08:55 PM
George V. Hulme
George V. Hulme

Think Your Anti-Virus Is Working? Think Again

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.During July and August of this year, independent test lab and product analyst firm, NSS Labs conducted real-world tests of anti-virus and endpoint software suites against socially engineered, Web-based malware. And we know that's one of the most pressing, rapidly growing threats. Some counts have Web-based malware pegged as more than 50% of all malware delivered today.

And as we've covered, Social Network Users Are Increasingly Under Siege as their accounts are hacked, phished, and pilfered. That's a good enough reason for me to see how well antivirus firms do to protect against socially engineered attacks utilizing Web-based malware. And that's exactly what NSS Labs set out to do.

The vendors tests included AVG, ESET, F-Secure, Kaspersky Labs, McAfee, Norman, Norton, Panda, and Trend Micro.

Speaking with Vik Phatak, CEO at NSS Labs and Rick Moy, president, they explains that the lab conduced 17 days of 24x7 testing, with 59 separate test runs -- occurring every 8 hours. Each test used the most current version of the anti-malware application. They conducted both a consumer and an enterprise version of the tests.

As it turned out there was a vast difference in the ability of vendors to catch malware. Both their ability to stop it as it's coming down the net onto the user's system, and (should it successfully make it) as it attempts to execute itself. The results are eye opening.

The vendor that did best, Trend Micro, only managed to stop 91 % of malware as the download to the test system was underway, as well as an additional 5.5% as it executed. That's a 96.5% success rate. The worst performer, according to NSS Lab's testing, ESET blocked only 65.4% of Web-based malware as it tried to download, and 2.5% as it tried to execute. That's a 67.9% success rate. All of the other vendors tested landed somewhere in between.

I don't know about you: but I'm not feeling safer now.

Another interesting finding is that those vendors with cloud-based reputation systems performed much better at stopping nasties. From the consumer version of the report:

These reputation systems leverage client feedback and web crawlers to categorize additional URLs and files; either by adding them to a black or white list, or assigning a score (depending on the vendor's approach). This may be performed manually, automatically, or some combination thereof. The endpoint protection product can then request reputation information from the in-the-cloud systems about specific URLs and files in order to make a determination. Again, this data can be used differently by each vendor's product to warn the user or block the file download or execution.

That makes perfect sense to me, and as more end points are added to the system, the more protection for everyone else in the vendor's network.

"Three or four years ago, anti-virus was a commodity. But with the rise of social networks and micro-blogging, malware authors are leveraging that growth to launch attacks. That means anti-virus vendors need to re-invent themselves around the new threatscape," Phatak said.

Moy advises, and I agree, that consumers and enterprises need to ignore the claims of anti-virus vendors and test the anti-virus applications they're using today, as well as any vendors they're considering before deployment. "The message for the enterprise is that you think you may be okay, but the reality is that you very well may not be okay. The quality and effectiveness of these applications need to be measured more than ever," he says.

After reading these reports, I'd say there's no doubt. A few years ago, I was in the camp that believed anti-malware applications were edging toward the commodity bucket. However, the morphing threat and the complexity of modern Web-based attacks have changed that.

The consumer report is available for no charge, and can be found here. The enterprise edition is $1,800.

For my mobile security and technology observations, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.