Multi-Scanning

With multi-scanning, you can avoid exposures caused by the potential limitations of a single vendor. This could be a technology issue, like a particular vendor being unable to detect a vulnerability because of a technical limitation, or it could be a business reason, like a vendor not being allowed to operate in certain geographic regions or government agencies. For example:

• Symantec vulnerability
• Kaspersky U.S. government ban

Over-reliance on a single vendor can prove challenging, but these issues are avoided with multi-scanning approaches. Multi-scanning also gives you the flexibility of removing a problematic vendor from your deployment environment if vendor issues occur.

False positives, where files are reported as malicious when they are not, surface as a side-effect of any malware scanning solution, and can adversely affect business operations. To further complicate the issue, false positives are often only reported by a few anti-malware vendors at a time, and they are not always consistent or reproducible during testing.

False positive rates are reduced because many malware vendors work together through malware data sharing programs. This means that vendors work together to help codify true positives and false positives, so that overlapping vendor data has many fewer false positives, thus improving the results of using multi-scanning.

Also vendors share whitelist (trusted file) data. Our whitelist database accumulates the data from many vendors, which also reduces false positive detection rates.

Every engine returns some false positives, but it is incorrect to assume that using two engines results in double the number of false positives. Overlap in the detection of false positives using multi-scanning, limits the number of new false positives added by each new engine, as our multi-scanning research demonstrates. When we use more engines, the amount of false positives does go up, but only by a small, fractional amount, which is outweighed by the many benefits of multi-scanning.

Scanning with multiple engines takes slightly longer than scanning with a single engine, but with our multi-scanning methods, performance loss is minimized. Our methods take into account redundant tasks such as opening archives and detecting file types, and we also leverage the fact that various engines specialize in detecting threats in specific file types.  This means that many multi-scanning tasks can be parallelized by using methods like distributed computing, multi-core processing and scanning in memory.

Because multi-scanning requires multiple anti-malware engines from various vendors, cost is a factor. However, we partner with vendors to deliver optimized multi-scanning engine package options to provide beneficial Total Cost of Ownership (TCO) over time. By serving as a single point of contact, we reduce complexity in multiple scanning deployments for our global client base of government entities and organizations in virtually every industry including other security firms, aerospace and defense, healthcare services, critical infrastructure, and supply chain manufacturing.