by Constantine von Hoffman

NYT Twists Imperva Antivirus Study into Utter Nonsense

Jan 03, 20133 mins

A recent New York Times report suggests antivirus programs are useless because they don't always detect new threats. But the report is misleading because it overlooks the fact that antivirus software can detect older threats that are just as dangerous as new ones, according to blogger Constantine von Hoffman.

The media recently twisted a modest Imperva study of antivirus effectiveness into a sensationalized industry expose.

On Monday The New York Times ran a story that said: “The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses.” It based this on a study by Imperva, even though that’s not what Imperva’s study said.

From the study:

“1. The initial detection rate of a newly created virus is less than 5 percent. Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero. We believe that the majority of antivirus products on the market can’t keep up with the rate of virus propagation on the Internet.

2. For certain antivirus vendors, it may take up to four weeks to detect a new virus from the time of the initial scan.

3. The vendors with the best detection capabilities include those with free antivirus packages, Avast and Emsisoft, though they do have a high false positive rate.”

Imperva’s study clearly focuses on new viruses, not all viruses. This is something the Times story doesn’t point out until the fifth paragraph.

“By the time [antivirus] products are able to block new viruses, it is often too late. … A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.”

While new attacks are constantly being developed, the huge numbers of older viruses–which can be detected and stopped–represent just as big a threat. And, by the way, the new viruses eventually become old viruses.

That’s why the study’s conclusions don’t say anything about not using antivirus programs. They recommend understanding the limitations of these programs and acting accordingly. Those conclusions are:

  1. Enterprises and consumers spend on antivirus is not proportional to its effectiveness
  2. Compliance mandates requiring antivirus should ease up on this obligation
  3. Security teams should focus more on identifying aberrant behavior to detect infection

Let me be clear: Antivirus software is marketed to make you think it will keep you absolutely safe from everything short of a meteor strike. Consumers often don’t realize the limitations of the programs and that needs to change, either through more honest marketing or better education on the topic by the media. The Times article does not do this.

I hope it wasn’t Imperva’s PR people who oversold the study, but even if they did it’s still the reporter’s fault for going along with it. It is a modest study which is honest enough to include reasonable questions about its methodology at the end. If only the associated news coverage matched that modesty.