back to article Study: If your antivirus doesn't sniff 'new' malware in 6 days, it never will

Mainstream antivirus software only has small window for detecting and blocking attacks, according to a controversial new study. Host-based intrusion prevention firm Carbon Black found that if an antivirus package had failed to detect a piece of 'new' (recently discovered) malware within six days of its first being detected by …


This topic is closed for new posts.
  1. Graham Cluley

    Flawed methodology

    From VirusTotal's own website:

    "Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology"

    In a nutshell, it ain't a real world test, as VirusTotal does not (and doesn't claim to) mimic the protection that users would experience in the real world where they may have multiple levels of protection, cloud-based lookup, runtime behavioural analysis etc etc..

    1. LarsG

      Re: Flawed methodology

      Realistically it's the one you don't see that causes the most damage.

    2. Gordon Fecyk

      So what does Sophos do instead?

      So Graham Cluely is here. I wondered where my downvotes were coming from... :-)

      Seriously, six minutes is too long a time window, never mind six days. Malware scanners all fail to catch new malware because of their design, including scanners from Sophos.

      How does Sophos avoid being infected when their customers get infected? I want that solution and I want a quote for it.

      1. Anonymous Coward
        Anonymous Coward

        Re: So what does Sophos do instead?

        1. Sophos run Linux Desktops

        2. Symantec helpdesk once had a virus infection, I witnessed it. Hours of shutting down all workstations, cleaning them one by one, putting them onto the net again ...

        ./inTheBunker -i beer

        1. Gordon Fecyk
          Thumb Down

          [citations needed]

          1. Sophos has to run Windows if at least to test their own retail products.

          2. A major AV firm falling victim to malware would be a headline in mainstream media, let alone the IT press. A cursory search revealed nothing to me.

  2. Anonymous Coward


    "What this means is that, on average, if AV doesn’t detect a piece of malware almost immediately, it likely never would."

    "Stuxnet and its siblings have proved pretty conclusively that the entire security industry can completely miss a significant threat for extended periods,"

    Don't these statements blatantly contradict each other?

    1. Anonymous Coward
      Anonymous Coward

      Re: Eh?


  3. AlbertH

    What do you expect if you "run" Windows?

    There is a simple solution:

    Don't "run" Windows.

    MS have always left their products open to malware and other abuse (probably deliberately) and have always hoped to maintain "security through obscurity". Their approach is so fundamentally flawed that their products are just not suitable for any serious use. Business users really do need to look elsewhere.

    Fanboys need to note: Apple isn't significantly better. We're seeing ever more malware for Apple products, and some of the stupid "usability" decisions taken in Cupertino are now biting back. They're only a few years behind MS in their vulnerability!

    1. Callam McMillan

      Re: What do you expect if you "run" Windows?

      Have you considered that many people don't get a choice of what system to run? Furthermore, it doesn't matter what O/S you run, you're at risk of malware, all that changes is the chance and likelihood of infection. That's why enterprise Linux servers will still run an AV program because it's better to do so than take on the additonal risk.

      As for "MS have always left their products open to malware and other abuse (probably deliberately)", whether you like Microsoft or not, this is seriously venturing into Tin-Foil hat territory!

      1. Anonymous Coward
        Anonymous Coward

        @Callam McMillan - Re: What do you expect if you "run" Windows?

        You're wrong. Enterprise Linux servers will run antivirus because they are managed by Windows minded people but it doesn't make it less laughable. Besides that those poor Linux machines will wast their time scanning for Windows malware.

        1. Callam McMillan

          Re: @Callam McMillan - What do you expect if you "run" Windows?

          Actually, everywhere I have ever worked, the Unix systems have been run by Unix guys because the Windows lot (myself included) have little more than a rudimentary grasp of the command line and Unix administration. That is neither here nor there though - there is a small amount of malware for Linux which could still cause problems in a production environment - hence the reason for AV software. As for scanning for Windows viruses, if your Linux server provides mail or file server capabilities to Windows desktops then I'd damn well expect it to scan for Windows malware.

          Oh, and yes, I know I shouldn't feed the trolls, but I love to argue!

          1. Anonymous Coward
            Anonymous Coward

            @Callam McMillan - Re: @Callam McMillan - What do you expect if you "run" Windows?

            So, you don't really like to quit it! First of all, I said those poor Unix servers are being managed by Windows minded people (of which you seem to be one) not administered by them. Second, are you trying to tell me a Windows shop will allow Linux file servers ? And mail instead of their beloved Exchange servers ? On our Planet Earth ? I am not a troll and I have a long experience in IT by now, although not in Windows environments and I've worked for small and large companies in almost every field of activity and yet I have to see one with Unix servers running AV software. Oh, and just so you don't ask me, I'm not from the third world.

      2. AlbertH

        Re: What do you expect if you "run" Windows?

        I LOVE MS!

        They've kept me in business for years! Their lack of any real security has built my security business

    2. Captain Scarlet Silver badge

      Re: What do you expect if you "run" Windows?

      Even better solution turn it off, no matter what OS you run there will be bugs or issues with the way its designed.

    3. Wize

      Re: What do you expect if you "run" Windows?


      Surely you are using "security through obscurity" yourself.

      If all the banks, government, etc had Linux (or what ever brand of operating system that has a group of users claiming its 100% virus free) then there would be viruses written for it.

      But as things stand, there is no worth in trying to hack them. No big financial gain compared to going for the bigger target of Windows machines.

      One might argue that its 'poorly configured Windows machines' being infected. I'm sure in the hands of the same users, Linux will be just as badly configured.

  4. Comments are attributed to your handle

    I was waiting for the part where Carbon Black introduces it's new antivirus package that guarantees detection in 5 days or less.

  5. Steve Evans

    uh hur...

    I have pseudocode for this:

    - If article subject = AV_scare then scan article for study author.

    "Host-based intrusion prevention firm Carbon Black" - Check

    - If author in interested parties then salt=salt+10000

    Hmmmm... salty.

  6. Ian K

    "However David Harley, a senior research fellow at antivirus vendor Eset"

    Can you really be a "senior research fellow" just because your commercial employer calls you one?

    If you believe the online dictionaries, it's a position that's either academic or at the very least granted by a learned society...

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022