Antivirus detection rates have declined

Antivirus is no longer the only ammo for IT. As technology evolves, so does the threat landscape. With the new year, a new threat landscape has emerged that puts your employees as the “first line of defense”: the human firewall.

As part of C3Compliant, which started in 2013, we have since been focused on emerging threats and helping our customers educate their employees on the ongoing security challenges that face us on a regular basis. It is our responsibility to help our clients be aware of these emerging threats, to help protect themselves and their employees from critical business impacts.

Virus Bulletin (VB) is a security information portal, testing and certification body with a formidable reputation for providing users with independent intelligence about the latest developments in the global threat landscape.

Antivirus, also known as endpoint protection and spam filter tests are published as detailed below, in quadrants, graphing the results. You all know that in the antivirus industry every company shares the signatures based on who creates it first. Moreover, usually it is the larger or, the smarter ones who get it first, either based on their resources or skill sets. Thus the race is always on to see who gets the definition out first, because soon enough everyone else that has the malware sample can block the hash.

Definition: What is a hash: In the antivirus world, a signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Depending on the type of scanner or the antivirus vendor being used, it may be a static hash which, in its simplest form, is a calculated numerical value of a snippet of code unique to the virus. Or, less commonly, the algorithm may be behavior-based, i.e. if this file tries to do X,Y,Z, flag it as suspicious and prompt the user for a decision.

A single signature may be consistent with a large number of viruses. This allows the scanner to detect a brand new virus it has never even seen before. This ability is commonly referred to as either heuristics or generic detection. Generic detection is less likely to be effective against completely new viruses and more effective at detecting new members of an already known virus ‘family’ (a collection of viruses that share many of the same characteristics and some of the same code). The ability to detect heuristically or generically is significant, given that most scanners now include in excess of 250k signatures and the number of new viruses being discovered continues to descrease dramatically year after year.


Let’s look at the various graphs published by VB over the last few years.

Legend: The “Reactive” measure is the average of three test runs against samples seen in the ten days before the test date, allowing the products to use the latest updates with full access to any cloud-based resources and reputation systems. For the “Proactive” measure, products and updates are frozen, then products are run offline, without access to cloud systems, against samples seen in the ten days following freezing.

Now looking at the April to October 2016 samples, compared to the 2015 graph, the reactive detection has dropped considerably, as well as the proactive detection also dropped dramatically up to  70%. With the advent of the modern machine-learning techniques, proactive protection should improve, but in reality it’s going in the opposite direction. Thus reducing the effectiveness of the anti-virus solutions.

Note: If your particular Antivirus company is not listed, it is because they declined to participate in the survey.

Now looking at your Spam filter tests…

Martijn Grooten at Virus Bulletin (“VB”) commented in a VB Bulletin dated January 5th, 2017 that “Many experts believe that ransomware is set to become an even worse problem in 2017 than it was in 2016 — which is rather bad news, given the damage it has already done.”

Here is the quadrant for spam filters:

As tested by VB: OnlyMyEmail stood out for missing just three spam emails in the spam corpus, while ESET, Bitdefender, and Fortinet all blocked at least 99.98% of spam as well. These four products did not block any legitimate emails either, earning them VBSpam+ awards, along with Libra Esva and Vade Retro MailCube. ‘Clean sheets’ – where the product did not block any legitimate emails or any emails from the newsletter feed – were achieved by ESET and Libra Esva.


As per the Radicati Group’s Email Statiscs Report, in February 2015, the number of business emails sent and received per user per day totaled 122 emails per day. This figure continues to show growth and is expected to average 126 messages sent and received per business user by the end of 2019.

The figures for the amount of spam received, illustrated below, reflect only spam that is delivered to the mailbox after bypassing all spam/security filters. These figures include actual spam, as well as what is referred to as “graymail”.

Business Email 2015 2016 2017 2018 2019
Average Number of Emails Sent/Received 122 123 124 125 126
Average Number of Emails Received 88 90 92 94 96
Average Number of Legitimate Emails 76 76 76 76 77
Average Number of Spam Emails 12 14 16 18 19
Average Number of Emails Sent 34 33 32 31 30

Based on the above statistics it shows that 100+ billion spam emails are sent every day. Of those, approximately 2.5 billion have a malicious attachment. One half of one percent (one in 200) of those makes it through the filters, showing a suprisingly high number of 11,500,000 every day.

So, how do you protect yourself from such events? You should be looking at the new line of defense, using tools like Log Management, Intrusion Detection System (IDS) and Web filtering, including enabling your first line of defense, the “Human Firewall” to be aware of these challenges. You need to train your first line of defense with the right knowledge so they can report this event and help your technology team be proactive. This takes consistent effort and messaging via your security awareness training platforms like PhishPro, which is integrated with Microsoft Office 365, to help safeguard your enterprise information. As you know, Microsoft Office 365 has a comprehensive safe list which works based on your whitelist and blacklist configuration, including countries that can be blocked for your enterprise. Together, with malware and link detonation feature, along with a Security Awareness Platform like PhishPro, can enhance your “Human Firewall” to be more efficient in protecting your sensitive information ¾ which is your Corporate and Individual identity.