In the interests of full disclosure, FireEye is a security solutions provider, and Stuart Staniford is their chief scientist. This casts his conclusions in a somewhat different light, but Staniford makes no effort to hide his affiliations as he details the experiment he performed in his blog entry. Staniford walks through his assumptions, data sets, and procedures in some depth; I recommend consulting his full entry if you're curious about the experiment.
The good news here is that FireEye's own custom security software tends to detect new malware more-or-less at the same time as VirusTotal. Unfortunately, the lag time between VirusTotal learning to recognize a new MD5 hash and a majority of AV scanners being able to recognize that same bit of malware is substantial.
Based on Staniford's results, only 40 percent of AV products can detect a given malware binary within three days of that binary hitting the 'Net. This detection rate improves significantly as time passes, but never reaches 100 percent, even months after the initial executable was uploaded to VirusTotal.com. The implications of this lag time are significant, as it identifies a span of days when the malware (whatever it happens to be) is free to move about online more-or-less undetected. Even if we assume Staniford's measurements are off by 15-20 percent, it's still clear that the majority of AV products leave significant coverage gaps.
The antimalware companies themselves are aware of this; McAfee intends to offer a cloud-based solution it believes will reduce an AV engine's update time. Examine Staniford's data compared to the McAfee article I linked above, however, and you'll note a distinct difference in how long it takes AV companies to roll out solutions (as measured using VirusTotal) versus how long McAfee claims it takes (1-3 days). This isn't proof that McAfee is wrong; FireEye's chief scientist doesn't break out results by scanner, but it's statistically doubtful that McAfee is always one of the 40 percent Staniford measured.
Based on Staniford's results, only 40 percent of AV products can detect a given malware binary within three days of that binary hitting the 'Net. This detection rate improves significantly as time passes, but never reaches 100 percent, even months after the initial executable was uploaded to VirusTotal.com. The implications of this lag time are significant, as it identifies a span of days when the malware (whatever it happens to be) is free to move about online more-or-less undetected. Even if we assume Staniford's measurements are off by 15-20 percent, it's still clear that the majority of AV products leave significant coverage gaps.
The antimalware companies themselves are aware of this; McAfee intends to offer a cloud-based solution it believes will reduce an AV engine's update time. Examine Staniford's data compared to the McAfee article I linked above, however, and you'll note a distinct difference in how long it takes AV companies to roll out solutions (as measured using VirusTotal) versus how long McAfee claims it takes (1-3 days). This isn't proof that McAfee is wrong; FireEye's chief scientist doesn't break out results by scanner, but it's statistically doubtful that McAfee is always one of the 40 percent Staniford measured.