Saturday, August 25, 2012

How quickly signatures are created determines whether a virus is ever detected

The speed at which signatures are created directly affects virus detection


Carbon Black, a company that develops virus-detection solutions based on online services, has conducted an interesting study. According to Carbon Black's findings, if a virus's signature is not added to a product's signature database within the first six days after the virus is first detected, the signature will most likely never appear in that database, so the product will never be able to detect the virus.


Vendors of more traditional antivirus products responded to Carbon Black's claims immediately, rightly pointing out that the study's methodology had a number of serious flaws.

Carbon Black's conclusion is a disappointing one: antivirus vendors have a very small "window" in which to identify and block an attack. The study used 84 malware samples taken from a shared directory on VirusTotal and 43 commercial antivirus products from reputable vendors. The statistics showed that if an antivirus product had not received a signature for a "new" piece of malware within the first six days after it was first detected, then in most cases that signature still had not appeared in the product's database after 30 days.

Criticism of Carbon Black's conclusions came immediately from David Harley, senior research fellow at the antivirus company ESET. Harley pointed to a number of methodological errors that may have distorted the results and led to incorrect conclusions. In particular, the samples available on VirusTotal are not exact copies of the real malware found on client machines. In addition, Carbon Black itself acknowledges that it examined only static signature detection, which is just one of the many methods today's security products use to block malicious code. Another potential problem Harley raised is that some of the samples, which came from the malc0de.com feed used in the study, may be mere "junk" applications that antivirus vendors do not consider a significant threat, so their detection is simply ignored.

Be that as it may, the results do legitimately support the claim that some malware will remain unnoticed by protective systems forever if its signature is not added to the detection database promptly. Carbon Black's experiment once again showed that several antivirus programs are better than one, which was to be expected. On the other hand, Carbon Black's findings are a real slap in the face for the entire antivirus industry, which has long assured consumers that, given enough time, every virus eventually becomes detectable by antivirus solutions.

The same David Harley admits that the example of the Stuxnet virus and its variants showed that the entire protective-systems industry can completely lose sight of a whole class of threats for a long time. However, Harley added that in most real-life situations protection against genuinely urgent and dangerous threats is provided with reasonable promptness.

Another Carbon Black experiment showed that some antivirus products, 30 days after the start of a test against a fixed set of samples, detected fewer of those samples than they had on the first day of the "epidemic". According to Carbon Black's experts, this may be because antivirus companies remove signatures they no longer consider relevant. David Harley disputes this explanation: he believes there may be other reasons, including the removal of false positives, the reclassification of threats, and even errors in sample processing.
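To make the two measurements above concrete (the six-day window from the first experiment, and the day-1 versus day-30 regression from the second), here is an added example of how such statistics are computed from per-engine scan snapshots of the kind VirusTotal returns. This is not Carbon Black's tooling and not code from The Register's story; the sample names, engine names "A", "B", "C" and all detection results are constructed for illustration, and the rescan days are assumed to be sparse (day 0, 1, 6, 30), as they would be for periodic rescans.

```python
"""Detection-window analysis over VirusTotal-style per-engine scan snapshots.

Added example; not Carbon Black's code.  The data below is constructed, not
real scan results.  Each sample maps a day offset (days since the sample was
first submitted) to the set of engines that flagged it on that rescan.
"""

# Constructed data: placeholder sample names, placeholder engines "A", "B", "C".
SNAPSHOTS = {
    "s1": {0: {"A"}, 1: {"A", "B"}, 6: {"A", "B"}, 30: {"A", "B"}},
    "s2": {0: set(), 1: {"B"}, 6: {"B"}, 30: {"B"}},        # only B ever catches it
    "s3": {0: set(), 1: set(), 6: set(), 30: {"A"}},        # A adds it after the 6-day window
    "s4": {0: {"C"}, 1: {"C"}, 6: {"C"}, 30: set()},        # C later drops the detection
    "s5": {0: {"A", "C"}, 1: {"A", "C"}, 6: {"A", "C"}, 30: {"A", "C"}},
}
ENGINES = ("A", "B", "C")


def flagged_at(scans, engine, day):
    """Did `engine` flag the sample as of `day`?  Uses the most recent snapshot
    taken on or before `day`; before the first snapshot it counts as not flagged."""
    prior = [d for d in scans if d <= day]
    if not prior:
        return False
    return engine in scans[max(prior)]


def flagged_within(scans, engine, days):
    """Did `engine` flag the sample on any snapshot in the first `days` days?
    Unlike flagged_at, a detection that was later dropped still counts here."""
    return any(engine in hits for d, hits in scans.items() if d <= days)


def window_stats(samples, engines, early=6, late=30):
    """Per engine: samples caught within `early` days, samples first caught
    between `early` and `late`, and samples still uncaught at `late`.
    This is the measurement behind the six-day claim."""
    stats = {}
    for eng in engines:
        counts = {"early": 0, "late": 0, "never": 0}
        for scans in samples.values():
            if flagged_within(scans, eng, early):
                counts["early"] += 1
            elif flagged_within(scans, eng, late):
                counts["late"] += 1
            else:
                counts["never"] += 1
        stats[eng] = counts
    return stats


def regressions(samples, engines, day_a=1, day_b=30):
    """Engines that flag fewer of the fixed sample set on day_b than on day_a
    (the second finding).  Returns {engine: (count_on_day_a, count_on_day_b)}."""
    out = {}
    for eng in engines:
        a = sum(flagged_at(s, eng, day_a) for s in samples.values())
        b = sum(flagged_at(s, eng, day_b) for s in samples.values())
        if b < a:
            out[eng] = (a, b)
    return out


def union_vs_best(samples, engines, day=30):
    """Samples caught by at least one engine versus by the best single engine,
    both as of `day`: the 'several scanners beat one' comparison."""
    per_engine = {eng: sum(flagged_at(s, eng, day) for s in samples.values())
                  for eng in engines}
    union = sum(any(flagged_at(s, eng, day) for eng in engines)
                for s in samples.values())
    best = max(per_engine.items(), key=lambda kv: kv[1])
    return union, best


if __name__ == "__main__":
    for eng, c in window_stats(SNAPSHOTS, ENGINES).items():
        print(f"{eng}: caught<=6d {c['early']}, caught 7-30d {c['late']}, "
              f"missed@30d {c['never']}")
    print("day-1 -> day-30 regressions:", regressions(SNAPSHOTS, ENGINES))
    print("union vs best single engine at day 30:", union_vs_best(SNAPSHOTS, ENGINES))
```

Note the two different questions the functions ask: `flagged_within` answers "was a signature ever shipped in the window", while `flagged_at` answers "is the sample flagged on that day". Sample `s4` shows why the distinction matters for Harley's objection: engine C caught it on day 0 and dropped it by day 30, which shows up as a regression, and the data alone cannot say whether that was signature pruning, a false-positive removal, a reclassification, or a processing error.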

Source: The Register
