Advanced Threat Prevention with Simultaneous Antimalware Engines

Multiscanning is an advanced threat detection and prevention technology that increases detection rates, decreases outbreak detection times and provides resiliency to antimalware vendor issues. OPSWAT pioneered the concept of multiscanning files with over 30 antimalware engines available to deliver enhanced protection from a variety of cyber threats.

Signature-based, heuristics-based, and machine learning detection methods are not perfect. Single antimalware engines detect at best up to 91.8 percent of common cyber threats, and the majority of them only have a 40 to 80 percent detection rate.

Why Multiscanning

Multiscanning Benefits and Limitations

Improved Malware Detection

Research shows that malware detection rates improve as more antimalware engines are added, because no single engine detects every type of threat and each engine specializes in different categories. Since each engine uses different algorithms, and its malware analysts work in different time zones and in different geographically-based labs, combining multiple antimalware engines significantly increases detection.

As shown in our multiscanning test of more than 10,000 of the most active threats, we achieved over 95 percent detection with 12 combined engines, over 97 percent detection with 16 engines, and over 99 percent detection with 20 or more engines.

Reduced Outbreak Exposure Times

During malware outbreaks the time it takes to detect a new threat is critical. Even small differences in detection rates can add days, weeks or months to the time it takes for various antimalware engines to respond to emerging threats. We conducted a test that shows that the detection mechanisms used by different antimalware engines are faster at detecting certain malware than others. By combining the results of multiple scanning engines, we can reduce outbreak exposure times and achieve virtually zero exposure.

These gaps in detection are cause for concern because they expose organizations that use only a single antimalware engine that hasn't yet detected a specific threat. For example, the Nemucod.KP trojan was initially detected by three antimalware engines on March 16th, 2016. Within two days eleven antimalware engines had detected the threat, and after one week sixteen engines had detected it. But months later, 24 engines still had not detected the Nemucod.KP threat.

The ability for multiscanning to dramatically reduce the exposure gaps of using one or a small number of antimalware engines makes it a valuable approach for the early detection of emerging and actual outbreaks.

Reduced Exposure from Vendor Issues

With multiscanning, you can avoid exposures caused by the potential limitations of a single vendor. This could be a technology issue, like a particular vendor being unable to detect a vulnerability because of a technical limitation, or it could be a business reason, like a vendor not being allowed to operate in certain geographic regions or government agencies. For example:

Over-reliance on a single vendor can prove challenging, but these issues are avoided with multiscanning approaches. Multiscanning also gives you the flexibility of removing a problematic vendor from your deployment environment if vendor issues occur.

Low False Positives (1 + 1 < 2)

False positives, where files are reported as malicious when they are not, surface as a side-effect of any malware scanning solution, and can adversely affect business operations. To further complicate the issue, false positives are often only reported by a few antimalware vendors at a time, and they are not always consistent or reproducible during testing.

False positive rates are reduced because many malware vendors work together through malware data sharing programs. This means that vendors work together to help codify true positives and false positives, so that overlapping vendor data has many fewer false positives, thus improving the results of using multiscanning.

Vendors also share whitelist (trusted file) data. Our whitelist database accumulates the data from many vendors, which further reduces false positive detection rates.

Every engine returns some false positives, but it is incorrect to assume that using two engines results in double the number of false positives. Because engines overlap in the false positives they report, each new engine adds only a limited number of new false positives, as our multiscanning research demonstrates. When we use more engines, the number of false positives does go up, but only by a small, fractional amount, which is outweighed by the many benefits of multiscanning.
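The two claims above (detection rises as engines are added; false positives rise sub-additively because engines overlap) can be checked directly by combining per-engine verdicts over a labelled sample set. The following is an added example, not OPSWAT's code: the engine names, the sample files and every verdict are constructed for illustration, not measured, and the two combination policies ("any engine flags it" and "at least k engines agree") are assumptions about how a multiscanning product might aggregate results.

```python
"""Combining per-engine verdicts: detection rate and false-positive rate.

Added example (not OPSWAT's code). The corpus, engine names and verdicts
below are constructed to illustrate the aggregation; they are not measurements.
"""

# Constructed labelled corpus: file id -> True if the file is actually malicious.
GROUND_TRUTH = {
    "m1": True, "m2": True, "m3": True, "m4": True, "m5": True, "m6": True,
    "b1": False, "b2": False, "b3": False, "b4": False, "b5": False, "b6": False,
}

# Constructed verdicts: engine -> set of files it flags as malicious.
# The engines overlap heavily on the easy samples and on the same benign files,
# which is what makes the combined false-positive rate sub-additive.
ENGINE_VERDICTS = {
    "engine_A": {"m1", "m2", "m3", "m4", "b1"},
    "engine_B": {"m1", "m2", "m3", "m5", "b1"},
    "engine_C": {"m1", "m2", "m4", "m6", "b1", "b2"},
    "engine_D": {"m1", "m3", "m5", "m6"},
}


def rates(flagged, truth=GROUND_TRUTH):
    """Return (detection_rate, false_positive_rate) for a set of flagged files."""
    malicious = {f for f, bad in truth.items() if bad}
    benign = {f for f, bad in truth.items() if not bad}
    detection = len(flagged & malicious) / len(malicious)
    false_pos = len(flagged & benign) / len(benign)
    return detection, false_pos


def combine_any(engines, verdicts=ENGINE_VERDICTS):
    """'Any engine flags it' policy: the union of the engines' flagged sets."""
    flagged = set()
    for e in engines:
        flagged |= verdicts[e]
    return flagged


def combine_at_least(k, engines, verdicts=ENGINE_VERDICTS):
    """Stricter policy: flag a file only if at least k of the engines flag it."""
    counts = {}
    for e in engines:
        for f in verdicts[e]:
            counts[f] = counts.get(f, 0) + 1
    return {f for f, n in counts.items() if n >= k}


def cumulative_rates(order=("engine_A", "engine_B", "engine_C", "engine_D")):
    """(n, detection, fp) as engines are added one at a time under 'any' policy."""
    rows = []
    for n in range(1, len(order) + 1):
        det, fp = rates(combine_any(order[:n]))
        rows.append((n, det, fp))
    return rows


def sum_of_single_fp_rates(engines):
    """The naive '1 + 1 = 2' estimate: add up each engine's own FP rate."""
    return sum(rates(ENGINE_VERDICTS[e])[1] for e in engines)


if __name__ == "__main__":
    for n, det, fp in cumulative_rates():
        print(f"{n} engine(s): detection {det:.0%}, false positives {fp:.0%}")
    print(f"naive summed FP rate: {sum_of_single_fp_rates(ENGINE_VERDICTS):.0%}")
    det, fp = rates(combine_at_least(2, list(ENGINE_VERDICTS)))
    print(f"at least 2 engines agree: detection {det:.0%}, false positives {fp:.0%}")
```

With the constructed verdicts, detection climbs from 67 percent with one engine to 100 percent with three, while the combined false-positive rate ends at 33 percent rather than the 67 percent a naive sum of the individual rates would predict. Requiring two engines to agree keeps full detection in this corpus and drops the false-positive rate back to 17 percent; the cost of such a threshold on real data is that a threat seen by only one engine (the early-outbreak case described above) is missed, so the policy is a tuning choice, not a free improvement.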

Enhanced Performance (1 + 1 < 2)

Scanning with multiple engines takes slightly longer than scanning with a single engine, but with our multiscanning methods the performance loss is minimized. Our methods perform redundant tasks such as opening archives and detecting file types only once, and we also leverage the fact that various engines specialize in detecting threats in specific file types. This means that many multiscanning tasks can be parallelized using methods like distributed computing, multi-core processing and scanning in memory.
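The pipeline that paragraph describes, shown as an added example rather than OPSWAT's own implementation: the file type is identified from magic bytes once, archive members are extracted once (with a nesting limit so a deeply nested archive cannot exhaust the scanner), and each item is then dispatched in memory to only those engines that handle its type, with the engine calls running in parallel. The "engines" are constructed byte-pattern matchers, the marker strings are constructed, and the type-to-engine routing table is an assumption; a real deployment would call vendor engines through their own interfaces.

```python
"""Multiscanning pipeline: shared pre-processing, then parallel engine calls.

Added example, not OPSWAT's code. The engines are constructed stand-ins
(byte-pattern matchers) so that the example runs offline.
"""
import io
import zipfile
from concurrent.futures import ThreadPoolExecutor

# Constructed markers standing in for real malware signatures.
MARKER_A = b"CONSTRUCTED-MALWARE-MARKER-A"
MARKER_B = b"CONSTRUCTED-MALWARE-MARKER-B"


# ---- shared, once-per-file work ------------------------------------------

def detect_type(data: bytes) -> str:
    """Identify the file type from magic bytes, ignoring the file extension."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def expand(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Yield (name, type, bytes) for a file and, for archives, each member.

    The archive is opened exactly once here, not once per engine, and
    nesting is capped at max_depth so a nested-archive bomb cannot recurse
    without bound.
    """
    ftype = detect_type(data)
    yield name, ftype, data
    if ftype == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield from expand(f"{name}!{member}", zf.read(member), depth + 1, max_depth)


# ---- constructed engines, each specialising in certain file types --------

def _pattern_engine(patterns):
    def scan(data: bytes) -> bool:
        return any(p in data for p in patterns)
    return scan


ENGINES = [
    {"name": "engine_A", "types": {"pe", "unknown"}, "scan": _pattern_engine([MARKER_A])},
    {"name": "engine_B", "types": {"pe", "pdf", "unknown"}, "scan": _pattern_engine([MARKER_B])},
    {"name": "engine_C", "types": {"pdf"}, "scan": _pattern_engine([MARKER_A, MARKER_B])},
]


def multiscan(name: str, data: bytes, engines=ENGINES, workers: int = 4):
    """Scan a file and its archive members with every applicable engine in parallel.

    Returns (verdict, {item_name: [engines that flagged it]}).
    """
    items = list(expand(name, data))            # type detection + extraction, once
    blobs = {item_name: blob for item_name, _, blob in items}
    # Route each item only to the engines that handle its type.
    jobs = [(item_name, eng) for item_name, ftype, _ in items
            for eng in engines if ftype in eng["types"]]

    def run(job):
        item_name, eng = job
        return item_name, eng["name"], eng["scan"](blobs[item_name])

    results = {item_name: [] for item_name, _, _ in items}
    with ThreadPoolExecutor(max_workers=workers) as pool:   # engines run concurrently
        for item_name, eng_name, hit in pool.map(run, jobs):
            if hit:
                results[item_name].append(eng_name)
    verdict = "malicious" if any(results.values()) else "clean"
    return verdict, results


def build_sample_zip() -> bytes:
    """Constructed in-memory archive: one clean member, two marked members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text, nothing to see")
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 16 + MARKER_A)
        zf.writestr("doc.pdf", b"%PDF-1.4\n" + MARKER_B)
    return buf.getvalue()


if __name__ == "__main__":
    verdict, results = multiscan("sample.zip", build_sample_zip())
    print(verdict)
    for item, hits in results.items():
        print(f"  {item}: {hits or 'clean'}")
```

Each item's content is held in memory and handed to the engines by reference, so adding an engine adds scan calls but no extra archive opening or type detection; routing by type means the PDF-only engine never wastes time on the executable. The depth cap is a defender's caveat worth keeping in any real pipeline, since extraction, not engine time, is where an adversarial archive can make multiscanning expensive.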

Low Total Cost of Ownership (TCO)

Because multiscanning requires multiple antimalware engines from various vendors, cost is a factor. However, we partner with vendors to deliver optimized multiscanning engine package options to provide beneficial Total Cost of Ownership (TCO) over time. By serving as a single point of contact, we reduce complexity in multiple scanning deployments for our global client base of government entities and organizations in virtually every industry including other security firms, aerospace and defense, healthcare services, critical infrastructure, and supply chain manufacturing.

OPSWAT Products That Use Multiscanning