AV stats

Take ‘em for what they’re worth; this is a collection of events logged from 277 hosts located in 12 different office locations, reporting to five unique, central AV servers managed by five different IT departments.

The statistics have been collected over 11 days:

Number of alerts regarding a failure to open a file: 1253*
Number of alerts regarding a failure to auto-protect: 969*
Number of alerts regarding a threat found: 7

The failure to open a file is attributed, according to the event log, to “extraction errors encountered by the Decomposer Engines”, which I assume are the engines that translate the file into something the AV software can scan, whether the file is an executable, a compressed archive, a text file, etc.

Now, is it really possible that on 277 laptops there have only been a total of 7 pieces of malware that have made it all the way to the machine? I’d love to say this number is accurate and the result of defense in depth, but I’m not ready to say that just yet.

What countermeasures do we have in place that would help?

  1. Strict email attachment filters based on file extension alone
  2. ‘Coarse grain’ AV at the spam gateway, before the email hits our servers
  3. ‘Fine grain’ AV at the email gateway before the email hits the inboxes
  4. IPS units protecting web browser attacks, but only while hosts are on our network
  5. Behavioral HIPS on all laptops

Does that battery of defenses look like something that could reduce the number of threats that make it to our laptops to only 7 in 11 days for 277 hosts?

That’s a pretty good success story if it’s true. However, given that we have 1,253 cases of a failure to open a file, we have possibly 1,253 additional viruses that we can’t detect, not to mention the 969 alerts reporting that the AV software is failing to auto-protect some hosts.

But as my grandpappy always says: if it seems too good to be true, it likely is too good to be true.

*The AV software logs multiple events for the same condition on a single host, so I’ll have to distill these events to find an accurate count of the number of unique hosts or files affected.
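The distillation the footnote describes, as an added example that is not from the original post: it reads constructed AV server event lines in an assumed `key=value` layout (not the vendor’s real log format) and collapses them into raw event counts, unique hosts, and unique host/file pairs per alert type, so that the 1,253 / 969 / 7 style totals can be compared against how many machines are actually affected.

```python
import re
from collections import defaultdict

# Constructed sample of AV server events (not real log data); the layout
# below is an assumption for illustration, not the vendor's log format.
SAMPLE_EVENTS = """\
2009-03-02 08:11:03 host=LT-0412 type=scan_error file=C:\\temp\\q1.zip msg=extraction errors encountered by the Decomposer Engines
2009-03-02 08:11:04 host=LT-0412 type=scan_error file=C:\\temp\\q1.zip msg=extraction errors encountered by the Decomposer Engines
2009-03-02 09:30:41 host=LT-0412 type=autoprotect_fail msg=Auto-Protect failed to load
2009-03-02 09:31:12 host=LT-0412 type=autoprotect_fail msg=Auto-Protect failed to load
2009-03-02 10:02:55 host=LT-0077 type=scan_error file=D:\\docs\\report.rar msg=extraction errors encountered by the Decomposer Engines
2009-03-03 14:45:09 host=LT-0077 type=threat_found file=C:\\Users\\a\\dl\\setup.exe msg=Trojan.Generic
2009-03-03 14:45:09 host=LT-0077 type=threat_found file=C:\\Users\\a\\dl\\setup.exe msg=Trojan.Generic
2009-03-04 07:15:30 host=LT-0199 type=threat_found file=C:\\Users\\b\\inv.pdf msg=Exploit.PDF
"""

# One line = timestamp, host, alert type, optional file path, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) type=(?P<type>\S+)"
    r"(?: file=(?P<file>\S+))? msg=(?P<msg>.*)$"
)

def parse_events(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def distill(text):
    """Collapse repeated events into, per alert type: raw event count,
    number of unique hosts, and number of unique (host, file) pairs."""
    stats = defaultdict(lambda: {"events": 0, "hosts": set(), "files": set()})
    for ev in parse_events(text):
        s = stats[ev["type"]]
        s["events"] += 1
        s["hosts"].add(ev["host"])
        if ev["file"]:  # auto-protect failures carry no file path
            s["files"].add((ev["host"], ev["file"]))
    return {t: {"events": s["events"], "hosts": len(s["hosts"]),
                "files": len(s["files"])} for t, s in stats.items()}

if __name__ == "__main__":
    for t, s in sorted(distill(SAMPLE_EVENTS).items()):
        print(f"{t:17} events={s['events']:3} hosts={s['hosts']:3} files={s['files']:3}")
```

On the constructed sample, 8 raw events reduce to 2 hosts with scan errors, 1 host with auto-protect failures and 2 hosts with threats, which is the comparison the raw alert totals above cannot give.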

i think i have a handle on the decomposer engine issue now…

it has to do with compressed files - password protection (scanners can’t guess passwords) and recursively compressed archives that go past the threshold depth that the scanner is willing to go (don’t want to get bogged down by a zip bomb)… both of these things will cause the scanner to stop trying and log the event…

it’s my understanding, though, that you can configure things to quarantine what can’t be scanned and since you only have av on the mail gateways it stands to reason that if you do have things configured that way those 1253 decomposer engine failures shouldn’t represent potential threats that have slipped through your defenses…