Antivirus software can't keep up with new malware, Lastline Labs analysis finds

Startup runs malware through VirusTotal, gets depressing answer

Brand new malware is detected by only around half of antivirus programs on the day it first appears, an analysis by security startup Lastline Labs has found after running samples through the VirusTotal online scanner.

Over the last year, the firm ran hundreds of thousands of pieces of malware it had encountered through the service to see how many of the 47 antivirus products correctly identified the files as malicious.

On the first day, the average share of the 47 programs that detected a given sample was 51 percent; that figure rose slowly and then jumped to 61 percent about two weeks after the malware's first submission.

Measuring detection rates using VirusTotal is not a new idea, and the firm's results were more or less as might be expected: antivirus software gets better at spotting malware as time passes. But the detail reveals some important caveats. When no program on VirusTotal spotted a piece of malware on the first day, it took an average of two days for at least one program to detect it.

Without naming any names, it is clear that some antivirus programs are still better (i.e. faster) at detecting new malware than others, and some samples managed to elude one in ten scanners a full year after their first appearance.
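As an added illustration (not Lastline's code or data), the metrics the article reports can be computed from per-day detection counts of the kind VirusTotal returns; the sample histories below are constructed and the engine count of 47 is taken from the article.

```python
"""Added example: detection-over-time metrics from constructed VirusTotal-style results."""
from statistics import mean

ENGINES = 47  # number of products on VirusTotal at the time, per the article

# Constructed data: for each sample, how many of the ENGINES flagged it on
# day 0, 1, 2, ... after its first submission (15 days shown).
SAMPLES = {
    "sample-a": [24, 25, 26, 27, 28, 29, 29, 30, 30, 30, 30, 31, 31, 32, 33],
    "sample-b": [0, 0, 3, 7, 12, 15, 18, 20, 21, 22, 24, 25, 25, 26, 30],
    "sample-c": [30, 31, 31, 31, 32, 32, 33, 33, 33, 34, 34, 34, 35, 35, 36],
    "sample-d": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],  # never caught
}


def detection_rate(samples, day):
    """Mean percentage of engines flagging each sample on the given day."""
    return mean(100.0 * hist[day] / ENGINES for hist in samples.values())


def days_to_first_detection(history):
    """Days until at least one engine flags the sample; None if it never is."""
    for day, hits in enumerate(history):
        if hits > 0:
            return day
    return None


def mean_lag_for_day0_misses(samples):
    """Average time-to-first-detection over samples missed on day 0
    (samples that are never detected are excluded from the average)."""
    lags = [days_to_first_detection(h) for h in samples.values() if h[0] == 0]
    lags = [d for d in lags if d is not None]
    return mean(lags) if lags else None


def evading_fraction(samples, day, min_missed_engines):
    """Share of samples still missed by at least min_missed_engines on a given day."""
    n = sum(1 for h in samples.values() if ENGINES - h[day] >= min_missed_engines)
    return n / len(samples)


if __name__ == "__main__":
    print(f"day-0 detection rate: {detection_rate(SAMPLES, 0):.1f}%")
    print(f"day-14 detection rate: {detection_rate(SAMPLES, 14):.1f}%")
    print(f"mean lag after a day-0 miss: {mean_lag_for_day0_misses(SAMPLES)} days")
    print(f"share missed by 20+ engines on day 14: {evading_fraction(SAMPLES, 14, 20):.2f}")
```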

So does all this tell us whether antivirus software works or not? On the basis of Lastline's findings, the answer probably depends on what is understood by the word 'works'.

The firm found that around 1 percent of malware is stubbornly hard to detect using the signature technology that is the core of antivirus software. This unusual and presumably rare malware sits undetected for months and might never make it into the signature database of any product. Indeed, it was probably specially crafted to evade signature detection simply by not being common enough to be quickly spotted and fingerprinted.

This is not good if you happen to be one of the small group of firms being targeted by these programs, but that has been true for some time.

"We think that 'traditional' AV technology is not dead, but needs to be complemented with other approaches (e.g., based on dynamic analysis of samples, network anomaly detection) that provide additional signals for detection," argued Lastline Labs' CTO, Giovanni Vigna.

"For us, this preliminary dataset leaves us with as many questions as answers."

As ever, it's a line that chimes with the argument made by a range of more recently founded security firms: that the technology employed by the established brands is no longer good enough as a single line of defence and should be supplemented with newer technology.

Ironically, it's a message that increasingly works for the larger traditional AV vendors such as Symantec, which recently surprised the security world when an executive told the Wall Street Journal that antivirus software was "dead." But Symantec increasingly wants its business user base to move to more recent products too, and it timed its historic admission to coincide with the announcement of new systems.

Lastline itself jumped the Atlantic, launching a UK wing in London's Tech City last November.

Stories by John E Dunn