Risk

9/21/2009
08:55 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Think Your Anti-Virus Is Working? Think Again

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, that they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.During July and August of this year, independent test lab and product analyst firm, NSS Labs conducted real-world tests of anti-virus and endpoint software suites against socially engineered, Web-based malware. And we know that's one of the most pressing, rapidly growing threats. Some counts have Web-based malware pegged as more than 50% of all malware delivered today.

And as we've covered, Social Network Users Are Increasingly Under Siege as their accounts are hacked, phished, and pilfered. That's a good enough reason for me to see how well antivirus firms do to protect against socially engineered attacks utilizing Web-based malware. And that's exactly what NSS Labs set out to do.

The vendors tests included AVG, ESET, F-Secure, Kaspersky Labs, McAfee, Norman, Norton, Panda, and Trend Micro.

Speaking with Vik Phatak, CEO at NSS Labs and Rick Moy, president, they explains that the lab conduced 17 days of 24x7 testing, with 59 separate test runs -- occurring every 8 hours. Each test used the most current version of the anti-malware application. They conducted both a consumer and an enterprise version of the tests.

As it turned out there was a vast difference in the ability of vendors to catch malware. Both their ability to stop it as it's coming down the net onto the user's system, and (should it successfully make it) as it attempts to execute itself. The results are eye opening.

The vendor that did best, Trend Micro, only managed to stop 91 % of malware as the download to the test system was underway, as well as an additional 5.5% as it executed. That's a 96.5% success rate. The worst performer, according to NSS Lab's testing, ESET blocked only 65.4% of Web-based malware as it tried to download, and 2.5% as it tried to execute. That's a 67.9% success rate. All of the other vendors tested landed somewhere in between.

I don't know about you: but I'm not feeling safer now.

Another interesting finding is that those vendors with cloud-based reputation systems performed much better at stopping nasties. From the consumer version of the report:

These reputation systems leverage client feedback and web crawlers to categorize additional URLs and files; either by adding them to a black or white list, or assigning a score (depending on the vendor's approach). This may be performed manually, automatically, or some combination thereof. The endpoint protection product can then request reputation information from the in-the-cloud systems about specific URLs and files in order to make a determination. Again, this data can be used differently by each vendor's product to warn the user or block the file download or execution.

That makes perfect sense to me, and as more end points are added to the system, the more protection for everyone else in the vendor's network.

"Three or four years ago, anti-virus was a commodity. But with the rise of social networks and micro-blogging, malware authors are leveraging that growth to launch attacks. That means anti-virus vendors need to re-invent themselves around the new threatscape," Phatak said.

Moy advises, and I agree, that consumers and enterprises need to ignore the claims of anti-virus vendors and test the anti-virus applications they're using today, as well as any vendors they're considering before deployment. "The message for the enterprise is that you think you may be okay, but the reality is that you very well may not be okay. The quality and effectiveness of these applications need to be measured more than ever," he says.

After reading these reports, I'd say there's no doubt. A few years ago, I was in the camp that believed anti-malware applications were edging toward the commodity bucket. However, the morphing threat and the complexity of modern Web-based attacks have changed that.

The consumer report is available for no charge, and can be found here. The enterprise edition is $1,800.

For my mobile security and technology observations, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.