How Multi-Scanning Can Detect Outbreaks Sooner
The efficacy of antivirus products often comes into question, especially as advanced persistent threats (APTs) become more feared due to the media attention they receive. While it is clear that organizations should not focus their security only on the detection of APTs, a question still remains about how antivirus products can protect against the sheer volume of emerging threats. We'd like to present an example of how multi-scanning can be used to amplify the powers of antivirus products to detect outbreaks as soon as possible; similar research is now easy for anyone to perform using the new scan history feature in Metascan Online.
To demonstrate the power of multi-scanning, we took a look at the Upatre malware outbreak earlier this year. When we first received the malware sample, we scanned it using more than 40 anti-malware engines and then rescanned it periodically over a four day period. Over time, the number of engines detecting the threat increased significantly.

At the initial scan, only 1 engine detected the Upatre malware. With this scan result, there was a possibility that the engine flagging it had produced a false positive (an incorrect detection). Over the next few days, more and more engines detected the file as a threat, until it was detected by a total of 25 engines on the last day of our test, providing a strong indication that the file was truly malicious - an outbreak rather than a false positive.
[Figures: OPSWAT test results - Day 1, Day 2, Day 3 and Day 4 scan results for the Upatre malware sample]
Our small test shows that an emerging threat may initially be detected by only one of the most common antivirus products. Most engines will add detection to their signature databases within a few days, depending on the circulation of the malware and the sharing of samples in the anti-malware community, so using a range of anti-malware engines helps ensure the earliest possible detection of any given threat. The extra time gained by identifying a threat sooner allows organizations to take the actions needed to limit damage and remediate the issue. Our test also indicates that following scan results over time can help in analyzing whether samples with low antivirus detection rates are false positives or malware outbreaks.
At the time this post was published, the latest scan results showed that 32 out of 43 antivirus engines had detected the threat. It's interesting to note that once the number of detecting engines hit the low 30s, the increases seemed to stall out. A snapshot from the malware scan history page makes a compelling argument for the value of multi-scanning; even in the face of a well-established threat, some engines are still not detecting the malware.
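The triage logic described above (one engine on day 1, 25 by day 4, a plateau in the low 30s, and some engines still clean) can be automated once you keep a per-engine scan history. The following is an added example written for this post, not OPSWAT's code and not output of the Metascan Online API: the snapshots are constructed, the engine names are placeholders, the day 2 and day 3 counts are invented to fill the gap between the figures the post gives, and the classification thresholds are assumptions a team would tune to its own engine set.

```python
"""Track multi-engine detection counts across rescans of a single sample.

Constructed example (not OPSWAT code, not Metascan Online API output). Each
snapshot maps engine name -> verdict string for the same file hash on one
rescan; an empty string means the engine reported the file as clean.
"""
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]
History = List[Tuple[str, Snapshot]]

# Placeholder engine names; 43 engines to match the total quoted in the post.
ENGINES = [f"engine_{i:02d}" for i in range(1, 44)]


def make_snapshot(detecting: int, label: str = "Trojan.Upatre") -> Snapshot:
    """Constructed snapshot in which the first `detecting` engines flag the file."""
    return {e: (label if i < detecting else "") for i, e in enumerate(ENGINES)}


# Constructed rescan series. Day 1 (1 engine), day 4 (25) and the later
# plateau (32) follow the post; day 2 and day 3 values are invented.
SCAN_HISTORY: History = [
    ("day1", make_snapshot(1)),
    ("day2", make_snapshot(9)),
    ("day3", make_snapshot(17)),
    ("day4", make_snapshot(25)),
    ("later-a", make_snapshot(32)),
    ("later-b", make_snapshot(32)),
]


def detection_count(snapshot: Snapshot) -> int:
    """Number of engines returning a non-empty (malicious) verdict."""
    return sum(1 for verdict in snapshot.values() if verdict)


def detection_trend(history: History) -> List[Tuple[str, int, int]]:
    """(label, detected, total engines) for each rescan, in scan order."""
    return [(label, detection_count(snap), len(snap)) for label, snap in history]


def engines_flipped(prev: Snapshot, curr: Snapshot) -> List[str]:
    """Engines that were clean in `prev` and detect in `curr`: new signature coverage."""
    return sorted(e for e, v in curr.items() if v and not prev.get(e))


def engines_still_clean(snapshot: Snapshot) -> List[str]:
    """Engines that still miss the sample in this snapshot."""
    return sorted(e for e, v in snapshot.items() if not v)


def classify(history: History, established_ratio: float = 0.5, stall_delta: int = 2) -> str:
    """Heuristic triage of a rescan series. Thresholds are assumptions, not OPSWAT's.

    'likely false positive' : detections never exceeded one engine across rescans
    'emerging outbreak'     : detections are rising but still a minority of engines
    'growing threat'        : a majority of engines detect and the count is still rising
    'established threat'    : a majority detect and growth has stalled
    'low-confidence detection': a few engines detect but the count is not rising
    """
    trend = detection_trend(history)
    if len(trend) < 2:
        return "insufficient history"
    counts = [detected for _, detected, _ in trend]
    total = trend[-1][2]
    if max(counts) <= 1:
        return "likely false positive"
    last, previous = counts[-1], counts[-2]
    if last / total >= established_ratio:
        return "established threat" if last - previous <= stall_delta else "growing threat"
    if last > counts[0]:
        return "emerging outbreak"
    return "low-confidence detection"


if __name__ == "__main__":
    for label, detected, total in detection_trend(SCAN_HISTORY):
        print(f"{label:>8}: {detected:2d}/{total} engines")
    print("verdict:", classify(SCAN_HISTORY))
    print("still clean at last scan:", len(engines_still_clean(SCAN_HISTORY[-1][1])))
```

Running the full series gives "established threat" because the last two rescans both sit at 32 of 43 engines, while the first three days alone classify as "emerging outbreak": the same single-engine hit on day 1 is read very differently depending on whether later rescans show the count climbing or staying flat.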

Try out Metascan Online and the scan history feature to learn more about suspicious samples you obtain. You can also get a free Metascan Online API key by creating an account on the OPSWAT Portal to make use of the many Metascan Online APIs. Contact sales if you are interested in using high-volume hash lookups (or other Metascan Online services) for your business.