Gartner Blog Network


Survey on Anti-malware Effectiveness Perception

by Anton Chuvakin  |  December 19, 2013  |  4 Comments

This is NOT about how effective today’s anti-virus technology is. This is about how effective people THINK it is!

So, go and answer one question: What percentage of incoming malware do you think is caught by traditional anti-malware products at a typical organization?

If you need additional context, this question should cover both endpoint (such as EPP) and gateway (such as email) anti-malware tools and technologies, using traditional AV engines with blacklisting and heuristics.

Click here to begin the survey

P.S. This poll has nothing to do with my research agenda, I need this data to win a bet 🙂

Previous surveys and results:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: announcement  malware  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Survey on Anti-malware Effectiveness Perception


  1. Pete Herzog says:

    I wasn’t sure if you meant total or unique. I figured you meant total. AV is pretty good at doing repetitive tasks so if it’s getting the same malware-laden SPAM regularly then it could filter that out and crush the score. If I have 50K users on my network and everyone receives the same mail with malware then it will remove 50K of the malware assuming it identifies it. But if you’re talking unique pieces well then that number drops significantly. And then it doesn’t even have to be very unique.

  2. An excellent question indeed. I actually meant to avoid the topic of total vs unique since counting unique is hard (since we count what is NOT seen) and this is a question about perception. I really should have clarified it.

    I suspect answering as total is better, as total can serve as a VERY ineffective proxy for unique (eh..sort of…since mass malware that hits all users is less common nowadays)

  3. Karel Obluk says:

    Depends on what you consider ‘traditional anti-malware product’. Most _good_ products nowadays use sophisticated combination of behaviour monitoring, prevalence checks, sandboxed emulation etc. combined with (for performance reasons) ‘checksum’ checks – that also happen to use emulation and other advanced techniques.
    So if you only use ClamAV and similar ‘checksum only’ product set up on gateway, my guess would be anywhere btw 40-60%. If you use any good product set up on endpoints as well, you get well above 95%. Unless your organisation is an ‘interesting target’ (spearheaded attacks) and if it’s of decent size, you can get above 98% for sure.
    My guesstimate 😉

  4. @karem Traditional AV does use techniques “other than blacklisting”, sure. However, there are still [relatively] clear boundaries between “the AV guys” and the newer entrants into the market.

    Thanks for the response. 95-98% on a well-tuned AV and 40-60% on basic blacklisting makes sense as a response.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.