New Malware Too Often Escapes Antivirus Detection

Damballa's fourth-quarter 2014 State of Infections Report finds that AV technology is not all that effective against advanced malware.


Damballa's Q4 2014 State of Infections Report, released on Feb. 12, reveals that antivirus (AV) technology doesn't always detect new malware.

As part of the report, Damballa conducted a study that included four of the most popular AV technologies to determine product efficacy. In the first hour of submission, 70 percent of malware was not detected by the AV technologies, and after 24 hours, 66 percent of malware was still not being detected by AV. The study found that it took more than six months for all of the AV products to include signatures for 100 percent of newly detected malware files.

Damballa's CTO Brian Foster said that his company will not publicly name the AV vendors whose technologies it tested, though he added that the vendors are widely known and have commonly deployed AV products.

"The intent of the test was not to say how good or bad these products are in general," Foster told eWEEK.

The point was to demonstrate that AV is not necessarily all that effective against advanced malware, which is designed to be evasive, he said. AV typically relies on seeing a malware file in motion, according to Foster. That means if a user gets infected off the network and reconnects to the network, the infection can't always be prevented.

"This is important because the vast majority of enterprises still spend most of their security budgets on prevention," Foster said. "The ability to prevent damage lies in how quickly you can detect hidden infections and respond."

Damballa's study leveraged its own enterprise product called Failsafe, an advanced detection system. The way that Failsafe works is that it uses predictive analysis and doesn't rely on prior knowledge of a threat, Foster said.

"It looks at the behaviors of devices over time to reach a verdict of 'infected' based on multiple detection techniques," he said.

Although Damballa's study shows low efficacy of AV against new threats, that doesn't mean that AV doesn't have a place in an enterprise's security deployment.

"Enterprises should prevent what they can, and there are millions of known threats that can be identified with AV," Foster said. "But the real threat lies in what AV can't identify."

For every malicious file that AV misses that infects a device, there is the potential for data exfiltration, according to Foster. AV can, however, be used as a remediation option after infections have been discovered. For example, Foster noted that a couple of Damballa's largest customers share their Damballa infection information with their AV provider and then wait for their AV provider to provide signatures to remediate the infected assets.

The Damballa State of Infections Report also provides details on how much data is actually leaving enterprises by way of malware data exfiltration. In the first quarter of 2014, Damballa found that infected devices uploaded a median of 683KB of data per day. That number dropped to only 160KB per day in the fourth quarter of 2014.

"Based on what our customers tell us, we believe the reason for the decline is they get better and faster over time at remediating infections," Foster said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.