Statistics

Why Multi-scanning?

We compile the most searched-for threats from the Metascan Online database over the past week, and you can see them below along with data about how well they are detected by our Metascan Packages. Please note that the detection data comes from Software Development Kit (SDK) and Command Line Interface (CLI) package versions of these anti-malware engines, using static analysis only, and not from endpoint desktop applications which may be capable of enhanced behavioral and other dynamic analysis, so detection results may differ significantly from commercial endpoint performance. The data below should not be used for comparing performance of desktop or server anti-malware applications. To emphasize the value of multi-scanning, we wanted to show how the OPSWAT Metascan packages can detect the top threats in our list. As more scan engines are added, more of the top threats are detected, indicating the value added with each Metascan package increment.

Hover over the packages to see the included anti-malware engines.

Learn more about the data and how it is collected by reading the documentation and disclaimers about the top threats.

Top searched threats

 


How do you get this data?

  • Most searched threats on Metascan Online over the past 7 days
  • Must be detected as malicious by at least 5 engines
  • Rescanned every day to update the number of engines detecting the threat
  • Many Windows and Mac system and process files

The threats listed above are the most searched-for threats from our database of hashes over the last seven days. The hashes come from files that have been uploaded through our multi-scanning tool, Metascan Online, and we filter these down to those that have been flagged as malicious by five or more antivirus engines: we do this in order to limit false positives, or incorrect threat detections. We did a few internal tests to find the "sweet spot" of the minimum number of engines to detect the threat and determined that five worked best for our data; we didn’t want too low of a minimum, which could yield too many false positives, but too high of a minimum could eliminate real, new, interesting threats.

We update this list daily and rescan each of the threats listed every day to determine if the number of engines detecting them has changed. Many of the hash searches on Metascan Online are performed as part of endpoint risk assessment, so many of the top threats you will see are Windows and Mac system and process files. Threats that are found most commonly in email attachments, for example, may not show here. Scan engines designed exclusively for Android malware have been excluded from these statistics because the top searched threats in our database tend to be non-Android malware. We do include Potentially Unwanted Programs (PUPs) and Potentially Unwanted Applications (PUAs) in the top threats; while they may not actually be considered malware, their behavior and use can still have unintended security or privacy impacts, and many antivirus engines are flagging these types of applications as adware, grayware, toolbars, etc.

Are these engines used by Metascan what my installed antivirus detects?

No. The anti-malware engines we use on Metascan Online are SDK and CLI packages using signature and heuristic-based detection methods, or static analysis. With static analysis, the file is not executed, but is analyzed for malicious patterns and checked for known malware signatures. Antivirus products installed on your computer often also make use of dynamic analysis, in which the behavior of the file is observed. Behavioral detection methods, often using a sandbox environment to execute the file, can identify malicious activity that only occurs at runtime and that would not be caught by static analysis. For this reason, as well as because of the variability in configurations in any individual or company’s deployment of their antivirus product, the results we show here may not match the results you would observe from your installed antivirus software.

The results here only indicate detection of a threat, not necessarily the ability to quarantine, clean, delete or otherwise remediate the threat. When determining the effectiveness of any anti-malware product for protecting an endpoint machine, it is important to evaluate its ability to detect as well as to remediate threats. This data does not address threat remediation.

To compare the performance of anti-malware products, we recommend using comprehensive anti-malware tests from companies like AV-Test, AV Comparatives, Virus Bulletin, ICSA Labs, West Coast labs, and others.

How can I use this data?

No single anti-malware engine is perfect 100% of the time, and using multiple engines to scan for threats allows you to take advantage of the strengths of each individual engine and to guarantee the earliest possible detection. While the data above shows only a subset of the most common threats in the wild and utilizes only the Windows-based anti-malware engines in Metascan Online, it provides an indication of the variability of detection rates of common malware by the anti-malware community. You can use this data to investigate current threats as well as to watch detection of new threats grow over time.

In addition, command line versions of anti-malware products are often integrated into a spam filter or web security product, and these results may provide more insight for those implementations, though the specific configuration can also affect detection rates.

Disclaimers

This data is not for comparing engine solutions

Metascan Online intends to be an unbiased service, not promoting one engine over another, and the data above is not intended for comparing the performance of specific engines, for reasons including:

  • This data comes from SDK and CLI packages, not from endpoint or desktop applications
  • This data uses static analysis only, not dynamic analysis
  • This data comes from Metascan Online search traffic only
  • This data does not provide an indication for how well an application can protect your computer

A note on privacy and sample sharing

Files uploaded to Metascan Online are shared with the antivirus engine vendors to help in improving their services and products. We believe that by doing so, this will lead to better protection for end users. Some users of the Metascan Online API opt to keep their files private; these will not be stored on Metascan Online or shared with anti-malware engines, and threats from these customers will not appear in the data above.

Contact us to learn more about this data.