Advice Request: Why are there not many multi-engine antivirus solutions?


empleat

Thread author
Mar 23, 2020
Hello,
I was wondering why there are not many multi-engine antivirus solutions. Better multiple than one, right? I didn't see many antivirus programs like that. The thing with 1 antivirus engine is that it is hard to decide whether to trust a file. With multiple engines, if a file is detected by 1 out of 12, then it is probably a false positive.
 

RoboMan

Jun 24, 2016
Hi @empleat! I believe you're looking at this from the "wrong direction". To start with, static detection "malware engines" are a bit obsolete. They're... let's say the first line of defense, but certainly the least powerful. So one engine is most probably always enough, since it's a companion for behaviour blockers, anti-ransomware modules, HIPS, etc.

As well, it's not as simple as "multi-engine antivirus". Those engines equip millions of signatures, which need to be placed somewhere.

Now, which is the most common location for these to be stored so they can be accessed quickly and easily? That's right, RAM. Not a good idea. Otherwise you'd be internet-dependent.

As mentioned, more engines != better protection. Focus on a suite that gives you a decent engine and mixes it with great modules like BB and Application Control. :)

Some examples:
  • ESET: great signatures, fast to add them, good HIPS and firewall
  • Kaspersky: solid behaviour blocker, Application Control, Ransomware rollback, great signatures
  • BitDefender: one of the best signatures out there, ransomware remediation, great behaviour blocker
If you believe your signatures are not enough, you can always download second opinion scanners (on demand)! As well, you could upload the suspicious files to VirusTotal.
 

silversurfer

Aug 17, 2014
RoboMan said:
Some examples:
  • ESET: great signatures, fast to add them, good HIPS and firewall
  • Kaspersky: solid behaviour blocker, Application Control, Ransomware rollback, great signatures
  • BitDefender: one of the best signatures out there, ransomware remediation, great behaviour blocker
Agreed that signatures are less important nowadays, but what you said about Bitdefender signatures is wrong for sure.
You know it better when you check samples every day at VT:
BD signatures are delayed compared to ESET and Kaspersky, but samples are probably detected earlier by BD-Cloud.
 

MacDefender

Oct 13, 2019
Disadvantages of multi-engine scanning include:
  • Increased scanning times. If you have two engines it takes twice as long to scan. If you have 10 engines it's 10x slower.
  • Increased resource usage -- BD sigs can be hundreds of megabytes, and for fast performance they're loaded almost entirely into RAM too. And these have to be updated sometimes hourly.
  • Unclear strategy for conflicting answers. What happens if only 1 or 2 engines out of all detect something? Could those be really good at zero-day threats while the other engines snooze, or could they be false positives? How do you pick an alerting strategy for what the overall disposition is when engines give you conflicting answers? As a human, you might be able to make an educated decision looking over 70 results from VirusTotal and deciding what the overall status of your file is. Perhaps AI can help here, but that's an unexplored avenue.
  • High licensing costs -- how expensive is the product going to be if you have to license multiple flagship engines?
  • Unclear cloud story -- almost every flagship engine has a cloud component where you send a fingerprint of the file and the cloud tells you if it's good or bad. Even in the best case if you can license a dozen such engines, you've just dramatically increased the amount of network traffic and network dependent lag for each executable.
  • Doesn't address behavior blockers -- other than ESET, almost every other product relies at least equally as much on their behavior blocker as they do on signatures. It's almost impossible to get multiple behavior blockers to coexist on the same machine because of the way they inject into and monitor binaries. Plus behavior blockers have some of the biggest performance impacts, since they put an intercepting layer on basically every Windows API a process can call.
Overall, the winning strategy for multiple engines has been to thoughtfully layer them together. For example, F-Secure uses 4 or so engines each with a specific purpose (one signature engine, one script-based engine, one pure heuristics engine, one certificate white/blacklisting engine). That way they rarely overlap and give you disagreeing results over the same file. Emsisoft uses two signature scanning engines, BitDefender and their own in-house engine which was meant to concentrate more on PUPs but lately I find that they seem to use their engine to cover holes in BitDefender's coverage too.

Even products like Norton, though they don't advertise multiple engines, really do have multiple internal engines. They have a few different machine learning models that give you generic "AdvML" detections based off how they're trained.


So yes, multi-engine/multi-approach is something that a lot of AV software uses. If you create basically a "VirusTotalAV" where you throw each file to every scanner, it's questionable whether you will end up with a better product. There are a bunch of cost and performance tradeoffs you'd make, and a very difficult decision-making process on top of that.
 
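As an added example (not code from this thread or from any vendor named in it), here are the two disposition strategies MacDefender contrasts, side by side in Python: a "VirusTotalAV"-style weighted vote across a dozen engines, versus purpose-specific layers where each engine answers a different question. Engine names, weights, thresholds and sample verdicts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Verdict:
    engine: str               # constructed engine name, not a real vendor
    malicious: bool
    confidence: float = 1.0   # engine's self-reported confidence, 0..1

# Constructed vote weights (how much a lone hit from this engine should count).
# A real product would derive these from measured TP/FP history; this is not vendor data.
ENGINE_WEIGHTS: Dict[str, float] = {
    "sig-A": 1.0, "sig-B": 1.0, "sig-C": 0.8, "heur-D": 0.4,
    "heur-E": 0.4, "ml-F": 0.6, "sig-G": 0.7, "sig-H": 0.7,
    "sig-I": 0.5, "sig-J": 0.5, "sig-K": 0.3, "sig-L": 0.3,
}

def verdicts_from_hits(hits: Dict[str, float]) -> List[Verdict]:
    """Build a full 12-engine result set where only `hits` (engine -> confidence) fired."""
    return [Verdict(e, e in hits, hits.get(e, 1.0)) for e in ENGINE_WEIGHTS]

def vote_disposition(verdicts: List[Verdict]) -> Tuple[str, float]:
    """'VirusTotalAV' strategy: weighted share of engines flagging the file.
    One low-weight hit out of twelve stays 'clean'; one strong engine alone only
    reaches the grey zone, which still needs a human or a behaviour blocker."""
    total = sum(ENGINE_WEIGHTS.get(v.engine, 0.5) for v in verdicts)
    hit = sum(ENGINE_WEIGHTS.get(v.engine, 0.5) * v.confidence
              for v in verdicts if v.malicious)
    score = hit / total if total else 0.0
    if score >= 0.5:
        return "malicious", score
    if score >= 0.1:
        return "suspicious", score
    return "clean", score

def layered_disposition(cert_trusted: Optional[bool], sig_hit: bool,
                        script_hit: bool, heur_score: float) -> str:
    """Layered strategy: each engine has one job, so the first decisive layer wins
    and the layers rarely contradict each other. cert_trusted is None when the
    certificate engine has no opinion (unsigned or unknown publisher)."""
    if cert_trusted is False:
        return "malicious"      # explicitly blocklisted certificate
    if sig_hit or script_hit:
        return "malicious"      # exact-match evidence beats an allowlist
    if cert_trusted:
        return "clean"          # allowlisted publisher: heuristics are skipped
    if heur_score >= 0.7:
        return "suspicious"     # heuristics alone only escalate, never block
    return "clean"
```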

bayasdev

Sep 10, 2015
Too much computing resources and development cost overhead, I guess maintaining several 3rd party engines and ensuring interoperability in a single product is a PITA for the dev team. Maybe a cloud detection system powered by threat intelligence from multiple vendors paired with a local in-house engine would be more doable from a cost-effective standpoint.
 

Ink

Administrator
Jan 8, 2011
It's highly ineffective.

Layered security is superior, where all parts of the OS are protected by different technologies.

Everything should be taken in Moderation including sugar intake.
 

Divine_Barakah

May 10, 2019
You can use a good security suite and combine it with SecureAPlus or Voodooshield (both scan with multiple scan engines with the aid of VT). You can also use Hitman Pro as a second-opinion scanner (it uses multiple engines too).
 

Divine_Barakah

May 10, 2019
Just checked the Trustport website and I was surprised. Home products are no longer available.
 

I3rYcE

Nov 4, 2011
empleat said:
Hello,
I was wondering why there are not many multi-engine antivirus solutions. Better multiple than one, right? I didn't see many antivirus programs like that. The thing with 1 antivirus engine is that it is hard to decide whether to trust a file. With multiple engines, if a file is detected by 1 out of 12, then it is probably a false positive.

Static detection methods are the past. In the future, companies will focus on increasing proactive detection techniques.
 

fabiobr

Mar 28, 2019
silversurfer said:
Agreed that signatures are less important nowadays, but what you said about Bitdefender signatures is wrong for sure.
You know it better when you check samples every day at VT:
BD signatures are delayed compared to ESET and Kaspersky, but samples are probably detected earlier by BD-Cloud.
As far as I know there's no Bitdefender cloud on VT, only Bitdefender signatures and Theta (Machine Learning), and of course there's no Advanced Threat Defense either.
 

MacDefender

Oct 13, 2019
fabiobr said:
As far as I know there's no Bitdefender cloud on VT, only Bitdefender signatures and Theta (Machine Learning), and of course there's no Advanced Threat Defense either.
But FWIW many others withhold their cloud tech from VT too — Avira and F-Secure often detect samples while VT claims they don’t. I’ve seen this with Kaspersky too. Multiple vendors hold their cards close to their chest when it comes to VT, so it’s not a great indication of who responded first.
 

SeriousHoax

Mar 16, 2019
MacDefender said:
But FWIW many others withhold their cloud tech from VT too — Avira and F-Secure often detect samples while VT claims they don’t. I’ve seen this with Kaspersky too. Multiple vendors hold their cards close to their chest when it comes to VT, so it’s not a great indication of who responded first.
Weirdly, sometimes even ESET detections don't show up on VT at all, even though they are detected by the product itself.
 
