Real-time Protection
Derek0027
June 3rd, 2009, 05:02 PM
Hello,
Does anyone know why new (undetected) malware is able to slip by most anti-virus real-time protection?
larryb52
June 3rd, 2009, 08:46 PM
Because they do and can; nothing is 100% perfect...
Peter2150
June 3rd, 2009, 09:20 PM
-{ Quote: "Hello,
Does anyone know why new (undetected) malware is able to slip by most anti-virus real-time protection?" }-
Because until the AV companies get it and add a signature, they can't detect it.
Derek0027
June 3rd, 2009, 10:06 PM
-{ Quote: "Because until the AV companies get it and add a signature, they can't detect it." }-
So the protection modules don't have the ability to recognize unknown malware files by themselves? That seems very risky. How can I protect my system if the AV can't analyze an unknown malicious file?
bellgamin
June 4th, 2009, 12:31 AM
-{ Quote: "So the protection modules don't have the ability to recognize unknown malware files by themselves? That seems very risky. How can I protect my system if the AV can't analyze an unknown malicious file?" }-
Most AVs have heuristics, which enable them to detect many (not all) of the malware for which they do not yet have signatures.
In addition to using AVs, some users (myself included) also use HIPS applications, such as Mamutu (a behavior blocker) and Malware Defender (a "classical"), which can further alert users to malware which gets by their AV.
However, IMO the "ultimate protection" is to periodically image your system drive.
andyman35
June 4th, 2009, 08:14 AM
-{ Quote: "So the protection modules don't have the ability to recognize unknown malware files by themselves? That seems very risky. How can I protect my system if the AV can't analyze an unknown malicious file?" }-
That's why many users here adopt a default deny policy based on whitelisting, whereby only known good executables are allowed to run and everything else is treated with suspicion.
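The three approaches raised in the thread, as an added example that is not from any of the posts above: a fixed byte signature (Peter2150's point), a string-based heuristic that catches "many (not all)" unknowns (bellgamin's point), and a default-deny hash whitelist (andyman35's point). The sample files are constructed byte strings, not real malware; the header bytes, API names, XOR key and the two-hit heuristic threshold are assumptions made for the example.

```python
"""Signature vs. heuristic vs. default-deny whitelisting on constructed samples."""
import hashlib

# Constructed samples: made-up bytes for this example, not real malware.
FAKE_HEADER = b"MZ\x90\x00" + b"\x00" * 12          # stand-in for a PE header (assumption)
SUSPICIOUS_APIS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]
BENIGN_APIS = [b"MessageBoxW", b"GetTickCount"]
CODE_A = bytes(range(0x10, 0x60))                    # the "code" of the known sample


def build_sample(import_names, code):
    """Glue a header, an import-name table and a code blob into one fake file."""
    return FAKE_HEADER + b"\x00".join(import_names) + b"\x00" + code


def xor_pack(data, key):
    """Single-byte XOR 'packer', the way cheap crypters hide strings and code."""
    return bytes(b ^ key for b in data)


KNOWN_BAD = build_sample(SUSPICIOUS_APIS, CODE_A)
# The vendor's signature: the first 16 bytes of the known sample's code.
SIGNATURES = {CODE_A[:16]}

# Variant 1: two bytes changed inside the signature region, import strings untouched.
patched_code = bytearray(CODE_A)
patched_code[5] ^= 0xFF
patched_code[6] ^= 0xFF
PATCHED_VARIANT = build_sample(SUSPICIOUS_APIS, bytes(patched_code))

# Variant 2: strings and code XOR-encoded behind a tiny stub; nothing recognisable in clear.
PACKED_VARIANT = FAKE_HEADER + b"stub" + xor_pack(b"\x00".join(SUSPICIOUS_APIS) + CODE_A, 0x5A)

BENIGN = build_sample(BENIGN_APIS, b"hello world " * 8)

# The whitelist: SHA-256 of exactly the binaries the admin has vetted (assumed contents).
ALLOWLIST = {hashlib.sha256(BENIGN).hexdigest()}


def signature_scan(data, signatures=SIGNATURES):
    """Signature detection: does any known byte pattern occur in the file?"""
    return any(sig in data for sig in signatures)


def heuristic_scan(data, min_hits=2):
    """Heuristic: flag a file that imports at least `min_hits` injection-related APIs."""
    hits = sum(1 for api in SUSPICIOUS_APIS if api in data)
    return hits >= min_hits


def default_deny(data, allowlist=ALLOWLIST):
    """Whitelisting: allow only files whose hash is on the list; everything unknown is denied."""
    return "allow" if hashlib.sha256(data).hexdigest() in allowlist else "deny"


def verdict(data):
    """Run all three checks on one file and return their results side by side."""
    return {
        "signature": signature_scan(data),
        "heuristic": heuristic_scan(data),
        "whitelist": default_deny(data),
    }


if __name__ == "__main__":
    samples = [("known bad", KNOWN_BAD), ("patched variant", PATCHED_VARIANT),
               ("packed variant", PACKED_VARIANT), ("benign", BENIGN)]
    for name, sample in samples:
        print(f"{name:16} {verdict(sample)}")
```

Running it shows the pattern the thread describes: the signature hits only the exact known sample, the heuristic also catches the patched copy but misses the packed one, and the whitelist denies all three unknowns without needing to know anything about them, at the cost of also denying any legitimate binary that has not been hashed onto the list.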
twl845
June 4th, 2009, 09:02 AM
This is why apps like Returnil and Shadow Defender, not to forget Sandboxie, are superior for prevention.
Derek0027
June 4th, 2009, 10:18 AM
Based on your comments, it sounds like an AV is not enough anymore by itself, no matter what brand it is. I wonder why it is still the dominant method in determining if a file is rogue. For example, there are many virus upload sites like VirusTotal that use several name-brand AV programs that scan the file(s) for recognition. Sometimes you'll see 2 or 3 that detect, other times more, other times zero. It seems that this is still the security model being used to find out if a file is bad.
TonyW
June 4th, 2009, 10:31 AM
-{ Quote: "It seems that this is still the security model being used to find out if a file is bad." }-
It's not the only method, but you have to remember that scanning sites like VirusTotal often use older scanning engines and cannot be compared to having the actual product installed on your system, which will use newer scanning engines and incorporate other technologies too.
Fly
June 4th, 2009, 07:19 PM
-{ Quote: "Hello,
Does anyone know why new (undetected) malware is able to slip by most anti-virus real-time protection?" }-
Maybe this will give you some insight?
www.eset.com/download/whitepapers/Heuristic_Analysis.pdf
Copyright ©2002 - 2012, Wilders Security Forums