In 2012, Imperva, with a group of students from The Technion – Israeli Institute of Technology, conducted a study of more than 80 malware samples to assess the effectiveness of antivirus software. Based on our review, we believe:
1. The initial detection rate of a newly created virus is less than 5%. Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero. We believe that the majority of antivirus products on the market can’t keep up with the rate of virus propagation on the Internet.
2. For certain antivirus vendors, it may take up to four weeks to detect a new virus from the time of the initial scan.
3. The vendors with the best detection capabilities include those with free antivirus packages, Avast and Emsisoft, though they do have a high false positive rate.
These findings have several ramifications:
1. Enterprise and consumer spend on antivirus is not proportional to its effectiveness. In 2011, Gartner reported that consumers spent $4.5 billion on antivirus, while enterprises spent $2.9 billion, a total of $7.4 billion. This represents more than a third of the total of $17.7 billion spent on security software. We believe both consumers and enterprises should look into freeware as well as new security models for protection.
2. Compliance mandates requiring antivirus should ease up on this obligation. One reason why security budgets devote too much money to antivirus is compliance. Easing the need for AV could free up money for more effective security measures.
3. Security teams should focus more on identifying aberrant behavior to detect infection. Though we don’t recommend removing antivirus altogether, a bigger portion of the security focus should leverage technologies that detect abnormal behavior, such as unusually fast access speeds or a large volume of downloads.
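As an added illustration of the behavioral approach recommended in the last point (example code written for this page, not part of the Imperva study), the script below runs a simple detector over constructed proxy log lines. It aggregates requests and bytes per host per one-minute window, derives a fleet baseline with a robust statistic (median plus a multiple of the median absolute deviation, with an absolute floor so a tiny sample cannot produce an absurdly low limit), and flags hosts whose access rate or download volume stands out. The log format, host names, thresholds and multiplier are assumptions chosen for the example.

```python
"""Behavioral anomaly detection over constructed log lines (added example).

Flags hosts whose per-minute request rate ("unusually fast access") or
downloaded byte volume ("large volume of downloads") is far above the
baseline of the other hosts. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log, format: "<ISO timestamp> <host> <path> <bytes>".
BASELINE_LINES = [
    "2012-11-01T09:00:05 host-a /intranet/index.html 2048",
    "2012-11-01T09:00:50 host-a /intranet/news.html 4096",
    "2012-11-01T09:01:10 host-a /intranet/calendar.html 3072",
    "2012-11-01T09:00:20 host-b /intranet/index.html 2048",
    "2012-11-01T09:01:40 host-b /files/policy.pdf 180000",
    "2012-11-01T09:00:33 host-d /intranet/index.html 2048",
    "2012-11-01T09:01:02 host-d /intranet/news.html 4096",
    "2012-11-01T09:01:55 host-d /files/memo.docx 90000",
]
# host-c: 12 small requests in about ten seconds (unusually fast access).
FAST_LINES = [
    f"2012-11-01T09:00:{10 + i:02d} host-c /intranet/page{i}.html 1024"
    for i in range(12)
]
# host-e: three 8 MB downloads inside one minute (unusually large volume).
BULK_LINES = [
    f"2012-11-01T09:01:{5 + 20 * i:02d} host-e /files/archive{i}.zip 8000000"
    for i in range(3)
]
ALL_LINES = BASELINE_LINES + FAST_LINES + BULK_LINES


def aggregate(lines):
    """Per (host, one-minute window): [request count, bytes downloaded]."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, host, _path, nbytes = line.split()
        key = (host, ts[:16])  # "YYYY-MM-DDTHH:MM" gives minute granularity
        stats[key][0] += 1
        stats[key][1] += int(nbytes)
    return stats


def robust_threshold(values, k, floor):
    """Median + k * MAD (median absolute deviation), never below `floor`.

    MAD is used instead of the standard deviation so that a single heavy
    outlier cannot inflate the very baseline it is being compared against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return max(floor, med + k * mad)


def detect_anomalies(lines, k=5, rate_floor=5, bytes_floor=1_000_000):
    """Return [(host, window, [reasons])] for buckets above either limit."""
    stats = aggregate(lines)
    counts = [count for count, _ in stats.values()]
    volumes = [nbytes for _, nbytes in stats.values()]
    rate_limit = robust_threshold(counts, k, rate_floor)
    volume_limit = robust_threshold(volumes, k, bytes_floor)
    findings = []
    for (host, window), (count, nbytes) in sorted(stats.items()):
        reasons = []
        if count > rate_limit:
            reasons.append(f"fast access: {count} requests/min (limit {rate_limit:g})")
        if nbytes > volume_limit:
            reasons.append(f"large volume: {nbytes} bytes/min (limit {volume_limit:g})")
        if reasons:
            findings.append((host, window, reasons))
    return findings


if __name__ == "__main__":
    for host, window, reasons in detect_anomalies(ALL_LINES):
        print(f"{host} {window}: " + "; ".join(reasons))
```

On the constructed data only host-c (rate) and host-e (volume) are reported; the legitimate 180 KB PDF fetch by host-b stays below the byte floor even though it is well above the median, which is the reason for keeping an absolute floor alongside the statistical limit. In practice the baseline would be learned over a longer history per host or per role rather than from a single two-minute slice.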