Anti-malware Vendor and Product Market Share Report
Anti-malware Vendor and Encryption Product Market Share Report

Table of Contents

Introduction
Windows Anti-malware Vendor Market Share
Windows Encryption Product Market Share
Mac and Windows Device Security Comparison
Windows Device Health: Threat Analysis
Data Collection
Company and Reproduction Information

Report Highlights

• Microsoft takes the lead among anti-malware vendors with a 15.9% market share
• TrueCrypt is the most popular encryption product for Windows users (excluding Bitlocker) with a 21.1% market share
• Only 57.2% of Mac devices have an anti-malware product installed compared to 71.5% of Windows devices
• 3.3% of Windows devices have threats or PUAs that may have gone undetected by their installed anti-malware

Introduction

Once a quarter, OPSWAT® releases a Market Share Report, containing information on the market share of anti-malware vendors or products as well as a variety of other data such as device security statistics. Our November 2015 report covers the top anti-malware vendors, market share for Windows encryption products, a comparison of Mac versus Windows device security data, and threat data for Windows devices.

The data in this report was collected on October 22nd, 2015, from Metadefender Endpoint Management, a device security and compliance platform (free for up to 25 users with subscriptions available). Metadefender Endpoint Management is able to collect information about the security applications installed on endpoint devices as well as certain settings applied to these applications.

The aim of this report is to inspire discussion about the unique data represented. OPSWAT is not a research institution, and does not make any claims of the accuracy of this data in the real world marketplace or about why changes in the data have occurred. To see a description of how the data in the report was collected, please see the data collection section at the end of this report.

About OPSWAT

OPSWAT is a San Francisco-based software company that provides solutions to protect and manage enterprise data and devices. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and helps organizations protect against zero-day attacks by using multiple antivirus engines for scanning and document sanitization. OPSWAT’s intuitive applications and comprehensive development kits are deployed by SMB, enterprise and OEM customers to more than 100 million endpoints worldwide. To learn more about OPSWAT’s innovative and unique solutions, please visit www.opswat.com.

Windows Anti-Malware Vendor Market Share

As explained in our August 2015 report, our market share reports now provide data on the market share of anti-malware vendors and products instead of focusing solely on antivirus providers. We believe this shift in our reports parallels the shift in the security industry towards developing products that offer protection from a larger spectrum of threats than just computer viruses. Anti-malware products offer protection from threats such as PUAs, ransomware, spyware, keyloggers and botnets that antivirus products do not always detect.

For this report, we analyzed the market share of 59 anti-malware vendors, and the following three anti-malware vendors came out on top: In first place, Microsoft with 15.9% market share, in second place Avast with 15.0%, and in third place Malwarebytes with 11.6%. Other vendors that appeared in the top rankings, listed in descending order, include (but are not limited to) ESET, Symantec, AVG, Avira and Kaspersky Lab.
For the purposes of this report, only vendors that offer RTP capabilities were included in our data. A list of the top 12 anti-malware vendors and their corresponding market share can be seen in the graph above.

While the above comparison only includes data from products with real time protection (RTP) enabled, we also analyzed data for all installed security products, including those that may have expired or been disabled. In this additional data set, Malwarebytes is the leading anti-malware provider, with a market share of 14.3%. Microsoft and Avast follow, with 10.6% and 9.7% market share respectively.

Although Windows Defender is heavily saturated in the anti-malware product market, we exclude it because we feel that it does not accurately represent the user’s product of choice as it comes pre-installed on many Windows systems and cannot be removed.

Windows Encryption Product Market Share

This section of the report covers the popularity of Windows encryption products detected on devices using Metadefender Endpoint Management. This is the first time this data has been included since our September 2011 Market Share Report. In our September 2011 report, the top three encryption products were TrueCrypt (22.29%), Bitdefender (21.69%), and Kaspersky (12.46%).

For this report, Bitlocker takes an overwhelming lead with an 82.1% market share, followed by TrueCrypt at 3.8% and AVG Internet Security at 2.5%. Bitlocker holds the majority mostly due to the fact that it comes pre-installed on many Windows devices and thus is not actively acquired by the user. If Bitlocker is excluded from encryption product market share results, the top spot is taken by TrueCrypt with a 21.1% market share, followed by AVG Internet Security at 13.9% and Bitdefender Total Security at 12.8%.

Interestingly, TrueCrypt is one of the top three encryption products for Windows users, despite the fact that development of the product ceased in May of 2014.
Because product development has stopped, so has support for security issues, leaving the product exposed to potential vulnerabilities. James Forshaw, a member of Project Zero at Google, recently exposed two critical flaws in the encryption product. When development of TrueCrypt ceased, its creators issued warnings explaining that there could be “unfixed security issues” in the program.

One of the reasons that TrueCrypt has remained popular for hard disk encryption among Windows users is that the product is free and Bitlocker is not available for those using home editions of Windows. Home users account for 63.4% of the devices included in this report, which could account for the higher than expected popularity of TrueCrypt.

Mac and Windows Device Security Comparison

When compared to Mac users, Windows users are much more likely to have an anti-malware product installed. According to our data, 71.5% (excluding Windows Defender) of Windows devices have at least one anti-malware product installed compared to only 57.2% of Mac users. The question is: why does this discrepancy exist?

In the past, Windows-based threats were much more prevalent than Mac-based malware. The increase of malware targeting OS X is not a recent development. Although the number of Mac-specific samples has greatly increased in the last few years, Mac-based malware has actually been around since the early 1980s. According to the Naked Security blog, the first virus capable of infecting Apple computers was the Elk Cloner virus, created in 1982. What’s interesting about this particular virus is that it preceded many IBM PC viruses by several years.

Since the 80s, Mac-based malware has been steadily increasing, and more so recently as the popularity of OS X continues to rise. For example, Kaspersky developed 30% more signatures in 2012 compared to 2011 to detect Trojan viruses for Macs.
For these reasons, it is equally important for Mac devices to have protection from malware and PUAs (Potentially Unwanted Applications) by installing an anti-malware product, even if the threat of infection isn’t quite as severe as on Windows devices.

For Windows devices that have at least one anti-malware product installed, 53.2% have RTP (Real Time Protection) enabled. By comparison, only 41.7% of Mac devices with at least one anti-malware product installed have RTP enabled. If RTP is not enabled on a device, then the device is more likely to become infected by malware or PUAs.

It is important to reiterate that the data shown for the usage of anti-malware software and RTP only includes third-party anti-malware vendors, or those products that are installed by the user. For Windows devices, this excludes Windows Defender, and for OS X devices this excludes File Quarantine and Gatekeeper, as none of these products are actively acquired by the user. This section seeks to show how many users are voluntarily adding anti-malware protection to their devices.

It is important to note that the Mac data in this section was taken from a much smaller sample size compared to the Windows data represented, though it is still large enough to be useful for comparison.

Windows Device Health: Threat Analysis

Metadefender Endpoint Management uses two methods to determine the infection state of a device. The device compliance tool has the ability to automatically analyze the logs of installed anti-malware products and apply pattern matching to identify repeated detections of the same malware. This repeated detection analysis therefore identifies devices with one or more persistent malware infections that originate from numerous scenarios: (1) malware is detected but cannot automatically be removed, (2) malware is detected, quarantined and subsequently restores itself (e.g. upon reboot), (3) malware is detected, quarantined and subsequently re-encountered (e.g. unsafe user behavior).
These scenarios are considered infections because they require manual intervention to remediate, which may not be apparent from the anti-malware product alone. This type of infection occurred in 2.7% of Windows devices, using a threshold of 4 or more detections of the same threat by the installed anti-malware within a 7-day period.

The second detection method used by Metadefender Endpoint Management allows it to identify which devices may be infected by analyzing the running processes and their respective linked libraries with multiple commercial anti-malware engines, a technique called multi-scanning. This scan is powered by Metadefender Cloud, OPSWAT’s cloud-based multi-scanning technology, which includes over 40 anti-malware engines. This scan looks for threats that could have been missed by the user’s installed anti-malware, especially evasive malware that is packaged to avoid detection by common PC anti-malware products, or PUAs like keyloggers that the installed anti-malware solution may not consider malicious.

Typically users only have 1 or 2 anti-malware programs installed on their device, so Metadefender Cloud’s multiple anti-malware engines may catch threats missed by the installed anti-malware program. This is due to relative strengths and weaknesses of each included commercial anti-malware engine. Differences in signatures, heuristic capabilities and even geographical origin cause detection to vary from engine to engine. By combining these multiple anti-malware engines, multi-scanning technology combines the strength of each engine while also offsetting weaknesses. This is similar to the practice of financial diversification.

Inclusion of PUAs in this report may be subjective as PUAs are not inherently dangerous, but they can come bundled with malware and serve as a vehicle for attack. For this reason, if a device has PUAs detected on its system, it is considered to be at-risk of infection.
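
The repeated-detection rule described above (4 or more detections of the same threat within a 7-day period) can be expressed as a sliding window over detection events. This is an added example, not OPSWAT's code: the CSV log layout, device IDs and threat names are constructed, and reading the 7-day period as a rolling window is an assumption.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

THRESHOLD = 4               # detections of the same threat (figure from the report)
WINDOW = timedelta(days=7)  # assumption: "7-day period" read as a rolling window

# Constructed sample log (timestamp, device, threat, action); not real product output.
SAMPLE_LOG = """\
2015-10-01T08:02:11,dev-01,Trojan.Sample.A,quarantined
2015-10-02T08:01:40,dev-01,Trojan.Sample.A,quarantined
2015-10-04T09:15:03,dev-01,Trojan.Sample.A,remove_failed
2015-10-06T08:03:27,dev-01,Trojan.Sample.A,quarantined
2015-10-06T10:00:00,dev-01,PUA.Sample.C,quarantined
2015-10-01T12:00:00,dev-02,PUA.Sample.B,quarantined
2015-10-05T12:30:00,dev-02,PUA.Sample.B,quarantined
2015-10-13T13:00:00,dev-02,PUA.Sample.B,quarantined
2015-10-21T09:00:00,dev-02,PUA.Sample.B,quarantined
2015-10-10T10:00:00,dev-03,Adware.Sample.D,quarantined
2015-10-10T10:05:00,dev-03,Adware.Sample.E,quarantined
2015-10-11T10:00:00,dev-03,Adware.Sample.F,quarantined
2015-10-12T10:00:00,dev-03,Adware.Sample.G,quarantined
"""
ALL_DEVICES = ["dev-01", "dev-02", "dev-03", "dev-04"]  # dev-04 logged nothing


def parse_events(text):
    """Parse the constructed CSV into (device, timestamp, threat) tuples."""
    events = []
    for ts, device, threat, _action in csv.reader(StringIO(text)):
        events.append((device, datetime.fromisoformat(ts), threat))
    return events


def persistent_threats(events, threshold=THRESHOLD, window=WINDOW):
    """Return {device: {threat, ...}} for threats seen >= threshold times in a window."""
    stamps_by_key = defaultdict(list)
    for device, ts, threat in events:
        stamps_by_key[(device, threat)].append(ts)

    flagged = defaultdict(set)
    for (device, threat), stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Shrink the window until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[device].add(threat)
                break
    return dict(flagged)


def infected_share(events, devices, threshold=THRESHOLD, window=WINDOW):
    """Fraction of all monitored devices with at least one persistent threat."""
    flagged = persistent_threats(events, threshold, window)
    return len(set(flagged) & set(devices)) / len(devices)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(persistent_threats(evts))
    print(f"{infected_share(evts, ALL_DEVICES):.1%} of devices flagged")
```

Only dev-01 is flagged: dev-02 sees the same PUA four times but never four times inside one window, and dev-03 has four detections in a week that are all different threats.
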
Metadefender Cloud uses multiple anti-malware products to check for PUAs, which is important because not all endpoint anti-malware products have strong PUA detection. For this report, we looked at malware and PUAs that were detected on devices by at least 4 anti-malware engines at the same time and discovered that 3.3% of included devices were considered infected or at-risk.

Data Collection

This report shows comparisons for applications on Windows and Mac systems from data collected from free users of Metadefender Endpoint Management, a device security and compliance platform that is free to monitor up to 25 devices, available at www.opswat.com/products/metadefender/endpoint/management. Free Metadefender Endpoint Management users permit OPSWAT to collect information regarding the applications installed on endpoint computers and certain settings applied to these applications.

Metadefender Endpoint Management is used around the world by home and business users, both by expert and inexperienced users of security software. For the purpose of the report, the sample of over 12,200 users is assumed to be representative of the market, based on the wide accessibility of the tool to a large range of users. However, these results are likely to differ from those in the real world (see below for more details).

Metadefender Endpoint Management runs continuously on a user’s system as a security tool. This allows for continuous reports over time from each device that is connected, as long as Metadefender Endpoint Management is installed. The data in this report reflects the state of each user’s computer from the most recent data transfer prior to the time of collection on October 22, 2015. The most recent data transfer from each device ranges from July 22, 2015 to October 22, 2015.

Several attributes related to the data collection process may cause the results in this report to differ from that of the real world.
OPSWAT makes no claims as to the accuracy of the data in the real world market and, when possible, is continuously working to overcome the following potential anomalies:

• On average, Metadefender Endpoint Management users are more likely to have high-functioning security on their computers than would be seen in the market as a whole. Metadefender Endpoint Management allows IT administrators to monitor users who are not security compliant, so the act of gathering OPSWAT’s market share data also serves as a reminder to users to increase their security capabilities.

• Though the sample size is large enough to give reliable data, some cross-comparisons and more detailed comparisons result in lower confidence levels. The sample size will continue to increase in each report since the data is collected from every current user of these products. More data in the future will allow for several new in-depth comparisons that have not been included in past reports.

• The data includes both home and corporate users. Because this data only includes free Metadefender Endpoint Management accounts, there are a larger number of home users represented. Corporate accounts usually need to manage a large number of devices so they upgrade from the free account as it only supports 25 devices or fewer. The graph below shows the distribution of corporate versus home users included in this report.

• These applications are marketed through OPSWAT’s own channels. Users sampled may not be representative of the general population. For example, this report may contain a different distribution of Windows operating systems and device types compared to what exists in the real world. While this report contains more than 25% Windows 10 devices, Net Applications, a web analytics firm, reports that around 7.94% of all Windows devices currently operate under Windows 10.

• For the first time, this report includes Windows 10 users in the operating system market share data. After the release of Windows 10 in July of 2015, we had expected to see a shift in Metadefender Endpoint Management users switching to the newest Windows operating system, which can be seen in these results.

• The purpose of OPSWAT’s Market Share Reports is not to make any claims on which anti-malware vendors are the best or to compare these products in terms of quality or performance. The purpose of this report is simply to report on the security practices of our free Metadefender Endpoint Management users.

• We are unable to identify devices that have uninstalled Metadefender Endpoint Management and have later reinstalled the program. For this reason, there is a possibility that a small number of devices in this report may have been represented more than once.

• While Metadefender Endpoint Management is used on devices around the world, its use is not commensurate with worldwide population distribution. Only English-language versions of this tool are available, so countries with higher numbers of English speakers are expected to use these applications at higher rates, as well as countries that have been exposed to more coverage of these tools by press and partners.

• The Mac device data included in this report was taken from a small sample as this is only the third report where Mac data has been included. For this reason, Mac data points have a lower confidence level.

OPSWAT is working to increase global usage of Metadefender Endpoint Management. Stay tuned for the next market share report this winter, which will feature new comparisons and an in-depth look at product usage.

Vendors of anti-malware, P2P, patch management, backup, encryption, and other applications interested in inclusion in these reports, Metadefender Endpoint Management, or the OESIS Framework are encouraged to contact www.opswat.com/certified to learn how to partner with OPSWAT.

Follow OPSWAT

Get updates about the latest reports as well as company and product information by connecting with us online. Sign up to receive OPSWAT’s monthly newsletters by visiting www2.opswat.com/connect, or follow OPSWAT:

www.opswat.com/blog
www.twitter.com/opswat
www.facebook.com/opswat
www.linkedin.com/company/opswat

Company and Reproduction Information

Please contact OPSWAT sales for more information on Metadefender Endpoint Management. For more information about this report, please contact marketing@opswat.com. Parties interested in hosting this report are free to do so as long as credit is given to OPSWAT, Inc., and a link is provided to www.opswat.com/resources/reports.

About OPSWAT

OPSWAT® is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against zero-day attacks by using multiple antivirus engine scanning and document sanitization. OPSWAT’s intuitive applications and comprehensive development kits are deployed by SMB, enterprise and OEM customers to more than 100 million endpoints worldwide. To learn more about OPSWAT’s innovative and unique solutions, please visit www.opswat.com.

Products

Metadefender Endpoint Management

Metadefender Endpoint Management is an enterprise device security and compliance tool that enables organizations to directly assess and manage the endpoint security posture of their devices through a unified view of mobile and PC endpoints, and their applications/security issues. Administrators can take rapid action to remediate issues on non-compliant devices and improve endpoint security. Monitor up to 25 devices free! Visit the product page to learn more and sign up.

OESIS

OESIS Framework is a cross platform development framework that enables software engineers and technology vendors to develop products that detect, classify, remediate and manage thousands of third-party software applications. OESIS is perfect for SSL VPN, network access control (NAC) and other manageability solutions, and is already deployed on an estimated 100 million endpoints worldwide. Incorporating the AppRemover SDK, OESIS enables quick and thorough removal of potentially unwanted applications to ensure devices remain compliant and secure.

OPSWAT Certification

The OPSWAT Certification Program is a free interoperability program designed to enable technology partnerships between independent software vendors and leading network and technology solution vendors, by verifying that their security applications will work seamlessly with solutions employing the OESIS Framework. Additional information is available at www.opswat.com/certified.

Multi-scanning and Secure Work Flow

OPSWAT offers several solutions to secure the flow of data into and through organizations that need maximum security. Because no single antivirus engine can detect every threat, using signatures and heuristics from multiple engines simultaneously improves the likelihood of detecting malware.

Metadefender Core technology powers each of OPSWAT’s multi-scanning solutions, enabling IT professionals and software engineers to enhance network security by scanning with up to 30 built-in antivirus engines from market leaders such as ESET, Avira, Bitdefender, AVG and many others. Metadefender Core also provides document sanitization, file filtering and more to prevent advanced threats, and can be used for rapid malware analysis and to implement secure data upload and transfer systems. Metadefender Email allows organizations to scan email attachments and files with multiple anti-malware engines, ensuring that all emails and files are free of malware before being uploaded or delivered.
Metadefender Core also powers Metadefender Kiosk, a checkpoint designed to process files to detect and prevent known and unknown threats and protect networks from the risks presented by unknown portable media devices. To learn more about these technologies or to request a free demo please visit the OPSWAT Portal. Learn more at www.opswat/products/oesis-framework.

Disclaimer of Warranty

OPSWAT Inc. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

Copyright Notice

OPSWAT®, OESIS, Metadefender Core, Metadefender Kiosk, Metadefender Endpoint Management and the OPSWAT logo are trademarks and registered trademarks of OPSWAT, Inc. All other trademarks, trade names and images mentioned and/or used herein belong to their respective owners. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, OPSWAT Inc. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.