A lack of consistency in the way vendors define and recognize malware makes it impossible to enumerate the number of instances that each product recognizes. One vendor might inflate its count by including several kinds of browser cookies, while another might inflate its count by treating slight variations in a malware instance as multiple instances.

A vendor that says it recognizes 5,000 distinct malware instances might actually thwart more malware than a vendor that touts a count of 50,000. We're happy to report that the vendors in this test are among the most honest in their counting methodologies.

Few vendors have fully embraced the proposed standards at www.antispywarecoalition.org. To compound the problem, each vendor typically uses a different name to refer to the same spyware instance.

Even the tools that vendors use to thwart malware often have little relationship to the number of malware instances they handle. One vendor might recognize a particular malware instance via a file-specific signature, while another blocks the same instance by recognizing the exploit that it uses. Yet another handles that same malware instance via disallowing access to certain IP addresses or URLs.

The antimalware industry clearly needs a standard definition of malware and a standard method of expressing how many instances a vendor recognizes.

< Previous: New approaches on attacking malware | Next: How we tested antimalware >