Our guiding vision at the Microsoft Malware Protection Center (MMPC) is to keep every customer safe from malware. Both our research team and automated systems work around the clock in an effort to achieve this vision.

The volume of threats that attackers are developing continues to increase. For example, last month we collected and analyzed 20 million new potential malware files. Six percent of these files were classified as malware. From that six percent, just over 100,000 files resulted in the development of new signatures to detect these files - all to protect as many customers as possible and as quickly as possible. These new signatures prevented three million customers from getting infected by four million unique malware files, while our existing signatures protected an additional eleven million customers from 72 million files.

Our automated systems process many samples submitted to the MMPC and automatically add signatures for new malware. For more established malware families, our researchers need to look deeper and overcome the new techniques the family is using to evade our protection. Dorkbot is an example of one such family. Last month we protected 729,000 customers from Dorkbot infections; however, if we didn’t analyze the latest incoming files and write 361 new signatures fast enough, 70,000 of our customers would have been infected by Dorkbot’s evasions.

Prioritizing the analysis of 20 million new files each month, in order to protect as many customers as quickly as possible, is a huge challenge for us.

Our prioritization strategy is customer-focused. Subsequently, we rely on data from over a billion customer computers to determine malware impact, and hundreds of millions of customer computers have enlisted to help us identify and gather new malware files. Because we can clearly see which malicious files are affecting our customers, we are able to prioritize our response process by using real world measurements for prevalence and impact.

The anti-malware industry has a long-established system for sharing collected malware files. We analyze these files in order to fine-tune our own sensors, and we may even write signatures when we believe they will protect our customers against threats they haven’t yet seen. We use a customer impact evaluation process that queries our sensors to look for similar malicious files across the ecosystem to help us make that determination.

As proactive and effective as this customer-focused prioritization approach has been, there have been infrequent occasions when we had to remediate an infection because a new signature didn’t reach our customers in time to block it. For example, last month this impacted a fraction of one percent of our customers. Although we are proud of the protection service level we do provide, we are constantly striving for better results by fine-tuning our systems and sensors, and continuing to invest in automation and cloud-based technologies that allow us to deploy the latest protection to our customers even faster.

We realize that the way we prioritize our protection may not always align with how the independent anti-virus product testers measure our effectiveness. We believe that adhering to a customer-focused prioritization process allows us to protect and keep our customers safe.

 

Dennis Batchelder
Partner Program Manager
Microsoft Malware Protection Center