How Do You Find 200,000 Unique Samples a Day?

I recently received a couple of questions about signatures from a reader.

1- You said that ESET receives around 200000 unique malware samples daily, so does ESET detect most of them, or only the malware whose signatures are listed here: http://www.eset.com/threat-center/threatsense-updates ?

2- Nowadays, why are signatures written? Are they written to detect malware initially, or to cover the gap that heuristics can’t cover? Or is the main task of detection done by heuristics, with signatures considered a supplement to that?

Let’s start with question 1. Against brand new, unique threats, regular signatures are useless. There are a variety of heuristic approaches, and one that is particularly effective is called generic detection. With generic detection we can identify new threats that are based upon existing threats. With a traditional signature, a very slight modification to a virus or Trojan will break detection; with a generic signature, detection is not affected by minor changes. Some threats are detected with our passive heuristics: the scanner looks at the file and determines that, if the file were allowed to execute, it would do something bad. Many other threats are detected with our active heuristics: we build a virtual computer inside the scanning engine and actually run the sample, which lets us observe what the program really does. The signatures you see in the ThreatSense updates are only some of the malware we detect.

Now on to question 2. There are a variety of reasons for traditional signatures. In some cases we must update the heuristics to detect new threats, and traditional signatures can be a quick way to do that. A bigger reason for traditional signatures is performance. Heuristic analysis takes far more CPU cycles than matching traditional signatures, so by using traditional signatures we keep the performance of the product high. Sometimes, for very high-profile threats, a signature is needed because a manager wants his IT person to show him that the threat is detected and, not being technical, believes that a named detection is required.
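To make the three layers above concrete (an exact signature that breaks on any change, a generic signature that tolerates minor edits, and a passive heuristic that scores a file without any signature at all), here is a small layered scanner. It is an added illustration, not ESET code or any real engine; the samples are constructed toy byte strings, the detection names and indicator weights are made up, and the `work` counter simply counts hash, pattern and indicator operations to show why the cheap layers run first.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample "files" (toy byte strings, NOT real malware) ---
HEADER = b"MZ\x90\x00"                      # stand-in for an executable header
PROLOGUE = b"\x55\x8b\xec\x83\xec"          # push ebp / mov ebp,esp / sub esp,<imm8>
INJECT_APIS = b"CreateRemoteThread\x00WriteProcessMemory\x00"

ORIGINAL = HEADER + PROLOGUE + b"\x10" + INJECT_APIS + b"payload-v1"   # sample the signatures were written for
VARIANT = HEADER + PROLOGUE + b"\x20" + INJECT_APIS + b"payload-v2"    # minor edit: frame size and a string
NOVEL = HEADER + b"\x31\xc0" + b"URLDownloadToFileA\x00WinExec\x00xyz"  # unrelated, never seen before
BENIGN = HEADER + PROLOGUE + b"\x08" + b"GetVersion\x00MessageBoxA\x00hello"

# Layer 1: traditional signature, a hash of the whole file.
# Cheapest possible check; any single-byte change breaks it.
EXACT_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Win32/Example.A"}

# Layer 2: generic signature, a byte pattern with a wildcard ('.') at the
# position where variants of this family are known to differ.
GENERIC_SIGNATURES = [
    (re.compile(rb"\x55\x8b\xec\x83\xec.CreateRemoteThread\x00WriteProcessMemory", re.DOTALL),
     "Win32/Example.gen"),
]

# Layer 3: passive heuristic, weighted static indicators (hypothetical weights).
# Costs one search per indicator for every file that reaches this layer.
SUSPICIOUS_INDICATORS = {
    b"CreateRemoteThread": 3,
    b"WriteProcessMemory": 3,
    b"URLDownloadToFileA": 3,
    b"WinExec": 2,
    b"IsDebuggerPresent": 1,
}
HEURISTIC_THRESHOLD = 4


@dataclass
class Verdict:
    name: Optional[str]   # detection name, or None if clean
    layer: str            # which layer decided: exact / generic / heuristic / clean
    work: int             # hash + pattern + indicator operations spent before deciding


def scan(sample: bytes) -> Verdict:
    """Run the cheap layers first and fall through to the expensive one only when needed."""
    work = 1
    name = EXACT_SIGNATURES.get(hashlib.sha256(sample).hexdigest())
    if name:
        return Verdict(name, "exact", work)

    for pattern, name in GENERIC_SIGNATURES:
        work += 1
        if pattern.search(sample):
            return Verdict(name, "generic", work)

    score = 0
    for indicator, weight in SUSPICIOUS_INDICATORS.items():
        work += 1
        if indicator in sample:
            score += weight
    if score >= HEURISTIC_THRESHOLD:
        return Verdict("Win32/Heur.Suspicious", "heuristic", work)
    return Verdict(None, "clean", work)


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT),
                          ("novel", NOVEL), ("benign", BENIGN)]:
        print(f"{label:8s} -> {scan(sample)}")
```

Running it shows the behaviour the post describes: the original file is caught by the hash in one operation, the lightly modified variant misses the hash but still matches the generic pattern, the unrelated sample is only caught by the heuristic (after every cheaper check has been paid for), and the benign file costs the most of all because it has to be cleared by every layer.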

In reality, the number of signatures a product has is not a good measure of its effectiveness. If one product has 10 million signatures and detects 10 million threats, and another product has 6 million signatures but detects 15 million threats, which product is better?

Traditional signatures and heuristics are complementary technologies. Both are used to increase the effectiveness of virtually every antivirus product today.

Randy Abrams
Director of Technical Education
ESET LLC


  • Gigi

    However, even the best heuristic detection could be tricked. I’ve seen that with the Palevo and Buzus IM viruses.

    • Randy Abrams

      Correct. There is no silver bullet. Virtually anything that can be done with software can be undone. Security software is no substitute for education and good practices.

  • Yegor

    Randy, are these files malicious: 815CDE7E9DCA26F3D068E0A6F84E16AE, 9B6F382C747DB6612CB7DC6C2A9E269A, 65A85CE93CB719E26B9780280A4286C8, 8161DFEB605C37E0645B7BB107A7C3C2, 1BEA2A16A9398DC88CA051D471DC8A4D, 34952B1F80473ACF029EB78176B64807, 266219FA3CDB41F7F4EAA25DD4665AF6, 223B3018E1517BCED4DB020E2E8E80CB, EBC3A7547361B5C1CB255F9A3651CF74, 4507B8072AB8441E04C6570F61FC15C9? If yes, why signatures not added?

  • palaniyappan

    With all these limitations, do you justify selling an AV product for $69.99?

  • Randy Abrams

    palaniyappan
    There are no solutions that guarantee complete security. ESET products help reduce risk. It takes considerable time, effort, and skill to accomplish this and people need to be paid for their efforts.

  • Randy Abrams

    Yegor,

    I haven't looked up the hashes you provided. There are no vendors that detect everything or can even add detection as fast as the samples come in. Detection is prioritized based upon a variety of factors, including prevalence and damage potential. All AV vendors face the same problem… a backlog of malicious files to add detection for. All AV vendors have different ways of prioritizing what gets detected next.

Copyright © 2014 ESET, All Rights Reserved.