Qualys Blog


AV or no AV

Last week Brian Krebs published an excellent blog post that shows how badly antivirus solutions fare against modern e-mail-based threats. The research was conducted by a team at UAB, which focused on malware received through e-mail, either attached directly or linked through a URL. Each sample was then run through VirusTotal and the detection rates were captured in a database.

The results show that detection rates were only about 25%, and confirm that malware authors have become experts at constantly generating new "unknown to AV" versions of their malware. Take the results with a grain of salt, though: in the real world detection rates might be higher, because VirusTotal exercises only the signature engines and not the behavioral blocking in modern AV solutions. (Here is a short discussion on the topic.)

Vaccinate, rather than cure

In the human health sector, we have all accepted that prevention is better than remediation. The same reasoning applies to our IT infrastructures: avoiding the malware infection is superior to curing it after the fact. Sorting UAB's spreadsheet, we see that two-thirds of the e-mails delivered their attack through a link to a web site running an exploit kit, which uses its catalog of exploits for known flaws in the browser or its plug-ins to install the malware. That points to the easiest way to prevent infection: keep your browser and its plug-ins at the latest version and you are immune to the browser-borne attacks these kits carry, because every exploit in the catalog targets a flaw the vendor has already patched. Keep your applications, such as Microsoft Office, Adobe Reader and Apple QuickTime, current and you are immune to the document-attachment attacks as well.
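The verification step is the part most organizations skip: after patching, something has to confirm that every host actually runs a current version of the products above. The following PowerShell script is an added example, not code from the Qualys post, that inventories those products from the Windows Uninstall registry keys and flags any that fall below a baseline the administrator sets. The DisplayName patterns assume typical vendor naming, and the baseline version numbers are placeholders (assumptions) to be replaced from the vendors' current release notes.

```powershell
# Added example (not from the Qualys post): inventory browser, plug-in and
# document-reader versions and flag any below an administrator-set baseline.
#
# Windows records installed software under these Uninstall keys; 64-bit hosts
# keep 32-bit products under WOW6432Node, and per-user installs under HKCU.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Baseline: regex matched against DisplayName -> minimum acceptable version.
# ASSUMPTION: the '0.0' values are placeholders, not real release numbers;
# replace them with the current versions from each vendor's release notes.
# The name patterns assume the vendors' usual DisplayName strings.
$baseline = [ordered]@{
    'Adobe (Reader|Acrobat)' = [version]'0.0'
    'Adobe Flash Player'     = [version]'0.0'
    'Java(\(TM\))? \d'       = [version]'0.0'
    'QuickTime'              = [version]'0.0'
    'Microsoft Office'       = [version]'0.0'
    'Mozilla Firefox'        = [version]'0.0'
    'Google Chrome'          = [version]'0.0'
}

function Convert-ToVersion([string]$Text) {
    # Vendors do not always store a clean dotted version; keep only the
    # leading digits-and-dots run so "10.1.3 (1.6)" still parses as 10.1.3.
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') {
        return [version]$Matches[1]
    }
    return $null
}

$report = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $entry = $_
        foreach ($name in $baseline.Keys) {
            if ($entry.DisplayName -match $name) {
                $installed = Convert-ToVersion $entry.DisplayVersion
                # UNKNOWN means the version string could not be parsed and
                # needs a human look; never silently treat it as OK.
                if ($null -eq $installed) { $status = 'UNKNOWN' } elseif ($installed -lt $baseline[$name]) { $status = 'OUTDATED' } else { $status = 'OK' }
                [pscustomobject]@{
                    Product   = $entry.DisplayName
                    Installed = $entry.DisplayVersion
                    Minimum   = $baseline[$name]
                    Status    = $status
                }
                break   # first matching baseline entry is enough per product
            }
        }
    } | Sort-Object Product -Unique

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled patch-verification job fail on any
# host that is OUTDATED or UNKNOWN, so it shows up in central reporting.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it from a scheduled task or a configuration-management agent and collect the exit code centrally; a host that reports OK for every product on the list is not exposed to the known-flaw exploits these kits carry, which is exactly the claim the paragraph above makes.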


Zero-days are hard to defend against, but due to pure economics it is unlikely that you will encounter them in run-of-the-mill malware attacks. The vulnerabilities that companies such as Adobe, Apple and Microsoft address are found by security researchers and are worth between $500 and $5,000 USD on the official market. If the vulnerability comes with an exploit, that is, the researcher does not merely point out the flaw but includes working code to use it, the price goes up at least tenfold. Google recently paid $60,000 USD to two security researchers for an exploit in Chrome, and a third group rejected that offer as too low. The high cost of a zero-day exploit means attackers reserve them for very valuable targets. In addition, using them on a larger scale only leads to detection by security companies and patching of the underlying vulnerability by the vendor. Stuxnet is the canonical example: it was only discovered once it spread beyond its initial target set.

AV or no AV

While AV tools may have lost value for IT admins, they still provide protection against known threats and can be used to extract useful security metrics, such as the ratio of realtime to batch-scan detections. They should not, however, be your highest priority in IT security. I recommend investing first in patch management and verification tools. AV will not go away, though: Windows 8 ships with it in the base operating system, and most organizations will have to continue running managed AV solutions, if only to satisfy compliance requirements.
