About Us

The Immunet Blog is maintained by the Immunet team as a forum for discussing news and issues related to AntiVirus, security and cloud technology.

Saturday, May 8, 2010

The desktop security battle is just beginning

Jeremiah Grossman from WhiteHat Security posted an interesting blog entry on Thursday entitled ‘Ceding the desktop security battle, almost the war’, which was followed by an article from Dennis Fisher on ThreatPost, ‘Have We Lost the Desktop Security Battle?’.

Both posts draw the same conclusion (with Dennis really hitting it home) – AntiVirus vendors have lost and virus authors have won.  Since this debate has been percolating in the security space for well over a decade now, let’s look at some real facts on how well today’s leading AntiVirus vendors are doing.

To do this, let’s look at one of the few impartial industry reviews that actually measures how well we are all doing.  The best measure for this is AV Comparatives, run by Andreas Clementi in Germany.  His review, the proactive / retrospective test, is designed to measure a product’s detection rate on new, previously unseen threats.  AntiVirus vendors all do very well on known threats, regularly achieving over 99% detection.  Known viruses, however, are shared by vendors across the industry and everyone has them, including the reviewers, so these numbers come as no surprise.  It is how well vendors do on unseen threats that REALLY matters and ultimately dictates how protected Consumers are as they browse the Internet each day.  This is what the retrospective test measures.

Andreas’ last retrospective review was released in November of 2009 and can be obtained here (PDF document).  Note that Immunet has not participated in the review (our product is still in beta as we improve our own detection capabilities).  The picture below pretty much sums it up:



As we can see, average proactive detection rates hover at 50% or less, including those of the two market leaders.  There is a caveat to this test: products that use execution-based detection (such as emulation or behavioral monitoring) cannot benefit from those capabilities in this test.

This is a stark reminder as to what a typical Consumer should expect from their AntiVirus product:

A less than 50% chance of being protected when they encounter a new threat

As a result, Financial Institutions (as Jeremiah discusses) are more than justified in assuming that all Consumers are compromised, and in accepting transactions despite this.

Despite these numbers, I would argue that the AntiVirus industry has not ceded the battle, nor has it lost it, but it is struggling to maintain high efficacy rates in the face of a growing number of threats.  The traditional approaches to this problem are not working.  We need game changing technologies to make a dent in this problem, since the status quo just won’t do. 

I remain convinced that by using the latest technologies in cloud computing, collective intelligence, data mining and machine learning, we can make a big leap forward from where we are today and turn the tables on these threats.  The AntiVirus problem has turned into a data management and timing problem.  It is about how much temporal data about files you can collect, and how quickly you can process that data in order to make a basic decision on a file’s disposition; ultimately a YES or NO decision.  These concepts are exactly what we are working on here at Immunet and we have certainly not given up.

Rather than seeing the war as being lost, we at Immunet believe that the battle is just beginning.  We are just starting to see the benefits from these game changing technologies.  We are building technologies that will have the ability to be far more effective than what has been built before us, and we are all devoting our lives to this fight in the here and now.


Reader Comments (10)

Do we need a SPU (Security Processing Unit) together with a CPU & GPU?

May 8, 2010 | Unregistered Commenter srw

Helpful Stuff! Though I don't understand much but I know this is useful!

Automatic Gate

May 11, 2010 | Unregistered Commenter Julie Johnson

If only more than 64 people would hear about this..

May 28, 2010 | Unregistered Commenter Janine Hampton

If only more people could hear about this!

May 29, 2010 | Unregistered Commenter Victor Madrid

You've done it once more! Superb post!

May 31, 2010 | Unregistered Commenter Emanuel Payne

Hehe I'm literally the first comment to this incredible read?!?

May 31, 2010 | Unregistered Commenter Tracey Bruno

This just proves that once again relying on anti-virus alone is not going to block viruses. I encourage everyone to look at my articles on windowssecurity.com which describe least privilege. You need all users (employees and IT staff) running least privilege. With a solution like BeyondTrust PowerBroker for desktops (www.beyondtrust.com), you can achieve this with EASE!

Derek Melber, MVP

October 30, 2010 | Unregistered Commenter Derek Melber, MVP
