08:55 PM
George V. Hulme
George V. Hulme

Think Your Anti-Virus Is Working? Think Again

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.During July and August of this year, independent test lab and product analyst firm, NSS Labs conducted real-world tests of anti-virus and endpoint software suites against socially engineered, Web-based malware. And we know that's one of the most pressing, rapidly growing threats. Some counts have Web-based malware pegged as more than 50% of all malware delivered today.

And as we've covered, Social Network Users Are Increasingly Under Siege as their accounts are hacked, phished, and pilfered. That's a good enough reason for me to see how well antivirus firms do to protect against socially engineered attacks utilizing Web-based malware. And that's exactly what NSS Labs set out to do.

The vendors tests included AVG, ESET, F-Secure, Kaspersky Labs, McAfee, Norman, Norton, Panda, and Trend Micro.

Speaking with Vik Phatak, CEO at NSS Labs and Rick Moy, president, they explains that the lab conduced 17 days of 24x7 testing, with 59 separate test runs -- occurring every 8 hours. Each test used the most current version of the anti-malware application. They conducted both a consumer and an enterprise version of the tests.

As it turned out there was a vast difference in the ability of vendors to catch malware. Both their ability to stop it as it's coming down the net onto the user's system, and (should it successfully make it) as it attempts to execute itself. The results are eye opening.

The vendor that did best, Trend Micro, only managed to stop 91 % of malware as the download to the test system was underway, as well as an additional 5.5% as it executed. That's a 96.5% success rate. The worst performer, according to NSS Lab's testing, ESET blocked only 65.4% of Web-based malware as it tried to download, and 2.5% as it tried to execute. That's a 67.9% success rate. All of the other vendors tested landed somewhere in between.

I don't know about you: but I'm not feeling safer now.

Another interesting finding is that those vendors with cloud-based reputation systems performed much better at stopping nasties. From the consumer version of the report:

These reputation systems leverage client feedback and web crawlers to categorize additional URLs and files; either by adding them to a black or white list, or assigning a score (depending on the vendor's approach). This may be performed manually, automatically, or some combination thereof. The endpoint protection product can then request reputation information from the in-the-cloud systems about specific URLs and files in order to make a determination. Again, this data can be used differently by each vendor's product to warn the user or block the file download or execution.

That makes perfect sense to me, and as more end points are added to the system, the more protection for everyone else in the vendor's network.

"Three or four years ago, anti-virus was a commodity. But with the rise of social networks and micro-blogging, malware authors are leveraging that growth to launch attacks. That means anti-virus vendors need to re-invent themselves around the new threatscape," Phatak said.

Moy advises, and I agree, that consumers and enterprises need to ignore the claims of anti-virus vendors and test the anti-virus applications they're using today, as well as any vendors they're considering before deployment. "The message for the enterprise is that you think you may be okay, but the reality is that you very well may not be okay. The quality and effectiveness of these applications need to be measured more than ever," he says.

After reading these reports, I'd say there's no doubt. A few years ago, I was in the camp that believed anti-malware applications were edging toward the commodity bucket. However, the morphing threat and the complexity of modern Web-based attacks have changed that.

The consumer report is available for no charge, and can be found here. The enterprise edition is $1,800.

For my mobile security and technology observations, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.