Risk
9/21/2009
08:55 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Think Your Anti-Virus Is Working? Think Again

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.During July and August of this year, independent test lab and product analyst firm, NSS Labs conducted real-world tests of anti-virus and endpoint software suites against socially engineered, Web-based malware. And we know that's one of the most pressing, rapidly growing threats. Some counts have Web-based malware pegged as more than 50% of all malware delivered today.

And as we've covered, Social Network Users Are Increasingly Under Siege as their accounts are hacked, phished, and pilfered. That's a good enough reason for me to see how well antivirus firms do to protect against socially engineered attacks utilizing Web-based malware. And that's exactly what NSS Labs set out to do.

The vendors tests included AVG, ESET, F-Secure, Kaspersky Labs, McAfee, Norman, Norton, Panda, and Trend Micro.

Speaking with Vik Phatak, CEO at NSS Labs and Rick Moy, president, they explains that the lab conduced 17 days of 24x7 testing, with 59 separate test runs -- occurring every 8 hours. Each test used the most current version of the anti-malware application. They conducted both a consumer and an enterprise version of the tests.

As it turned out there was a vast difference in the ability of vendors to catch malware. Both their ability to stop it as it's coming down the net onto the user's system, and (should it successfully make it) as it attempts to execute itself. The results are eye opening.

The vendor that did best, Trend Micro, only managed to stop 91 % of malware as the download to the test system was underway, as well as an additional 5.5% as it executed. That's a 96.5% success rate. The worst performer, according to NSS Lab's testing, ESET blocked only 65.4% of Web-based malware as it tried to download, and 2.5% as it tried to execute. That's a 67.9% success rate. All of the other vendors tested landed somewhere in between.

I don't know about you: but I'm not feeling safer now.

Another interesting finding is that those vendors with cloud-based reputation systems performed much better at stopping nasties. From the consumer version of the report:

These reputation systems leverage client feedback and web crawlers to categorize additional URLs and files; either by adding them to a black or white list, or assigning a score (depending on the vendor's approach). This may be performed manually, automatically, or some combination thereof. The endpoint protection product can then request reputation information from the in-the-cloud systems about specific URLs and files in order to make a determination. Again, this data can be used differently by each vendor's product to warn the user or block the file download or execution.

That makes perfect sense to me, and as more end points are added to the system, the more protection for everyone else in the vendor's network.

"Three or four years ago, anti-virus was a commodity. But with the rise of social networks and micro-blogging, malware authors are leveraging that growth to launch attacks. That means anti-virus vendors need to re-invent themselves around the new threatscape," Phatak said.

Moy advises, and I agree, that consumers and enterprises need to ignore the claims of anti-virus vendors and test the anti-virus applications they're using today, as well as any vendors they're considering before deployment. "The message for the enterprise is that you think you may be okay, but the reality is that you very well may not be okay. The quality and effectiveness of these applications need to be measured more than ever," he says.

After reading these reports, I'd say there's no doubt. A few years ago, I was in the camp that believed anti-malware applications were edging toward the commodity bucket. However, the morphing threat and the complexity of modern Web-based attacks have changed that.

The consumer report is available for no charge, and can be found here. The enterprise edition is $1,800.

For my mobile security and technology observations, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: yup
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6628
Published: 2015-05-28
Aruba Networks ClearPass Policy Manager (CPPM) before 6.5.0 allows remote administrators to execute arbitrary code via unspecified vectors.

CVE-2015-1389
Published: 2015-05-28
Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action.

CVE-2015-1392
Published: 2015-05-28
Multiple SQL injection vulnerabilities in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allow remote administrators to execute arbitrary SQL commands via unspecified vectors.

CVE-2015-1550
Published: 2015-05-28
Directory traversal vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote administrators to execute arbitrary files via unspecified vectors.

CVE-2015-1551
Published: 2015-05-28
Directory traversal vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.4 allows remote administrators to read arbitrary files via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?