Yesterday we released the latest volume of the Microsoft Security Intelligence Report. Among the ~800 pages of new threat intelligence is a new study that attempts to quantify the benefit of running up-to-date anti-virus (AV) software. The study leveraged data from over a billion systems worldwide, and it turns out that systems that do not have up-to-date AV are 5.5 times more likely to be infected with malware than systems that are protected. It’s also noteworthy that almost 270 million systems worldwide did not have up-to-date AV installed in the second half of 2012; many people who could be benefiting from the protection that AV offers are not.
Didn’t we already know this?

While it might seem like common sense that AV software is a good thing to have, I think much of the evidence I have seen to support this notion has mostly been anecdotal. I have attended and spoken at numerous security industry conferences over the past couple of years where I have heard more and more industry security experts question the efficacy of AV. The typical argument against AV is the erroneous assumption that since it can’t block or detect 100% of threats, including some of the high-profile targeted attacks that have been reported over the last few years, it’s entirely worthless and not worth running.
To me, this point of view seems less than pragmatic, because part of the challenge the industry faces is to protect the billions of devices that are now continuously connected to the Internet from the flood of new threats that continually emerge. Since both the number of connected devices and the number of threats will only increase in the future, how to scale protections will always be important. More and more attackers are using automation and sophisticated techniques like server-side polymorphism to generate massive numbers of threats; Figure 1 below illustrates the estimated growth of malware since 1991, and Figure 2 shows that 29,451,883 computers had detections/removals of malware in the ten most active countries in the 90 days of the fourth quarter of 2012 alone. In this type of environment AV is becoming more important, not less important.
Figure 1 (left): Approximate growth of malware since 1991 as published in the Microsoft Security Intelligence Report, Special Edition: The evolution of malware and the threat landscape – a 10-year review; Figure 2 (right): Trends for the locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 2012 by quarter, as reported in volume 14 of the Microsoft Security Intelligence Report
New quantitative data clearly shows AV is a necessity

We now have quantitative data from a new study with probably the largest sample base you could hope for, to get insights from. The data in Figure 3 shows that the population of systems that do not run up-to-date AV have a much higher incidence of infection than the population that do run up-to-date AV. This was consistent over the time period studied in the second half of 2012 (2H12), across all Windows operating systems, and across geographies.
Figure 3 (left): Infection rates (computers cleaned per mille) for protected and unprotected computers each month in the second half of 2012 (2H12); Figure 4 (right): Infection rates for computers with and without up-to-date real-time antimalware protection in 2H12, by operating system version and service pack level
Figure 5 (left): Infection rates for computers running Windows XP and Windows Vista with and without up-to-date real-time antimalware protection in 2H12, by month; Figure 6 (right): Infection rates for computers running Windows 7 and Windows 8 with and without up-to-date real-time antimalware protection in 2H12, by month
The benefits of anti-virus software are especially easy to see when looking at locations that have high malware infection rates. I have written about the threat landscape in Pakistan before. But this new data sheds more light on what’s happening in regions with high malware infection rates like Pakistan and the country of Georgia. Pakistan and Georgia, which both had significantly more computers without up-to-date real-time protection than the world as a whole (38.6 percent in Pakistan, 33.5 percent in Georgia) also displayed a larger infection rate gap between protected and unprotected computers than the world overall. In Pakistan, unprotected computers were 11.7 times more likely to be infected than protected computers, which translates to a CCM over 100.0 in 5 out of the 6 months in 2H12—in other words, the MSRT found that more than 1 of every 10 unprotected computers in Pakistan was infected with malware. In Georgia, unprotected computers were 14.0 times more likely to be infected than protected computers, with CCM figures between 75.0 and 95.5 each month, compared to a range of 4.6 to 6.4 for protected computers in Georgia.
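As an added illustration that is not part of the report or this post, the following computes the CCM (computers cleaned per mille) metric and the protected-versus-unprotected ratio quoted above from constructed sample telemetry. It assumes the SIR definition of CCM as computers cleaned per 1,000 unique computers that ran the MSRT; the counts are made up.

```python
from collections import defaultdict

# Constructed sample telemetry (not real SIR data): for each month and protection
# state, the number of unique computers that ran the MSRT and how many were cleaned.
SAMPLE = [
    # month,    up_to_date_av, msrt_executions, cleaned
    ("2012-07", True,  20000, 140),
    ("2012-07", False, 10000, 770),
    ("2012-08", True,  20000, 120),
    ("2012-08", False, 10000, 660),
]


def ccm(cleaned, executions):
    """Computers cleaned per mille: cleaned per 1,000 MSRT executions (assumed definition)."""
    if executions <= 0:
        raise ValueError("CCM is undefined without MSRT executions")
    return 1000.0 * cleaned / executions


def ccm_by_group(records):
    """Aggregate across months and return {True: protected CCM, False: unprotected CCM}."""
    totals = defaultdict(lambda: [0, 0])  # protected -> [executions, cleaned]
    for _, protected, executions, cleaned in records:
        totals[protected][0] += executions
        totals[protected][1] += cleaned
    return {p: ccm(c, e) for p, (e, c) in totals.items()}


def relative_risk(records):
    """How many times more likely an unprotected computer is to be cleaned than a protected one."""
    rates = ccm_by_group(records)
    return rates[False] / rates[True]


def one_in_n(ccm_value):
    """Express a CCM as '1 in N' computers: a CCM of 100 means 1 in 10, as the post notes."""
    if ccm_value <= 0:
        raise ValueError("no cleanings reported")
    return 1000.0 / ccm_value


if __name__ == "__main__":
    rates = ccm_by_group(SAMPLE)
    print(f"protected CCM {rates[True]:.1f}, unprotected CCM {rates[False]:.1f}")
    print(f"unprotected computers are {relative_risk(SAMPLE):.1f}x more likely to be infected")
```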
Figure 7 (left): Infection rates for protected and unprotected computers in two locations with high CCM in 2H12; Figure 8 (right): Infection rates for protected and unprotected computers in three locations with low CCM in 2H12
As Figure 8 illustrates, even in locations that consistently have the lowest malware infection rates in the world (which I have written about before), AV helps reduce malware infection rates on the systems it protects.
Call to action

According to our new study, almost 270 million systems do not have up-to-date AV installed on them. The study also shows that unprotected systems are 5.5 times more likely to be infected than protected systems. Given that compromised systems can be used to attack people, organizations and even governments, it’s important that all systems are protected.
Figure 9: Computers lacking up-to-date real-time antimalware protection in 2H12, by operating system version and service pack level
So while it’s true that no anti-virus software can provide protection from 100% of malware because new variants are literally created every second, if you don’t run any anti-virus software, you won’t be protected from any malware. The call to action is:
You can get all the details of the new study I have described here by downloading volume 14 of the Security Intelligence Report available at http://microsoft.com/sir.
Tim Rains
Director
Trustworthy Computing