Introduction
Antiviruses (AVs) remain an important basic protection tool from known malware threats. To enhance security and eliminate the dependency on a single engine, many organizations opt to use multiple AV scanners (AV multi-scan).
In this document, we will discuss the advantages and disadvantages of AV multi-scanning and share Resec’s view on the optimal number of AV scanners to use. The data is based on recent AV accuracy tests conducted by AV-Comparatives.
The Advantage of Multiple Scan Engines
Scanning with multiple antiviruses yields better detection rates. The more AVs used, the better the chances of detecting newly-discovered malware.
The following table shows real-life detection rates of AVs versus recently-discovered malware:
As seen in the table, most antiviruses handle known malware very well, with all of them detecting more than 98% of malicious samples tested.
While certainly a high rate, a 98% detection rate means that a very real danger of missing malware still remains. For example, a customer who bases their entire protection on a single engine such as ESET would be compromised by 1.6% of the malicious files that pass through the system. For a high-risk enterprise environment processing large amounts of data every day, this is obviously unacceptable.
Adding more scan engines would clearly improve detection rates. The average detection rate of the 17 engines that were tested is 99.4%, but this still means that 0.6% of the malware tested slipped past AV scanning.
Combining two (2) AV engines (assuming the AVs are independent of one another) would, on average, reduce that number to 0.0036%. Five (5) Engines would only miss 0.0000000007776%, and so forth.
While we can safely conclude that more scan engines equal higher detection rates, the return on investment is questionable. Here is the gain from each additional engine:
It easy to see in the table above that the improvement in detection quickly becomes marginal.
The Disadvantages of Adding More Scan Engines
There are some disadvantages of adding more scan engines, the obvious ones being increased latency and the need for more computing resources.
However, the primary disadvantage of using many scan engines is the increase in false positives – benign files mistakenly identified as malicious. False positives consume IT attention and time, while also hurting productivity.
Here are the false-alarm test results from the same study:
Almost all scan engines returned some false positives. Comparing these results with the previous graph shows that the engines that yield higher detection rates often return many false positives, while engines with lower detection rates have fewer false positives. Even when ignoring the two extreme outliers on the graph, the average false positive rate is 3.0833%.
This means that an average scan engine would return approximately 3 erroneous alerts for every 100 files that pass through the system. As we add more engines, the rate only increases:
Using 16 standard scan engines yields ~40% false positive rate for files (!). These numbers are clearly unmanageable. They tell us that a system using many scan engines must disregard some of the alerts that they raise. However, doing so defeats the main purpose of multi-scanning. If we require that a quorum of N engines agree that a file is infected before blocking it, we may actually fail to detect some of the malicious files that would have been detected by just a single scan engine.
Summary
Antivirus multi-scanning is an important tool in an organization’s security stack, increasing detection rates from known malware threats. However, research clearly shows a direct correlation between the number of engines used (with diminishing gains from each additional scan engine) and a steady increase in false positives.
Therefore, optimizing the correct number of AV engines is key for an organization to achieve a positive balance between high detection rates and relatively low false positives.
Resec’s Position
Resec upholds a Zero Trust prevention approach, which is far more stringent than that of antiviruses (or other detection solutions for that matter). While the AV multi-scan plays an important role in Resec’s platform, Resec merely relies on this engine for known malware detection, blocking, and reporting. Based on the conclusions from studies such as those in this document, Resec uses five (5) reliable AV engines. We have found that this number yields strong detection rates, while minimizing false positives to prevent unnecessary noise for the IT department.
To achieve complete prevention and overcome the limitations of antiviruses (false negatives, unknown malware), Resec’s assumes that every file is a threat and uses proprietary Content Disarm and Reconstruction (CDR) technology to rebuild threat-free replicas of all files that were found “clean” by the AV multi-scan engines. Resec’s unique approach relies on whitelisting, ensuring that only permitted components are rebuilt into the new document. This enables Resec to eliminate all false negatives and “zero day” attacks, while maintaining native file format and functionality at scale, and faster than any comparable solution.
This approach combines the best of both detection and prevention, achieving airtight security along with productivity and usability.