More than half of malware is not blocked by anti-virus, as vendors can only deal with known malware.

Speaking to SC Magazine, M86 Security CEO John Vigouroux said that the approach taken by most anti-virus vendors is not good enough, as most claim to block 99 per cent of known malware, but most cyber criminals use unknown variants.

Vigouroux said that the security industry has ‘done a miserable job of protecting customers and industry'. He said: “With a firewall you have built a wall and it does a good thing, but that is not doing so well. Anti-virus is a 20-year-old technology and you have to care about the three to six per cent of malware and that is what has changed, as now 92 per cent of malware is on the web.

He said: “Most of the web-based malware is hosted on legitimate websites and while 40 per cent gets blocked, 60 per cent gets through because it is new malware that hasn't been seen before. Every single anti-virus product on the market is running off the same database idea and to make a database up you need to first find the malware to analyse signatures and then match the code of new attacks to the database in order to block it.

“This is a calamity, as 60 per cent of malware is new, it's not been seen before and so it's not being blocked. The only thing being blocked is known malware. New signatures are going through the roof. I do not care how fast they can update, it is so simple for the cyber criminals to generate new malware that it is scary. The attackers keep coming with new malware and the industry is doing a terrible job of keeping up.”


David Harley, senior research fellow at ESET and anti-malware testing standards organisation (AMTSO) director, said that Vigouroux was not completely wrong, but he had no idea where his statistics had come from.

He said: “I wouldn't advise anyone to place their trust in a security company that says ‘use me and you're safe', or to assume that any product or layer of security will detect and/or block everything malicious.

“He is repeating the ancient fallacy that anti-virus only detects known malware, using a database of signatures. That hasn't been the case for many years: that's what heuristics, whitelisting and reputations services are for, to supplement exact identification and generic identification.

“The model of one signature for each variant or sub-variant is totally extinct: in fact, Vigouroux's claims suggests a misunderstanding of what a signature is. A signature isn't a simple string of bytes in a database: it's an algorithm.

“A single algorithm may look for a known string (there are still enough old worms and viruses around to make it worth recognising them, though most of them require more than a simple byte sequence to identify them), but others look for code that resembles known malcode (that's a heavily oversimplified summary of a generic signature) or for behaviour that suggests malicious intent (behavioural analysis, active heuristics and so on). Rather as M86 apparently does.”