Observations and lessons learned from comparing point-in-time cleaning against real-time protection
Scott Wu Microsoft
While our main point-in-time removal tool has grown its install base to over 500 million machines, with many millions of malware
infections removed monthly, its signature database is limited to only the most widespread malware. Now, as its counterpart
real-time protection solution approaches its one-year anniversary in September 2010, we have an opportunity to compare the
effect of these two different utilities on the ecosystem. This paper offers a deep dive into these rich data sets.
The paper divides the threat events into several areas, using the two approaches as a case study. Of the prevalent
threats covered by the point-in-time cleaning tool, different threats and threat categories produced a variety of detection
patterns in the real-time solution in terms of total detection volume, trend, reinfection rate and so on. The full package of
technologies offered by a complete AV solution shows clear protection advantages over a monthly one-time on-demand
cleaning tool. Observations are made on the discrepancies between these detections.
This study will include the following threat types:
- Bots: Win32/Rustock, Win32/Srizbi, Win32/Waledac, Win32/Hamweq, Win32/Rimecud, Win32/Pushbot
- Rogues: Win32/FakeRean, FakeXPA, FakeWebsec, Win32/InternetSecurity
- Password stealers: Win32/Taterf, Win32/Frethog, Win32/Zuten, Win32/Banker, Win32/Bancos, Win32/Banload
- Web 2.0 threats: Win32/Koobface, Win32/Renos
- Drive-by downloaders: Win32/Bredolab, Win32/Zlob
The study will also report any other interesting effects of overlaying the monthly schedule of the removal tool
on a constantly updating protection stream, and anything else the data divulges as we investigate further.