1 + 1 != 2 in malware scanning

Taeil Goh OPSWAT

No single anti-malware product has delivered 100% detection of threats, and this fact will most likely not change in the near future. Developers of security solutions can choose to integrate multiple anti-malware products to minimize the risk of missing threats to their system, because each anti-malware product has a better or worse detection rate than the others depending on factors such as the type of threat. However, the increase in detection rate gained by utilizing multiple anti-malware products comes at a price:

    1. Performance degradation of the solution, as multiple engines perform the same tasks on the same data,
    2. Increased solution vulnerability, since threats are exposed to more anti-malware products and data analysis tools such as file type detection libraries,
    3. Increased potential for false positives reported by the solution, and no standard for making a final decision based on differing results from different products.

In this paper, we will examine the potential and pitfalls of aggregating multiple anti-malware products into a single security solution, drawing upon our experience of working with as many as dozens of engines in parallel.

Various test results on different products, which will be presented later in the paper, show at least two things. Even the anti-malware product with the best detection rate can simply miss threats. Furthermore, the anti-malware product with the best detection rate in one test will not be the best in another testing configuration. Integrating multiple anti-malware engines (multi-scanning) comes into play to cover the imperfections of a single anti-malware product. This approach has already attracted many developers and services, including Microsoft Forefront Security for SharePoint and Google Postini Services.

In this paper, we first examine several outstanding test results from different test labs such as AV-Comparatives and other anti-malware test labs and then examine a few use cases of multi-scanning.

Next, we will identify the redundant tasks of different anti-malware products and introduce ways to optimize total scanning speed without losing detection.

In the third part of our paper, we will discuss a resilient design of integrating multiple anti-malware products into a single security solution without being affected by the failure of any component. Further, we will introduce a reliable way of detecting failure and ensuring the sanity of each solution component in order to maximize the benefit of multi-scanning.

Finally, our paper will address the reduction of false positives through whitelisting and frequent engine updates applied without pausing ongoing scans.
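To make the design goals above concrete, here is an added example (not the paper's or OPSWAT's code) of a small multi-scanning aggregator: it fans a sample out to several engines in parallel, records a crashed engine as an error instead of failing the whole scan, refuses to call a file clean when no engine actually worked, suppresses results for whitelisted hashes, and applies an explicit "how many engines must agree" policy. The engines themselves are constructed stand-ins that match marker strings; `scan_multi`, `sha256_hex` and the marker names are assumptions of this example.

```python
# Added example, not from the paper: a resilient multi-engine scan aggregator.
import hashlib
from concurrent.futures import ThreadPoolExecutor


def sha256_hex(data):
    """SHA-256 hex digest used as the whitelist key (hypothetical helper)."""
    return hashlib.sha256(data).hexdigest()


def scan_multi(data, engines, whitelist=frozenset(), min_detections=1):
    """Scan `data` with every engine and combine the verdicts.

    engines: {name: callable(bytes) -> threat name or None}. An engine that
             raises is recorded as "error" and does not abort the scan.
    whitelist: SHA-256 hex digests of known-good files (false-positive control).
    min_detections: engines that must agree before the verdict is "infected".
    """
    if sha256_hex(data) in whitelist:
        return {"verdict": "clean", "reason": "whitelisted", "results": {}}
    results = {}
    with ThreadPoolExecutor(max_workers=len(engines)) as pool:
        futures = {name: pool.submit(fn, data) for name, fn in engines.items()}
        for name, fut in futures.items():
            try:
                threat = fut.result()
                results[name] = ("infected", threat) if threat else ("clean", None)
            except Exception as exc:  # engine crash, bad update, I/O failure ...
                results[name] = ("error", repr(exc))
    detections = sum(1 for status, _ in results.values() if status == "infected")
    usable = sum(1 for status, _ in results.values() if status != "error")
    if usable == 0:
        verdict = "unknown"  # never report "clean" on the strength of zero working engines
    elif detections >= min_detections:
        verdict = "infected"
    else:
        verdict = "clean"
    return {"verdict": verdict, "detections": detections,
            "usable_engines": usable, "results": results}


# Constructed stand-ins for real engines: each recognises one marker string.
def engine_a(data):
    return "Marker.A" if b"MARKER-A" in data else None

def engine_b(data):
    return "Marker.B" if b"MARKER-B" in data else None

def engine_broken(data):
    raise RuntimeError("engine crashed")

ENGINES = {"a": engine_a, "b": engine_b, "broken": engine_broken}

if __name__ == "__main__":
    print(scan_multi(b"sample with MARKER-A", ENGINES))
```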


VB2012
VB2012 will take place 26 - 28 September 2012 at the Fairmont Dallas hotel, Dallas, TX, USA.