How big are your chances to be infected?

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
How big are your chances to be infected?

My idea is simple. First I will gather the data from 2 last years about the samples missed by popular AVs and compare this to the total number of samples. Next, I will calculate the chances to be infected in the next 10 years, assuming that the user can see his/her AV to block one Real-World (0-day) and three Malware Protection (non-0-day) malware a year.
The users who can see such malware more frequently (happy clickers) have to increase the chances proportionally.

In this post, I have in mind the most important infection vectors tested by popular AV labs (AV-Comparatives, AV-Test, SE Labs). I included the tests from the years 2019 and 2020 (until October) for the popular AVs (Home versions).
AV-Comparatives used to publish two kinds of reports: Real-World and Malware Protection. The first is related to web-based threats and the second to the threats originated from USB drives & network drives.
AV-Test combines Real-World and Malware Protection results into one report, but it is possible to separate the results (I will do it later in this post).
SE Labs used to publish only the results for Real-World type tests.

I have used the (Real-World-------Malware Protection) notation to separate the Real-World and Malware Protection data.

2019-2020 (October) missed samples all types of tests (sorted by the sum of missed samples)
(SE Labs, AV-Comparatives Real-World, Malware Protection, AV-Test)
1.Norton (Symantec)........... (08------04)
2.F-Secure............................ (16------26)
3.Kaspersky Lab.................. (18------29)
4.Microsoft.......................... (36------25)
5.Avira.................................. (42------26)
6.Avast................................. (37------59)
7.McAfee............................. (76------37)
8.TrendMicro...................... (11------257)

The horrible scoring for Trend Micro follows from AV-Comparatives Malware Protection tests from the year 2020:

The average number of missed samples in the Real-World scenario ~ 30 samples.
The total number of samples in Real-World scenario ~ 7340 samples
c1 ~ 10 * 30/7340 * 100% ~ 4%

The average number of missed samples in the Malware Protection scenario ~ 60 samples.
The total number of samples in Real-World scenario ~ 213000 samples
c2 ~ 10 * 3 * 60/213000 * 100% ~ 1%


So, the chance to be infected in the next 10 years is close to 5% (the chance is always smaller than c1+c2).
If one can see the AV alarms more frequently than one 0-day and three widespread malware a year, then the chances have to be increased proportionally.
The c1 chance of the 0-day (web-based malware) infection can be decreased to 1% (or less) when using the AV with aggressive reputation checking (like Norton) or using Edge web browser (SmartScreen+PUA protection enabled).

Edit1
The calculation details are included in the attachment: chances_to_be_infected.txt

Edit2
The above calculation method is suitable only for a sufficiently small number of years. The precise formula is slightly more complex:
c = {1 - { [ (1 - r)^a ]*[ (1 - R)^b ] }^n } * 100%
In our example: a=1, b=3, r=30/7340, R=60/213000, n=10, c= 4.82%

Edit3

This result could be refined by including the increasing number of new malware each year. But in fact, the number of new malware a year seems approximately constant. According to AV-Test, it is about 140 mln new malware a year.
Malware Statistics & Trends Report | AV-TEST (av-test.org)

Edit4.
Sorting the AVs by the sum of missed samples is not an especially good idea, because such a sum is like adding apples to oranges. The more appropriate sorting is presented there:
How big are your chances to be infected? | MalwareTips Community
 

Attachments

  • chances_to_be_infected.txt
    7.2 KB · Views: 95
Last edited:
F

ForgottenSeer 89360

All AVs I use alarm about 20-30 times each day. 🤔
What are my chances to get an infection in the next 10 years? 😅

Very interesting work, tho it doesn’t take into account many variables and unknowns, I wouldn’t have thought about this formula. 👍🏻👍🏻
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
All AVs I use alarm about 20-30 times each day. 🤔
What are my chances to get an infection in the next 10 years? 😅

Very interesting work, tho it doesn’t take into account many variables and unknowns, I wouldn’t have thought about this formula. 👍🏻👍🏻
The formulas used by me are rough approximations.
 

Behold Eck

Level 15
Verified
Top Poster
Well-known
Jun 22, 2014
717
Thanks for sharing. Good test to put things into perspective.
Although I don't remember when was last time I encountered real malware so for me IMO chances are really small.
My thoughts exactly(y)

Bit of a bummer about K7`s fp score:rolleyes: but as long as it does what it`s supposed to do and is light, I`m happy enough.

Regards Eck:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The chances of 5% for 10 years may look innocent. But, for 100 years the chances are about 40% (the exact formula must be used: c = {1 - { [ (1 - r)^a ]*[ (1 - R)^b ] }^n } * 100%). So still, 40% of home users would have a fair chance to be infected at least once in a life.
Of course, no one can predict anything sensible for a 100 year period on the base of current tendencies.:)
 
F

ForgottenSeer 89360

This is all with the assumptions that:
  • Last 2 year trends will continue with no change, which by itself includes several assumtpions:
    • New threats count will remain the same​
    • Threat type will remain the same​
    • Detection technologies will remain the same​
    • Attack surface will remain the same

  • Threat hunters look for and cover all infection vectors for these testing companies.​
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
This is all with the assumptions that:
  • Last 2 year trends will continue with no change, which by itself includes several assumtpions:
    • New threats count will remain the same​
    • Threat type will remain the same​
    • Detection technologies will remain the same​
    • Attack surface will remain the same
  • Threat hunters look for and cover all infection vectors for these testing companies.​
We have to remember that AV vendors adjust their products to maintain or improve the protection. The criminals try to improve their attack techniques to get profit. There is a kind of balance between these two sides.
In my opinion, it is probable that:
  1. New threats count will still increase as it could be seen for several years.
  2. Threat type and attack surface will increase too.
  3. Detection technologies and threat hunting will improve to keep balance in relation to points 1 and 2.
  4. The probability of infection will not change substantially in the next few years.
I mean the above in the context of home users. I am not sure how this will change in the business environment. But, I cannot see the signs that could suggest the big changes there, too. Anyway, I even did not try to calculate the infection chances in businesses. This would be probably a lost cause. :)
 
F

ForgottenSeer 89360

We have to remember that AV vendors adjust their products to maintain or improve the protection. The criminals try to improve their attack techniques to get profit. There is a kind of balance between these two sides.
In my opinion, it is probable that:
  1. New threats count will still increase as it could be seen for several years.
  2. Threat type and attack surface will increase too.
  3. Detection technologies and threat hunting will improve to keep balance in relation to points 1 and 2.
  4. The probability of infection will not change substantially in the next few years.
I mean the above in the context of home users. I am not sure how this will change in the business environment. But, I cannot see the signs that could suggest the big changes there, too. Anyway, I even did not try to calculate the infection chances in businesses. This would be probably a lost cause. :)
Yes, it would be, because in business you normally have the human factor + EDR/XDR, Policies and many other tools. You don’t rely on automated identification and classification, as it is with the home products. So it would be impossible to predict.

But the threat actors seem to be getting more aggressive and sophisticated with every new toolkit they release.
New devices appear, gradually replacing Windows-based computers in more and more tasks, but they are open to new and unstudied attacks.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
....
But the threat actors seem to be getting more aggressive and sophisticated with every new toolkit they release.
New devices appear, gradually replacing Windows-based computers in more and more tasks, but they are open to new and unstudied attacks.
There is a lot of work to do by AV vendors, especially to protect the home networks from attacks performed via IoT devices (connected to the network). The Covid-19 pandemic will also change the way of using home computers for work and teaching. This will increase the attacks on home networks. We will see if the AV vendors will manage to keep the balance to neutralize the increase of infection rate.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@McMcbrad has focused my attention on the potential problem of increasing the new malware samples. If so, then this effect should be also included in the formula (it is not for this moment).


1606761944982.png


Although this will not probably cause a change in the infection rate, but it can increase the average number of AV alerts (about 10% of total malware in the year 2020). So instead of 10, we should use (1.1+1,2+1.3+...2.0) = 15.5
The chance will grow proportionally by 1.55:
4.82% * 1.55 ~ 7.5%

Edit.
The exact formula:
c = {1 - { [ (1 - r)^(a*1.55) ]*[ (1 - R)^(b*1.55) ] }^n } * 100% ~ 7.4%
a=1, b=3, r=30/7340, R=60/213000, n=10


Edit.
I had to update/edit this post. The table does not show the increase of new malware a year as @Minimalist noticed in his posts. The number of new malware a year is about 140 mln (2013-2020) and it is approximately constant. So, the correction in the formula is not required.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top