Do % Detections matter ?

Discussion in 'other anti-virus software' started by CloneRanger, Mar 22, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    On average there are between 15,000 and 50,000 new malware samples released EVERY day out into the wild. Which also means at mimimum OVER 100,000 per week, and quite possibly well over a Million in any month. That's a Phenomenal amount by anybodys standards. Makes you wonder how the AV etc peeps manage to keep up with all ? I know some products have heuristics etc which can go a long way in helping the situation, but still.

    Each month just 1% point equates to a potential 10,000 samples missed based on a Million, and it can be even more. 0.1% missed is still a high 1,000 missed.

    So i'd say % points really do matter when considering/comparing products.
     
  2. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    That's why I've recently started using Appguard along with ClamAVwin. Appguard stops what the AV might miss.
     
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    In my personal opinion no. If it protects me the AV is doing it's job very well.
     
  4. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    ClamAV's detection is dismal.

    I think percentages do matter in detection, but prevention is a much better route along with a disaster recovery plan. Its easier to prevent infection that it is to clean an infection after its infiltrated your system, stolen your passwords and your money.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I agree and would say the same! ;)

    TH
     
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Out of the 15,000-50,000 how much do we usually encounter while browsing anyway? I agree that prevention is much more desireable than detection. My whole family shares our main computer to do almost all of the browsing, including my kids, and maybe 3 or 4 times have I come across any malware in the last year or so. That's not to say that their are not thousands of new malwares coming out daily.

    On another note, I wonder what percentage of this new malware is actually new and not just a repacked variant?
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    The one sample that is not detected that you execute is the one sample too much.

    Let me explain the high number of new samples per day. Some malware writers keep automatically updating their samples on the servers that are hosting the malware. Some generate new samples every few hours, some generate new samples every minute, some generate a new sample for each user that downloads a sample, a new sample per IP and so on.

    So you have many samples but not so many different malware families actually. The question is, can your AV detect the entire family with a generic detection or does it just add static detection for each sample that the AV company got?

    I think Microsoft stated somewhere on their malware information blog that they grab something like 50.000.000 MD5 unique samples each day of these server-side polymorphic malware families. Numbers mean nothing here.

    If I remember correctly, AV-Comparatives reduces those large families to 500 or 1000 samples maximum in order to clean up the test set.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    if executed...
    from my point it makes not really a difference if i catch 99% or 97% - from
    the possibility to get some. i need to focus my activity to judge what is best
    for me and the section - more scripts, more macros - or more executable - or...
    example: while using ms office i am more vulnerable than using any other office.
    Or adobe reader versus Foxit or PDFX-Change Viewer. IE versus any other browser.
    some users are recommended to use the program with highest detection rate.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Here's why i feel detection is paramount.

    If your AV is able to detect a very high proportion of nasties, and is FULLY configured to intercept/block them ALL on execution and/or download, then you won't be infected :D unless you allow them :p

    So even if the removal % is less good, it won't matter because there is nothing to remove :D In theory, you could have an AV etc with Zero removal capability, but excellent detection. Not advocating that ;) just illustrating the fact.

    Obviously this excludes the few % or 0.% that it might not know about yet. But that trait is common to all Anti's, some more than others !
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    You have not really gave an argument for detection. It is the same case with prevention using other layers of protection other than an on-demand scanner. Both should come hand in hand. Detection is a method of prevention, but not the only method of prevention.
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    It seems to me that many discussions on this forum would benefit greatly if there existed commonly accepted and clear definitions for terms such as “detection,” “prevention,” “protection,” “compromised,” “defended,” and “neutralized” (among others).

    Perhaps an independent organization (such as AV-Comparatives) will rise to the challenge and create a glossary of terms to facilitate communication about the performance of anti-malware products? Or, does such a glossary already exist?

    In my opinion, it's difficult to have meaningful dialog in the absence of a shared vocabulary.
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    there is a working group in AMTSO consisting of smart people (and I think they are all english-native speakers) which will bring out in future a glossary/definitions of various terms (used in AMTSO papers).
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Thank you, IBK, for sharing this information.

    It is good to know that others see the same problem -- and, that a solution is in progress.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @dawgg

    Yes i know, as i said
    ;)

    @Pleonasm

    Good point :thumb: Looks like your wish might come true.

    @IBK

    That's what we want :D
     
Loading...
Thread Status:
Not open for further replies.