Security Software Suites No Match for Custom Attacks
The all-in-one security software suites from the major anti-virus vendors fail spectacularly at detecting custom-made malware that exploits the latest software vulnerabilities, according to testing done by security analysis firm Secunia.
Secunia tested how well nearly a dozen security suites fared against malicious files and direct attacks that leveraged more than 150 known software flaws. All of the vulnerabilities used in the test are publicly documented -- details of them can be found in the Common Vulnerabilities and Exposures (CVE) database -- and most of the vulnerabilities can be fixed by applying a software update currently available from the program's maker.
Secunia says that out of the 300 test cases, 126 are particularly important because they affect very popular products and have either been exploited as zero-day threats or have working exploits developed by Secunia. Secunia CTO Thomas Kristensen said all of the vulnerabilities used in the test merit a moderate security rating or higher, meaning they can be used to remotely install software on the victim's PC with little or no help from the user beyond opening or viewing the malicious file.
The company found that nearly all of the security suites -- including those from McAfee, F-Secure, Microsoft and TrendMicro -- detected between just 1 percent and 3 percent of the attacks. Symantec's Norton Internet Security 2009 dramatically outperformed the rest, detecting more than 20 percent of all threats and more than 30 percent of the most dangerous threats, according to the results.
Still, that means in at least 7 out of 10 cases, the bad guys using a targeted exploit will slip past Norton's defenses. It also means the other products catch at most 3 percent of targeted attacks, letting the remaining 97 percent through.
At any rate, readers can find a detailed breakdown of Secunia's test results and interesting methodology here (PDF).
I emphasize the word "targeted" because most anti-virus products are still reactive, in that they focus on protecting customers by figuring out what people are getting attacked by and then creating custom "signatures" to detect that specific threat going forward. While most anti-virus companies claim to have incorporated technology capable of detecting programs that exhibit suspicious behavior or that attack specific software vulnerabilities, it appears that Symantec is alone in making significant strides in this respect, at least as it relates to the latest, known vulnerabilities in widely-used software.
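To make the difference between the two detection approaches concrete, here is an added example (my own illustration, not code from Secunia or any of the vendors named above). It uses a constructed toy file format, "TOY1", whose hypothetical viewer copies a length-prefixed name field into a 64-byte buffer without checking the length. A signature scanner that only knows the hash and a byte pattern of one exploit sample it has already seen misses a custom variant of the same exploit, while a scanner keyed on the vulnerable condition itself (an oversized name field) catches both. The format, buffer size, payloads and scanner names are all assumptions made up for this example.

```python
"""Signature-based versus vulnerability-based detection on a constructed format."""
import hashlib
import struct

# Constructed toy format (an assumption for this example, not a real format):
#   bytes 0-3  magic b"TOY1"
#   bytes 4-5  big-endian length N of the name field
#   bytes 6..  N bytes of name
# The hypothetical vulnerable viewer copies the name into a fixed 64-byte
# buffer without checking N, so any N > 64 is the overflow trigger.
MAGIC = b"TOY1"
NAME_BUF_SIZE = 64


def build_sample(name: bytes) -> bytes:
    """Serialize a TOY1 file carrying the given name field."""
    return MAGIC + struct.pack(">H", len(name)) + name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Reactive detection: hashes and byte patterns taken from samples already seen."""

    def __init__(self) -> None:
        self.known_hashes: set[str] = set()
        self.patterns: list[bytes] = []

    def learn(self, sample: bytes, pattern: bytes) -> None:
        """Add a full-file hash and a distinctive byte pattern for one known sample."""
        self.known_hashes.add(sha256_hex(sample))
        self.patterns.append(pattern)

    def is_malicious(self, data: bytes) -> bool:
        if sha256_hex(data) in self.known_hashes:
            return True
        return any(p in data for p in self.patterns)


class VulnScanner:
    """Vulnerability-focused detection: flags any file that triggers the flaw,
    regardless of which payload bytes follow."""

    def is_malicious(self, data: bytes) -> bool:
        if len(data) < 6 or data[:4] != MAGIC:
            return False  # not a TOY1 file; out of scope for this parser
        (declared_len,) = struct.unpack(">H", data[4:6])
        # Checked against the declared length, not the bytes present: a truncated
        # file with a huge length would also make the viewer read and copy too much.
        return declared_len > NAME_BUF_SIZE


# Constructed samples (assumptions for this example).
BENIGN = build_sample(b"holiday photos")
KNOWN_PAYLOAD = b"\x90" * 16 + b"SHELLCODE_V1"
KNOWN_EXPLOIT = build_sample(b"A" * 200 + b"\xde\xad\xbe\xef" + KNOWN_PAYLOAD)
# Same vulnerability, different filler, NOP sled length and payload bytes.
CUSTOM_VARIANT = build_sample(b"B" * 200 + b"\xde\xad\xbe\xef" + b"\x90" * 32 + b"SHELLCODE_V2")


def run_comparison() -> dict[str, dict[str, bool]]:
    """Return each scanner's verdict on each constructed sample."""
    sig = SignatureScanner()
    sig.learn(KNOWN_EXPLOIT, KNOWN_PAYLOAD)  # the vendor has seen this one
    vuln = VulnScanner()
    samples = {"benign": BENIGN, "known": KNOWN_EXPLOIT, "custom": CUSTOM_VARIANT}
    return {
        name: {"signature": sig.is_malicious(d), "vulnerability": vuln.is_malicious(d)}
        for name, d in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(f"{name:8s} signature={verdict['signature']!s:5s} "
              f"vulnerability={verdict['vulnerability']}")
```

The custom variant is what Secunia's test approximates: the bug being triggered is public and the fix is available, but the bytes the attacker ships have never been seen by the vendor, so a hash or pattern signature has nothing to match. The vulnerability check costs more to build, since someone has to write a parser for each format and encode what "triggers the flaw" means, which is one reason such coverage lags behind signature coverage.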
Secunia's study is useful, but it ignores the unfortunate reality of today's threats, which rely not on software vulnerabilities but mainly on tricking people into installing software. Interestingly, Symantec itself documents this fact in its Internet Security Threat Report, which found that in the second half of 2007, only 10 percent of the new malicious code threats affecting consumers used software flaws.
At the very least, Secunia's study is a stark reminder that having security software installed is no substitute for keeping the rest of the software you use up-to-date with the latest security patches. On this front, I've recommended Secunia's vulnerability scanners, which work either through the company's Web site or a free, installable program. Some readers have said they refuse to use Secunia's scanners because they require users to have Java installed, a program that needs frequent security updates itself and clutters the user's system with old, outdated versions of itself. My take on it is that 90 percent of the planet already has Java installed. What's more, anything that raises the average user's awareness on the need for regular patching is overall a good thing, Sun's clumsiness with its Java software notwithstanding.
Incidentally, if you're looking to see how well the products named in this study detect the latest threats that are actually in circulation, check out the stats released in September by AV-test.org (Microsoft Excel file). The group's battery of tests also examined how the software suites fared in terms of system memory usage, proactive malware detection, false positive rates and on-demand scanner performance.
October 13, 2008; 4:44 PM ET
Categories: Latest Warnings , New Patches , Safety Tips