Bad News: Your Antivirus Detection Rates Have Dramatically Declined In 12 Months

We all had the nagging suspicion that antivirus is not cutting it anymore, but the following numbers confirm your intuition. I have not seen more powerful ammo for IT security budget to transform your employees into an effective "last line of defense": a human firewall.

I have covered Virus Bulletin here many times, and have kept track over the years since this is the industry I lived in for 10 years before KnowBe4, and why I started this company in 2010.

Virus Bulletin (VB) is the AV industry's premier "insider site", and shows how good/bad endpoint detection rates are, but VB also covers spam filters, and tests them on a regular basis.

Both antivirus (aka endpoint protection) and spam filter tests are published in quadrants graphing the results. What most people do not know, is that participants in this industry all share the same samples, and it's often just a matter of who gets the definition out first, because soon enough everyone else has that malware sample and blocks the hash. 

Well, there is bad news: your proactive antivirus detection rates have dramatically declined in 12 months.

Don't take my word for it. Just look at the quadrants for Jun-Dec 2015 and compare it to the most recent one for 2016. Note the fact that in 2015, the proactive detection is a bit spread out, but the midpoint hovers around 80%, and the reactive midpoint sits at roughly 90-95%. (Reactive means they know this sample, have a hash, and can block it, Proactive means this is an unknown sample and the security software's heuristics need to recognize the malware behavior.)

Next, look at the same midpoints a year later for April-Oct 2016. 

The bad guys are winning

Note that reactive detection dropped a little bit and now clusters on the 90% line, but if you eyeball proactive detection, it has dramatically dropped to 67-70%. You would expect that with modern machine-learning techniques, proactive protection would improve, but it is going the opposite direction. By the way, if your AV is not here, the vendor declined to participate, and you can draw your own conclusions about why. 

Now you might think that if AV does not catch it, your spam filter will. Think again.

Martijn Grooten at VB commented on VB's most recent spam filter test that ransomware would be much worse if it wasn't for email security solutions: "Many experts believe that ransomware is set to become an even worse problem in 2017 than it was in 2016 — which is rather bad news, given the damage it has already done.

"Still, the problem could be much worse: a test of security products performed by Virus Bulletin in November/December 2016 showed that at least 199 out of every 200 emails with a malicious attachment were blocked by email security solutions (or spam filters). Of course, the fact that spam is sent out in large volumes means that even a very low success rate is sufficient for attackers to make a good return on investment — and thus to cause a lot of damage."  Here is the quadrant for spam filters:

Now, let's have a look at that number of 1 in 200 making it through. 

Statistics, extrapolations and counting by the Radicati Group from February 2015, estimate the number of email users worldwide was 2.6 billion, and the amount of emails sent per day (in 2015) to be around 205 billion.  That is likely higher now.  DMR offers these other fascinating statistics on email, compiled in August 2015:

  • The average office worker receives 121 emails a day
  • Percentage of email that is spam: 49.7%
  • Percentage of emails that have a malicious attachment: 2.3%

Simple math shows that 100+ billion spam emails are sent every day. Of those, 2.3 billion have a malicious attachment. One half of one percent (one in 200) of those makes it through the filters, showing a surprisingly high number of 11,500,000 every day. But let's be conservative and just say millions.

That puts the potential for malware making it in your users' inbox into the millions… every day

And that is just looking at malicious attachments, of which these days 93% are ransomware.

Keep in mind that the bad guys are also very active with CEO Fraud using a spoofed "From" email address, and even more important, the most vicious attacks (like the hacks into the Clinton campaign) were based on a simple social engineering spear phish.   

The above makes a very strong case for a brand new look at your last line of defense, your users.

It makes all the sense in the world to transform them into a human firewall ASAP, and keep them on their toes with security top of mind. Step them through new-school security awareness training which combines on-demand interactive, engaging web-based training with frequent simulated phishing attacks right in their inbox. This is a very effective approach, with the best ROI of practically any IT security tool. 


Source: blog KnowBe4