Do % Detections matter ?

Discussion in 'other anti-virus software' started by CloneRanger, Mar 22, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    On average there are between 15,000 and 50,000 new malware samples released EVERY day out into the wild. Which also means at minimum OVER 100,000 per week, and quite possibly well over a Million in any month. That's a Phenomenal amount by anybody's standards. Makes you wonder how the AV etc peeps manage to keep up with all ? I know some products have heuristics etc which can go a long way in helping the situation, but still.

    Each month just 1% point equates to a potential 10,000 samples missed based on a Million, and it can be even more. 0.1% missed is still a high 1,000 missed.

    So I'd say % points really do matter when considering/comparing products.
     
  2. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    That's why I've recently started using Appguard along with ClamAVwin. Appguard stops what the AV might miss.
     
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    In my personal opinion no. If it protects me the AV is doing its job very well.
     
  4. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    ClamAV's detection is dismal.

    I think percentages do matter in detection, but prevention is a much better route along with a disaster recovery plan. It's easier to prevent infection than it is to clean an infection after it's infiltrated your system, stolen your passwords and your money.
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    I agree and would say the same! ;)

    TH
     
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Out of the 15,000-50,000 how much do we usually encounter while browsing anyway? I agree that prevention is much more desirable than detection. My whole family shares our main computer to do almost all of the browsing, including my kids, and maybe 3 or 4 times have I come across any malware in the last year or so. That's not to say that there are not thousands of new malware samples coming out daily.

    On another note, I wonder what percentage of this new malware is actually new and not just a repacked variant?
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    The one sample that is not detected that you execute is one sample too many.

    Let me explain the high number of new samples per day. Some malware writers keep automatically updating their samples on the servers that are hosting the malware. Some generate new samples every few hours, some generate new samples every minute, some generate a new sample for each user that downloads a sample, a new sample per IP and so on.

    So you have many samples but not so many different malware families actually. The question is, can your AV detect the entire family with a generic detection or does it just add static detection for each sample that the AV company got?

    I think Microsoft stated somewhere on their malware information blog that they grab something like 50,000,000 MD5-unique samples each day of these server-side polymorphic malware families. Numbers mean nothing here.

    If I remember correctly, AV-Comparatives reduces those large families to 500 or 1000 samples maximum in order to clean up the test set.
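    Stefan's point above, that a very high per-sample percentage can hide weak family-level coverage because server-side polymorphism inflates the sample count, can be made concrete. This is an added example, not code from the thread or from any AV vendor or tester: a constructed corpus of MD5-unique samples from three made-up families, a simulated scanner with static hashes plus one generic rule, and the per-family cap that test-set normalisation applies (family names, sizes and the cap of 10 are assumptions).

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    md5: str     # unique per sample, as server-side polymorphism guarantees
    family: str  # the malware family the sample belongs to

def build_corpus():
    """Constructed corpus (not real telemetry): three families, very different sizes."""
    sizes = {"polyA": 900, "polyB": 90, "newC": 10}  # assumed counts
    return [Sample(hashlib.md5(f"{fam}-{i}".encode()).hexdigest(), fam)
            for fam, n in sizes.items() for i in range(n)]

def build_scanner(corpus):
    """Simulated scanner knowledge: a generic rule covering all of polyB, static
    hashes for polyA except every 100th rehash the vendor never received; newC unknown."""
    generic_families = {"polyB"}
    poly_a = [s for s in corpus if s.family == "polyA"]
    static_hashes = {s.md5 for i, s in enumerate(poly_a) if i % 100 != 0}
    return static_hashes, generic_families

def detected(sample, static_hashes, generic_families):
    return sample.md5 in static_hashes or sample.family in generic_families

def per_sample_rate(corpus, det):
    """The headline 'percentage detected' figure quoted by vendors and tests."""
    return sum(det(s) for s in corpus) / len(corpus)

def cap_per_family(corpus, cap):
    """Keep at most `cap` samples of any one family so a single polymorphic
    family cannot dominate the test set (the thread cites caps of 500 or 1000)."""
    kept, seen = [], defaultdict(int)
    for s in corpus:
        if seen[s.family] < cap:
            seen[s.family] += 1
            kept.append(s)
    return kept

def family_coverage(corpus, det):
    """Fraction of families detected completely, and at least partially."""
    by_family = defaultdict(list)
    for s in corpus:
        by_family[s.family].append(det(s))
    n = len(by_family)
    return (sum(all(v) for v in by_family.values()) / n,
            sum(any(v) for v in by_family.values()) / n)
```

On this constructed data the raw per-sample rate is 98.1%, yet only one of three families is fully covered and the capped test set scores about 63%, which is the effect the per-family reduction is meant to expose.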
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,294
    If executed...
    From my point of view it makes no real difference if I catch 99% or 97%, given
    the possibility of getting some. I need to focus my activity on judging what is best
    for me and the section: more scripts, more macros, or more executables, or...
    Example: while using MS Office I am more vulnerable than using any other office suite.
    Or Adobe Reader versus Foxit or PDF-XChange Viewer. IE versus any other browser.
    Some users are recommended to use the program with the highest detection rate.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Here's why I feel detection is paramount.

    If your AV is able to detect a very high proportion of nasties, and is FULLY configured to intercept/block them ALL on execution and/or download, then you won't be infected :D unless you allow them :p

    So even if the removal % is less good, it won't matter because there is nothing to remove :D In theory, you could have an AV etc with Zero removal capability, but excellent detection. Not advocating that ;) just illustrating the fact.

    Obviously this excludes the few % or 0.% that it might not know about yet. But that trait is common to all Anti's, some more than others !
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    You have not really given an argument for detection. It is the same case with prevention using other layers of protection other than an on-demand scanner. Both should come hand in hand. Detection is a method of prevention, but not the only method of prevention.
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    It seems to me that many discussions on this forum would benefit greatly if there existed commonly accepted and clear definitions for terms such as “detection,” “prevention,” “protection,” “compromised,” “defended,” and “neutralized” (among others).

    Perhaps an independent organization (such as AV-Comparatives) will rise to the challenge and create a glossary of terms to facilitate communication about the performance of anti-malware products? Or, does such a glossary already exist?

    In my opinion, it's difficult to have meaningful dialog in the absence of a shared vocabulary.
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,891
    Location:
    Innsbruck (Austria)
    There is a working group in AMTSO consisting of smart people (and I think they are all native English speakers) which will bring out in future a glossary/definitions of various terms (used in AMTSO papers).
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Thank you, IBK, for sharing this information.

    It is good to know that others see the same problem -- and, that a solution is in progress.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @dawgg

    Yes I know, as I said
    ;)

    @Pleonasm

    Good point :thumb: Looks like your wish might come true.

    @IBK

    That's what we want :D
     