1 + 1 != 2 in malware scanning

Taeil Goh OPSWAT

  download slides (PDF)

No single anti-malware product has delivered 100% detection of threats, and this fact will most likely not change in the near future. Developers of security solutions can choose to integrate multiple anti-malware products to minimize the risk of missing threats to their system. This is because one anti-malware product has better or worse detection rate than others, based on several factors such as types of threats. However, the benefit of increasing detection rate by utilizing multiple anti-malware products comes at a price:

    1. Performance degradation of the solution multiplied by multiple tasks on same data,
    2. Increased solution vulnerability by exposing threats to more anti-malware products or data analysis tools such as file type detection libraries,
    3. Increased potential of false positives reported by the solution and no standards concerning making final decision based on different results from different products.

In this paper, we will examine the potential and pitfalls of aggregating multiple anti-malware products into a single security solution, drawing upon our experience of working with as many as dozens of engines in parallel.

Various test results on different products, which will be presented later in the paper, shows at least two things. Even an anti-malware product with the best detection rate can simply miss threats from detection. Furthermore, the anti-malware with the best detection will not be the best in another testing configuration. Integrating multiple anti-malware engines (multi-scanning) comes into play in covering the imperfections of a single anti-malware product. This has already attracted many developers and services including Microsoft Forefront Security for SharePoint and Google Postini Services.

In this paper, we first examine several outstanding test results from different test labs such as AV-Comparatives and other anti-malware test labs and then examine a few use cases of multi-scanning.

Next, we will identify the redundant tasks of different anti-malware products and introduce ways to optimize total scanning speed without losing detection.

In the third part of our paper, we will discuss a resilient design of integrating multiple anti-malware products into a single security solution without being affected by the failure of any component. Further, we will introduce a reliable way of detecting failure and ensuring the sanity of each solution component in order to maximize the benefit of multi-scanning.

Finally, our paper will address the reduction of false positives with whitelisting and frequent updates without pausing ongoing scans.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.