In past blog posts we’ve discussed the detection rates for antivirus engines and the true value of utilizing multiple antivirus engines to scan for malware. The latest study we’ve performed shows that using multiple scan engines as well as multiple types of scanning (for example, static vs. dynamic file analysis) provides greater insight into which potential risks may be present on a machine.
We have been scanning a file with the key logger winpe/KeyLogger.SYK embedded in it daily for the past two weeks using our free online malware scanner Metascan Online. While there are several legitimate reasons for a key logger to be installed and running, IT administrators may want to be aware that this type of software is present on a machine within their security network. For this file, we’ve been tracking whether the key logger is detected as a potential threat by looking at results from more than 40 anti-malware engines; only one of these scan engines detected the file over the two-week period. Even so, a single detection can alert network administrators to files they may want to investigate further.
In addition to scanning the file with Metascan Online, we also installed the key logger on a local machine and scanned the running process using our endpoint scanner Metascan Client (leveraging the Metascan 16 package). After a quick scan of running processes, none of the engines flagged the key logger’s process. The third-party standalone anti-malware product running on the machine also did not flag the file through its behavioral analysis. As stated previously, this shows that a single solution by itself, even one that includes both static and dynamic file analysis, is not a surefire way to detect every potential threat.
Studies like these show how certain files can still be tricky to detect even when multiple methods are used. A great takeaway from this example is that multiple antivirus engines and multiple scanning methods can give you greater insight into the presence of potentially risky files on an endpoint machine!