Study: Most Used Antivirus Take up to 6 Months to Catch Threats

The four most used antivirus have been put to the test and found wanting. We are not surprised.

Comodo long ago concluded that the conventional approach to Internet security, which relies on preventing harm by detecting known threats, is fundamentally flawed. That’s why we have architected solutions that go beyond detection to prevent and contain threats that detection cannot address.

A recent study by the security firm Damballa provides ample evidence that our premise is correct, documenting their fundamental flaw which they refer to as malware “dwell time”. This the time period from when a malware file compromises a system and the time the antivirus is able to detect it.

In a test of the four most used antivirus software, 36% of the test malware were not detected within the first 24 hours. A full week later 28% remained undetected. In fact, it took more than six months before these products detected 100% of the test intrusions!

Damballi concludes that infection dwell time is a by product of the failure of the detection approach to prevention. Most antivirus leave you unprotected and vulnerable to the infections during this period.

All it takes is one failure to open the door for hackers to have free reign with worst case consequences, and the volume of threats to respond to is truly overwhelming. Damballa cites a 2015 Poneman Institute report that shows that the average enterprise receives 17,000 malware alerts weekly from their IT security products and that a mere 4% of these alerts triggered investigations by the IT staff.

Conventional security is typically augmented with additional layers, most significantly behavior analysis that looks for known malicious behavior. While such approaches go a step beyond reliance on the signature file of known threats, they have not been able to prevent worst case scenarios at high profile organizations

antivirus software is like a bomb disposal unit that has not yet figured out where the bomb is. They have to find the bomb to defuse it. Even worse, if the bomb goes off before it is detected the surroundings are unprotected!

If the bomb disposal unit knows about a threat they can usually deal with it. It is the unknown threats that blow up!

Sandboxing vs Auto-Sandboxing

Some antivirus provides a secure system area called a Sandbox where you can safely run a suspicious. Think about it like a criminal suspect who is held in jail while the police investigate a crime. Unfortunately, they rely on the user to make the decision to put the file in the sandbox. Most users are not able to make that call or make it correctly on a consistent basis.

Unknown files that turn out to be malicious are often called “zero-day threats”. These are threats that are being spread by hackers but have not yet been identified by security experts and security software vendors have not yet been able to update their systems with a solution. For conventional antivirus this a worse case scenario.

For Comodo Internet Security software, a zero day threat is just another day at the office and not to be feared by our users.

Comodo Security Solutions various endpoint solutions include a unique architecture called default-deny Auto-Sandboxing. Unlike conventional PC security which allow access unless a threat  is confirmed, Comodo Systems deny access to the system if it is an unknown file. The file may run in a sandbox where it can be further analyses, but can do no harm to your system or files.

This is part of a broader strategy called application containerization where you can operate safely even on an infected endpoint. What does a bomb disposal unit do with a bomb they have located? If possible they put in a secure containment unit where they can still work with it, but if it explodes all will still be safe. A sandbox accomplishes much the same thing with potentially malicious software. Comodo can analyze it, but if turns malicious the threat is contained.