Observations and lessons learned from comparing point-in-time cleaning against real-time protection

Scott Wu, Microsoft

While our main point-in-time removal tool has grown its installed base to over 500 million machines, with many millions of malware infections removed monthly, its signature database is limited to only the most widespread malware. Now, as its counterpart real-time protection solution approaches its one-year anniversary in September 2010, we have an opportunity to compare the effect these two different utilities have had on the ecosystem. This paper offers a deep dive into these rich data sets.

The paper divides the threat events into several areas, using the two approaches as a case study. Among the prevalent threats covered by the point-in-time cleaning tool, different threats and threat categories produced very different detection profiles under the real-time solution in terms of total detection volume, trending, reinfection rate, etc. The full package of technologies offered by a complete AV solution shows clear protection advantages over a monthly one-time on-demand cleaning tool. Observations are made on the discrepancies between these detections.

This study will include the following threat types:

  • Bots: Win32/Rustock, Win32/Srizbi, Win32/Waledac, Win32/Hamweq, Win32/Rimecud, Win32/Pushbot
  • Rogues: Win32/FakeRean, FakeXPA, FakeWebsec, Win32/InternetSecurity
  • Password stealers: Win32/Taterf, Win32/Frethog, Win32/Zuten, Win32/Banker, Win32/Bancos, Win32/Banload
  • Web 2.0 threats: Win32/Koobface, Win32/Renos
  • Drive-by downloaders: Win32/Bredolab, Win32/Zlob
  • Conficker

The study will also report any other interesting effects caused by overlaying the monthly schedule of the removal tool on a constantly updating stream of real-time detections, and anything else that the data divulges as we investigate further.

