So, let's suppose somebody who is involved with incident response at a typical US public University has collected a few recent malware samples from the compromised machines and then submitted all the samples to VirusTotal for scanning with pretty much ALL current anti-virus and anti-virus-like products.
What do you think the average detection rate (i.e. a malware sample was identified as "something bad") was?
Any guesses? Here are a few numbers to help you choose:
- 100%
- 94%
- 90%
- 70%
- 50%
- 33%
- 22%
- 14%
- 2%
- Something else?
Let the games begin!
UPDATE: answer posted.

UPDATE2: after much deliberation, I finally replaced anti-virus on my own systems with another technology. Read the details here.
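As an added illustration that is not part of the original post, the Python below makes explicit what "average detection rate" can mean for a batch of VirusTotal-style results: the mean over samples of the fraction of engines that flagged each one, versus the per-vendor rate and the "caught by at least one vendor" rate that come up in the discussion. The scan data is constructed, not real VirusTotal output.

```python
from statistics import mean

# Constructed data (not real VirusTotal results): for each submitted sample,
# which engines reported it as "something bad" (True) or clean (False).
SCAN_RESULTS = {
    "sample_a": {"EngineA": True,  "EngineB": False, "EngineC": True,  "EngineD": False},
    "sample_b": {"EngineA": False, "EngineB": False, "EngineC": False, "EngineD": False},
    "sample_c": {"EngineA": True,  "EngineB": True,  "EngineC": True,  "EngineD": True},
}


def per_sample_rate(results):
    """Fraction of engines that flagged each sample (VirusTotal's per-file ratio)."""
    return {name: sum(verdicts.values()) / len(verdicts)
            for name, verdicts in results.items()}


def average_detection_rate(results):
    """Mean of the per-sample rates: the number the post asks readers to guess."""
    return mean(per_sample_rate(results).values())


def per_engine_rate(results):
    """Fraction of samples each vendor caught: the 'per vendor' view."""
    engines = sorted({e for verdicts in results.values() for e in verdicts})
    rates = {}
    for engine in engines:
        verdicts = [v[engine] for v in results.values() if engine in v]
        rates[engine] = sum(verdicts) / len(verdicts)
    return rates


def any_vendor_rate(results):
    """Fraction of samples flagged by at least one engine: the most optimistic view."""
    return sum(any(v.values()) for v in results.values()) / len(results)


if __name__ == "__main__":
    print("per sample:", per_sample_rate(SCAN_RESULTS))
    print("average detection rate:", round(average_detection_rate(SCAN_RESULTS), 3))
    print("per engine:", per_engine_rate(SCAN_RESULTS))
    print("caught by at least one vendor:", round(any_vendor_rate(SCAN_RESULTS), 3))
```

The same batch gives a 50% average rate but a 67% "at least one vendor" rate, which is why the guesses in the comments differ depending on which figure the guesser has in mind.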
6 comments:
Somebody said "14%" but I accidentally moderated it away so I am reposting.
Most if not all the products used by VirusTotal are of the known-malware scanner variety, so I would expect any new malware to be detected by relatively few of them... anywhere below 50% sounds reasonable (anything above and the malware isn't really all that new)...
The exact percentage will depend on a lot of things, but usually the age, and the difference between 2% and 14% can be simply a matter of hours...
Another guess I got via email - 60%
BTW, I never said "new malware" - malware was collected days if not weeks before submission to VirusTotal.
I would give 70% or less. I'm assuming that the malware was detected by at least one vendor on something more than "hrmm, kinda suspicious, I don't really get it, but the safe answer is to be skeptical..."
As far as each vendor, I'd dip down to 50% and less...
I would not disclose the answer yet - I want to keep the game running for a bit longer, but, LonerVamp, you are sorely, sadly wrong :-)
>I'm assuming that the malware was detected
>by at least one vendor on something
I too indulge in wishful thinking sometimes :-)
Less than 5% for sure.