When being #1 means a 42% failure rate
January 16, 2012 Chad Loeven
Recently Kaspersky was recognised as the top AV and Product of the Year by AV-Comparatives, a well-known independent AV test lab. This is a great accomplishment that the team at Kaspersky should be justifiably proud of, but for an enterprise concerned with APTs and other targeted attacks, what does it actually mean?
At a glance, the results are impressive in relative terms compared to the competition. However, things get a little more clouded when you drill down to the absolutes of what is actually getting detected. The first sign of trouble is in the overall detection rates on page 6 of the report. Kaspersky certainly fares well at a 97.4% detection rate, pipping McAfee at 96.8% and getting pipped by BitDefender at 97.7%. But 97.4% on this test (run against a corpus of confirmed malware) means that 2.6% of known malware will slip right past, no problem. Put another way: roughly one time in 40, known malware will slip past onto your desktop even if you are running the best AV on the market.
To use a hockey analogy (we are Canadian after all), AV is the goalkeeper and malware is an aggressive forward taking lots of shots at the net. The goalkeeper has to stop every shot; the forward just needs to get one, and only one, in.
Still, maybe you can live with those odds. But if you’re a bit concerned about that, keep going to page 7 and the on-demand proactive test. This is a test specifically against new and unknown malware, i.e. samples for which no signature exists yet. That is the stuff you should worry about: malware that has more likely slipped through perimeter defenses before hitting the desktop or server. Here, Kaspersky scores just 57.6%. They were topped by Avira at 60.7%. For an enterprise that gets targeted attacks, fully 42.4% of new threats will settle on your desktop, AV notwithstanding. Worse, those stats include false positives: Avira’s slightly higher detection rate was offset by its higher false-positive (FP) rate.
To be clear, we’re still not suggesting you ditch your AV; quite the contrary, as per this blog post. And we’re certainly not knocking a particular AV vendor, any more than we did Symantec in a previous post.
To stretch the hockey analogy rather painfully though, just as NHL teams have enforcers to bring down goal-scoring forwards, make sure you’ve got an enforcer like ECAT on your desktops and give your goalie a break.
