Skip to Content

Antivirus’ Multiengine Mess

Using more than one antivirus engine helps users detect threats faster, but the legality of using another company’s scanner is questionable.
August 21, 2009

When Immunet announced its new product, called Immunet Protect, earlier this week, a core advantage of it was going to be that if a group of users ran a collection of different antivirus software, the Protect metaengine could use those products’ threat alerts to inform its own population.

“Immunet Protect provides protection by harnessing the collective wisdom of the security products that you already run, as well as knowledge on the applications installed across Immunet’s entire user population,” the company states in its press release on the technology. “Immunet Protect collects security judgments on what is, and what is not safe from its community. These aggregated judgments are coalesced in the cloud, and, if they are sound, made available to the rest of the Immunet Community immediately.”

Yet, by Wednesday, the company had decided not to include that attribute in the program.

“One of the more controversial [attributes] was whether or not a file [could be] detected by another [antivirus] product,” Oliver Friedrichs, CEO of Immunet, wrote in an e-mail on Thursday. “After considering the implications, we have decided to not do this moving forward.”

The idea posed a problem because companies who want to use the results of multiple antivirus engines to protect their users typically are required to license the engines. Using the results of another antivirus engine’s scan on a user’s computer could have been seen as a copyright infringement of antivirus databases.

In some cases, however, the industry apparently looks the other way. Antivirus firms frequently exchange the threats that they have identified as a way to protect the general population against mass outbreaks, says Pedro Bustamante, senior research adviser with Panda Security. Moreover, many antivirus firms use computers that run rivals’ antivirus software to act as canaries and detect threats that the firms might have missed. Then the firm’s analysts take a part the file to see if it’s actually malicious.

“It’s the industry’s dirty little secret,” Bustamante says. “We are all doing the same thing in terms of using competitors’ products to add detections to our products. When one group sees a threat, other people will quickly add the detection.”

Doing so only makes sense.

In a research paper published by three University of Michigan researchers, 10 major antivirus programs were tested against a collection of malicious code. Even the best antivirus engine could only initially detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.

Where one engine fails, multiple engines can succeed, says Jon Oberheide, a PhD student at the University of Michigan and the lead author of the paper.

Scanning potential malicious software with two or more engines improves accuracy dramatically. (Source: Oberheide et al.)

“Combining the intelligence of multiple antivirus engines can result in significant gains in detection coverage of globally scoped malware,” he says.

In the paper, Oberheide and his colleagues found that any single engine detects 40 to 80 percent of viruses in the first week–using more than one antivirus engine to scan the same program increases the detection rate to between 75 and 95 percent in the first week. The University of Michigan researchers call the technique n-version protection.

While the technique could help companies recognize threats faster, licensing three or four engines per user would be prohibitively expensive. So, for now, automated detection based on multiple antivirus scanners seems to be a dead end.

Keep Reading

Most Popular

Geoffrey Hinton tells us why he’s now scared of the tech he helped build

“I have suddenly switched my views on whether these things are going to be more intelligent than us.”

Meet the people who use Notion to plan their whole lives

The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.

Learning to code isn’t enough

Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.

Deep learning pioneer Geoffrey Hinton has quit Google

Hinton will be speaking at EmTech Digital on Wednesday.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.