empleat

New Member
Hello,
I was wondering why there are not many multi-engine antivirus solutions. Better multiple than one, right? I haven't seen many antivirus programs like that. The thing with one antivirus engine is that it is hard to decide whether to trust a file. With multiple engines, if a file is detected by 1 out of 12, then it is probably a false positive.
 

RoboMan

Level 30
Verified
Content Creator
Malware Tester
Hi @empleat! I believe you're looking at this from the "wrong direction". To start with, static detection "malware engines" are a bit obsolete. They're... let's say the first line of defense, but certainly the least powerful. So one engine is most probably always enough, since it's a companion for behaviour blockers, anti-ransomware modules, HIPS, etc.

As well, it's not as simple as "multi-engine antivirus". Those engines carry millions of signatures, which need to be stored somewhere.

Now, which is the most common location to store these so they can be accessed quickly and easily? That's right, RAM. Not a good idea. Otherwise you'd be internet-dependent.

As mentioned, more engines != better protection. Focus on a suite that gives you a decent engine and mixes it with great modules like BB and Application Control. :)

Some examples:
  • ESET: great signatures, fast to add them, good HIPS and firewall
  • Kaspersky: solid behaviour blocker, Application Control, Ransomware rollback, great signatures
  • BitDefender: one of the best signatures out there, ransomware remediation, great behaviour blocker
If you believe your signatures are not enough, you can always download second opinion scanners (on demand)! As well, you could upload the suspicious files to VirusTotal.
 

silversurfer

Level 61
Verified
Trusted
Content Creator
Malware Hunter
Some examples:
  • ESET: great signatures, fast to add them, good HIPS and firewall
  • Kaspersky: solid behaviour blocker, Application Control, Ransomware rollback, great signatures
  • BitDefender: one of the best signatures out there, ransomware remediation, great behaviour blocker
Agreed about signatures being less important nowadays, but what you said about Bitdefender signatures is wrong for sure.
You know it better when you check samples every day at VT:
BD signatures are delayed compared to ESET and Kaspersky, but samples are probably detected earlier by BD-Cloud.
 

MacDefender

Level 11
Verified
Disadvantages of multi-engine scanning include:
  • Increased scanning times. If you have two engines it takes twice as long to scan. If you have 10 engines it's 10x slower.
  • Increased resource usage -- BD sigs can be hundreds of megabytes, and for fast performance they're loaded almost entirely into RAM too. And these have to be updated sometimes hourly.
  • Unclear strategy for conflicting answers. What happens if only 1 or 2 engines out of all of them detect something? Could those be really good at zero-day threats while the other engines snooze, or could they be false positives? How do you pick an alerting strategy for what the overall disposition is when engines give you conflicting answers? As a human, you might be able to make an educated decision looking over 70 results from VirusTotal and deciding what the overall status of your file is. Perhaps AI can help here, but that's an unexplored avenue.
  • High licensing costs -- how expensive is the product going to be if you have to license multiple flagship engines?
  • Unclear cloud story -- almost every flagship engine has a cloud component where you send a fingerprint of the file and the cloud tells you if it's good or bad. Even in the best case if you can license a dozen such engines, you've just dramatically increased the amount of network traffic and network dependent lag for each executable.
  • Doesn't address behavior blockers -- other than ESET, almost every other product relies at least as much on their behavior blocker as they do on signatures. It's almost impossible to get multiple behavior blockers to coexist on the same machine because of the way they inject into and monitor binaries. Plus behavior blockers have some of the biggest performance impacts, since they put an intercepting layer on basically every Windows API a process can call.
Overall, the winning strategy for multiple engines has been to thoughtfully layer them together. For example, F-Secure uses 4 or so engines each with a specific purpose (one signature engine, one script-based engine, one pure heuristics engine, one certificate white/blacklisting engine). That way they rarely overlap and give you disagreeing results over the same file. Emsisoft uses two signature scanning engines, BitDefender and their own in-house engine which was meant to concentrate more on PUPs but lately I find that they seem to use their engine to cover holes in BitDefender's coverage too.

Even products like Norton, though they don't advertise multiple engines, really do have multiple internal engines. They have a few different machine learning models that give you generic "AdvML" detections based off how they're trained.


So yes, multi-engine/multi-approach is something that a lot of AV software uses. If you basically create a "VirusTotalAV" where you throw each file at every scanner, it's questionable whether you will end up with a better product. There's a bunch of cost and performance tradeoffs you'd make, and a very difficult decision-making process to build on top of that.
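The "unclear strategy for conflicting answers" point above is the part a product team would actually have to write down as a policy. Below is an added example (not code from any vendor, VirusTotal, or anyone in this thread) of one such policy: engines that gave no answer (timeout, error, or a withheld cloud verdict) drop out of the denominator, a minimum number of answers is required before any confident verdict, the share of flagging engines is weighted by a per-engine trust factor, and a lone detection lands in a "suspicious" bucket for review instead of being either ignored or auto-blocked. The engine names, weights, thresholds and scan results are all constructed for illustration.

```python
"""Toy verdict aggregation across several scan engines.

Added example for this thread; not code from any vendor or from VirusTotal.
Engine names, weights, thresholds and results are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Verdict:
    label: str        # "malicious", "suspicious", "clean" or "inconclusive"
    score: float      # weighted share of answering engines that flagged the file
    detections: int   # number of engines that flagged the file
    answered: int     # number of engines that returned any answer


def aggregate(results: Dict[str, Optional[bool]],
              weights: Optional[Dict[str, float]] = None,
              *, min_answers: int = 3, high: float = 0.55) -> Verdict:
    """Combine per-engine results into one disposition.

    results maps engine name -> True (flagged), False (clean) or None
    (no answer: the engine timed out, errored, or withholds its cloud verdict).
    weights maps engine name -> trust weight; unlisted engines count as 1.0.
    Policy (constructed, not any product's real logic):
      * engines with no answer are left out of the denominator entirely;
      * fewer than min_answers answers -> "inconclusive" (do not auto-act);
      * weighted share of flagging engines >= high -> "malicious";
      * any detection below that -> "suspicious" (route to a human or sandbox),
        so a lone hit is neither discarded nor treated as confirmed;
      * no detections at all -> "clean".
    """
    weights = weights or {}
    total = flagged = 0.0
    detections = answered = 0
    for engine, result in results.items():
        if result is None:
            continue                      # unavailable engine: ignored, not "clean"
        w = weights.get(engine, 1.0)
        answered += 1
        total += w
        if result:
            detections += 1
            flagged += w
    if answered < min_answers:
        return Verdict("inconclusive", 0.0, detections, answered)
    score = flagged / total
    if score >= high:
        label = "malicious"
    elif detections > 0:
        label = "suspicious"
    else:
        label = "clean"
    return Verdict(label, score, detections, answered)


ENGINES = [f"engine{i:02d}" for i in range(1, 13)]   # twelve constructed engines


def scan_results(flagging, unavailable=()):
    """Build a results dict: flagged engines True, unavailable None, the rest False."""
    return {e: (None if e in unavailable else e in flagging) for e in ENGINES}


# Constructed scenarios
LONE_HIT = scan_results({"engine07"})                               # 1 of 12 flags
BROAD_HIT = scan_results(set(ENGINES[:9]))                          # 9 of 12 flag
NO_HIT = scan_results(set())                                        # nobody flags
MOSTLY_OFF = scan_results({"engine01"}, unavailable=set(ENGINES[2:]))  # only 2 answered
SPLIT_HIT = scan_results(set(ENGINES[:6]))                          # exactly half flag
# Trust weight for an engine with a strong precision track record (constructed)
TRUSTED = {"engine01": 4.0}

if __name__ == "__main__":
    for name, r in [("lone", LONE_HIT), ("broad", BROAD_HIT),
                    ("none", NO_HIT), ("mostly_off", MOSTLY_OFF)]:
        print(f"{name:11} {aggregate(r)}")
    print(f"{'split':11} {aggregate(SPLIT_HIT)}")
    print(f"{'split+trust':11} {aggregate(SPLIT_HIT, TRUSTED)}")
```

The split scenario is the instructive one: six plain engines out of twelve give a 0.5 share and stay "suspicious", while the same six hits with one of them carrying a trust weight of 4 cross the threshold (9/15 = 0.6) and become "malicious". Whether that is the right answer depends entirely on how well the weights track each engine's real precision, which is exactly the calibration problem the post describes.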
 

geminis3

Level 13
Verified
Malware Tester
Too much computing resource and development cost overhead; I guess maintaining several third-party engines and ensuring interoperability in a single product is a PITA for the dev team. Maybe a cloud detection system powered by threat intelligence from multiple vendors, paired with a local in-house engine, would be more doable from a cost-effectiveness standpoint.
 

Spawn

Administrator
Verified
Staff member
It's highly ineffective.

Layered security is superior, where all parts of the OS are protected by different technologies.

Everything should be taken in moderation, including sugar intake.
 

I3rYcE

Level 11
Verified
Hello,
I was wondering why there are not many multi-engine antivirus solutions. Better multiple than one, right? I haven't seen many antivirus programs like that. The thing with one antivirus engine is that it is hard to decide whether to trust a file. With multiple engines, if a file is detected by 1 out of 12, then it is probably a false positive.
Static detection methods are the past. In the future, companies will focus on increasing proactive detection techniques.
 

fabiobr

Level 9
Verified
Agreed about signatures being less important nowadays, but what you said about Bitdefender signatures is wrong for sure.
You know it better when you check samples every day at VT:
BD signatures are delayed compared to ESET and Kaspersky, but samples are probably detected earlier by BD-Cloud.
As far as I know there's no Bitdefender cloud on VT, only Bitdefender signatures and Theta (Machine Learning); of course there's no Advanced Threat Defense either.
 

MacDefender

Level 11
Verified
As far as I know there's no Bitdefender cloud on VT, only Bitdefender signatures and Theta (Machine Learning); of course there's no Advanced Threat Defense either.
But FWIW many others withhold their cloud tech from VT too — Avira and F-Secure often detect samples while VT claims they don’t. I’ve seen this with Kaspersky too. Multiple vendors hold their cards close to their chest when it comes to VT, so it’s not a great indication of who responded first.
 

SeriousHoax

Level 28
Verified
Malware Tester
But FWIW many others withhold their cloud tech from VT too — Avira and F-Secure often detect samples while VT claims they don’t. I’ve seen this with Kaspersky too. Multiple vendors hold their cards close to their chest when it comes to VT, so it’s not a great indication of who responded first.
Weirdly, sometimes even ESET detections don't show up on VT at all, even though the file is detected by the product itself.
 