How Do You Find 200,000 Unique Samples a Day?

I recently received a couple of questions about signatures from a reader.

1- You said that ESET receives around 200000 unique malware samples daily, so does ESET detect most of them or detect only the malwares that their signatures are listed here: http://www.eset.com/threat-center/threatsense-updates ?

2- Nowadays why signatures are written? Are they written to detect malwares initially, or to cover the gap that heuristic can’t cover? Otherwise, is the main task of detection is of heuristics and signatures are considered supplement for that?

Let’s start with question 1. When detecting brand new unique threats, regular signatures are useless. There are a variety of heuristic approaches and one of them that is particularly effective is called generic detection. With generic detection we can identify new threats that are based upon existing threats. With a traditional signature a very slight modification to a virus or Trojan will break detection, but with a generic signature detection is not affected by minor changes. Some of the threats are detected with our passive heuristics. The scanner looks at the file and makes a determination that if the file is allowed to execute it will do something bad. Many other threats are detected with our active heuristics. With the active heuristics we build a virtual computer inside the scanning engine and actually run the samples. This allows us to observe what the program is actually doing. The signatures you see in the threatsense updates are only some of the malware we detect.

Now on to question 2. There are a variety of reasons for traditional signatures. In some cases we must update the heuristics to detect new threats and traditional signatures can be a quick way to do that. A bigger reason for traditional signatures is performance. Heuristic analysis takes far more CPU cycles than using traditional signatures. By using traditional signatures we can keep the performance of the product high. Sometimes for very high profile threats a signature is needed because some manager wants his IT person to show them that the threat is detected and not being technical they believe that a name is required for detection.

In reality, the number of signatures a product has is not a good measure of its effectiveness. If one product has 10 million signatures and detects 10 million threats, and another product has 6 million signatures but detects 15 million threats, which product is better?

Traditional signatures and heuristic are complementary technologies. Both are used to increase the effectiveness of virtually every antivirus product today.

Randy Abrams
Director of Technical Education
ESET LLC