Observations and lessons learned from comparing point-in-time cleaning against real-time protection

Scott Wu, Microsoft

While our main point-in-time removal tool has grown its base to over 500 million machines, with many millions of malware infections removed monthly, its database of signatures is limited to only the most widespread malware. Now, as its counterpart real-time protection solution approaches its one-year anniversary in September 2010, we have an opportunity to compare the effect these two different utilities have had on the ecosystem. This paper offers a deep dive into these rich data sets.

The paper divides the threat events into several areas, using the two approaches as a case study. Among the prevalent threats covered by the point-in-time cleaning tool, different threats and threat categories produced a variety of detection stories in the real-time solution, in terms of total detection volume, trending, reinfection rate, etc. The full package of technologies offered by a complete AV solution shows clear protection advantages over a monthly one-time on-demand cleaning tool. Observations are made on the discrepancies between these detections.

This study will include the following threat types:

  • Bots: Win32/Rustock, Win32/Srizbi, Win32/Waledac, Win32/Hamweq, Win32/Rimecud, Win32/Pushbot
  • Rogues: Win32/FakeRean, FakeXPA, FakeWebsec, Win32/InternetSecurity
  • Password stealers: Win32/Taterf, Win32/Frethog, Win32/Zuten, Win32/Banker, Win32/Bancos, Win32/Banload
  • Web 2.0 threats: Win32/Koobface, Win32/Renos
  • Drive-by downloaders: Win32/Bredolab, Win32/Zlob
  • Conficker

The study will also report any other interesting effects caused by overlaying the monthly schedule of the removal tool on a constantly updating stream of real-time detections, and anything else the data divulges as we investigate further.
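As an added illustration, not code from the paper or from Microsoft, the following script computes the three measures the abstract names (total detection volume, monthly trend, and reinfection rate) over a constructed set of detection events. The tool labels "mrt" (monthly point-in-time removal tool) and "rtp" (real-time protection), the event layout, and the rule that two reports of the same threat on one machine fewer than `min_gap_days` apart are one incident rather than a reinfection are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample events: (machine_id, tool, threat, detection_day).
# "mrt" = monthly point-in-time removal tool, "rtp" = real-time protection.
# Values are made up for illustration and do not come from the paper.
EVENTS = [
    ("m1", "mrt", "Win32/Rustock",   "2010-03-09"),
    ("m1", "mrt", "Win32/Rustock",   "2010-04-13"),  # cleaned in March, back in April
    ("m2", "mrt", "Win32/Rustock",   "2010-03-09"),
    ("m3", "rtp", "Win32/Renos",     "2010-03-02"),
    ("m3", "rtp", "Win32/Renos",     "2010-03-03"),  # blocked again next day: same incident
    ("m4", "rtp", "Win32/Koobface",  "2010-03-15"),
    ("m4", "rtp", "Win32/Koobface",  "2010-05-20"),  # genuine reinfection months later
    ("m5", "mrt", "Win32/Conficker", "2010-04-13"),
    ("m6", "rtp", "Win32/Rustock",   "2010-04-02"),
]


def _parse(events):
    """Yield events with the ISO day string converted to a date object."""
    for machine, tool, threat, day in events:
        yield machine, tool, threat, date.fromisoformat(day)


def detection_volume(events, tool):
    """Total detections per threat family reported by one tool."""
    return Counter(threat for _, t, threat, _ in _parse(events) if t == tool)


def monthly_trend(events, tool):
    """Detections per calendar month for one tool, as sorted (YYYY-MM, count)
    pairs. For "mrt" this lines up with the monthly release schedule; for
    "rtp" it is the continuous stream the abstract overlays it on."""
    counts = Counter(day.strftime("%Y-%m")
                     for _, t, _, day in _parse(events) if t == tool)
    return sorted(counts.items())


def reinfection_rate(events, tool, threat, min_gap_days=7):
    """Fraction of machines that reported the threat again at least
    min_gap_days after the start of an earlier incident (assumed rule:
    closely spaced reports, e.g. repeated blocks of one download, are
    counted as a single incident, not a reinfection)."""
    per_machine = defaultdict(list)
    for machine, t, th, day in _parse(events):
        if t == tool and th == threat:
            per_machine[machine].append(day)
    if not per_machine:
        return 0.0
    reinfected = 0
    for days in per_machine.values():
        days.sort()
        incident_start = days[0]
        for day in days[1:]:
            if (day - incident_start).days >= min_gap_days:
                reinfected += 1
                break
    return reinfected / len(per_machine)


if __name__ == "__main__":
    for tool in ("mrt", "rtp"):
        print(tool, "volume:", dict(detection_volume(EVENTS, tool)))
        print(tool, "trend:", monthly_trend(EVENTS, tool))
    print("Rustock reinfection (mrt):", reinfection_rate(EVENTS, "mrt", "Win32/Rustock"))
    print("Renos reinfection (rtp):", reinfection_rate(EVENTS, "rtp", "Win32/Renos"))
```

The `min_gap_days` threshold is the part worth tuning against real telemetry: a real-time product can log the same blocked download many times in one day, which inflates naive reinfection counts, whereas a once-a-month tool can only ever see one report per machine per release, so the two tools are not comparable without some such normalisation.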
