Security outfit FireEye claims that there are huge holes in the way that AV security software works.

Chief scientist at the company, Stuart Staniford, said that only 40 percent of AV products can detect a given malware binary within three days of that binary hitting the net.

This detection rate improves significantly as time passes, but never reaches 100 percent, even months after the initial executable was uploaded to VirusTotal.com. The time lag represents the amount of time that everyone in the universe is unprotected against viruses.

While it has been known that the time it takes companies to undate their software is a huge security risk, no one has known how bad the AV companies really were.

More here.