1 + 1 != 2 in malware scanning presented at Virus Bulletin 2011

by Taeil Goh (Opswat)

Tags: Security

URL : http://www.virusbtn.com/conference/vb2011/abstracts/Goh.xml

Summary : No single anti-malware product has delivered 100% detection of threats, and this fact will most likely not change in the near future. Developers of security solutions can choose to integrate multiple anti-malware products to minimize the risk of missing threats to their system, because each anti-malware product has a better or worse detection rate than the others depending on factors such as the type of threat. However, the benefit of increasing the detection rate by utilizing multiple anti-malware products comes at a price:

1. Performance degradation of the solution, multiplied by running the same tasks on the same data in several products,
2. Increased vulnerability of the solution, since each threat is exposed to more anti-malware products and data analysis tools such as file type detection libraries,
3. Increased potential for false positives reported by the solution, and no standard for making a final decision based on differing results from different products.

In this paper, we will examine the potential and pitfalls of aggregating multiple anti-malware products into a single security solution, drawing upon our experience of working with as many as dozens of engines in parallel. Various test results on different products, which will be presented later in the paper, show at least two things: even the anti-malware product with the best detection rate can simply miss threats, and the anti-malware product with the best detection in one testing configuration will not be the best in another. Integrating multiple anti-malware engines (multi-scanning) comes into play in covering the imperfections of a single anti-malware product. This has already attracted many developers and services, including Microsoft Forefront Security for SharePoint and Google Postini Services. In this paper, we first examine several outstanding test results from test labs such as AV-Comparatives and other anti-malware test labs, and then examine a few use cases of multi-scanning.

Next, we will identify the redundant tasks of different anti-malware products and introduce ways to optimize total scanning speed without losing detection.

In the third part of our paper, we will discuss a resilient design for integrating multiple anti-malware products into a single security solution without being affected by the failure of any component. Further, we will introduce a reliable way of detecting failure and ensuring the sanity of each solution component in order to maximize the benefit of multi-scanning.

Finally, our paper will address the reduction of false positives with whitelisting and frequent updates without pausing ongoing scans.
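The resilient aggregation and final-decision problem the abstract describes (one engine failing must not break the solution, and differing engine results need a decision rule), as an added example that is not code from the paper or from Opswat. The three stand-in engines, the `WHITELIST` hash set and the `any`/`majority` policy names are constructed for illustration; a real integration would wrap each vendor SDK behind the same `(detected, label)` interface.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed stand-in engines: each returns (detected, label). They simulate a
# hit, a crashing component and a miss so the aggregator's handling is visible.
def engine_a(data):
    hit = b"EICAR" in data
    return (hit, "Test.File" if hit else None)

def engine_b(data):
    raise RuntimeError("engine crashed on this sample")  # simulated failure

def engine_c(data):
    return (False, None)  # simulated miss

ENGINES = {"a": engine_a, "b": engine_b, "c": engine_c}

# Hypothetical whitelist of SHA-256 digests of known-good files (constructed).
WHITELIST = {hashlib.sha256(b"known good installer").hexdigest()}

def multiscan(data, engines, timeout=2.0, policy="any"):
    """Scan data with every engine in parallel, isolate per-engine failures,
    and combine the surviving results into one verdict."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in WHITELIST:  # whitelisting short-circuits false positives
        return {"verdict": "clean", "reason": "whitelisted", "results": {}}
    results = {}
    pool = ThreadPoolExecutor(max_workers=len(engines))
    futures = {name: pool.submit(fn, data) for name, fn in engines.items()}
    for name, fut in futures.items():
        try:  # a crashed or hung engine is recorded, never propagated
            detected, label = fut.result(timeout=timeout)
            results[name] = {"status": "ok", "detected": detected, "label": label}
        except FutureTimeout:
            results[name] = {"status": "timeout", "detected": False, "label": None}
        except Exception as exc:
            results[name] = {"status": "error", "detected": False, "error": str(exc)}
    pool.shutdown(wait=False)  # do not block on a hung engine
    healthy = [r for r in results.values() if r["status"] == "ok"]
    hits = [r for r in healthy if r["detected"]]
    if not healthy:           # every component failed: say so, do not claim "clean"
        verdict = "unknown"
    elif policy == "any":     # one detection is enough
        verdict = "infected" if hits else "clean"
    else:                     # "majority" of the engines that actually answered
        verdict = "infected" if 2 * len(hits) > len(healthy) else "clean"
    return {"verdict": verdict, "healthy": len(healthy), "hits": len(hits),
            "results": results}
```

In production each engine would run in its own process or sandbox so that a crash while parsing a hostile file cannot take the aggregator down with it; threads are used here only to keep the example self-contained.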