Protection metrics trends – First quarter 2014 results

It’s been a few months since our last post on our metrics. I wanted to give you an update on families that are declining, new ones that are moving in, and on the way we’re calculating our protection metrics to make them more accurate.

Overall, our infection impact (0.29% for January to March) has remained consistently low since December. A few families have declined, but others have moved into their place. Our incorrect detections have stayed under 0.001% and our performance metrics remain fairly consistent.

Declining families

The “Sefnit trio”, mentioned in several of our prior blog posts, have declined significantly (although Sefnit itself has picked up in March through exploring new distribution methods). At the peak in October 2013, these families were contributing to nearly one-fifth of the customer infections we saw that month. Now they are down to 7%.

New families

Spacekito and Clikug are recent additions. Spacekito is distributed through a software bundler and claims to be a “browser protector.” It exfiltrates data about the system upon which it’s installed, serves ads, and aggressively reinstalls itself, so it’s difficult for our customers to remove if they don’t want it anymore.

Clikug uses your computer for click-fraud, which happens in the background. You may simply notice that your computer is sluggish.

Zbot isn’t new, but since late last year it has been aggressively distributed by Upatre (through spam), which is another family that is edging up the ranks in our top 20 list impacting our customers.

Wysotot, which we first mentioned in our November results, is also still a top player in terms of customer impact. Wysotot is typically installed on your computer through software bundlers that advertise free software or games.

Protection metrics update

You may notice a few changes on the Evaluating our protection performance and capabilities page: we’ve updated the way we calculate our infection and incorrect detection impact. In the past, we counted the number of computers that downloaded an update for one of our real-time protection products. Although most of our customers opt in to report threat telemetry to us, some don’t.

In the past, our products weren’t instrumented to give us accurate counts of people that opted to share their telemetry, and thus the potential population that could report a threat wasn’t easy to discern – we had to rely on our update numbers.

In 2013, we shipped a new feature to alleviate this. Essentially, on regular intervals, computers running Microsoft antimalware that have opted to provide this information will send a signal that lets us know they’re still protected and helps us count the true number of computers that could report a threat to us.

The feature was deployed to all of our customers starting in July, so our new trends on the Evaluating our protection performance and capabilities page start in August 2013. This new denominator provides a much more accurate figure for our infection and incorrect detection impact.
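As an added illustration (not code from the post or from Microsoft), the script below computes infection impact for one reporting window under both denominators on constructed telemetry: the old count of machines that downloaded an update versus the new count of opted-in machines that sent the "still protected" signal. The event names, the opt-in flag and the sample records are assumptions.

```python
from datetime import date

# Constructed sample telemetry, not data from the post or from Microsoft.
# Record: (day, machine id, event, opted in to threat telemetry).
#   "update"    = downloaded a real-time protection update
#   "heartbeat" = the 2013 "still protected" signal (opted-in machines only)
#   "infection" = reported a threat
SAMPLE_EVENTS = [
    (date(2013, 8, 1), "m1", "update", True),
    (date(2013, 8, 1), "m1", "heartbeat", True),
    (date(2013, 8, 2), "m1", "update", True),     # same machine: count once
    (date(2013, 8, 1), "m2", "update", False),    # opted out: can never report
    (date(2013, 8, 1), "m3", "update", True),
    (date(2013, 8, 3), "m3", "heartbeat", True),
    (date(2013, 8, 3), "m3", "infection", True),
    (date(2013, 8, 5), "m4", "heartbeat", True),  # no update seen, still protected
    (date(2013, 8, 2), "m5", "update", False),
    (date(2013, 9, 1), "m6", "heartbeat", True),  # outside the August window
]
AUGUST_2013 = (date(2013, 8, 1), date(2013, 8, 31))


def distinct_machines(events, kind, start, end):
    """Machines with at least one `kind` event inside [start, end]."""
    return {m for d, m, k, _ in events if k == kind and start <= d <= end}


def infection_impact(events, start, end, denominator="heartbeat"):
    """Infected machines / protected population for one reporting window.

    "update":    old method, everyone who downloaded an update, including
                 opted-out machines that could never report an infection.
    "heartbeat": new method, only machines that signalled they are still
                 protected and opted in, i.e. those that could report.
    """
    if denominator not in ("update", "heartbeat"):
        raise ValueError("denominator must be 'update' or 'heartbeat'")
    population = distinct_machines(events, denominator, start, end)
    infected = distinct_machines(events, "infection", start, end)
    # A reporter missing from the population means the denominator is
    # undercounting; surface it rather than silently dividing.
    outside = sorted(infected - population)
    rate = len(infected) / len(population) if population else 0.0
    return {"population": len(population), "infected": len(infected),
            "impact_pct": round(100 * rate, 2), "reporters_outside": outside}


if __name__ == "__main__":
    for method in ("update", "heartbeat"):
        print(method, infection_impact(SAMPLE_EVENTS, *AUGUST_2013, denominator=method))
```

On the sample data the update denominator counts two opted-out machines that could never report a threat and misses one protected machine that sent no update, which is the distortion the new signal removes.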

In our upcoming Security Intelligence Report (SIRv16), we’ll also be using this same denominator to report the malware encounter rate.

I hope this post provides you with insight into how we’re measuring our protection and performance for our customers that choose us for protection. We truly strive to be transparent in how we measure ourselves, and also to provide our customers with an optimal balance of protection and performance.


-Holly Stewart

Comments (6)

  1. John Scott says:

    I have less confidence in Microsoft security of late (last year or so) from recent reviews and tests of your Microsoft Security Essentials coming in at the bottom of malware detection. So much so that MSE is considered by many as minimal protection for a user. For myself, I typically use a product like Malwarebytes as a secondary detection product. I find that MSE is not weak in typical attacks of viruses, trojans, and worms, but rather in the detection of more annoying and badly engineered spyware that invades a person's PC. My father-in-law had a lot of the latter and it brought his Vista laptop to a standstill. I do think Microsoft security needs to focus on detecting more of this type of issue. It has been my experience that the "PUP" malware is more of a problem than anything on my 3 Windows 7 PCs. I myself think Windows 7 is very secure in preventing security threats on its own. A big step over Windows XP. But it still faces these pesky unwanted spyware that affect the user just as much.

  2. chickenbiggle says:

    Just remember there is a difference between true malware and "PUPs." You seem to be saying that you think MSE should detect and prevent all levels of PUPs that most people would consider malware, which would be a nice option to have; for example, avast! does have an optional setting to detect PUPs that is off by default.

  3. mahati lakara says:


  4. Eoin says:

    @John Scott – I'd agree with you, but just to point out that MS announced improvements in that regard a week or two before your comment. The new Adware policies come into force on July 1st, and they can only be good!

  5. luyolo says:

    Jh this means no confidence