Preventing Known and Unknown Threats

Preventing Known and Unknown Threats. Benny Czarny, CEO & Founder, OPSWAT, [email protected]. February 9, 2016

Transcript of Preventing Known and Unknown Threats

Page 1: Preventing Known and Unknown Threats

Preventing Known and Unknown Threats

Benny Czarny, CEO & Founder, OPSWAT, [email protected]

February 9, 2016

Page 2: Preventing Known and Unknown Threats

Preventing Known and Unknown Threats Agenda

How much malware is out there

How to measure the quality of anti-malware products

The value of multi-scanning

Threat prevention

Page 3: Preventing Known and Unknown Threats

How much malware is out there?

Known threats

Unknown threats

Targeted attack

Outbreak

Page 4: Preventing Known and Unknown Threats

How much malware is out there?

Page 5: Preventing Known and Unknown Threats

How much malware is out there? How many known threats are we up against?

[Chart: Differences in Reporting the Total Amount of Threats, 2010 to 2015, y-axis 0 to 600,000,000; series: AV-Test, McAfee]

Page 6: Preventing Known and Unknown Threats

How much malware is out there? How many new known threats are we up against?

[Chart: Differences in Detection Rates for New Malware, 2010 to 2015, y-axis 0 to 200,000,000; series: AV-Test, McAfee]

Page 7: Preventing Known and Unknown Threats

How much malware is out there? Why are different measurements being used?

Different detection logic

Different engines

Different data sources

Different market share

Different honeypots

Page 8: Preventing Known and Unknown Threats

How much malware is out there? The power of crowdsourcing

Page 9: Preventing Known and Unknown Threats

How much malware is out there?

Page 10: Preventing Known and Unknown Threats

How to Measure the Quality of Anti-malware Products

Detection coverage

Response time for an outbreak

Amount of false positives

Product quality and stability

Product vulnerabilities

Operating system compatibility

Other metrics

Page 11: Preventing Known and Unknown Threats

How to Measure the Quality of Anti-malware Products

Comparing AV-Test to AV-Comparatives

Engine Name     AV-Comparatives Performance Rating     AV-Test Performance Rating
Avira           90%                                    100%
AVG             85%                                    70%
Avast           83%                                    80%
Panda           80%                                    90%
McAfee          80%                                    80%
Threat Track    80%                                    40%
Trend Micro     78%                                    90%

Sources: 1. AV-Test, 2. AV-Comparatives

Page 12: Preventing Known and Unknown Threats

How to Measure the Quality of Anti-malware Products

Measuring the quality of anti-malware engines – from AV-Comparatives

AV Name Mar 2013 Sep 2013 Mar 2014 Sep 2014 Mar 2015 Sep 2015

Avira 99.6% 99.7% 99.2% 99.9% 99.9% 99.8%

F-Secure 99.5% 99.7% 99.6% 99.6% 99.8% 99.7%

Bitdefender 99.3% 99.5% 99.5% 99.6% 99.7% 99.8%

Kaspersky 99.2% 99.0% 99.8% 99.7% 99.9% 99.5%

Fortinet 98.6% 98.2% 99.6% 97.9% 99.6% 98.8%

Trend Micro 98.4% 98.3% 99.0% 99.5% 95.1% 95.5%

AVG 98.4% N/A 97.5% 98.4% 98.1% 93.4%

McAfee 98.0% 98.2% 99.3% 99.8% 99.7% 97.5%

Sophos 98.0% 96.5% 98.3% 98.2% 98.1% 97.2%

Avast 97.8% 97.1% 97.7% 98.6% 99.4% 99.2%

ESET 97.5% 97.1% 98.8% 98.7% 98.6% 99.2%

AhnLab 92.0% 90.6% 89.0% 93.7% N/A N/A

Microsoft 92.0% 90.1% 90.0% 90.2% 86.3% 91.4%

Page 13: Preventing Known and Unknown Threats

How to Measure the Quality of Anti-malware Products Individual Engine Vulnerabilities

[Chart: Engine Vulnerabilities Over Last 4 Years (2012, 2013, 2014, 2015), y-axis 0 to 12 vulnerabilities per engine; engines: Avira, Kaspersky, Avast, Windows Defender, ESET, Bitdefender, Trend Micro]

Source: National Vulnerability Database

Page 14: Preventing Known and Unknown Threats

How to Measure the Quality of Anti-malware Products Conclusions

We do not know exactly how much malware is out there

There is no accurate or standard measure of the quality of anti-malware engines

The quality of anti-malware engines changes from year to year

Anti-malware engines suffer from vulnerabilities

Well-known vendors miss over 10% of known threats

Page 15: Preventing Known and Unknown Threats

How to Measure the Quality of Anti-malware Products The value of a single anti-malware solution

Advantages

Detects both known and unknown threats

Some engines detect over 80% of known threats

Disadvantages

Single point of failure

Vulnerabilities

Misdetection

Detection of outbreaks may be slower or delayed

Page 16: Preventing Known and Unknown Threats

The Value of Multi-scanning

Page 17: Preventing Known and Unknown Threats

The Value of Multi-scanning Multi-scanning

Advantages

Improved malware detection

Decreased detection time for a new outbreak

Flexible patching for anti-malware engine vulnerabilities

Disadvantages

More false positives

Decreased performance

Higher costs

More vulnerabilities

Page 18: Preventing Known and Unknown Threats

The Value of Multi-scanning Advantage 1 - Improved malware detection

Antivirus 1: Detection Rate X1%

Antivirus 2: Detection Rate X2%

Combined coverage (of 100% of known threats): P(A ∪ B) = P(A) + P(B) - P(A ∩ B)

Page 19: Preventing Known and Unknown Threats

The Value of Multi-scanning Advantage 2 – Decreased detection time for an outbreak

https://www.metadefender.com/#!/results/file/5268027b71414692b64649318619e33f/history

Page 20: Preventing Known and Unknown Threats

The Value of Multi-scanning Advantage 2 – Decreased detection time for an outbreak

*Simulated time

Page 21: Preventing Known and Unknown Threats

The Value of Multi-scanning Disadvantage 1 – more false positives

Antivirus 1: 8 False Positives

Azarus package: Trojan.Generic.6304836

Buchdruck package: Gen:Variant.Zbot.29

Intrapact package: Gen:Trojan.Heur.VP2.fm0@a5Koffgi

Shellex package: Gen:Variant.Kazy.17493

Skriptum package: Exploit.CVE-2011-0977.Gen

Virtualization package: Gen:Trojan.Heur.KT.4.bq8@aqLITyf

WinnerTw package: Gen:Variant.Kazy.18603

WoodMahjongg package: Gen:Variant.Kazy.14979

Antivirus 2: 10 False Positives

AbsoluteBlue package: Win32:Malware-gen

DateCalc package: Win32:Trojan-gen

DB2EXE package: Win32:Malware-gen

Fiman package: Win32:Malware-gen

FTPcontrol package: Win32:Malware-gen

Joshua package: Win32:Malware-gen

Sardu package: Win32:Dropper-FRU

Shannel package: Win32:Fasec

ShellPicture package: Win32:Malware-gen

xComposer package: Win:32:SMorph

Source: www.av-comparatives.org

Both engines combined: 14 False Positives

AbsoluteBlue package: Win32:Malware-gen

Azarus package: Trojan.Generic.6304836

Buchdruck package: Gen:Variant.Zbot.29

DateCalc package: Win32:Trojan-gen

DB2EXE package: Win32:Malware-gen

Fiman package: Win32:Malware-gen

FTPcontrol package: Win32:Malware-gen

Intrapact package: Gen:Trojan.Heur.VP2.fm0@a5Koffgi

Joshua package: Win32:Malware-gen

ShellPicture package: Win32:Malware-gen

Virtualization package: Gen:Trojan.Heur.KT.4.bq8@aqLITyf

WinnerTw package: Gen:Variant.Kazy.18603

WoodMahjongg package: Gen:Variant.Kazy.14979

xComposer package: Win:32:SMorph
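An added example (not from the OPSWAT deck) that works through both multi-scanning slides above: the union rule P(A ∪ B) = P(A) + P(B) - P(A ∩ B) from "Advantage 1 - Improved malware detection", and the false-positive growth from "Disadvantage 1 - more false positives". All file names, verdicts and the independence assumption in independent_estimate are constructed for illustration.

```python
# Constructed ground truth: which sample files are actually malicious and which are clean.
MALICIOUS = {"dropper.exe", "macro.docm", "loader.dll", "packed.scr", "stealer.exe"}
CLEAN = {"Azarus.zip", "DateCalc.exe", "report.pdf", "setup.msi", "notes.txt"}

# Constructed per-engine verdicts: the set of files each engine flags as malicious.
ENGINE_FLAGS = {
    "Antivirus 1": {"dropper.exe", "macro.docm", "loader.dll", "Azarus.zip"},
    "Antivirus 2": {"dropper.exe", "packed.scr", "stealer.exe", "DateCalc.exe", "setup.msi"},
}


def detection_rate(flags, malicious=MALICIOUS):
    """Share of the known-malicious set that a verdict set catches (X% on the slide)."""
    return len(flags & malicious) / len(malicious)


def false_positives(flags, clean=CLEAN):
    """Clean files wrongly flagged: the cost side shown on the false-positive slide."""
    return sorted(flags & clean)


def multiscan(engines):
    """Multi-scanning verdict: a file is flagged if any engine flags it (set union)."""
    combined = set()
    for flags in engines.values():
        combined |= flags
    return combined


def union_rate(name_a, name_b, engines=ENGINE_FLAGS, malicious=MALICIOUS):
    """Inclusion-exclusion on true detections: P(A ∪ B) = P(A) + P(B) - P(A ∩ B)."""
    a = engines[name_a] & malicious
    b = engines[name_b] & malicious
    n = len(malicious)
    return len(a) / n + len(b) / n - len(a & b) / n


def independent_estimate(rates):
    """Assumption not on the slide: if engine misses were independent, the combined
    rate would be 1 - product of miss rates. Engines share samples and sources,
    so this is an estimate, not a measurement."""
    miss = 1.0
    for r in rates:
        miss *= 1.0 - r
    return 1.0 - miss


if __name__ == "__main__":
    for name, flags in ENGINE_FLAGS.items():
        print(name, detection_rate(flags), false_positives(flags))
    both = multiscan(ENGINE_FLAGS)
    print("multi-scan", detection_rate(both), false_positives(both))
    print("inclusion-exclusion", union_rate("Antivirus 1", "Antivirus 2"))
```

The union of verdicts lifts coverage from 60% per engine to 100% on this sample, and the union of false positives grows from 1 and 2 to 3, which is the trade-off both slides describe.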

Page 22: Preventing Known and Unknown Threats

The Value of Multi-scanning Disadvantage 2 – decreased performance

Page 23: Preventing Known and Unknown Threats

The Value of Multi-scanning Disadvantage 2 – decreased performance reality

Page 24: Preventing Known and Unknown Threats

The Value of Multi-scanning Disadvantage 3 – more costly

Hardware requirements

Additional IT training

Licensing cost

Bandwidth consumption

Other costs

Page 25: Preventing Known and Unknown Threats

The Value of Multi-scanning Reduce the risk of malware that is targeting specific engines

[Chart: Engine Vulnerabilities Over Last 4 Years (2012, 2013, 2014, 2015), y-axis 0 to 14 vulnerabilities per engine]

Source: National Vulnerability Database

Page 26: Preventing Known and Unknown Threats

The Value of Multi-scanning Multi-scanning

Advantages

Improved malware detection

Decreased detection time for a new outbreak

Flexible patching for anti-malware engine vulnerabilities

Disadvantages

More false positives

Decreased performance

Higher costs

More vulnerabilities

Page 27: Preventing Known and Unknown Threats

The Value of Multi-scanning

Known Threats Unknown Threats

Page 28: Preventing Known and Unknown Threats

The value of multi-scanning

Known Threats Unknown Threats

Page 29: Preventing Known and Unknown Threats

Page 30: Preventing Known and Unknown Threats

Threat prevention Data sanitization

File may be harmful -> Data sanitization -> Different file, harmless

Page 31: Preventing Known and Unknown Threats

Threat prevention Data sanitization

File may be harmful -> Reconstruct file (converting format, removing elements) -> Different file, harmless
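An added example, not code from the deck or from OPSWAT, showing the two sanitization moves on the slide above on an Office Open XML document: removing elements (the VBA macro part and the relationship that references it) and converting format (declaring the main part with the plain, non-macro content type). The content types and relationship type are the real OOXML values; the input package is constructed inline and holds only the parts the example needs.

```python
import io
import re
import zipfile

# Real Office Open XML content types and the relationship type used for VBA projects.
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_REL = re.compile(rb'<Relationship\b[^>]*Type="[^"]*/vbaProject"[^>]*/>')
MACRO_PARTS = ("vbaproject.bin", "vbadata.xml")


def sanitize_docx(data):
    """Rebuild the package part by part; returns (sanitized bytes, removed part names)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            # Removing elements: drop every part that stores macro code or macro data.
            if name.lower().endswith(MACRO_PARTS):
                removed.append(name)
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                # Drop the relationship that pointed at the macro part so nothing dangles.
                body = VBA_REL.sub(b"", body)
            if name == "[Content_Types].xml":
                # Converting format: declare the main part as a plain (non-macro) document.
                body = body.replace(MACRO_CT, PLAIN_CT)
            dst.writestr(name, body)
    return out.getvalue(), removed


def has_macro(data):
    """True if a macro part, a VBA relationship, or the macro content type survives."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        rels = b"".join(z.read(n) for n in names if n.endswith(".rels"))
        types = z.read("[Content_Types].xml")
    return (any(n.lower().endswith(MACRO_PARTS) for n in names)
            or b"/vbaProject" in rels or MACRO_CT in types)


def part_names(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def build_sample_docm():
    """Constructed macro-enabled package holding only the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" '
                   b'ContentType="' + MACRO_CT + b'"/></Types>')
        z.writestr("word/document.xml", b"<w:document><w:body><w:p>hello</w:p></w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
        z.writestr("word/_rels/document.xml.rels", b'<Relationships><Relationship Id="rId1" '
                   b'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
                   b'Target="vbaProject.bin"/><Relationship Id="rId2" '
                   b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
                   b'Target="styles.xml"/></Relationships>')
    return buf.getvalue()
```

The output is a different file, as the slide puts it: the document text survives, the macro container and every reference to it are gone, and the package now declares itself as a plain document.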

Page 32: Preventing Known and Unknown Threats

Q & A

Benny Czarny, [email protected]