Is Anti-Virus Effective for Email Security?

Many security professionals and IT admins have asked the question, “How can I better protect my emails from various viruses?” and “How effective is the current anti-virus for email security?”

There is no easy answer because many different factors need to be unfolded to understand the backdrop. Let’s break down the details of the latest findings we have.

Given the above figures, it is not surprising that 91% of cyberattacks start with an email and remain the largest attack vector for malicious actors, as it is cheap, easy to use, and provides a direct communication channel into an organization. To understand why malware is still so successful and how malicious actors deliver their harmful script/content to the user mailbox, refer to this list of the main attachment types used for distributing them:

  • archive files (38% – up from 17.26%),
  • Word documents (23% – while the RTF docs 38%),
  • spreadsheets (17%),
  • and executable files (16%)

The scale of the malware threat is enormous. By the time you read this article thousands of new malware will have been released to find their victims.

Increasing Number of Malware

Anti-virus protection is the foundation of an organization's defense against most malware. Unfortunately, companies often lose these battles against attackers, and that’s no coincidence given the huge volumes involved. According to a graph by, the number of new malware discovered is around 14,000 per hour, which companies must constantly fight. Please be assured that no antivirus vendor can provide adequate protection on its own, as the update window (exposure time) of the AV signature database is typically between 2-16 hours, but it is also very common to have only daily updates.

The Danger of Exposure Time

In fact, there is a significant lag between the appearance of new malware and its detection, which is further compounded by the update latency of virus definition databases, which can reach several (2 - 16 or 24) hours. There is no doubt that the larger the update window (exposure time) of the virus definition database, the greater the vulnerability to email protection. It results in a window of vulnerability for organizations and significantly increases the risk of malware outbreaks. Gateway protection and hence email protection become limited.

Rise of Polymorphic Viruses

The rise of polymorphic viruses can be seen as a response by virus writers to the increasing sophistication of anti-virus scanners. Antivirus solutions mostly use signatures that are mainly effective in detecting known threats. Polymorphic viruses use code modification and encryption to hide from AV scanners. To design such viruses, polymorphic generators have been created to hide the actual code under the cloak of polymorphism.

How to Proceed?

Needless to say, email security is a multi-faceted solution, and although everyone uses a secure email gateway with various anti-virus engines the differences in effectiveness between the vendors are so huge that Gartner itself recommends that security and risk managers should consider reevaluating the capabilities of the current solution because if there is a problem, it is a problem at scale.

The challenge with any given anti-virus solution is how efficiently they detect malware, how quickly they reduce exposure times, and if they are susceptible to false positives.

Most secure email gateways have one anti-malware engine, and no matter how often virus definitions are updated, any given anti-malware engine is going to miss some threats. The general best practice is to add more AV scanning engines to empower security controls to increase the detection rate of malware. By using more than 20 anti-malware engines companies can reach a detection rate of more than 99 percent so that a new threat can be quickly detected and remediated.

The Secret Weapon?

OPSWAT Multiscanning provides simultaneous analysis with multiple AV engines, making it an advanced threat detection and prevention technology that increases detection rates and reduces outbreak response time.

To reduce the security risk of emails and fill in security gaps, MetaDefender Email Gateway Security uses OPSWAT's patented key technology, Multiscanning. Every email is scanned by more than 20 anti-malware engines, resulting in a detection rate of up to 99%.

Example of Threat Detection Matrix:

Along with ensuring a high detection rate of malware, Multiscanning also identifies malware outbreaks more efficiently by consolidating virus definition database updates. It can be observed that as the number of antivirus engines increases, the time of exposure to malware decreases. With more than 20 anti-malware engines, an organization can significantly reduce exposure to malware to less than 10 minutes. It enables more efficient email protection against the nearly 14,000 malware that appear every hour, while reducing false positives, and further eliminating distractions.

The Average Update Frequency of AV Signature Database

OPSWAT's Multiscanning technology works to improve the detection of outbreaks by using a variety of engines by using a mix of heuristic, machine learning, and signature-based detection. It’s a simple fact that some AV engines support pattern (or signature) matching to detect malware variants that exhibit similar behavior to other variants in the same malware family. AV engines using only definition databases are less suitable for this purpose, while engines using artificial intelligence and behavioral heuristics are likely capable to identify even polymorphic viruses using the above method. The MetaDefender Cloud Enterprise offering includes 24 vendors, some of them featuring engines with heuristics and machine learning techniques that enable the OPSWAT customers to fight polymorphic and unknown (zero-day) viruses. Saving the best for the last: MetaDefender Email Gateway Security enables access to these MetaDefender Cloud scanning resources, so its users can benefit from real-time protection against — not only known malware — but also zero-day attacks.

Finally, a diverse set of anti-virus engines from different geographic locations enables more comprehensive protection as new outbreaks emerge from different hot spots. OPSWAT's commitment is to continue to distribute anti-malware vendors from around the world in every package, so you'll be covered 24 hours a day.

Ultimately, malware and viruses are just one aspect of email security, so anti-virus is only one part of the solution. Threat actors may employ malicious URLs or phishing links, impersonate trusted users and domains, or leverage more advanced attacks that evade more traditional detection. We have covered all these subjects in more depth in our recent blog.

Compared to the scale of the damage caused by for example a ransomware attack, the cost of taking email security to an advanced level is negligible. OPSWAT's mission is to reduce enterprise security risks, fill the gaps and make email security more effective. The MetaDefender Email Gateway Security product features unique capabilities to take email protection to a higher level of effectiveness.

Contact OPSWAT today and ask how we can help improve your anti-virus detection rates with multi-scanning or download our free whitepaper to learn more about best practices for email security.

Sign up for Blog updates!
Get information and insight from the leader in advanced threat prevention.