CCM – Our Threat Indices in the Security Intelligence Report

At the recent Virus Bulletin 2010 Conference in Vancouver, BC, I made a presentation highlighting infection data collected from the Malicious Software Removal Tool and data collected from Microsoft Security Essentials in its first year. The presentation (coincidentally on the Security Essentials one year anniversary), entitled "Observations and lessons learned from comparing point-in-time cleaning against real-time protection", showed the MSRT as a baseline removal tool to keep the ecosystem clean and called out the end users to run a full AV solution as a step further to proactively protect themselves from the malware attacks. One of the indices we use as we examine the results of our removal and protection tools is the CCM (Computers Cleaned per Mille [Thousand] MSRT Executions) Index.

In that presentation, I also showcased that the MSRT and other Microsoft security updates have a much lower install ratio in China than elsewhere worldwide. This is partially attributed to some prominent security software vendors in China who turn off automatic updating or attempt to disable Windows Update so they can offer their own update services. The update services provided through these security vendors may not consistently apply all security updates for Windows or other Microsoft software, and we have observed that most of the security vendors do not actively encourage users to install MSRT. It is either listed as a low priority update or not offered at all. We are working with these vendors to build a stronger security practice, and to build their security solutions on top of the protections offered by Microsoft, not attempt to replace it. It's worth mentioning that MSRT, like all Windows security updates, is available to all Windows systems regardless of license state - MSRT removes the prevalent threats to help improve the security of the Internet for all users. Because of the broad reach of the MSRT we are able to piggyback the detection data, in combination with other security datasets from Microsoft products and services, to provide the semi-year security intelligence reports.

Now, we’ve released our volume 9 of the Security Intelligence Report (SIR) which covers the threat landscape, observations and analysis in 1H10. In the SIR, a commonly used concept originating from the MSRT data sources is the CCM. The CCM index presents the infection rate of the ecosystem, and it can be broken down by geographic location, by operating system, or by threat family. Because the MSRT targets the subset of the most prevalent malware, this index shows how the different countries or platforms are impacted by these active threats, and allows end users, IT professionals and other readers to take action in building their security fence. For example, this figure shows Windows 7 is less botted (infected by bots or zombies and recruited by a botnet) than older platforms, and server platforms are less likely to be infected.

Computers cleaned


And this heatmap shows how different countries are likely to be infected by bots.

Heatmap per country 2Q10


In addition the CCM provided important data points to help track Waledac activity during the Waledac takedown event. The CCM concept is now widely adopted in the SIR and is used to interpret other datasets such as phishing and malicious site indices. We expect to expand CCM indices to describe other datasets in future SIR releases.


Heatmap - infection 2

Phishing heatmap

The full report is available at

--Scott Wu

Comments (0)

Skip to main content