For many years the security industry has been saying that in order to be correctly protected, users should have an anti-malware and firewall solution installed and kept up-to-date with the latest signatures at all times. However, malware today is highly specialized in bypassing signature and heuristic detection and effectively infecting users. We all know that users with outdated signature databases are at risk. But what about users with the latest, completely up-to-date signature files? How protected or unprotected are they?
We have conducted two studies in consumer PCs and corporate networks, auditing over 1.5 million PCs and 1,200 networks respectively. We audited computers protected by over 40 different security vendors to see if they were at risk even if they were protected by the products' latest and up-to-date signature database.
Of the 1.5 million home PCs, only 37.45% were correctly protected with an active anti-malware solution with the latest signature database. Of these protected PCs, 22.97% still had active malware infections. One could argue that the sample selection is biased as people who scan their PCs are suspicious that something is wrong. But even taking this important fact into consideration, the results we found still indicate that a significant portion of PCs with correctly installed up-to-date protection are infected by malware.
In the corporate study a total of 1,206 companies' networks were audited. These networks were protected by a variety of different security vendors and in 69.34% of the cases they were correctly protected (active resident driver with the latest signature database). However, among the companies with more than 100 workstations audited, we found malware actively infecting computers in 71.79% of the networks.
Almost half of the infections were due to Trojans, Rootkits, Downloaders, Spyware, Bots and Banking Trojans. There is also a large share of Adware infections, as Trojanized or bot-infected machines usually also host Adware or Rogue Anti-spyware. We believe this has a lot to do with how malware writers make money through pay-per-install of unwanted programs on compromised machines.
We used a very restrictive definition of infection for the purposes of these studies. Only malware actively running in memory was considered an infection. Latent malware, i.e. malware quietly stored in a .PST file or a hard disk directory, tracking cookies and jokes were not counted as infections.
The objective of this study is to show that anti-malware, and even complete HIPS solutions, are not enough to protect against today's threats. New approaches to proactive protection such as runtime behavioral analysis and telemetry from the community are absolutely necessary layers in order to protect customers more effectively and efficiently.
The complete study can be downloaded from here.