Threat Research & Response Blog
How important is it really to run antivirus software? Many people ask that question: the average user who might question the effort required to install it or keep their subscription up-to-date, the tech-savvy user who feels their knowledge and safe Internet skills are enough to keep them out of trouble, and the technology decision-maker who has to justify the cost to their business, to name just a few.
However, every single one of those people who question the importance of antivirus has to admit that it’s much easier to prevent infection than to clean up after it. So, how much difference does antivirus software actually make when faced with prevalent malware threats?
Research that we developed for Volume 14 of the Microsoft Security Intelligence Report, released today, includes a detailed analysis to help answer that question. Based on data from more than a billion systems worldwide in the second half of 2012, the study found that unprotected computers – those without up-to-date antivirus software installed – were 5.5 times more likely on average to have an infection than protected computers.
We carried out this research using data from the Malicious Software Removal Tool (MSRT), which runs every month along with Windows and Microsoft Updates. Recent releases of the MSRT collect and report details about the state of real-time antivirus software on the scanned computer if the machine has been opted-in to provide data to Microsoft.
Infection rates are represented by the number of computers cleaned per mille (CCM). This is the number of computers cleaned after an infection for every 1,000 computers scanned by the MSRT. The CCM for unprotected computers ranged from 11.6 to 13.6 each month during the last half of 2012, while the CCM for protected computers ranged from 1.4 to 3.8.
Figure 1: Infection rate CCM for protected and unprotected computers each month during the last half of 2012.
Between July and December 2012, on average we found 24 percent of computers scanned with MSRT were not protected.
Figure 2: Percentage of unprotected computers each month during the last half of 2012.
In addition to the overall 5.5 times higher CCM infection rate for unprotected computers, we identified two key trends. The first is that in countries or regions where there is a high percentage of unprotected computers, infection rates were higher for both protected and unprotected computers. Furthermore, the infection rate gap between protected and unprotected computers in those countries/regions is much higher than average. This is illustrated by the trends observed in countries or regions with high and low malware infection rates.
For example, in the country of Georgia on average 33 percent of computers were unprotected, which is almost ten percentage points higher than the worldwide average. Infection rates were higher in Georgia as well: the CCM infection rates for protected computers ranged from 4.6 to 6.4 and unprotected computers ranged from 75.0 to 95.5! Unprotected users were 14 times more likely to be infected in Georgia, but even protected users had a higher than average infection rate. It’s likely that the large unprotected population with a high infection rate had a negative impact on protected users there.
On the other side of that coin, Finland boasts a below-average rate of unprotected computers - a mere 14.6 percent. Unprotected computers in Finland had infection rates ranging from 1.9 to 5.4, which is lower than protected computers in Georgia! Meanwhile protected computers in Finland had infection rates of 0.2 to 0.8. Clearly, the lower the percentage of unprotected computers, the lower the infection rate. Thus, everyone benefits from the protection running on the protected computers.
The other trend we found was that for computers running Windows XP SP3 – which doesn’t have the security features of modern operating systems – being protected didn’t offer the same benefit as on modern platforms with greater security features. On average, unprotected Windows XP SP3 users were only 4.6 times more likely to be infected than protected users, which is about one point lower than the global average.
If that weren’t enough to convince you to take action and install antivirus software, we found still more compelling information. For computers that were cleaned during the last half of 2012, unprotected computers were about 2.5 times more likely to be infected with multiple different malware families than protected computers. Not only are unprotected users more likely to be infected, but when they are infected, the impact is likely to be greater.
Figure 3: Percentage of cleaned computers with more than one malware family during the last half of 2012.
Although there’s no perfect solution, it’s clear that antivirus products offer crucial value. Running real-time antivirus products and keeping them up-to-date is an essential step in reducing the risks from malware. Simply installing and using real-time antivirus software can help individuals and organizations reduce malware infection by more than 80 percent. In addition, if you do have an infection you reduce your chances of being infected with multiple malware families by 56 percent. Have a look at our list of Consumer security software providers for vendors that provide consumer security software solutions for Windows.
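The CCM metric and the ratio between the two populations can be reproduced from per-month scan counts. The following is an added example, not code from the report: the sample rows are constructed, and pooling the counts before taking the ratio is an assumed averaging method. It also shows that a 5.5 times higher infection rate corresponds to a reduction of about 82 percent, consistent with the "more than 80 percent" figure above.

```python
from collections import defaultdict

# Constructed sample rows: (month, protected?, computers scanned, computers cleaned).
# The counts are invented for illustration; they are not MSRT data.
SAMPLE = [
    ("2012-07", True, 800_000, 1_600),
    ("2012-07", False, 200_000, 2_400),
    ("2012-08", True, 750_000, 2_250),
    ("2012-08", False, 250_000, 3_250),
]

def ccm(cleaned, scanned):
    """Computers cleaned per 1,000 computers scanned."""
    if scanned <= 0:
        raise ValueError("CCM is undefined when no computers were scanned")
    return 1000.0 * cleaned / scanned

def monthly_ccm(records):
    """Return {month: {protected_flag: CCM}}, summing rows that share a key."""
    totals = defaultdict(lambda: [0, 0])  # (month, flag) -> [scanned, cleaned]
    for month, protected, scanned, cleaned in records:
        totals[(month, protected)][0] += scanned
        totals[(month, protected)][1] += cleaned
    result = defaultdict(dict)
    for (month, protected), (scanned, cleaned) in totals.items():
        result[month][protected] = ccm(cleaned, scanned)
    return dict(result)

def relative_risk(records):
    """Pooled unprotected CCM over pooled protected CCM (assumed averaging)."""
    pooled = {True: [0, 0], False: [0, 0]}
    for _, protected, scanned, cleaned in records:
        pooled[protected][0] += scanned
        pooled[protected][1] += cleaned
    protected_ccm = ccm(pooled[True][1], pooled[True][0])
    if protected_ccm == 0:
        raise ValueError("ratio is undefined when no protected computer was cleaned")
    return ccm(pooled[False][1], pooled[False][0]) / protected_ccm

def implied_reduction(rr):
    """Share of infections avoided when risk drops by a factor of rr."""
    if rr <= 0:
        raise ValueError("relative risk must be positive")
    return 1.0 - 1.0 / rr

if __name__ == "__main__":
    for month, rates in sorted(monthly_ccm(SAMPLE).items()):
        print(month, f"protected={rates[True]:.1f}", f"unprotected={rates[False]:.1f}")
    print(f"sample ratio: {relative_risk(SAMPLE):.2f}")
    print(f"reduction at 5.5x: {implied_reduction(5.5):.1%}")
```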
This research does raise a few questions: is there a difference in infection rates between computers with out-of-date antivirus software and computers with no antivirus software at all? How is the infection rate affected when users change from one antivirus vendor to another?
Given that having more protected computers generally results in lower infection rates, is there a percentage of protected computers that will make malware development too expensive to be worth it? My colleague Bill Pfeifer and I will attempt to answer these questions in a presentation at the Virus Bulletin 2013 conference in Berlin in October. For more information, check out the VB2013 conference website.