I just noticed a blog on "Security vendor’s “top-threat” list proof for their less-than-perfect performance?" at http://hype-free.blogspot.com/2010/01/security-vendors-top-threat-list-proof.html. The essential point seems to be that periodic virus detection statistics (like our monthly ThreatSense reports) are likely to be based in part on infections spotted on a protected machine when a signature/update is released that wasn't available when the infective code was first run on that machine. He states further:

 I find the idea that marketing material put “out there” can backfire amusing :-).

He's right, of course, that a subset of reports will be malware detected after infection (and I'm not in a position to estimate the size of that subset, even for ESET: source information is not usually fine-grained enough to distinguish between pre- and post-infection context).

However, I wouldn't regard it as a backfire when a product detects something post-infection on the protected system. Yes, it's a failure of a product's proactive capability, but such failures are to be expected on the slippery continuum between false negatives and false positives. It doesn't make the statistics less (or more) valid.

It's only funny if you think of such reports purely as marketing collateral. Personally, I think such statistics are of limited value (especially to those who don't really know the field well enough to interpret them properly, largely because of the naming issues that seem to keep cropping up in my blogs lately). If properly done, though, they do give people a better perception of what the current trends in malware are, and thus a better idea of how they can protect themselves. Besides, there's a difference between marketing and giving people something they keep asking for. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence