How big are your chances to be infected?

[Andy Ful]

How big are your chances to be infected?

My idea is simple. First I will gather the data from 2 last years about the samples missed by popular AVs and compare this to the total number of samples. Next, I will calculate the chances to be infected in the next 10 years, assuming that the user can see his/her AV to block one Real-World (0-day) and three Malware Protection (non-0-day) malware a year.
The users who can see such malware more frequently (happy clickers) have to increase the chances proportionally.

In this post, I have in mind the most important infection vectors tested by popular AV labs (AV-Comparatives, AV-Test, SE Labs). I included the tests from the years 2019 and 2020 (until October) for the popular AVs (Home versions).
AV-Comparatives used to publish two kinds of reports: Real-World and Malware Protection. The first is related to web-based threats and the second to the threats originated from USB drives & network drives.
AV-Test combines Real-World and Malware Protection results into one report, but it is possible to separate the results (I will do it later in this post).
SE Labs used to publish only the results for Real-World type tests.

I have used the (Real-World-------Malware Protection) notation to separate the Real-World and Malware Protection data.

2019-2020 (October) missed samples all types of tests (sorted by the sum of missed samples)
(SE Labs, AV-Comparatives Real-World, Malware Protection, AV-Test)
1.Norton (Symantec)........... (08------04)
2.F-Secure............................ (16------26)
3.Kaspersky Lab.................. (18------29)
4.Microsoft.......................... (36------25)
5.Avira.................................. (42------26)
6.Avast................................. (37------59)
7.McAfee............................. (76------37)
8.TrendMicro...................... (11------257)

The horrible scoring for Trend Micro follows from AV-Comparatives Malware Protection tests from the year 2020:

Malware Protection Test September 2020

The Malware Protection Test September 2020 assesses program’s ability to protect a system against malicious files before, during or after execution.

www.av-comparatives.org

Malware Protection Test March 2020

The Malware Protection Test March 2020 assesses program’s ability to protect a system against malicious files before, during or after execution.

www.av-comparatives.org

The average number of missed samples in the Real-World scenario ~ 30 samples.
The total number of samples in Real-World scenario ~ 7340 samples
c1 ~ 10 * 30/7340 * 100% ~ 4%

The average number of missed samples in the Malware Protection scenario ~ 60 samples.
The total number of samples in Real-World scenario ~ 213000 samples
c2 ~ 10 * 3 * 60/213000 * 100% ~ 1%


So, the chance to be infected in the next 10 years is close to 5% (the chance is always smaller than c1+c2).
If one can see the AV alarms more frequently than one 0-day and three widespread malware a year, then the chances have to be increased proportionally.
The c1 chance of the 0-day (web-based malware) infection can be decreased to 1% (or less) when using the AV with aggressive reputation checking (like Norton) or using Edge web browser (SmartScreen+PUA protection enabled).

Edit1
The calculation details are included in the attachment: chances_to_be_infected.txt

Edit2
The above calculation method is suitable only for a sufficiently small number of years. The precise formula is slightly more complex:
c = {1 - { [ (1 - r)^a ]*[ (1 - R)^b ] }^n } * 100%
In our example: a=1, b=3, r=30/7340, R=60/213000, n=10, c= 4.82%

Edit3
This result could be refined by including the increasing number of new malware each year. But in fact, the number of new malware a year seems approximately constant. According to AV-Test, it is about 140 mln new malware a year.
Malware Statistics & Trends Report | AV-TEST (av-test.org)

Edit4.
Sorting the AVs by the sum of missed samples is not an especially good idea, because such a sum is like adding apples to oranges. The more appropriate sorting is presented there:
How big are your chances to be infected? | MalwareTips Community

 

[FireHammer]

Hey @Andy Ful where is Bitdefender, just asking.

 

[Andy Ful]

Hey @Andy Ful where is Bitdefender, just asking.

Absent in SE Lab tests.

 

[ForgottenSeer 89360]

All AVs I use alarm about 20-30 times each day.
What are my chances to get an infection in the next 10 years?

Very interesting work, tho it doesn’t take into account many variables and unknowns, I wouldn’t have thought about this formula.

 

[Andy Ful]

All AVs I use alarm about 20-30 times each day.
What are my chances to get an infection in the next 10 years?

Very interesting work, tho it doesn’t take into account many variables and unknowns, I wouldn’t have thought about this formula.

The formulas used by me are rough approximations.

 

[Minimalist]

Thanks for sharing. Good test to put things into perspective.
Although I don't remember when was last time I encountered real malware so for me IMO chances are really small.

 

[Andy Ful]

Thanks for sharing. Good test to put things into perspective.
Although I don't remember when was last time I encountered real malware so for me IMO chances are really small.

Eset was absent in AV-Test reports from the year 2019.

 

[Behold Eck]

Thanks for sharing. Good test to put things into perspective.
Although I don't remember when was last time I encountered real malware so for me IMO chances are really small.

My thoughts exactly

Bit of a bummer about K7`s fp score but as long as it does what it`s supposed to do and is light, I`m happy enough.

Regards Eck

 

[Andy Ful]

The chances of 5% for 10 years may look innocent. But, for 100 years the chances are about 40% (the exact formula must be used: c = {1 - { [ (1 - r)^a ]*[ (1 - R)^b ] }^n } * 100%). So still, 40% of home users would have a fair chance to be infected at least once in a life.
Of course, no one can predict anything sensible for a 100 year period on the base of current tendencies.

 

[ForgottenSeer 89360]

This is all with the assumptions that:

• Last 2 year trends will continue with no change, which by itself includes several assumtpions:
  • New threats count will remain the same​
  • Threat type will remain the same​
  • Detection technologies will remain the same​
  • Attack surface will remain the same
    
    ​
• Threat hunters look for and cover all infection vectors for these testing companies.​

 

[Thales]

Thank you @Andy Ful
I'm not afraid. My browsing habits are more than enough to avoid the most of them

 

[Andy Ful]

This is all with the assumptions that:

• Last 2 year trends will continue with no change, which by itself includes several assumtpions:
  • New threats count will remain the same​
  • Threat type will remain the same​
  • Detection technologies will remain the same​
  • Attack surface will remain the same
    ​
• Threat hunters look for and cover all infection vectors for these testing companies.​

We have to remember that AV vendors adjust their products to maintain or improve the protection. The criminals try to improve their attack techniques to get profit. There is a kind of balance between these two sides.
In my opinion, it is probable that:

1. New threats count will still increase as it could be seen for several years.
2. Threat type and attack surface will increase too.
3. Detection technologies and threat hunting will improve to keep balance in relation to points 1 and 2.
4. The probability of infection will not change substantially in the next few years.

I mean the above in the context of home users. I am not sure how this will change in the business environment. But, I cannot see the signs that could suggest the big changes there, too. Anyway, I even did not try to calculate the infection chances in businesses. This would be probably a lost cause.

 

[ForgottenSeer 89360]

We have to remember that AV vendors adjust their products to maintain or improve the protection. The criminals try to improve their attack techniques to get profit. There is a kind of balance between these two sides.
In my opinion, it is probable that:

1. New threats count will still increase as it could be seen for several years.
2. Threat type and attack surface will increase too.
3. Detection technologies and threat hunting will improve to keep balance in relation to points 1 and 2.
4. The probability of infection will not change substantially in the next few years.

I mean the above in the context of home users. I am not sure how this will change in the business environment. But, I cannot see the signs that could suggest the big changes there, too. Anyway, I even did not try to calculate the infection chances in businesses. This would be probably a lost cause.

Yes, it would be, because in business you normally have the human factor + EDR/XDR, Policies and many other tools. You don’t rely on automated identification and classification, as it is with the home products. So it would be impossible to predict.

But the threat actors seem to be getting more aggressive and sophisticated with every new toolkit they release.
New devices appear, gradually replacing Windows-based computers in more and more tasks, but they are open to new and unstudied attacks.

 

[Andy Ful]

....
But the threat actors seem to be getting more aggressive and sophisticated with every new toolkit they release.
New devices appear, gradually replacing Windows-based computers in more and more tasks, but they are open to new and unstudied attacks.

There is a lot of work to do by AV vendors, especially to protect the home networks from attacks performed via IoT devices (connected to the network). The Covid-19 pandemic will also change the way of using home computers for work and teaching. This will increase the attacks on home networks. We will see if the AV vendors will manage to keep the balance to neutralize the increase of infection rate.

 

[Dhruv2193]

Thank you @Andy Ful
I'm not afraid. My browsing habits are more than enough to avoid the most of them

Right. 99- 100% will be prevented by this(safe downloads included) and scanning external devices even with an on demand scanner and deploying a good browser security extension.

 

[ZeePriest]

Thank you @Andy Ful
I'm not afraid. My browsing habits are more than enough to avoid the most of them

Same here

 

[BoraMurdar]

If you get infected, the chance is 100%

 

[Andy Ful]

If you get infected, the chance is 100%

Ha, ha.
But in fact, the chances to be infected in the next 10 years will be smaller than 5%. The user will be even more cautious. Some users may start reading MT.

 

[ForgottenSeer 89360]

Ha, ha.
But in fact, the chances to be infected in the next 10 years will be smaller than 5%. The user will be even more cautious. Some users may start reading MT.

Of course they will start reading MT... so much quality input here!

 

[Andy Ful]

@McMcbrad has focused my attention on the potential problem of increasing the new malware samples. If so, then this effect should be also included in the formula (it is not for this moment).

Although this will not probably cause a change in the infection rate, but it can increase the average number of AV alerts (about 10% of total malware in the year 2020). So instead of 10, we should use (1.1+1,2+1.3+...2.0) = 15.5
The chance will grow proportionally by 1.55:
4.82% * 1.55 ~ 7.5%

Edit.
The exact formula:
c = {1 - { [ (1 - r)^(a*1.55) ]*[ (1 - R)^(b*1.55) ] }^n } * 100% ~ 7.4%
a=1, b=3, r=30/7340, R=60/213000, n=10

Edit.
I had to update/edit this post. The table does not show the increase of new malware a year as @Minimalist noticed in his posts. The number of new malware a year is about 140 mln (2013-2020) and it is approximately constant. So, the correction in the formula is not required.