Yesterday we released the latest volume of the Microsoft Security Intelligence Report. Among the ~800 pages of new threat intelligence is a new study that attempts to quantify the benefit of running up-to-date anti-virus (AV) software. The study leveraged data from over a billion systems worldwide, and it turns out that systems that do not have up-to-date AV are 5.5 times more likely to be infected with malware than systems that are protected. It's also noteworthy that almost 270 million systems worldwide did not have up-to-date AV installed in the second half of 2012; many people who could be benefiting from the protection that AV offers are not.

Didn’t we already know this?
While it might seem like common sense that AV software is a good thing to have, I think much of the evidence I have seen to support this notion has been anecdotal. I have attended and spoken at numerous security industry conferences over the past couple of years where I have heard more and more industry security experts question the efficacy of AV. The typical argument against AV rests on the erroneous assumption that because it can't block or detect 100% of threats, including some of the high-profile targeted attacks reported over the last few years, it is entirely worthless and not worth running.

To me, this point of view seems less than pragmatic, because part of the challenge the industry faces is protecting the billions of devices that are now continuously connected to the Internet from the flood of new threats that continually emerge. Since both the number of connected devices and the number of threats will only increase in the future, how to scale protections will always be important. More and more attackers are using automation and sophisticated techniques like server-side polymorphism to generate massive numbers of threats; Figure 1 below illustrates the estimated growth of malware since 1991, and Figure 2 shows that 29,451,883 computers had detections/removals of malware in the ten most active countries in the 90 days of the fourth quarter of 2012 alone. In this type of environment AV is becoming more important, not less.

Figure 1 (left): Approximate growth of malware since 1991 as published in the Microsoft Security Intelligence Report, Special Edition: The evolution of malware and the threat landscape – a 10-year review; Figure 2 (right): Trends for the locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 2012 by quarter, as reported in volume 14 of the Microsoft Security Intelligence Report


New quantitative data clearly shows AV is a necessity
We now have quantitative data from a new study with probably the largest sample base you could hope to draw insights from. The data in Figure 3 shows that the population of systems that do not run up-to-date AV has a much higher incidence of infection than the population that does. This was consistent over the time period studied in the second half of 2012 (2H12), across all Windows operating systems, and across geographies.

Figure 3 (left): Infection rates (computers cleaned per mille) for protected and unprotected computers each month in the second half of 2012 (2H12); Figure 4 (right): Infection rates for computers with and without up-to-date real-time antimalware protection in 2H12, by operating system version and service pack level


Figure 5 (left): Infection rates for computers running Windows XP and Windows Vista with and without up-to-date real-time antimalware protection in 2H12, by month; Figure 6 (right): Infection rates for computers running Windows 7 and Windows 8 with and without up-to-date real-time antimalware protection in 2H12, by month


The benefits of anti-virus software are especially easy to see when looking at locations that have high malware infection rates. I have written about the threat landscape in Pakistan before. But this new data sheds more light on what's happening in regions with high malware infection rates like Pakistan and the country of Georgia. Pakistan and Georgia, which both had significantly more computers without up-to-date real-time protection than the world as a whole (38.6 percent in Pakistan, 33.5 percent in Georgia), also displayed a larger infection rate gap between protected and unprotected computers than the world overall. In Pakistan, unprotected computers were 11.7 times more likely to be infected than protected computers, which translates to a CCM (computers cleaned per mille, i.e. per thousand) over 100.0 in 5 out of the 6 months in 2H12. In other words, the Malicious Software Removal Tool (MSRT) found that more than 1 of every 10 unprotected computers in Pakistan was infected with malware. In Georgia, unprotected computers were 14.0 times more likely to be infected than protected computers, with CCM figures between 75.0 and 95.5 each month, compared to a range of 4.6 to 6.4 for protected computers in Georgia.

Figure 7 (left): Infection rates for protected and unprotected computers in two locations with high CCM in 2H12; Figure 8 (right): Infection rates for protected and unprotected computers in three locations with low CCM in 2H12


As Figure 8 illustrates, even in locations that consistently have the lowest malware infection rates in the world (which I have written about before), AV helps reduce malware infection rates on the systems it protects.

Call to action
According to our new study, almost 270 million systems do not have up-to-date AV installed on them. The study also shows that unprotected systems are 5.5 times as likely to be infected as protected systems. Given that compromised systems can be used to attack people, organizations and even governments, it's important that all systems are protected.

Figure 9: Computers lacking up-to-date real-time antimalware protection in 2H12, by operating system version and service pack level

So while it's true that no anti-virus software can provide protection from 100% of malware, because new variants are literally created every second, if you don't run any anti-virus software you won't be protected from any malware. The call to action is:

  • Computer owners should verify that they have up-to-date AV from a trusted source installed on their systems. If they don't, there are many different options available, including free AV and AV for purchase. You can see some of these options on Microsoft's security partner webpage. Microsoft offers Microsoft Security Essentials to consumers for free, and Windows 8 ships with full AV, called Windows Defender, installed by default.
  • If you are running Windows XP, it's time to start getting serious about moving to an operating system that was developed in this century. :) Seriously, as I wrote recently, Windows XP has the highest malware infection rate of any Windows platform and is less than a year away from the end of support. It's time to move to a modern system that can better mitigate modern-day threats. If you can't move off of Windows XP just yet, ensure that you are running up-to-date AV, as the data shows protected XP systems have less than a third the infection rate of unprotected XP systems. Windows 8 is a good choice, as the infection rate of 64-bit Windows 8 systems is near zero – the lowest we have reported in the Microsoft Security Intelligence Report.
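One way to carry out the first check above on a Windows 8 or later machine, as an added example that is not from the original post or from Microsoft: it lists every AV product registered with Windows Security Center and, where Windows Defender is present, reports its real-time protection state and signature age. The decoding of the productState field is a widely used but undocumented interpretation and is treated here as an assumption, and the 7-day freshness threshold is an arbitrary choice for this example.

```powershell
# Added example: report whether this machine has enabled, up-to-date AV.
# Assumptions: the root/SecurityCenter2 WMI namespace (client Windows SKUs) and,
# for the Defender section, the Defender PowerShell module (Windows 8 and later).
$maxSignatureAgeDays = 7   # arbitrary freshness threshold chosen for this example

# Every AV product registered with Windows Security Center.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
    -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue

if (-not $products) {
    Write-Warning 'No antivirus product is registered with Windows Security Center.'
    return
}

foreach ($p in $products) {
    # productState is a DWORD. The conventional (undocumented, assumed) reading of
    # its six-digit hex form is:
    #   middle byte 0x10 or 0x11 = real-time protection on, 0x00 or 0x01 = off
    #   low byte    0x00         = signatures current,     0x10         = out of date
    $hex = '{0:X6}' -f $p.productState
    $rtEnabled   = $hex.Substring(2, 2) -in @('10', '11')
    $sigsCurrent = $hex.Substring(4, 2) -eq '00'

    [pscustomobject]@{
        Product            = $p.displayName
        RealTimeProtection = $rtEnabled
        SignaturesCurrent  = $sigsCurrent
        LastReported       = $p.timestamp
    }
}

# Where Windows Defender is available, its own status cmdlet gives the signature age directly.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Product            = 'Windows Defender (Get-MpComputerStatus)'
        ServiceEnabled     = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignaturesUpdated  = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays   = $s.AntivirusSignatureAge
        Fresh              = ($s.AntivirusSignatureAge -le $maxSignatureAgeDays)
    }
}
```

Any product whose RealTimeProtection or SignaturesCurrent column reads False is the "not up to date" case the study counts as unprotected.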

You can get all the details of the new study I have described here by downloading volume 14 of the Security Intelligence Report available at http://microsoft.com/sir.

Tim Rains
Director
Trustworthy Computing