Mary Landesman nailed it with a couple of posts on her about.com “Antivirus Software Blog”, when she commented on the numbers games that AV vendors play when attempting to inflate their credibility in the eyes of consumers and corporate decision-makers. Her comments relate to both the numbers themselves and Microsoft’s underlying MSRT tool’s effectiveness.
I recommend checking out her blog.
Her first post, “Tunnel Vision“, criticized Microsoft’s claims of insight into the volumes of malware actually running on user systems. She points out that Microsoft asserts ‘Zlob is among the most common type of Trojan downloaded onto Windows machines.” The assertion was based on data collected by Microsoft’s Malicious Software Removal Tool (MSRT). But the MSRT is only programmed to see 111 (as of today’s date) malware families.’
Microsoft frequently implies grand claims of their own strong perpective into (here comes my oh-so-favorite marketing term) the “malware landscape”, based on the reported findings of this MSRT tool, simply because it runs on 400 million systems. She contradicts their ability to make these MSRT-based claims with her own estimates of the tool’s effectiveness:
‘”In other words, Zlob is not “among the most common type of Trojan downloaded onto Windows machines”. Instead, Zlob is among the most common malware detected by the MSRT, which currently detects only about 5% of active malware families.’
On yesterday’s “The Numbers Behind Detection“, she updates that number by extrapolating numbers from a recent straightforward, informative and respectable post from McAfee, humorously shouting “and I say we are detecting between 400,000 and 10,000,000 malware!“:
‘That makes my comments in Tunnel Vision even more pertinent as it effectively drops the MSRT detection percentage from 5% of all families to .03%.’
Tunnel vision? The MSRT tool may be very beneficial to the Windows community at large, but the sight that tool provides is more myopic than anything. Put some glasses on it and send it to class!
On a daily basis, the ThreatFire community provides us with some insight into not only what malware users really are running on their desktops (and not just showing up in their inbox, a P2P directory, or downloaded and not run), but the unfortunate volumes of malware that go undetected by AV scanners when first released into the wild. Even time-worn and sophisticated scanners developed by talented groups have a difficult time detecting and keeping up with the volumes, the changing nature, and the evasive techniques of today’s “cash is king malware” while not bogging down users’ systems. It is often difficult to best classify these changing samples as well for these burdened groups. Keeping on top of those volumes to make sweeping claims about percentages takes a keen vision indeed.