Is antivirus getting worse?

Do you think AV software is getting better or worse at detecting new and known threats

  • Getting better

    Votes: 16 64.0%
  • Getting worse

    Votes: 4 16.0%
  • About the same

    Votes: 5 20.0%

  • Total voters


Community Manager
Staff member
Oct 23, 2012
A very interesting article on whether anti-virus software is getting worse in detection of both new and known threats.
What do you think?

Is anti-virus software getting worse at detecting both known and new threats?

Earlier this week, Stu Sjouwerman, CEO of security awareness training company KnowBe4, looked at the data published by the Virus Bulletin, a site that tracks anti-virus detection rates. And the numbers didn't look good.

Average detection rates for known malware went down a couple of percentage points slightly from 2015 to 2016, he said, while detection rates for zero-days dropped in a big way - from an average of 80 percent down to 70 percent or lower.

"If the industry as a whole is dropping 10 to 15 points in proactive protection, that's really bad," he said. "Anti-virus isn't exactly deal, but it sure smells funny."

According to Sjouwerman, the Virus Bulletin is the industry's premier testing site. The tests are comprehensive, and consistent from year to year, so that a historical comparison is valid.

■ RELATED: 14 tips to secure cloud applications
Several major vendors aren't included in these statistics, he said, because they declined to participate -- and implied that there might be a reason for that.

What's happening is that current anti-virus vendors aren't able to keep up with the attackers, he said, who can generate new malware on the fly.

"The bad guys have completely automated this process," he said. "It's now industrial strength, millions of new variants daily, in an attempt to overwhelm the existing anti-virus engines -- and guess what, the bad guys are winning."

He's not alone in pointing out the problems that anti-virus has been having lately, and other agree with the main thrust of his analysis.

INSIDER: Traditional anti-virus is dead: Long live the new and improved AV
"The report does sound pretty much in sync with what my feeling is, and what the industry is talking about," said Amol Sarwate, director of vulnerability labs at Qualys. "It's not an easy problem to solve. If they make antivirus too aggressive, it causes too many false positives. I think the hope for the future is a combination of multiple technologies. Anti-virus by itself cannot cut it any more."


It's bad, and it will continue to get worse, said Justin Fier, director of cyber intelligence and analysis at Darktrace.

"I would never tell a customer not to invest in it," he said. "But in regards to whether anti-virus is working any more -- I don't think so."

At its core, security reacts to events.

"It's hard to predict what the next big wave of malware or the next big attack platform is going to be and protect against it," he said.

Ransomware in particular is causing problems, said KnowBe4's Sjouwerman, because the malware is so profitable that the cybercriminals are putting more and more resources into development.

Criminals earned $1 billion from their ransomware last year, showing that it's consistently getting through defenses.

But there are some new, early-stage products that specifically target ransomware, he added.

■ RELATED: Antivirus doesn’t work. So why are you still using it?
"Some of them work, some of them don't -- this is still very early days," he said. "Sophos has acquired one of those companies and now have an additional module that specifically protects against ransomware, and that actually works fine, so Sophos is actually scoring well but they're one of the few that do."

Sophos, which offers both network and endpoint security products, is not included in the Virus Bulletin, but received a 100 percent score for blocking zero-day attacks in the latest antivirus reports.

"One of our major advantages is that we don't rely on any one technology," explained Dan Schiappa, senior vice president and general manager of end user and network security groups at Sophos. "We have a little mini analytics engine, and when it's scanning a file or looking at a behavior, it can call on a bunch of different pieces of technology to determine if it's malware."

The new Intercept X product, which is designed specifically for zero-day threats, looks at how malware attacks systems.

"There are only about 24 different ways that you can exploit a vulnerability," he said. "We might get a couple of new techniques a year, and as long as we keep up with those techniques, we're in pretty good shape. For example, one new technique is to get into the pre-boot environment, and we're building protections against that."

Some vendors dispute whether the results of this one set of tests is conclusive.

"Test scores tend to fluctuate as attackers create new techniques and defenders continue to innovate," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Trend Micro was not included in the Virus Bulletin report.

"I can't speak to why we did not participate in this specific round of testing, we do have a lot of respect for Virus Bulletin," said Nunnikhoven.

Instead, he pointed out to his company's performance with AV Test. There, Trend Micro scored at 100 percent in 11 out of the last 14 zero-day detection tests for Windows 7 and Windows 10, and 99 percent on the other three tests.

In fact, average scores on the AV Test of zero-day detection have been going up, from under 97 percent in early 2015 to over 99.7 percent during the last Windows 10 testing round.

Another problem with some tests is how they measure successful detection, said David Dufour, senior director of engineering at Webroot.

Signature-based antivirus can spot malware early, but behavior-based systems have to wait for the malware to actually try to do something.

"Many testing methodologies still rely on older techniques measuring the number of threats that land on a machine," he said, "Rather than taking the time to understand that zero day and unknown malware will take time to identify."

Webroot was absent from both the Virus Bulletin and the AV Test reports.


"Criminals earned $1 billion from their ransomware last year, showing that it's consistently getting through defenses."

Right, so if some schlub out there not running an AV or patching his OS and Applications gets hit with ransomware and pays up that means Kaspersky, Bitdefender, Norton, Comodo, Avast etc are all failing!

Seems like half the people in this article have their head in the sand and are refusing to recognize the cutting edge protection many traditional AV companies are now employing.


Seems like half the people in this article have their head in the sand and are refusing to recognize the cutting edge protection many traditional AV companies are now employing.

Polls over the years have consistently shown that more than 50 % of all computer users have little to no IT security focus.

The security focused users here at MT represent less than 0.10 % of all computer users.

So, it doesn't matter to more than 50 % of computer users how good security softs are nowadays, because those people could care less.

Another thing that people fail to realize is that a lot of users expect that their antivirus\internet security suite softs will be 100 % effective, 100 % of the time.

Sorry, it don't work that way. I don't care how much resources, technological innovation, and effort is put into behavioral, virtualization or whatever security software - they will all fail to protect the system at some point.
Last edited by a moderator:


Level 27
Content Creator
Dec 29, 2014
It's just my belief that security software is becoming a high degree better in the broad scope (large number of very actively improving security options), while it's also becoming more complex to configure. Malware is getting better too is also an impression I have. Thanks for the poll. I think it's a very good question.


Level 12
Aug 31, 2016
This report helps validate my decision to install Sophos Intercept X on all our endpoints at work.
My choice was made as soon as I found out Sophos had acquired Surfright and had integrated Hitman Pro.Alert technology into their software.


Level 85
Mar 15, 2011
I think that percentage of majority AV's are not worst but rather stuck on that neutral percentage.

Relying too much on traditional approach is something you kill little but multiply fast on production of threats.

Although you cannot really blame where AV's are the sole solution besides on standalone components that requires knowledge to determine the suspicious activity.

Zero Knowledge

Level 7
Dec 2, 2016
Old signature based technologies are dead. There is just too much malware in the wild these days.

But anti-executable, anti-exploit, artificial intelligence and machine learning are very much alive.

However there are just too many players in the AV/Malware industry. Look for a lot of mergers and buy out's in the next 5 years.
  • Like
Reactions: Der.Reisende