Risk
4/9/2013
11:02 AM
50%
50%

Microsoft Windows 8 Security Software Lacks Teeth

Microsoft's free corporate and consumer endpoint security software needs more malware-stopping power, finds independent German firm AV-Test.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Not all Windows 8 endpoint security tools are created equal.

That's one takeaway from a recent study of Windows 8 antivirus products conducted by the independent German lab behind AV-Test, which reviews the effectiveness of endpoint security products.

The firm found that out of nine corporate endpoint security products tested earlier this year, Microsoft's System Center Endpoint Protection security software was the low scorer. Although Microsoft's software was certified by AV-Test for corporate use, it also served as the testing firm's baseline, meaning AV-Test recommends businesses avoid using any software that didn't score at least to that level.

[ Find out why the Ukraine is one of the riskiest places in the world to use a computer. Read Alleged Carberp Botnet Ringleader Busted. ]

"During January and February 2013 we continuously evaluated nine endpoint protection products using settings as provided by the vendor," said AV-Test's study. "We always used the most current publicly available version of all products for the testing. They were allowed to update themselves at any time and query their in-the-cloud services. We focused on realistic test scenarios and challenged the products against real-world threats. Products had to demonstrate their capabilities using all components and protection layers."

The Microsoft software performed the worst on all tested corporate products on the "protection" front, earning just 1.5 out of 6 possible points. That was based on the software stopping 80% of zero-day attacks, compared with an industry average of 95%. The software did far better at spotting 98% of "widespread and prevalent malware discovered in the past four weeks," although it was still below the industry average of 100%.

For comparison's sake, F-Secure's Client Security 10 and Kaspersky's Endpoint Security 10.1 both led the protection charts with 6.0 scores, followed by Fortinet's FortiClient 5.0 (5.5), Symantec's Endpoint Protection 12.1 (5.0), Webroot's SecureAnywhere Endpoint Protection 8.0 (5.0), Sophos' Endpoint Security and Control 10.2 (5.0), McAfee's VirusScan Enterprise with EPO 8.8 (5.0) and Trend Micro's Office Scan 10.6 (4.5).

Microsoft's System Center Endpoint Protection did, however, perform relatively well in the two other categories assessed by AV-Test: performance (5.0) and usability (6.0).

On the consumer front, meanwhile, Microsoft's Windows Defender 4 -- known as Microsoft Security Essentials (MSE) with previous versions of Windows -- was also certified for use by AV-Test, but likewise placed last in the protection rankings, making Microsoft's offering again the baseline for the comparison test of 26 different consumer antivirus products. The software scored well in both performance (3.5) and usability (6.0), though.

The Microsoft endpoint security product test results represented an improvement for the company's software, which previously failed to pass muster with AV-Test. In November 2012, the testing firm pulled its seal of approval for Microsoft Security Essentials when the product's zero-day attack blocking rate dropped to 64%, compared with an industry average of 89%, and its detection rate for malware that's a few months old dropped to 90%, compared with an industry average of 97%.

Another positive aspect of Microsoft's Windows 8 security software -- known as Microsoft Security Essentials (MSE) in previous version of Windows -- is that's it's free. In Windows 8, furthermore, the software does come enabled by default for all users, unless other endpoint security software has been installed by an OEM, or user install their own endpoint security software. In other words, although Microsoft's free security software might not top the corporate or consumer protection charts, AV-Test CEO Andreas Marx has said that it's literally better than nothing.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.