Protection metrics trends – First quarter 2014 results

​It's been a few months since our last post on our metrics. I wanted to give you an update on families that are declining, new ones that are moving in, and on the way we're calculating our protection metrics to make them more accurate.

Overall, our infection impact (0.29% for January to March) has remained consistently low since December. A few families have declined, but others have moved into their place. Our incorrect detections have stayed under 0.001% and our performance metrics remain fairly consistent.

Declining families

The "Sefnit trio", mentioned in several of our prior blog posts, have declined significantly (although Sefnit itself has picked up in March through exploring new distribution methods). At the peak in October 2013, these families were contributing to nearly one-fifth of the customer infections we saw that month. Now they are down to 7%.

New families

Spacekito and Clikug are recent additions. Spacekito is distributed through a software bundler and claims to be a "browser protector." It exfiltrates data about the system upon which it's installed, serves ads, and aggressively reinstalls itself, so it's difficult for our customers to remove if they don't want it anymore.

Clikug uses your computer for click-fraud, which happens in the background. You may simply notice that your computer is sluggish.

Zbot isn't new, but since late last year it has been aggressively distributed by Upatre (through spam), which is another family that is edging up the ranks in our top 20 list impacting our customers.

Wysotot, which we first mentioned in our Nov results, is also still a top player in terms of customer impact. Wysotot is typically installed on your computer through software bundlers that advertise free software or games.

Protection metrics update

You may notice a few changes on the Evaluating our protection performance and capabilities page: we've updated the way we calculate our infection and incorrect detection impact. In the past, we counted the number of computers that downloaded an update for one of our real-time protection products. Although most of our customers opt in to report threat telemetry to us, some don't.

In the past, our products weren't instrumented to give us accurate counts of people that opted to share their telemetry, and thus the potential population that could report a threat wasn't easy to discern – we had to rely on our update numbers.

In 2013, we shipped a new feature to alleviate this. Essentially, on regular intervals, computers running Microsoft antimalware that have opted to provide this information will send a signal that lets us know they're still protected and helps us count the true number of computers that could report a threat to us.

The feature was deployed to all of our customers starting in July, so our new trends on the Evaluating our protection performance and capabilities page start in Aug 2013. This new denominator provides a much more accurate figure for our infection and incorrect detection impact.

In our upcoming Security Intelligence Report (SIRv16), we'll also be using this same denominator to report the malware encounter rate.

I hope this post provides you with insight into how we're measuring our protection and performance for our customers that choose us for protection. We truly strive to be transparent in how we measure ourselves, and also to provide our customers with an optimal balance of protection and performance.


-Holly Stewart

Microsoft Malware Protection Center

You may also like...

Popular Posts