and I say we are detecting between 400,000 and 10,000,000 malware!
Thursday June 19, 2008 at 1:15 pm CST
Posted by Francois Paget
This week in Paris, a friend asked me how the anti-virus situation was going and how we will be able to face up to the unexpected increase in malware number. “In a day, one of your competitors announces more than 1.7 million new detections. Its total detection jumped from 74,000 to 1,800,000! If this keep this up, the level of 2 million viruses will be overtook rapidly”, he said. Humorously, the man I was talking to concluded: “and you [McAfee], you still detect less than 400,000 threats?”
Counting malware can be quite a tricky business. At McAfee, and with each anti-virus definitions for VirusScan, we announce how many threats we are detecting with each new DAT release. This figure, however, is a *family* count. Yesterday (June 17th, 2008), the clock said 407125.
In September 2004 with DAT release 4391we reached 100,000 threats detected. With the 4800 release on May 2006 the number of threats detected reached 200,104 detections. This figure doubled in 2 years, and the situation could be analyzed as follow:
To explain how it was possible to pass from 74,000 to 400,000 or to 1,800,000 malware, I informed my friend we had to take into consideration AV researchers “zoos” - in other words: “collections” – consisting of several million malware samples (sometimes we use the term “unique samples”) collected each day. I explained to him we had, roughly, in our high-security servers, 10,000,000 files:
- classified by family
- often with a vast number of variants
- sometimes with multiple infected files from a single malware variant (when it is parasitic or polymorphic), or when malware authors configure their threats to serve a binary-unique version with each download. In that case, some zoos contain 1 or 2 *versions* while others will have 10,000 and others still 100,000!!
- without forgetting the terrific “miscellaneous” subfolder for files that we cannot pigeonhole
Of course, I said almost all were detected and consequently all these prediction numbers were not gospel truth. I added they were only useful to establish a long-term trend on condition that their computation complies with a single rule as time goes by.
To end my demonstration I searched for real figures. Firstly I fell on AV-test.org statistics. On their site, they explain they manage 60 terabytes of testing data, including several million malware samples and clean files. They tests malware on all important desktop and server platforms, including all currently supported versions of Windows, Linux, Solaris, Unix, Lotus Domino/Notes and MS Exchange. Having just recently received from Germany some figures summarizing their malware collection items, I precisely heard of the size of their collection which exceeded 11 million unique samples (11,002,741 in April 2008).
Strengthened by this number, I was pretty sure we had - at McAfee - the same volume including parasitic and polymorphic malware for which we had to own multiple samples. I asked for a confirmation and received some figures I entered in this other chart:
While I wrote this blog entry, I imagined the reader surprise: in 3 months (from January 31 to April 30) collections increased by 2,880,000 million samples (at McAfee) and by 1,700,000 million samples (at AV-test.org); an average of 760,000 new files each month… This is true, and it is why we constantly work on new technologies to answer this challenge.
To conclude this blog entry, I propose to you the following……. It demonstrates that it is possible to announce that we detected, at the end of 2007, “between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And I predict we will detect at the end of 2008 between 450,000 and 22,000,000 malware”. OK, I joke a bit, but I also want to demonstrate there are many manners to count malware and you must not judge a product only by the announced number of detections.
June 20th, 2008 at 09:29
Wouldn’t it be better to write a security system which prevented the threats which have not yet occurred, rather than those which you already know about? If there are 760k new samples in a month, how many of those were detected a-priori, that is before the detector was modified to include them?
June 20th, 2008 at 16:26
Lots of China’s Trojans cannot be detected.
Add more detections about them.
Analysis and analysis malwares….
June 21st, 2008 at 19:19
I dont think so… just this year, we find a lot of kind o viruses that McAfee didnt detect, and others like karspersky did.
June 22nd, 2008 at 02:38
It’s up to McAfee to decide assign a new name for a new virus or categorize in old virus. All experienced experts know these huge numbers that new anti-virus products declare what means!
But the unacceptable thing is McAfee delay with new threats.
Some days ago I found an unknown virus that copies itself in each folder with the same name as the folder and makes all folders hidden. I submitted it to WebImmune. I expected that WebImmune would respond me after doing some tests. I waited for almost three days but no solution was provided by McAfee. Finally I decided to send an email to McAfee and asked them to provide me a solution or better still an EXTRA.DAT. Their answer that was full of questions that McAfee is supposed to answer me (like why do you suspect this file?) disappointed me. After replying the email and answering all questions, they asked me some log files. I have provided all of them but unfortunately nothing was provided by McAfee. Meanwhile, our network was going done under this new virus. I have traced all other anti-virus reactions for this threat in VirusTotal (www.virustotal.com). For first day there was no anti-virus that can detect this threat. But this number was going up. After almost 10 days finally I could find an EXTRA in WebImmune.
Although, the description of viruses are too old and for many new viruses there isn’t any description on NAI.com.
Many people around the world are proud that they use McAfee products. They believe McAfee is an experienced company in dealing with viruses.
You, your colleagues and also we as customers can improve it.
June 26th, 2008 at 04:50
We use McAfee in the Enterprise and our average detection rate this year has been 60% McAfee versus 40% detected using IDS signatures. In the last month that’s down to 35% detection rate for McAfee. To be fair that’s pretty typical of what we’ve seen from all of the vendors but it doesn’t bode well for anyone who deploys antivirus as the solution for malware.
July 1st, 2008 at 11:02
[...] While reading my colleague François Paget’s recent blog about detection numbers, I noticed that something about the graph illustrating the growth of the [...]
July 1st, 2008 at 11:02
[...] While reading my colleague François Paget’s recent blog about detection numbers, I noticed that something about the graph illustrating the growth of the [...]
July 6th, 2008 at 01:16
[...] reading my colleague François Paget’s recent blog about detection numbers, I noticed that something about the graph illustrating the growth of the [...]
July 11th, 2008 at 07:40
[...] reading my colleague François Paget’s recent blog about detection numbers, I noticed that something about the graph illustrating the growth of the [...]
September 20th, 2008 at 03:41
[...] and on blogs of articles referring to the detection capacity of various security firms. Sophos, McAfee and F-Secure are among those who have been publishing figures regarding the number of malicious [...]
February 5th, 2009 at 06:29
[...] another look at the complexity of counting malware detections, please see Francois Paget’s blog as [...]