A View from Robert Lemos

Antivirus' Multiengine Mess

Using more than one antivirus engine helps users detect threats faster, but the legality of using another company’s scanner is questionable.

August 21, 2009

When Immunet announced its new product, called Immunet Protect, earlier this week, a core advantage of it was going to be that if a group of users ran a collection of different antivirus software, the Protect metaengine could use those products’ threat alerts to inform its own population.

“Immunet Protect provides protection by harnessing the collective wisdom of the security products that you already run, as well as knowledge on the applications installed across Immunet’s entire user population,” the company states in its press release on the technology. “Immunet Protect collects security judgments on what is, and what is not safe from its community. These aggregated judgments are coalesced in the cloud, and, if they are sound, made available to the rest of the Immunet Community immediately.”

Yet, by Wednesday, the company had decided not to include that attribute in the program.

“One of the more controversial [attributes] was whether or not a file [could be] detected by another [antivirus] product,” Oliver Friedrichs, CEO of Immunet, wrote in an e-mail on Thursday. “After considering the implications, we have decided to not do this moving forward.”

The idea posed a problem because companies who want to use the results of multiple antivirus engines to protect their users typically are required to license the engines. Using the results of another antivirus engine’s scan on a user’s computer could have been seen as a copyright infringement of antivirus databases.

In some cases, however, the industry apparently looks the other way. Antivirus firms frequently exchange the threats that they have identified as a way to protect the general population against mass outbreaks, says Pedro Bustamante, senior research adviser with Panda Security. Moreover, many antivirus firms use computers that run rivals’ antivirus software to act as canaries and detect threats that the firms might have missed. Then the firm’s analysts take apart the file to see if it’s actually malicious.

“It’s the industry’s dirty little secret,” Bustamante says. “We are all doing the same thing in terms of using competitors’ products to add detections to our products. When one group sees a threat, other people will quickly add the detection.”

Doing so only makes sense.

In a research paper published by three University of Michigan researchers, 10 major antivirus programs were tested against a collection of malicious code. Even the best antivirus engine could only initially detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.

Where one engine fails, multiple engines can succeed, says Jon Oberheide, a PhD student at the University of Michigan and the lead author of the paper.

[Figure: Scanning potential malicious software with two or more engines improves accuracy dramatically. (Source: Oberheide et al.)]

“Combining the intelligence of multiple antivirus engines can result in significant gains in detection coverage of globally scoped malware,” he says.

In the paper, Oberheide and his colleagues found that any single engine detects 40 to 80 percent of viruses in the first week; using more than one antivirus engine to scan the same program increases the detection rate to between 75 and 95 percent in the first week. The University of Michigan researchers call the technique n-version protection.
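As an added illustration of n-version protection (not code from the article or from the Michigan paper), the script below computes how detection coverage grows as verdicts from more engines are combined, and what a k-of-n vote costs in coverage; the engine names and per-sample verdicts are constructed sample data.

```python
"""n-version detection: combine per-engine verdicts over a sample set.
Engine names and verdicts are constructed for illustration only."""
from itertools import combinations

# Constructed: which of ten malware samples each hypothetical engine flags
# on day one. No single engine sees everything, mirroring the article.
SAMPLES = [f"m{i}" for i in range(10)]
VERDICTS = {
    "engine_a": {"m0", "m1", "m2", "m3", "m4", "m5"},
    "engine_b": {"m2", "m3", "m4", "m6", "m7"},
    "engine_c": {"m0", "m5", "m6", "m8"},
    "engine_d": {"m1", "m4", "m7", "m9"},
}


def votes(verdicts, sample):
    """Number of engines that flag `sample`."""
    return sum(1 for flagged in verdicts.values() if sample in flagged)


def coverage(verdicts, samples, threshold=1):
    """Fraction of samples flagged by at least `threshold` engines.
    threshold=1 is plain n-version detection (any alert counts); a higher
    threshold trades coverage for fewer single-engine false positives."""
    hits = sum(1 for s in samples if votes(verdicts, s) >= threshold)
    return hits / len(samples)


def best_combination(verdicts, samples, n, threshold=1):
    """Best coverage achievable with any `n` of the engines (first wins ties)."""
    best = (0.0, ())
    for names in combinations(sorted(verdicts), n):
        subset = {name: verdicts[name] for name in names}
        cov = coverage(subset, samples, threshold)
        if cov > best[0]:
            best = (cov, names)
    return best


if __name__ == "__main__":
    for name, flagged in VERDICTS.items():
        print(f"{name} alone: {len(flagged) / len(SAMPLES):.0%}")
    for n in range(1, len(VERDICTS) + 1):
        cov, names = best_combination(VERDICTS, SAMPLES, n)
        print(f"best {n}-engine set {names}: {cov:.0%}")
    print(f"all four engines, 2-of-4 vote: {coverage(VERDICTS, SAMPLES, 2):.0%}")
```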

While the technique could help companies recognize threats faster, licensing three or four engines per user would be prohibitively expensive. So, for now, automated detection based on multiple antivirus scanners seems to be a dead end.
