Anton Chuvakin is a research director at Gartner's IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…
Survey on Anti-malware Effectiveness Perception

by Anton Chuvakin  |  December 19, 2013  |  4 Comments

This is NOT about how effective today’s anti-virus technology is. This is about how effective people THINK it is!

So, go and answer one question: What percentage of incoming malware do you think is caught by traditional anti-malware products at a typical organization?

If you need additional context, this question should cover both endpoint (such as EPP) and gateway (such as email) anti-malware tools and technologies, using traditional AV engines with blacklisting and heuristics.

Click here to begin the survey

P.S. This poll has nothing to do with my research agenda, I need this data to win a bet :-)

Previous surveys and results:

Category: announcement, malware

4 responses so far

  • 1 Pete Herzog   December 20, 2013 at 8:40 am

    I wasn’t sure if you meant total or unique. I figured you meant total. AV is pretty good at doing repetitive tasks so if it’s getting the same malware-laden SPAM regularly then it could filter that out and crush the score. If I have 50K users on my network and everyone receives the same mail with malware then it will remove 50K of the malware assuming it identifies it. But if you’re talking unique pieces well then that number drops significantly. And then it doesn’t even have to be very unique.

  • 2 Anton Chuvakin   December 20, 2013 at 4:10 pm

    An excellent question indeed. I actually meant to avoid the topic of total vs unique since counting unique is hard (since we count what is NOT seen) and this is a question about perception. I really should have clarified it.

    I suspect answering as total is better, as total can serve as a VERY ineffective proxy for unique (eh..sort of…since mass malware that hits all users is less common nowadays)
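The total-versus-unique distinction raised in the two comments above, worked through as an added example (this is not code from the post or from either commenter): given a constructed log of inbound malicious messages, each with a per-sample hash and the engine's verdict, it computes the catch rate both ways and shows how one widely mailed sample inflates the "total" figure. Message ids and hashes are constructed placeholders, and the script assumes every record is already known to be malicious (for instance confirmed after the fact), which is exactly the ground-truth problem the reply above points out.

```python
"""Total vs. unique catch rate for anti-malware verdict logs (constructed example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Verdict(NamedTuple):
    message_id: str   # gateway message id (constructed placeholder)
    sha256: str       # hash of the attached sample (constructed placeholder, not a real hash)
    detected: bool    # True if the anti-malware engine blocked this copy


def total_catch_rate(verdicts: Iterable[Verdict]) -> float:
    """Share of all inbound malicious copies that were blocked (Pete's 'total')."""
    items = list(verdicts)
    if not items:
        return 0.0
    return sum(1 for v in items if v.detected) / len(items)


def unique_catch_rate(verdicts: Iterable[Verdict]) -> float:
    """Share of distinct samples that were blocked (Pete's 'unique').

    A sample counts as caught only if every copy of it was blocked; one copy
    slipping through means the sample reached at least one user.
    """
    by_hash: Dict[str, List[bool]] = defaultdict(list)
    for v in verdicts:
        by_hash[v.sha256].append(v.detected)
    if not by_hash:
        return 0.0
    caught = sum(1 for flags in by_hash.values() if all(flags))
    return caught / len(by_hash)


def summarize(verdicts: Iterable[Verdict]) -> Dict[str, float]:
    """Both figures side by side, so the gap between them is visible."""
    items = list(verdicts)
    return {
        "messages": len(items),
        "samples": len({v.sha256 for v in items}),
        "total_catch_rate": total_catch_rate(items),
        "unique_catch_rate": unique_catch_rate(items),
    }


def build_sample_log() -> List[Verdict]:
    """Constructed log mirroring the scenario in the comments.

    One spam-borne sample lands in 50 mailboxes and the engine already knows it,
    so all 50 copies are blocked. Five other samples arrive once each and only
    two of those are blocked.
    """
    mass_mailing = [
        Verdict(f"msg-{i:04d}", "constructed-hash-mass-0001", True) for i in range(50)
    ]
    one_offs = [
        Verdict("msg-0050", "constructed-hash-unique-0001", True),
        Verdict("msg-0051", "constructed-hash-unique-0002", False),
        Verdict("msg-0052", "constructed-hash-unique-0003", True),
        Verdict("msg-0053", "constructed-hash-unique-0004", False),
        Verdict("msg-0054", "constructed-hash-unique-0005", False),
    ]
    return mass_mailing + one_offs


if __name__ == "__main__":
    report = summarize(build_sample_log())
    for key, value in report.items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

On the constructed log the engine blocks 52 of 55 copies (about 95% "total") but only 3 of 6 distinct samples (50% "unique"); the same verdict data supports either headline, which is why the two questions need to be asked separately. Note that `unique_catch_rate` treats a sample as missed if any single copy got through, which is the conservative reading for an incident responder.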

  • 3 Karel Obluk   December 25, 2013 at 11:09 am

    Depends on what you consider ‘traditional anti-malware product’. Most _good_ products nowadays use sophisticated combination of behaviour monitoring, prevalence checks, sandboxed emulation etc. combined with (for performance reasons) ‘checksum’ checks – that also happen to use emulation and other advanced techniques.
    So if you only use ClamAV and similar ‘checksum only’ product set up on gateway, my guess would be anywhere btw 40-60%. If you use any good product set up on endpoints as well, you get well above 95%. Unless your organisation is an ‘interesting target’ (spearheaded attacks) and if it’s of decent size, you can get above 98% for sure.
    My guesstimate ;)

  • 4 Anton Chuvakin   December 26, 2013 at 3:55 pm

    @Karel Traditional AV does use techniques “other than blacklisting”, sure. However, there are still [relatively] clear boundaries between “the AV guys” and the newer entrants into the market.

    Thanks for the response. 95-98% on a well-tuned AV and 40-60% on basic blacklisting makes sense as a response.