Friday, July 07, 2006

"mine's bigger"

yeah, i know it's a pretty provocative statement, but that's pretty much what authentium are saying in this blog post...

mcafee lets everyone know their product is about to reach the 200,000 threats detected milestone and authentium pipes up and says 'well we're about to reach 300,000'... classic - no really, i'm surprised there are anti-virus companies still playing this particular numbers game... i thought it went out of style years ago...

now let me ask you something, do you really think there are 100,000 pieces of malware being missed by mcafee's product? you can't trust the raw numbers reported by vendors, unfortunately, and not just because some of them have apparent inferiority complexes...

this is old news for some of us but for those who don't know yet, here's how it works... say you have 2 malware samples that are related to each other (they belong to the same malware family) - scanner-A detects both pieces of malware using 2 separate signatures and scanner-B detects both pieces of malware using only 1 signature... now both detect the same number of real world threats, but the way they count is by counting the number of distinct malware definitions in the scanner's database so scanner-A will say it detects 2 pieces of malware where scanner-B will only say it detects 1 piece of malware because they're similar enough that they look the same to scanner-B...

now whether a scanner needs 1 or 2 signatures in the scenario above doesn't really have any bearing on which scanner is better, there are benefits and drawbacks on both sides and it's not always scanner-A that requires more signatures... that said, you should be able to easily see how one scanner's numbers can be very different from those of another... now a 50% difference is considerable and i find that very suspicious, especially when f-secure pegged the number at 185,000 earlier this year which is much more in line with mcafee's 200,000 figure...
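to make the counting game concrete, here's a small simulation i've added (it's constructed example code, not anything from the post or from either vendor; the three "samples", the scanners and their signature rules are all hypothetical)... scanner-A keeps one exact-hash definition per sample, scanner-B keeps one family-level pattern, and scanner-C also has two definitions but simply never saw the second variant:

```python
import hashlib
from dataclasses import dataclass, field

# constructed sample set (plain byte strings, not real malware): two variants of one
# family that differ only in a build tag, plus one unrelated sample
SAMPLES = {
    "family_x_variant_a": b"DROPPER-FAMILY-X core:spawn,persist build=a",
    "family_x_variant_b": b"DROPPER-FAMILY-X core:spawn,persist build=b",
    "worm_y":             b"WORM-Y core:scan,replicate",
}

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Scanner:
    name: str
    hashes: set = field(default_factory=set)    # exact-match (per-sample) definitions
    patterns: set = field(default_factory=set)  # family-level byte patterns

    def definition_count(self) -> int:
        # the figure vendors advertise: distinct entries in the database
        return len(self.hashes) + len(self.patterns)

    def detects(self, data: bytes) -> bool:
        return sha(data) in self.hashes or any(p in data for p in self.patterns)

    def detected(self, samples: dict) -> set:
        # the figure that actually matters: which samples get caught
        return {n for n, d in samples.items() if self.detects(d)}

# scanner-A: one hash per sample it has seen -> 3 definitions, catches all 3
scanner_a = Scanner("A", hashes={sha(d) for d in SAMPLES.values()})
# scanner-B: one pattern per family -> 2 definitions, still catches all 3
scanner_b = Scanner("B", patterns={b"DROPPER-FAMILY-X core:spawn,persist",
                                   b"WORM-Y core:scan,replicate"})
# scanner-C: also 2 definitions, but hash-based and never saw variant b -> misses it
scanner_c = Scanner("C", hashes={sha(SAMPLES["family_x_variant_a"]), sha(SAMPLES["worm_y"])})

def compare(scanners, samples) -> dict:
    """map scanner name -> (definitions in database, samples actually detected)"""
    return {s.name: (s.definition_count(), len(s.detected(samples))) for s in scanners}

if __name__ == "__main__":
    for name, (defs, hits) in compare([scanner_a, scanner_b, scanner_c], SAMPLES).items():
        print(f"scanner-{name}: {defs} definitions, {hits}/{len(SAMPLES)} samples detected")
```

A advertises 50% more definitions than B while catching exactly the same threats, and B and C advertise the same number while one of them misses a sample... the only comparison that tells you anything is detection over a shared sample set, not the size of the database...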

regardless, the numbers that vendors report just do not mean what they otherwise seem to mean... comparing the number of signatures between different products is a pointless exercise and it ultimately misleads the reader into thinking that one product is better than another when it may not be true... and if you're detecting the scent of snake oil in that practice, well me too...
