Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:10 PM
Connect Directly

Lab Test Results: Symantec, Kaspersky Lab, PC Tools, AVG, Detect The Most Zero-Day Attacks

AV-Test finds detection rates of 83 to 90 percent, but rival lab says rates are actually 29 to 64 percent

Top Internet security suite products scored high when detecting zero-day attacks during a three-month period, according to new data released today from independent German lab AV-Test, with Symantec and Kaspersky Lab finding 98 and 97.5 percent, respectively.

AV-Test tested 10 zero-day threats during a three-month period on Windows XP SP3 machines running Symantec Norton Internet Security 2010, Kaspersky Internet Security 2010, PC Tools Internet Security 2010, AVG Internet Security 9.0, G Data Internet Security 2010, Panda Internet Security 2010, Avira Premium Security Suite 9.0, McAfee Internet Security 2010, CA Internet Security 2010, F-Secure Internet Security 2010, BitDefender Internet Security 2010, and Trend Micro Internet Security 2010.

PC Tools caught 95.8 percent of the threats, followed by AVG, 92.2 percent; G Data, 90 percent; Panda, 90 percent; Avira, 87.7 percent; McAfee, 87.2 percent; CA, 86.7 percent; F-Secure, 85.8 percent; BitDefender, 84.3 percent; and Trend Micro, 83.3 percent.

"The majority of the products are performing 97 to 99.9 percent in large on-demand scanner tests. The products are often tested against millions of old samples which have not been seen spreading or distributing during the past few months. However, when ... current, zero-day [samples] are used ... the products show very different results," says Andreas Marx, CEO of AV-Test. "These results reflect the product capabilities in a much better way, as they simulate what the user would see in a real-world infection scenario. The results differ a lot now, and no product scored 99.9 percent anymore."

But Rick Moy, president of NSS Labs, another independent test lab, says the recent AV-Test numbers are inflated. "There's no way AV products are catching 98 percent of attacks," he says. "This seems counter to the [results of the] real-world testing we do."

Moy says a more realistic rate of zero-day detection for an AV product would be 29 to 64 percent, which is the range his lab got in its recent tests of AV products. And vendors tell him off the record that they typically can catch about 40 to 45 percent of zero-day attacks, Moy says.

AV-Test emphasized that its testing project was independent and not sponsored by any AV company. The lab performed 600 malware and 400 clean-file tests for the 12 AV products during three months, with 14 full-time employees and up to 150 PCs and servers.

AV-Test also tested the 12 products for their ability to block the malware. PC Tools Internet Security 2010 scored the highest, blocking 94.8 percent, followed by Symantec Norton Internet Security Suite 2010, with 92.8 percent; Kaspersky Internet Security 2010, 89.8 percent; Panda Internet Security 2010, 88.7 percent; Avira Premium Security Suite 9.0, 87.2 percent; McAfee Internet Security 2010, 86.7 percent; AVG Internet Security 9.0, 84.2 percent; G Data Internet Security 2010, 83.0 percent; Trend Micro Internet Security 2010, 81.3 percent; F-Secure Internet Security 2010, 80.2 percent; BitDefender Internet Security 2010, 77.8 percent; and CA Internet Security 2010, 73.5 percent.

The lab also found the average growth rate of new malware is at around 8.8 percent, based on the malware it has collected during the past two years.

NSS Labs' Moy argues that focusing on zero-day attacks favors strong behavioral detection engines. "Focusing on just 10 zero-days does not reflect the current threat spectrum on the Internet," he says. "Many of the threats out there are older, such as SQLslammer, Koobface, and Conficker. This is why we test whatever we find, not just zero-day. And zero-day should be the hardest to detect of fall of these."

Marx, meanwhile, says AV-Test ran up-to-date versions of all of the products in its test. "The products were able to query the cloud during the testing. All samples were 100 percent working at the time we used them for reviewing the products," he says.

AV-Test's results demonstrate how even with the best tools, users are still at risk of infection, he says. "Therefore it's important that the user doesn't think that AV and ISS [Internet Security Suite] will prevent him from an infection at all times. He also needs to accept the fact that more needs to be done to protect the system in a better way. For example, security updates need to be applied, and the user shouldn't click on all attachments and visit all Websites he gets via spam mails," he says. "Precaution is always a good idea. AV and ISS tools will help him, of course."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.