Myopic Vision

Mary Landesman nailed it with a couple of posts on her about.com “Antivirus Software Blog”, when she commented on the numbers games that AV vendors play when attempting to inflate their credibility in the eyes of consumers and corporate decision-makers. Her comments relate to both the numbers themselves and Microsoft’s underlying MSRT tool’s effectiveness.
I recommend checking out her blog.

Her first post, “Tunnel Vision”, criticized Microsoft’s claims of insight into the volumes of malware actually running on user systems. She writes: ‘Microsoft asserts “Zlob is among the most common type of Trojan downloaded onto Windows machines.” The assertion was based on data collected by Microsoft’s Malicious Software Removal Tool (MSRT). But the MSRT is only programmed to see 111 (as of today’s date) malware families.’
Microsoft frequently makes grand claims about its own strong perspective into (here comes my oh-so-favorite marketing term) the “malware landscape”, based on the reported findings of this MSRT tool, simply because it runs on 400 million systems. She disputes their ability to make these MSRT-based claims with her own estimate of the tool’s coverage:
‘In other words, Zlob is not “among the most common type of Trojan downloaded onto Windows machines”. Instead, Zlob is among the most common malware detected by the MSRT, which currently detects only about 5% of active malware families.’

On yesterday’s “The Numbers Behind Detection”, she updates that number by extrapolating from a recent straightforward, informative and respectable post from McAfee, humorously shouting “and I say we are detecting between 400,000 and 10,000,000 malware!”:
‘That makes my comments in Tunnel Vision even more pertinent as it effectively drops the MSRT detection percentage from 5% of all families to .03%.’
Tunnel vision? The MSRT tool may be very beneficial to the Windows community at large, but the sight that tool provides is more myopic than anything. Put some glasses on it and send it to class!

On a daily basis, the ThreatFire community gives us some insight not only into what malware users really are running on their desktops (as opposed to malware that merely shows up in an inbox or a P2P directory, or is downloaded and never run), but also into the unfortunate volumes of malware that go undetected by AV scanners when first released into the wild. Even mature, sophisticated scanners developed by talented teams have a hard time detecting and keeping up with the volume, the changing nature, and the evasive techniques of today’s “cash is king” malware without bogging down users’ systems. Correctly classifying these constantly changing samples is just as hard for those overburdened teams. Keeping on top of such volumes well enough to make sweeping claims about percentages takes a keen vision indeed.

This entry was posted in Online Fraud.

One Response to Myopic Vision

  1. Mary says:

    Hi Kurt,

    Thanks for furthering this topic. All threat reports have value – but it’s critical their authors be very specific about what exactly is being reported upon. If the focus is on desktop and consumer, say so. If the focus is a small subset of families, be very clear about that and provide the number of families covered. Another example would be prevalence lists that routinely portray Bagle or Netsky as top threats without clarifying the impact email volume has on these numbers. In short, this is not a Microsoft problem, but rather an industry-wide problem.

    Transparent reporting is critical – accurate portrayal assists in risk analysis. By combining *accurately portrayed* data from multiple sources, the reader can glean the bigger picture of a term you hate: the malware/threat landscape. :-)

    In other words, if a vendor only sees apples and cannot see oranges and bananas, then position the paper as an expert look at apples and tell me everything I could possibly want to know about crab apples, red apples, green apples, etc. But don’t try to pretend that the apples are representative of the entire fruit basket. That’s just misleading.

    Not too sure I would call this myopic though. Myopic vision (or near-sightedness) implies the view is perfectly fine up close. In reality, no matter how closely these misrepresentations are held to one’s eyes, they never stand up to scrutiny. Tunnel vision, conversely, implies a narrower view – i.e. tunneling in only on what one can see. ALL vendors by necessity have tunnel vision – they can only report on what it is they see through their products/customers. That’s fine, expected, as it should be. Just tell the reader upfront so there’s less confusion.

    – Mary
