Detecting Malware Outbreaks Faster Using Multiple Anti-malware Engines

At OPSWAT, we often encounter questions such as, "What is the value of multi-scanning?" and "Which MetaDefender Core package is right for me?" Although we analyze large quantities of malware samples and deploy thousands of instances of MetaDefender Core packages across many organizations, the answers to these questions are always the same — it depends. OPSWAT's multi-scanning technology works to improve detection of outbreaks by using a variety of engines from different geographical locations and by using a mix of both heuristic and signature-based detection. Heuristic analysis is especially useful for detecting new or unknown threats that emerge at the beginning of an outbreak.

Two notable values of multi-scanning are:

1. Increased detection rates
2. Faster detection of malware outbreaks

Measuring detection time for outbreaks is difficult to calculate, though not impossible. To demonstrate this, we pulled a sample of 50 outbreaks from files scanned on MetaDefender.com and looked at detection times for each of MetaDefender Core's package options. For the purposes of this research, we defined an outbreak as a threat that was eventually detected by at least 10 anti-malware engines, and we focused on detection by the 6 available MetaDefender Core Windows packages.

To measure detection rates for different packages, we looked at the anti-malware engine(s) that first detected the outbreak and then matched that detection with the package that contained the engine(s). For example, if Avira was the first engine to detect an outbreak, we would conclude that MetaDefender Core 4 packages and higher would have detected the threat first, since Avira is included in all MetaDefender Core packages. However, if Ikarus was the first engine to detect an outbreak, then only MetaDefender Core 12 packages and higher would have detected the threat at first upload. If outbreaks were only detected by higher packages at first, we examined scan results after the initial detection to determine the point at which engines from lower packages detected a threat.

For those that wish to see the individual detection times for each outbreak sample we pulled, we have provided the full data set. We have also provided links to the first detection of the outbreak with the name of the engine(s) that detected it, and links to the scan history of each outbreak.

Research Statistics - From Full Data Sample

• The fastest outbreak detection was 0 days and the slowest detection was over 18 days
• Average outbreak detection time for each package was as follows:
  
  • MetaDefender Core 4 - 4 days, 1 hour, 18 minutes, 23 seconds (4.05 days)
  • MetaDefender Core 8 - 3 days, 8 hours, 42 minutes, 53 seconds (3.36 days)
  • MetaDefender Core 12 - 1 day, 11 hours, 15 minutes, 47 seconds (1.47 days)
  • MetaDefender Core 16 - 17 hours, 32 minutes, 12 seconds (0.73 days)
  • MetaDefender Core 20 - 9 hours, 3 minutes, 29 seconds (0.38 days)
  • MetaDefender Core 20 + Custom - 10 minutes, 41 seconds (0.007 days)

Disclaimer: This data was collected from malware samples uploaded to MetaDefender.com, and the detection rates are based on the static analysis functionality of those engines. As such, detection may differ from versions of these engines that incorporate both static and dynamic analysis. The small sample size (50 outbreaks), while qualitatively showing the benefits of scanning with additional engines, means there is a larger confidence interval around the quantitative times included in this analysis. Additionally, a majority of the threats analyzed in this sample have been detected by at least one anti-malware engine. At the time this sample was taken, MetaDefender Core 8 packages and higher included ThreatTrack as an engine. These packages no longer contain this engine as it was replaced by Zillya! to provide the best protection to our customers.