Pierluigi Paganini May 31, 2014

A recent research conducted by experts at Lastline Labs have demonstrated that AV alone is not enough to protect computers from zero-day malware.

A recent research conducted by security company Lastline Labs revealed that only 51% of security solutions tested in a study are able to detect zero-day malware.

Experts at Lastline Labs have analyzed hundreds of thousands of pieces of malware they detected for 365 days from May 2013 to May 2014, evaluating detection capabilities of new malware against the 47 vendors featured in VirusTotal.

As explained by the researchers the principal problem is the time spent by providers of security solutions to distribute updates able to make their product efficient in the mitigation of the zero-day malware.

Experts discovered that in the cases where none of the tested AV solution detected a malware instance on the first day, it took an average of two days for its discovery, this means that in the best scenario end users will receive updates to protect their computers up to 2 days.

“On any given day, according to Lastline Labs’ analysis, much of the newly detected malware went undetected by as much as half of the AV vendors. Even after 2 months, one third of the AV scanners failed to detect many of the malware samples.” states Lastline.

The most alarming data in my opinion is that after two weeks, detection rates were up to 61 percent, demonstrating the latency in the distribution of the updates once discovered the zero-day malware.

“The least-detected malware – that is the malware in the 1-percentile ‘least likely to be detected’ category – went undetected by the majority of AV scanners for months, and in some cases was never detected at all.” according experts at Lastline Labs.

The reults of the research conducted by Lastline Labs demonstates the necessity to integrate Anti-virus protection with other security solutions. A layered approach is necessary to detect and block zero-day malware.

“We think that “traditional” AV technology is not dead, but needs to be complemented with other approaches (e.g., based on dynamic analysis of samples, network anomaly detection) that provide additional signals for detection.” added the experts.

Below key findings from Lastline Labs reports.

• On Day 0, only 51% of AV scanners detected new malware samples
• When none of the AV scanners detected a malware sample on the first day, it took an average of two days for at least one AV scanner to detect it
• After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for AV vendors
• Over the course of 365 days, no single AV scanner had a perfect day – a day in which it caught every new malware sample
• After a year, there are samples that 10% of the scanners still do not detect

Pierluigi Paganini

(Security Affairs –  Zero-day malware, Lastline Labs)