Risk
9/21/2009
08:55 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Think Your Anti-Virus Is Working? Think Again

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.During July and August of this year, independent test lab and product analyst firm, NSS Labs conducted real-world tests of anti-virus and endpoint software suites against socially engineered, Web-based malware. And we know that's one of the most pressing, rapidly growing threats. Some counts have Web-based malware pegged as more than 50% of all malware delivered today.

And as we've covered, Social Network Users Are Increasingly Under Siege as their accounts are hacked, phished, and pilfered. That's a good enough reason for me to see how well antivirus firms do to protect against socially engineered attacks utilizing Web-based malware. And that's exactly what NSS Labs set out to do.

The vendors tests included AVG, ESET, F-Secure, Kaspersky Labs, McAfee, Norman, Norton, Panda, and Trend Micro.

Speaking with Vik Phatak, CEO at NSS Labs and Rick Moy, president, they explains that the lab conduced 17 days of 24x7 testing, with 59 separate test runs -- occurring every 8 hours. Each test used the most current version of the anti-malware application. They conducted both a consumer and an enterprise version of the tests.

As it turned out there was a vast difference in the ability of vendors to catch malware. Both their ability to stop it as it's coming down the net onto the user's system, and (should it successfully make it) as it attempts to execute itself. The results are eye opening.

The vendor that did best, Trend Micro, only managed to stop 91 % of malware as the download to the test system was underway, as well as an additional 5.5% as it executed. That's a 96.5% success rate. The worst performer, according to NSS Lab's testing, ESET blocked only 65.4% of Web-based malware as it tried to download, and 2.5% as it tried to execute. That's a 67.9% success rate. All of the other vendors tested landed somewhere in between.

I don't know about you: but I'm not feeling safer now.

Another interesting finding is that those vendors with cloud-based reputation systems performed much better at stopping nasties. From the consumer version of the report:

These reputation systems leverage client feedback and web crawlers to categorize additional URLs and files; either by adding them to a black or white list, or assigning a score (depending on the vendor's approach). This may be performed manually, automatically, or some combination thereof. The endpoint protection product can then request reputation information from the in-the-cloud systems about specific URLs and files in order to make a determination. Again, this data can be used differently by each vendor's product to warn the user or block the file download or execution.

That makes perfect sense to me, and as more end points are added to the system, the more protection for everyone else in the vendor's network.

"Three or four years ago, anti-virus was a commodity. But with the rise of social networks and micro-blogging, malware authors are leveraging that growth to launch attacks. That means anti-virus vendors need to re-invent themselves around the new threatscape," Phatak said.

Moy advises, and I agree, that consumers and enterprises need to ignore the claims of anti-virus vendors and test the anti-virus applications they're using today, as well as any vendors they're considering before deployment. "The message for the enterprise is that you think you may be okay, but the reality is that you very well may not be okay. The quality and effectiveness of these applications need to be measured more than ever," he says.

After reading these reports, I'd say there's no doubt. A few years ago, I was in the camp that believed anti-malware applications were edging toward the commodity bucket. However, the morphing threat and the complexity of modern Web-based attacks have changed that.

The consumer report is available for no charge, and can be found here. The enterprise edition is $1,800.

For my mobile security and technology observations, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.