Antivirus’ Multiengine Mess

When Immunet announced its new product, called Immunet Protect, earlier this week, a core advantage of it was going to be that if a group of users ran a collection of different antivirus software, the Protect metaengine could use those products’ threat alerts to inform its own population.

“Immunet Protect provides protection by harnessing the collective wisdom of the security products that you already run, as well as knowledge on the applications installed across Immunet’s entire user population,” the company states in its press release on the technology. “Immunet Protect collects security judgments on what is, and what is not safe from its community. These aggregated judgments are coalesced in the cloud, and, if they are sound, made available to the rest of the Immunet Community immediately.”

Yet, by Wednesday, the company had decided not to include that attribute in the program.

“One of the more controversial [attributes] was whether or not a file [could be] detected by another [antivirus] product,” Oliver Friedrichs, CEO of Immunet, wrote in an e-mail on Thursday. “After considering the implications, we have decided to not do this moving forward.”

The idea posed a problem because companies who want to use the results of multiple antivirus engines to protect their users typically are required to license the engines. Using the results of another antivirus engine’s scan on a user’s computer could have been seen as a copyright infringement of antivirus databases.

In some cases, however, the industry apparently looks the other way. Antivirus firms frequently exchange the threats that they have identified as a way to protect the general population against mass outbreaks, says Pedro Bustamante, senior research adviser with Panda Security. Moreover, many antivirus firms use computers that run rivals’ antivirus software to act as canaries and detect threats that the firms might have missed. Then the firm’s analysts take a part the file to see if it’s actually malicious.

“It’s the industry’s dirty little secret,” Bustamante says. “We are all doing the same thing in terms of using competitors’ products to add detections to our products. When one group sees a threat, other people will quickly add the detection.”

Doing so only makes sense.

In a research paper published by three University of Michigan researchers, 10 major antivirus programs were tested against a collection of malicious code. Even the best antivirus engine could only initially detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.

Where one engine fails, multiple engines can succeed, says Jon Oberheide, a PhD student at the University of Michigan and the lead author of the paper.

“Combining the intelligence of multiple antivirus engines can result in significant gains in detection coverage of globally scoped malware,” he says.

In the paper, Oberheide and his colleagues found that any single engine detects 40 to 80 percent of viruses in the first week–using more than one antivirus engine to scan the same program increases the detection rate to between 75 and 95 percent in the first week. The University of Michigan researchers call the technique n-version protection.

While the technique could help companies recognize threats faster, licensing three or four engines per user would be prohibitively expensive. So, for now, automated detection based on multiple antivirus scanners seems to be a dead end.