Malware Stats: 72 Percent of Threats are Unique


There was a time when signature-based antivirus was good enough to protect a PC. Those days are long gone, as increasing amounts of research point to the rise of unique and advanced persistent threats (APT) that are not detectable with signature-based systems. Security vendor Sourcefire (NASDAQ:FIRE) is the latest to say it is seeing a rise in unique forms of malware. Cisco announced earlier this month that it has seen a doubling in unique malware over the last four months, as has Symantec.

Sourcefire's latest stats come from its Immunet 3.0 antivirus solution, which leverages the open-source Clam antivirus engine as well as cloud-powered detection engines.

According to data collected from Immunet installations for the month of July, 72 percent of the detected threats were isolated cases. That is, they were unique forms of malware not seen before. Out of the Sourcefire Immunet user base, 16 percent experienced at least one form of malware infection. Additionally, among those infected users, 70 percent had one or more infections on their system.
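The three figures above are the kind of summary a defender derives from per-host detection telemetry. The following is an added example, not Sourcefire's or Immunet's code, showing how such statistics can be computed from a constructed list of (host, sample hash) detection events. It assumes a simplification: a threat counts as "isolated" when it was seen on only one host in the reporting window (the article's definition of "not seen before" would also require history from earlier windows), and "multiple infections" is read as more than one distinct sample on a host.

```python
from collections import defaultdict

# Constructed sample telemetry for illustration only: (host_id, sample_hash).
# Hashes are shortened placeholders, not real indicators.
DETECTIONS = [
    ("host-01", "aaa"), ("host-01", "bbb"),
    ("host-02", "aaa"),                      # "aaa" seen on two hosts: not isolated
    ("host-03", "ccc"),
    ("host-04", "ddd"), ("host-04", "eee"), ("host-04", "eee"),  # duplicate event
]
TOTAL_HOSTS = 25  # assumed size of the monitored population (clean hosts included)


def threat_stats(detections, total_hosts):
    """Return the share of isolated threats, of infected hosts, and of
    infected hosts carrying more than one distinct sample (percentages)."""
    hosts_per_sample = defaultdict(set)   # sample hash -> hosts it was seen on
    samples_per_host = defaultdict(set)   # host -> distinct samples seen there
    for host, sample in detections:
        hosts_per_sample[sample].add(host)
        samples_per_host[host].add(sample)

    threats = len(hosts_per_sample)
    infected = len(samples_per_host)
    if threats == 0 or total_hosts == 0:
        # No detections (or an empty population): every ratio is undefined.
        return {"threats": 0, "isolated_pct": 0.0,
                "infected_pct": 0.0, "multi_infection_pct": 0.0}

    isolated = sum(1 for hosts in hosts_per_sample.values() if len(hosts) == 1)
    multi = sum(1 for samples in samples_per_host.values() if len(samples) > 1)
    return {
        "threats": threats,
        "isolated_pct": 100.0 * isolated / threats,
        "infected_pct": 100.0 * infected / total_hosts,
        "multi_infection_pct": 100.0 * multi / infected,
    }


if __name__ == "__main__":
    for key, value in threat_stats(DETECTIONS, TOTAL_HOSTS).items():
        print(f"{key}: {value}")
```

Sets rather than counts are used deliberately: the repeated "eee" event on host-04 is a re-detection of the same sample, and counting it twice would inflate both the threat count and the infection figures.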

The findings don't come as a surprise to Sourcefire.

"With Immunet we set out with the expectation that individual threats would become so numerous that actually pushing a database down to an end-user would become onerous," Adam O'Donnell, chief architect in the Sourcefire Cloud Technology Group told

Immunet uses an in-the-cloud detection engine to help spot threats. O'Donnell noted that it is no longer entirely possible, or cost-effective, to catch everything on a single individual machine without cloud resources. He explained that if, for example, there were only a thousand viruses in the wild and Sourcefire put out a database with a thousand definitions, each detection would have a value of one in a thousand. O'Donnell added that once there are a million or ten million viruses, the probability that any one definition produces a detection becomes very small, so the cost of delivering the same level of protection through a pushed database ends up being much higher.

Immunet 3.0 has both a free product and a paid product that provides an additional layer of scanning. According to O'Donnell, 84 percent of the detected threats were found by the core product, while 16 percent were found by the additional scanning in the paid product. O'Donnell credits the cloud engine and its ability to correlate data and threats with helping Immunet catch more malware than a non-cloud solution.

Sourcefire is currently working on an enterprise version of Immunet, named Immunet 4.0, that provides additional capabilities.

"Our technology from very early on was built to understand what is implicitly good and what is implicitly bad and then looks at things in the grey space in between," O'Donnell said. "That allows us to be able to give a more precise definition of what is malware and act more aggressively on malware outbreaks."

"It's an issue of what software can be trusted and us acting as an intermediary to help make a decision," O'Donnell added.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.