You can also download a commercial or open-source third-party application.

Every time a new program or process runs on a managed device, write the appropriate details to a central database repository. You’ll need to capture at least the device identifying information, user, date, time, process, and process identifying information. I love using AppLocker and other application control programs because you can configure them to report only new processes that were executed after you “snapshotted” the device in its baseline state. That cuts down on extraneous noise.

Once you have this information, every time an antivirus product reports a detection (and related removal), compare that new data point to when that program or process was first executed on the device. You want to see that most of the detections were noticed immediately (i.e., 0 seconds dwell time), as the program was trying to exploit the user and device. That’s good–very little risk. That’s defensive controls working as designed.

What you’re more interested in is how many antivirus malware detections had non-zero dwell time and how the malware got into your environment (social engineering, phishing, unpatched software, misconfiguration, buffer overflow, etc.). Any malware program that had more than a few seconds of dwell time is an elevated risk to your environment. As dwell time increases, so does your organization’s cybersecurity risk.

How to capture malware dwell time

Capturing malware dwell time allows you to do a few things. First, it allows you to make proactive decisions based upon that dwell time. Do you notify the user? Now, the best you can probably do is tell the user that they had a malware program detected and removed. With a known dwell time, you can tell the end-user something like:

“Our antivirus product detected and removed the following malware program, which has the following potential malicious capabilities…. The malware program was active on your computer for X minutes before it was detected and removed. Evaluate the risk to your activities and to the organization based on this information. (Were you using elevated logon credentials? Did you access sensitive information? Did you access other systems with other credentials? Did you send confidential emails to others?) Please report any additional risks the organization can assist with in remediating.”

You can start tracking malware dwell time as a critical key indicator for each individual device, user, configuration, department and organization-wide. Are the individual indicators going up or down over time? Is a particular user or configuration seeing dwell time go up? Is the organization seeing dwell time go up? Is dwell time going up for particular malware families or classes, and why?

If you see increases in dwell time trending over time, contact your antivirus vendor and get them involved. Hand them the data and see if they can decrease dwell time. You can try out other antivirus products and see if they are more accurate for your environment. There are other things to be worried about, such as an antivirus product’s hit on performance and false-positive hits, but without a great understanding of how well an antivirus product is doing in your particular environment, does the rest really matter?

This isn’t rocket science. This is something you can do for free in your environment. It requires that you capture new executions and report them to a centralized database for comparison against the database you already have of your antivirus detections. Run a few queries, and voila! You have a useful new critical data point in your fight against cybersecurity threats. You get badness dwell time!
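The comparison described above, written out as an added example (this is not code from the article or from any antivirus or application-control product): two feeds land in a central store, one row per newly executed process after the device baseline and one row per antivirus detection, and a query joins them on device and file hash to produce dwell time per detection, plus the per-device, per-user and per-family indicators suggested above. SQLite stands in for the central database, every device name, user, hash, timestamp and family label is constructed sample data, and the 5-second "elevated" threshold is an assumed value standing in for the article's "more than a few seconds".

```python
"""Malware dwell time = antivirus detection time - first execution time.

Added example, not the article's code.  SQLite stands in for the central
repository; all device names, users, hashes, timestamps and family labels
below are constructed sample data.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed process-execution feed: one row per new execution after the
# device baseline snapshot (device, user, UTC timestamp, image path, SHA-256).
EXECUTIONS = [
    ("WS-001", "alice", "2019-03-20T09:00:00Z", r"C:\Users\alice\Downloads\invoice.exe", "aaaa" * 16),
    ("WS-001", "alice", "2019-03-20T09:05:00Z", r"C:\Users\alice\Downloads\invoice.exe", "aaaa" * 16),
    ("WS-002", "bob",   "2019-03-21T14:30:00Z", r"C:\Temp\update.exe",                   "bbbb" * 16),
    ("WS-003", "carol", "2019-03-22T08:15:00Z", r"C:\Users\carol\AppData\Local\x.exe",    "cccc" * 16),
]

# Constructed antivirus detection feed: (device, UTC timestamp, SHA-256, family label).
DETECTIONS = [
    ("WS-001", "2019-03-20T09:00:00Z", "aaaa" * 16, "Sample.FamilyA"),  # caught immediately
    ("WS-002", "2019-03-23T10:00:00Z", "bbbb" * 16, "Sample.FamilyB"),  # caught ~43.5 hours later
    ("WS-003", "2019-03-22T08:15:30Z", "cccc" * 16, "Sample.FamilyC"),  # caught 30 seconds later
    ("WS-004", "2019-03-24T12:00:00Z", "dddd" * 16, "Sample.FamilyD"),  # no execution record at all
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in both feeds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_db(executions=EXECUTIONS, detections=DETECTIONS):
    """Load both feeds into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE executions(device TEXT, user TEXT, ts TEXT, path TEXT, sha256 TEXT);
        CREATE TABLE detections(device TEXT, ts TEXT, sha256 TEXT, family TEXT);
    """)
    con.executemany("INSERT INTO executions VALUES (?,?,?,?,?)", executions)
    con.executemany("INSERT INTO detections VALUES (?,?,?,?)", detections)
    return con


def dwell_times(con, elevated_after_seconds=5):
    """One result per detection: seconds between the FIRST execution of that
    hash on that device and the detection.  A detection with no matching
    execution record gets dwell None: that is a telemetry gap, not 0 dwell.
    ISO-8601 UTC strings sort chronologically, so MIN() on the text column
    picks the earliest execution."""
    rows = con.execute("""
        SELECT d.device, e.user, d.sha256, d.family, d.ts, MIN(e.ts)
        FROM detections d
        LEFT JOIN executions e ON e.device = d.device AND e.sha256 = d.sha256
        GROUP BY d.device, d.sha256, d.ts
    """).fetchall()
    results = []
    for device, user, sha256, family, det_ts, first_ts in rows:
        dwell = None if first_ts is None else (_ts(det_ts) - _ts(first_ts)).total_seconds()
        if dwell is None:
            risk = "unknown (no execution record)"
        elif dwell == 0:
            risk = "immediate"
        elif dwell <= elevated_after_seconds:   # assumed threshold for "a few seconds"
            risk = "low"
        else:
            risk = "elevated"
        results.append({"device": device, "user": user, "sha256": sha256, "family": family,
                        "detected_at": det_ts, "dwell_seconds": dwell, "risk": risk})
    return results


def max_dwell_by(results, key):
    """Worst dwell time per device, user or family: the trend indicator to
    watch over time.  Rows without an execution record are left out."""
    worst = {}
    for r in results:
        if r["dwell_seconds"] is None:
            continue
        worst[r[key]] = max(worst.get(r[key], 0), r["dwell_seconds"])
    return worst


if __name__ == "__main__":
    con = build_db()
    results = dwell_times(con)
    for r in results:
        print(f'{r["device"]:7} {r["family"]:15} dwell={r["dwell_seconds"]} risk={r["risk"]}')
    print("worst dwell per user:", max_dwell_by(results, "user"))
```

The join is on device plus file hash rather than on path, so a renamed copy of the same binary still lines up with its detection, and the detection with no execution record is reported as a gap rather than silently counted as zero dwell, which is the failure mode that would otherwise make the indicator look better than it is.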

How did malware enter your environment?

You also want to know how a malware program got in your system to execute. Was it unpatched software, social engineering, misconfiguration?

You can probably figure that out too with a little more work. Most malware comes from well-known web exploit kits. These kits typically use a handful of known exploits against unpatched software. Get a readout of the top detected malware programs. Do a little research and find out what exploits those particular malware programs usually use to break into your environment. Put those exploits in another database. When that malware is detected by your antivirus software, find out which unpatched programs were on the computers the malware exploited. If all the involved software was patched, then the malware was likely launched using social engineering. When you see defensive gaps allowing malware in, work on closing them.
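The entry-vector check above, as an added example that is not part of the article: a hand-maintained table of which software each detected family is known to exploit (and the version that fixes it) is joined against each device's installed-software inventory at detection time. A vulnerable, unpatched version is evidence for "unpatched software"; an all-patched device falls back to the article's social-engineering heuristic. Every family name, product name and version number below is a constructed placeholder, and a device missing from the inventory is reported as unknown rather than guessed.

```python
"""Infer how detected malware got in: unpatched software vs. social engineering.

Added example, not the article's code.  All family names, product names,
version numbers and device names are constructed placeholders.
"""

# Constructed: malware family -> list of (product, first version that is patched).
KNOWN_EXPLOITED = {
    "Sample.FamilyB": [("ExampleReader", "11.2"), ("ExampleBrowserPlugin", "3.0")],
    "Sample.FamilyC": [("ExampleBrowserPlugin", "3.0")],
}

# Constructed software inventory per device: product -> installed version.
INVENTORY = {
    "WS-002": {"ExampleReader": "11.0", "ExampleBrowserPlugin": "3.1"},
    "WS-003": {"ExampleReader": "11.2", "ExampleBrowserPlugin": "3.0"},
    "WS-005": {"ExampleReader": "10.9"},
}


def parse_version(s):
    """Dotted version string -> tuple of ints, so "1.2.10" sorts after "1.2.9"
    (a plain string compare would get that wrong)."""
    return tuple(int(part) for part in s.split("."))


def vulnerable_products(family, device):
    """Products installed on `device` that are below the patched version
    for something `family` is known to exploit."""
    hits = []
    for product, fixed in KNOWN_EXPLOITED.get(family, []):
        installed = INVENTORY.get(device, {}).get(product)
        if installed is not None and parse_version(installed) < parse_version(fixed):
            hits.append((product, installed, fixed))
    return hits


def infer_entry_vector(family, device):
    """Apply the article's heuristic to one detection."""
    if family not in KNOWN_EXPLOITED:
        return {"vector": "unknown", "reason": "no exploit profile for this family", "evidence": []}
    if device not in INVENTORY:
        return {"vector": "unknown", "reason": "no software inventory for this device", "evidence": []}
    hits = vulnerable_products(family, device)
    if hits:
        return {"vector": "unpatched software", "reason": "vulnerable version installed", "evidence": hits}
    return {"vector": "social engineering (likely)",
            "reason": "all software this family exploits was patched", "evidence": []}


def gap_summary(detections):
    """Count inferred vectors across a list of (device, family) detections;
    this is the 'defensive gaps' readout to act on."""
    counts = {}
    for device, family in detections:
        vector = infer_entry_vector(family, device)["vector"]
        counts[vector] = counts.get(vector, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [("WS-002", "Sample.FamilyB"), ("WS-003", "Sample.FamilyC"), ("WS-005", "Sample.FamilyA")]
    for device, family in sample:
        print(device, family, infer_entry_vector(family, device))
    print(gap_summary(sample))
```

The inventory snapshot should be the one that was current at detection time, not today's, otherwise a patch rolled out after the infection will make an unpatched-software entry look like social engineering.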

You should also be interested in what the malware did and the overall risk to the organization while the computer was exploited. You can capture what the malware program did using similar behavior monitoring software. You can also figure out ahead of time which users and devices are at elevated risk to the environment—for example, a user who has elevated admin credentials, an admin in a program accessing critical confidential data, or maybe a C-level executive.

Antivirus programs mostly tell you “we have detected something.” The information that matters most, accuracy against the malware programs actually being downloaded and executed in your environment and dwell time, is just as crucial. Making some endpoint adjustments, adding a database or three, and making queries against those databases can greatly increase your knowledge of how much benefit your chosen antivirus program brings to your organization. You can do more.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
