As opposed to a traditional antivirus, a network antivirus does not run on the endpoints but runs in a single dedicated network appliance that can protect any device that accesses your network. An effective network antivirus solution detects and blocks malicious content that enters your network before it is executed or opened in any of your endpoints.
MetaFlows Network Antivirus Advantages
It does not require the installation and management of antivirus software on each of the endpoints on your network. This is becoming extremely important today because of the wide use of smart phones which cannot be reliably covered by endpoint solutions.
Intelligence updates to the antivirus system are centralized to a single location thus avoiding constant updates to large number of endpoints (which may be intermittently turned off or may be out of range).
Suspect content (like unsigned binaries, Microsoft documents, etc) unknown to the available antivirus solutions can be executed or opened in a controlled environment (sandbox) to see if it poses a security threat before it is opened by the endpoint.
The relative detection rate of an endpoint solution with respect to all of its rivals ranges from 10% to 50% (the average is 20%). Things get even worse if we also count unknown malware that can only be detected through a sandbox. A network antivirus, can significantly improve the overall detection rate because it can relay on multiple antivirus solutions at once (like the ones provided by VirusTotal). To illustrate this point, please take a look at the latest antivirus performance measurements below.
Severity of Malware Detected
The table shows the best 15 antivirus relative detection rates for the week 12/19/2019 11:25pm to 12/26/2019 11:25pm UTC. The bar graph above shows the estimated average severity of the malware they detected. Hover over the bars to see which table row they represent.
Measured Endpoint Antivirus Relative Detection Rate(12/19/2019 11:25pm to 12/26/2019 11:25pm UTC)
|Antivirus Vendor||Detection Rate|
Our network antivirus relies on the following threat feeds:
- Approximately 700k new Virus signatures per day.
- 60+ Independent antivirus solutions at once to detect known threats.
- 100+ Sandbox behavioral signatures to detect unknown threats (updated monthly).
- 40k IDS signatures (updated daily).
- Over 200k IPv4 and URL threat indicators (updated daily)
As an integral part of the MetaFlows Security System, our unique technology can be deployed as a Network IDS appliance of varying processing capacity or as a software subscription on Linux CentOS 7+ for on-premise and/or cloud-based deployments. Please contact us to find out more.
How it works
Metaflows appliances monitor the transmission of all notable files (.exe, .dll, .pdf, .zip, Microsoft Office formats, etc.) transmitted on your network. The digest of each file is passed to the Network Antivirus system, which consists of 55+ Antivirus solutions provided by Virus Total giving us the broadest possible base of signatures to use for Malware Detection. All files that test positive on 3 or more Antivirus solutions generate high-priority alerts. Any host involved in the transmission of such files can be safely blocked and taken off the network because it is mot likely compromised.
Content which is unknown to Virus Total is executed in our proprietary sandbox available as a cloud based or on premise solution. A mix of proprietary and open source tools analyze the behavior of the content as it is executed/opened to determine whether it is well behaved. If the behavior is consistent with dangerous Malware, the sandbox issues a high priority alert with a detailed report of why the content is bad.