CIO

Antivirus software can't keep up with new malware, Lastline Labs analysis finds

Startup runs malware through VirusTotal, gets depressing answer

Brand new malware is detected by only around half of antivirus programs on the day it first appears, an analysis by security startup Lastline Labs has found after running samples through the VirusTotal online scanner.

Over the last year, the firm ran hundreds of thousands of pieces of malware it had encountered through the service to see how many of the 47 antivirus products correctly identified the files as malicious.

On the first day, an average of 51 percent of the programs detected a new sample. That figure rose slowly before suddenly ramping up to 61 percent about two weeks after the malware's first submission.

Measuring detection rates using VirusTotal is not a new idea and the firm's results were more or less as might be expected; antivirus software gets better and better at spotting malware as time passes, but the detail reveals some important caveats. When no program on VirusTotal spotted a piece of malware on the first day, it took an average of two days for at least one program to detect it.

Without naming any names, it is clear that some antivirus programs are still better (i.e. faster) at detecting new malware than others, with some examples managing to elude one in ten scanners a full year after their first appearance.
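The measurement described above (detection percentage by day since first submission, days until the first engine flags a sample, and which samples are still nearly undetected a year on) can be reproduced on a scan history of your own. The following is an added illustration, not code from Lastline or the article; the engine count of 47 comes from the article, while the scan history is constructed.

```python
from statistics import mean

# Constructed scan history (not the Lastline dataset): for each sample, the
# number of engines, out of 47, that flagged it N days after first submission.
TOTAL_ENGINES = 47
SCAN_HISTORY = {
    "sample-a": {0: 24, 1: 25, 2: 26, 7: 28, 14: 30, 365: 45},
    "sample-b": {0: 0, 1: 0, 2: 3, 7: 12, 14: 25, 365: 44},
    "sample-c": {0: 0, 1: 0, 2: 0, 3: 2, 7: 9, 14: 20, 365: 42},
    "sample-d": {0: 0, 1: 0, 2: 0, 3: 0, 7: 0, 14: 0, 365: 1},
}


def detection_rate(history, day, total=TOTAL_ENGINES):
    """Mean percentage of engines flagging each sample on `day`.

    Samples with no rescan recorded for that day are skipped, so the curve
    is only as dense as the rescan schedule.
    """
    rates = [100.0 * hits[day] / total for hits in history.values() if day in hits]
    return mean(rates) if rates else 0.0


def days_to_first_detection(history):
    """For samples no engine flagged on day 0, days until the first hit.

    Samples never flagged within the recorded window are omitted rather
    than given an invented latency.
    """
    result = {}
    for name, hits in history.items():
        if hits.get(0, 0) > 0:
            continue  # caught on first submission, nothing to measure
        for day in sorted(hits):
            if hits[day] > 0:
                result[name] = day
                break
    return result


def evasive_samples(history, day, max_engines, total=TOTAL_ENGINES):
    """Samples flagged by at most `max_engines` engines on `day`.

    These are the long-lived misses that argue for supplementing signatures
    with dynamic analysis or network-level detection.
    """
    return sorted(n for n, h in history.items() if day in h and h[day] <= max_engines)


if __name__ == "__main__":
    for day in (0, 14, 365):
        print(f"day {day:>3}: {detection_rate(SCAN_HISTORY, day):.1f}% of engines")
    print("days to first detection:", days_to_first_detection(SCAN_HISTORY))
    print("evasive after a year:", evasive_samples(SCAN_HISTORY, 365, TOTAL_ENGINES // 10))
```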

So does all this tell us whether antivirus software works or not? On the basis of Lastline's findings, the answer probably depends on what is understood by the word 'works'.

The firm found that around 1 percent of malware is stubbornly hard to detect using the signature technology that is the core of antivirus software. This unusual and presumably rare malware sits undetected for months and might never make it into the signature databases of any product. Indeed, such samples were probably specially crafted to evade signature detection by simply not being common enough to be quickly spotted and fingerprinted.

This is not good if you happen to be one of the small group of firms being targeted by these programs but that's been true for some time.

"We think that 'traditional' AV technology is not dead, but needs to be complemented with other approaches (e.g., based on dynamic analysis of samples, network anomaly detection) that provide additional signals for detection," argued Lastline Labs' CTO, Giovanni Vigna.

"For us, this preliminary dataset leaves us with as many questions as answers."

As ever, it's a line that chimes with the argument by a range of more recently-founded security firms that the technology employed by the established brands is no longer good enough as a single line of defence and should be supplemented with newer technology.

Ironically, it's a message that increasingly works for the larger traditional AV vendors such as Symantec, which recently surprised the security world after an executive told the Wall Street Journal that antivirus software was "dead." But Symantec increasingly wants its business user base to move to more recent products too, and timed its historic admission to coincide with the announcement of new systems.

Lastline itself jumped the Atlantic, launching a UK wing in London's Tech City last November.