Saturday, February 10, 2007

Zero Day Analysis & Antivirus Rankings

One of the conversation threads prevalent right now is malware detection. Specifically, what methods should be relied upon to determine the success of an anti-malware product? Does it really make sense to rank AV products using signatures and years-old samples any more?

Clearly, the answer is "no". We need a better approach - one that purchasers can rely on to protect their systems from the threats of tomorrow. From a purchasing standpoint, ranking systems need to be truly informative. Most of the people that I talked to at RSA this week were not concerned about detection rates of viruses from five years ago - what they are looking for is a ranking system that can show them how the various antimalware companies deal with real-time detection of brand-new threats.

The guys who work on tuning the Authentium Antimalware heuristics engine understand this, and they are doing an incredible job. According to Robert Sandilands, our head virus researcher, our heuristics-based malware detection methods are stopping an increasing amount of malware on the fly - including 90% of everything we encountered in the wild on Jan 29th. See Robert's blog for the graph.

Signature-only systems are working overtime, locked in hand-to-hand combat with Warezov and Storm, the two worst pieces of malware currently circulating. Our guys are spending their time tuning the engine, with far better results, both in terms of detection and speed to market of protection.

Certifying authorities - it's time for a "zero day detection" bake-off. Let's see who's really got the goods when it comes to detecting malware.
