A brief survey of AntiVirus Engines in production in 2021.
When we first started researching AntiVirus Engines and companies we thought there were a handful of them and that it would be a pretty quick job to make an inventory of all the names, their origins, and general capabilities. Once we got started, we quickly realized how wrong we were!
Did you know there are over 100 AntiVirus Engines, spread all over the world? Some of them even share the same back end through a licensing or white-label arrangement; the engines listed below all use the BitDefender engine and signature database internally.
When you scan with these engines you will most likely get the exact same results, because they rely on the same internal system and database.
Kaspersky licenses its engine to a handful of vendors in a similar way, but to our knowledge nowhere near as widely.
Following are some AntiVirus Engines based on BitDefender:
Tencent - tencent.com - China
Baidu - baidu.com - China
Trustport - trustport.com - Czech Republic
F-Secure - f-secure.com - Finland
Gdata - gdata-software.com - Germany
Quickheal - quickheal.com - India
Escan AV [Microworld] - escanav.com - India
SourceNext - sourcenext.com - Japan
Fuva Brain - fuva-brain.co.jp - Japan
Emsisoft [SpyHunter] - emsisoft.com - New Zealand
Arcabit [MKS Vir] - arcabit.pl - Poland
SafeNSoft - safensoft.com - Russia
Hauri - hauri.net - South Korea
ESTSecurity [ALYac] - estsecurity.com - South Korea
Nprotect - nsos.nprotect.com - South Korea
J2 Global [VIPRE ThreatTrack] - vipre.com - United States
TotalDefense - totaldefense.com - United States
Ad-Aware [Lavasoft] - adaware.com - United States
HitmanPro - hitmanpro.com - United Kingdom
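As an added example (not code from the original post), a small Python helper that triages multi-engine scan results the way the point above implies: it collapses every engine the post lists as BitDefender-based into one family before counting detections, so white-label copies of the same signature database do not inflate the tally. The shortened engine-name keys and the sample verdicts are constructed, and the helper assumes every engine not on that list is an independent back end.

```python
# Added example, not part of the original post: count detections per
# back-end family rather than per engine name. The BitDefender-based set
# mirrors the post's list; every other engine is assumed to be independent.
from collections import defaultdict

# Engines the post lists as running the BitDefender engine and signatures.
BITDEFENDER_BASED = {
    "Tencent", "Baidu", "Trustport", "F-Secure", "Gdata", "Quickheal",
    "Escan", "SourceNext", "Fuva Brain", "Emsisoft", "Arcabit", "SafeNSoft",
    "Hauri", "ESTSecurity", "Nprotect", "VIPRE", "TotalDefense",
    "Ad-Aware", "HitmanPro",
}

def backend_of(engine: str) -> str:
    """Map an engine name to the family whose signatures it actually runs."""
    if engine == "BitDefender" or engine in BITDEFENDER_BASED:
        return "BitDefender"
    return engine  # assumption: any other engine is its own back end

def independent_detections(verdicts: dict[str, bool]) -> tuple[int, int]:
    """Return (families flagging the sample, total families seen).

    Each shared back end is counted once; a family counts as flagging the
    sample if any of its member engines does.
    """
    by_family: dict[str, bool] = defaultdict(bool)
    for engine, flagged in verdicts.items():
        family = backend_of(engine)
        by_family[family] = by_family[family] or flagged
    return sum(by_family.values()), len(by_family)

# Constructed sample verdicts: 8 of 13 engines flag the file, but 7 of
# those 8 are the same BitDefender engine under different brand names.
SAMPLE_VERDICTS = {
    "BitDefender": True, "Gdata": True, "Emsisoft": True, "F-Secure": True,
    "Arcabit": True, "HitmanPro": True, "Tencent": True,
    "Avast": True, "Kaspersky": False, "Eset": False, "Drweb": False,
    "Clamav": False, "Microsoft": False,
}

if __name__ == "__main__":
    raw = sum(SAMPLE_VERDICTS.values())
    flagged, families = independent_detections(SAMPLE_VERDICTS)
    # raw agreement looks like 8/13; independent agreement is 2/7
    print(f"raw: {raw}/{len(SAMPLE_VERDICTS)}  independent: {flagged}/{families}")
```

The same idea extends to any other licensed back end (the post mentions Kaspersky) by adding a second family set to `backend_of`.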
Ready for the rest of the list, the non-BitDefender AntiVirus Engines?
Hang on to your hats, because it's quite a doozy.
Amsterdam
ReaQta - ReaQta.com
Austria
Ikarus - ikarussecurity.com
Belarus
VirusBlokAda [VBA32] - anti-virus.by
Brazil
AVware [Bluepex] - bluepex.com.br
Psafe - psafe.com
China
Antiy Labs - antiy.net
Qihoo-360 - 360.cn
Rising - rising-global.com
Kingsoft - ir.kingsoft.com, ijinshan.com
Jiangmin - Jiangmin.com
Alibaba - alibaba.com
Huorong - Huorong.cn
Czech Republic
Avast - avast.com
Zoner - zonerantivirus.com
Denmark
Bullguard - Bullguard.com
Estonia
Trapmine - trapmine.com
France
Fortinet - fortinet.com
Tehtris [Egambit] - egambit.app
Quarkslab - quarkslab.com
Germany
Avira - avira.com
Inlyse - Inlyse.com
Wardwiz - Wardwiz.in
India
K7 Antivirus - k7computing.com
MaxSecure - maxpcsecure.com
Net Protector - npav.net
Iran
Padvish - padvish.com
Ireland
Safer Networking - safer-networking.org
Israel
Quttera - Quttera.com
Resec Technologies - resec.co
Votiro - Votiro.com
Minerva - minerva-labs.com
Airo Security - airoav.com
Vdoo - vdoo.com
ZoneAlarm - zonealarm.com
Japan
Trendmicro - trendmicro.com
Lithuania
Wipersoft [Aceso.Network] - wipersoft.com
Portugal
Xvirus Personal Guard - xvirus.net
Romania
Bitdefender - bitdefender.com
Russia
NanoAV - nano-av.com
Drweb - drweb.com
Kaspersky - kaspersky.com
Yandex - yandex.com
Singapore
Trustwave - trustwave.com
Slovak Republic
Eset - eset.com
South Korea
Ahnlab - ahnlab.com
Tachyon - tachyonlab.com
Max Antivirus - maxsecureantivirus.com
Jiran Security - en.jiransecurity.com
Spain
Panda - pandasecurity.com
Switzerland
Acronis - acronis.com
Taiwan
Lionic [Aegis] - aegislab.com
Turkey
Zemana Anti-Malware - zemana.com
Ukraine
Grindinsoft - grindinsoft.com
Zillya - zillya.com
United Kingdom
Qualys - qualys.com
Deep Secure - deep-secure.com
Sophos - sophos.com
Glasswall - glasswallsolutions.com
United States
Clamav - clamav.net
Area One Security - area1security.com
Inquest - inquest.net
Symantec - symantec.com
Palo Alto Networks - paloaltonetworks.com
Webroot - webroot.com
Crowdstrike - crowdstrike.com
Intezer - intezer.com
SentinelOne - sentinelone.com
Trustlook - trustlook.com
Bromium - bromium.com
Deep Instinct - deepinstinct.com
Forcepoint - forcepoint.com
Cyren - cyren.com
Cisco AMP [Immunet] - immunet.com
Comodo - antivirus.comodo.com
Second Write - secondwrite.com
Morphisec - morphisec.com
K2IO - k2io.com
Cyber Adapt - cyberadapt.com
Slashnext - Slashnext.com
Virsec - virsec.com
Zimperium - zimperium.com
PC Matic - pcmatic.com
Sonicwall - sonicwall.com
Malwarebytes - malwarebytes.com
SecureWorks - secureworks.com
Veracode - veracode.com
SUPERAntiSpyware - superantispyware.com
McAfee - mcafee.com
Cylance - blackberry.com/us/en/cylance
FireEye - fireeye.com
Lastline - lastline.com
Microsoft - microsoft.com
Lookout - lookout.com
Proofpoint - proofpoint.com
Cybereason - cybereason.com
Endgame - endgame.com
Vietnam
CMC - cmccybersecurity.com
BKAV - bkav.com
That is quite a mouthful! Even having put this list together ourselves, it is hard to believe that there are in fact so many AntiVirus vendors out there, which begs the natural question:
Why are there so many AntiVirus Engines?
Since the dawn of malware and the first Internet virus, the holy grail of virus defense has been developing the ability to tell malicious code from innocuous code. As it turns out, the problem is much harder than it seems. Most antivirus engines take their own approach to detecting malicious payloads, and it has become an arms race to be better than the next guy and prove that one is the "top dog" in the industry of malicious file detection.
Companies like VirusTotal.com, Jotti.org, Virscan.com, opswat.com, and others have sprouted up to aggregate results from multiple AV engines and show how signature matches and actual detections compare across them. Unfortunately this has only accelerated malware creation, because it also lets the bad guys see scan results more easily and adjust their strategies to evade detection.
There are many reasons why antivirus detection is a difficult challenge. Following are some of the hurdles companies need to clear in order to maximize their chances of detection success:
Packing and ever-evolving methods of code obfuscation have made it increasingly difficult for engines to simply run their detection database against a file, because additional layers of trickery are wrapped around the payload precisely to frustrate that process.
No AntiVirus engine has a complete view of the world; none sees all the malware that might exist. More often than not, engines can only build detections and protections against the types of files and methods they have seen before, and new files and new methods make that harder. That's why companies like ours help bridge the gap: we add visibility into files they might not otherwise have access to on their own.
Malicious files can be written for many platforms, and although an engine may be good at detection on a single platform, it has to develop the same capabilities on others (such as Android, iOS, Linux, or Mac) in order to widen its horizontal footprint. Supporting many systems and platforms takes more resources, manpower, and troubleshooting.
Malicious activity can be localized to a specific region or, even worse, associated with very specific individuals or groups where the AntiVirus engine has no visibility. This too increases the odds that a given file or payload will not be detected as malicious.
The risk of false positives is equally great, because tools like virustotal.com have pushed engines to keep up with each other's detection rates. Sometimes an engine flags a file that is actually benign, and other engines subsequently start doing the same in order to show a similar detection rate and not be left behind. This can have a detrimental effect on the overall accuracy of the results.
Many different methods have been developed over the years, and some of them require very different strategies to deal with the problem. Many kinds of companies have sprouted up to address it in their own proprietary way, such as: Next Gen AV, In-Memory Scanning, Crowdsourcing, Whitelisting Systems, Real-Time Sandboxing, Protected Memory Space, Content Disarming and Reassembly, and much more.
Sometimes malicious intent is buried very deep in the dark corners of a file, system, or bit of code and is terribly difficult to get at. Determining intent is nearly impossible, especially in real time, so systems are often left to be reactive rather than proactive because of their limited visibility. The reactive process can be effective, but it is limited if the system is not built to understand a specific threat or method.
Even the best engine on the planet would still have to win users through marketing. Many engines exist because they reach a different customer base: there may be local-language challenges, enterprise versus retail, Windows versus mobile specialization, proactive versus reactive strategies, and much more.
AntiVirus Mergers and Acquisitions
These dynamics have kept the industry segmented, and despite occasional mergers and acquisitions it remains largely fragmented. Some past acquisitions include:
Fortinet acquired Ensilo
Avast acquired AVG and Norman
Checkpoint acquired ZoneAlarm
Symantec acquired Appthority
SecureWorks acquired CarbonBlack / Bit9
Sophos acquired HitmanPro
J2 Global acquired Vipre / Sunbelt
Microsoft acquired Sybari
Symantec acquired Avira who had been acquired by Investcorp
Intel acquired McAfee
Webroot acquired Sophos
Crowdstrike acquired Preempt
Blackberry acquired Cylance
Cisco Systems acquired ClamAV and ThreatGrid
... and many more!
Even keeping up with the M&A activity can be daunting, but for every acquisition more vendors seem to pop up with new and interesting capabilities and new and interesting user bases. This pattern will continue for the foreseeable future.
The Diverse Detection Landscape is Here To Stay
As long as the Internet is running and there are humans to cause mischief, the vast landscape of AntiVirus engines is here to stay.
The number of engines is truly daunting, but one thing is for sure: there is never a dull moment when it comes to keeping up with malware and all the subtle intricacies of collection, detection, and prevention!