NSS Labs created variants of the Aurora exploit and tested whether seven consumer AV packages would catch them. The exploits attacked the Internet Explorer vulnerability used in the Aurora attacks. Only McAfee Internet Security 2010 with SecurityCenter, Version 9.15.160, stopped the variants. Other products tested were AVG Internet Security Version 9.0.733; ESET Smart Security 4 Version 4.0.474.0; Kaspersky Internet Security 2010 Version 220.127.116.116; Symantec Norton Internet Security 2010 Version 18.104.22.168; Sophos Endpoint Protection for Enterprise Anti-Virus Version 9.0.0; and Trend Micro Internet Security 2010 Version 17.50.1366.0000.
"Vendors need to put more focus on the vulnerability than on exploit protection," says Rick Moy, president of NSS Labs. "They pay more attention to the payload, and that's the problem."
Moy says vulnerability-based protection from AV companies basically serves as a way to plug the hole in the door. "And if you patch, the door goes away altogether," he says. He says he had expected that most, if not all, of the AV tools would have detected variants of the malware given the time that has elapsed since the attacks and the widely published information on the malware.
But Marc Maiffret, chief security architect for FireEye, says it's the reactive approach to catching malware that's all wrong. "The thinking on this [test] is very old-school: Vulnerability-based protection is stupid because you're saying you have to know about the vulnerability. The whole point of Aurora and most modern, significant attacks is that we don't know about the vulnerability," Maiffret says. "They should have been testing to see who actually would have stopped Aurora regardless of known vulnerability prevention. Reactive vulnerability signatures are just another losing battle."
Maiffret says it's a systemic problem. "One of the biggest farces in our industry recently is that all of these vendors are claiming zero-day protection, but what they are really saying is that they went from writing reactive signatures for exploits to writing reactive signatures for vulnerabilities."
Randy Abrams, director of technical education for ESET, says vulnerabilities must be patched by the vendor, not protected by the AV product. "We all detect some attempts to exploit vulnerabilities, but this isn't always feasible with every attempted exploit. In some cases, such scanning would bring systems to their knees," Abrams says. "In some cases, there would be false positives induced as some programmers do not realize they have found a vuln and write in-house programs that make use of the vuln," which sometimes happens, he says.
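The exchange above turns on three detection strategies: a reactive signature on one exploit's bytes, a signature on the condition that triggers the vulnerability, and the vendor patch. The script below is an added illustration of that difference and is not code from NSS Labs, FireEye, ESET or the article. Everything in it is constructed: the one-byte-length record format, the bounds-check bug, the "exploit" byte strings and the samples are hypothetical stand-ins and have nothing to do with the actual Internet Explorer flaw used in the Aurora attacks. It shows why a payload signature misses a rewritten or encoded variant, why a vulnerability signature catches those variants but also flags the in-house tool Abrams warns about, and why neither reactive signature sees an attack on a bug nobody has published yet.

```python
"""Added illustration: exploit (payload) signatures vs. vulnerability signatures.
Constructed example; the format, the bug and every byte string are hypothetical
and are not the Aurora/IE vulnerability."""
from __future__ import annotations

BUFFER_SIZE = 64  # hypothetical fixed-size copy target inside the consumer


def parse_record(data: bytes) -> tuple[int, bytes]:
    """Hypothetical wire format: one byte of declared body length, then the body."""
    if not data:
        raise ValueError("empty record")
    return data[0], data[1:]


def vulnerable_consumer(data: bytes) -> str:
    """Models the (hypothetical) buggy consumer. The known bug: `declared` bytes
    are copied into a 64-byte buffer with no bounds check. A second, not-yet-
    published bug: a zero declared length with a non-empty body crashes it."""
    declared, body = parse_record(data)
    if declared > BUFFER_SIZE:
        return "memory corrupted"   # the published, signatured bug
    if declared == 0 and body:
        return "crash"              # the unknown bug nobody has a signature for
    return "ok"


def patched_consumer(data: bytes) -> str:
    """Vendor patch for the known bug only (Moy's 'the door goes away').
    The unknown bug is untouched, which is Maiffret's objection."""
    declared, _body = parse_record(data)
    if declared > BUFFER_SIZE:
        return "rejected"
    return vulnerable_consumer(data)


# Reactive exploit signature: bytes of the first public sample's sled + jump stub.
EXPLOIT_SIGNATURE = b"\x90\x90\x90\xeb\x1f"   # constructed, stands in for a real pattern


def payload_signature_hit(data: bytes) -> bool:
    """Exploit signature: fires only on the bytes of the sample it was written from."""
    return EXPLOIT_SIGNATURE in data


def vulnerability_signature_hit(data: bytes) -> bool:
    """Vulnerability signature: fires on the triggering condition, whatever the payload."""
    declared, _body = parse_record(data)
    return declared > BUFFER_SIZE


# Constructed samples.
SAMPLES = {
    # the original exploit: oversized length plus the recognisable sled
    "original": bytes([200]) + EXPLOIT_SIGNATURE + b"A" * 195,
    # same bug, sled rewritten with different NOP-equivalents: evades the payload signature
    "variant": bytes([200]) + b"\x41\x49\x41\x49\xeb\x1f" + b"B" * 194,
    # same bug, body XOR-encoded with 0x5A: also evades the payload signature
    "encoded_variant": bytes([128]) + bytes(b ^ 0x5A for b in EXPLOIT_SIGNATURE + b"C" * 123),
    # ordinary traffic
    "benign": bytes([5]) + b"hello",
    # Abrams' false-positive case: an in-house tool that unknowingly relies on the bug
    "inhouse_tool": bytes([100]) + b"\x00" * 100,
    # an attack on the still-unknown bug: invisible to both reactive signatures
    "unknown_bug": bytes([0]) + b"\xff" * 10,
}


def evaluate(samples: dict[str, bytes] = SAMPLES) -> dict[str, dict[str, object]]:
    """For each sample: what the unpatched and patched consumers do, and which
    signature fires. Returned rather than printed so it can be checked."""
    return {
        name: {
            "unpatched": vulnerable_consumer(s),
            "patched": patched_consumer(s),
            "payload_sig": payload_signature_hit(s),
            "vuln_sig": vulnerability_signature_hit(s),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:16s} {row}")
```

Reading the output: the payload signature fires on `original` alone; the vulnerability signature fires on `original`, both variants and, as a false positive, on `inhouse_tool`; nothing fires on `unknown_bug`, which the patched consumer still crashes on. Real scanners layer these with heuristics and behavioural checks, and a real vulnerability signature has to model far more than one length field, but the trade-off between coverage of variants and the false-positive and performance cost Abrams describes is the same.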
Abrams says it's all about defense-in-depth. "Right now one of the biggest battles is to simply get people to patch in a timely manner," he says. "Conficker showed how bad patch management is at the corporate and governmental levels. Aurora demonstrated that it really is important to use current Web browsers."