Malicious Software Detection Becomes More Evasive

Recent results of Virus Bulletin’s state of the art Reactive and Proactive (RAP) tests show that computer malware is becoming increasingly hard to detect. Modern malware mutates rapidly, and employs a wide variety of attack methods. More importantly, huge numbers of new malware are introduced every day.

Heuristic methods have been the primary mode of detecting new and mutated forms of malware. The trend observed now is that such methods are getting less effective in detecting new threats, although there were a few products that achieved 80% detection.

The RAP test for effective malware detection hopes to create more effective threat protection by employing more demanding and thorough analysis of products that are designed to guard our computers from harmful software. They measure how security products react to two types of threats. One test measures how the products react to latest malware. This test is called the proactive test because it is assumed that the products do not have copies of the threat signature in their databases. The product is supposed to rely on heuristics or rules of thumb in order to protect our computers.

The test for the other type of threat measures the product’s ability to provide protection from older (3-week old) malware. It has been assumed that the threat signature is already known therefore, the reactive test measures how fast the product is able to incorporate the signatures into their threat databases. Some anti-malware products reached a high score of 90 percent detection when tested for reactive protection.

Obviously, all the products need to improve their heuristic methods because new forms of malware are created everyday and the older ones are either modified by others or undergo mutation.  It is certain that extremely malevolent threats will arise. Reactive protection won’t be good enough for this type of threat.