IT Jobs
Security suites fail exploit tests
Atrocious preformance by leading suites.
By Gregg Keizer, Computerworld US
Published: 08:48 GMT, 14 October 08
Security suites don't protect users from real-world exploits, a bug tracking company has claimed after launching 300 test attacks against a dozen programs, including popular software from McAfee, Symantec and Trend Micro.
"The Internet security suites are marketing themselves as the one solution users need to be safe online," said Thomas Kristensen , chief technology officer of Secunia, which ran the tests. "In our opinion, that's just not true."
Secunia sicced hundreds of vulnerability exploits - some proof-of-concept code that triggered a vulnerability, others that included payloads - on 12 suites, including Symantec's Norton Internet Security 2009, Microsoft's Windows Live OneCare, AVG Technologies' Internet Security 8.0 and McAfee's Internet Security Suite 2009.
The attack code was delivered by files of various formats, including Office documents and malformed images, and by malicious websites that triggered browser and ActiveX bugs. The target was a Windows XP SP2 machine missing "certain patches and with a number of vulnerable programs," according to Secunia.
While Symantec's Norton Internet Security 2009 took honours, it detected only 64 out of 300 exploits, or just 21 percent of the total. Even so, that beat most rivals by substantial margins. Trend Micro's Internet Security 2008, for example, only detected 2.3 percent of the exploits, while McAfee's Internet Security Suite 2009 identified 2 percent and Microsoft's OneCare spotted just 1.8 percent of the exploits.
The reason why current security suites had such trouble detecting the 300 exploits, Kristensen explained, is that anti-virus software vendors are geared toward cranking out signatures for hacker payloads: the worms, Trojan horses and spyware that are identified in the wild, given names and then spotted by adding a new detection "fingerprint" to the software.
"They don't focus on detecting vulnerabilities, they focus on detecting the payload," Kristensen said. "But the problem with detecting the payload is that you're always behind [the hackers]. It's easy for the bad guys to create a new payload that's not detected by the scanning mechanisms and current signatures."
In order to craft a signature for a specific payload, security companies must first capture a sample, analyse the malware and write a detection fingerprint. Then they must push that new signature to users. The process, said Kristensen can take hours at best, and then must be repeated as soon as a new piece of malware is bundled with an exploit.
But by looking for vulnerability exploits rather than for payloads, argued Kristensen, security software could stop multiple pieces of malware with just one signature, essentially making a more efficient defence in the long run.
"If there's a vulnerability in [Microsoft] Office and someone is exploiting that in an Office document, you'll be able to block that attack with just one signature," he said, no matter how many different payloads hackers may try to load into a vulnerable PC. "It's a much better way, we think, even though it's somewhat more time consuming to come up with a vulnerability signature."
Although Secunia sells its vulnerability research and proof-of-concept exploits to legitimate security vendors, Kristensen maintained that was not the reason why the company tested the 12 suites. Instead, he said, the take-away should be to patch, patch promptly and patch all software, not just the operating system.
"Security software alone isn't sufficient" to protect a PC," Kristensen said. "People need to patch all their programs. Patching is absolutely necessary, and not just the main programs, but third-party software as well."
Secunia has posted a paper that describes its suite testing procedure and lists results on its website.
.gif)
Add your commentComments
Search-and-destroy Antispyware. | Published: 06:22 GMT, 15 December 2008
Have you ever tried Search-and-destroy Antispyware? If you answered no, then you should give it a try. Over the years I have used many different types of antispyware and this is one of the best that I have ever tried. I was surprised and delighted to find that I could purchase it for a lower price than I could buy Norton and other similar scans that produce the same results. That makes it even better. Antispyware solution from Search-and-destroy can find the same kinds of bugs as these more expensive programs and is easy to get. Just click here http://www.Search-and-destroy.com/antispyware.html and you can see how well it really works for yourself.
R.Askew | Published: 23:41 GMT, 14 October 2008
I am happy someone took the efforts to test the mentioned AV programs.But Like "Dane" just mentioned "Tell us something we don't know".Because all of the mentioned AV Programs tested failed me in the past to losing HD's,expensive software & Data,because the bugs also when along for the ride with the B/U's even getting thru after A/V scans I did.So Maybe Please do a report on: Zone Alarm Internet Suite,& Panda, Nod 32, Kaspersky, Malwarebytes Products .Overall,This is Good Info For everyone.
Dane Nelson - Owner .COM Computers | Published: 19:58 GMT, 14 October 2008
My biggest question is why were the best programs left out of the test? Panda, Nod 32, Kaspersky, Malwarebytes? At least some of these programs have hurestic scanning abilities that should be tested to see if they are working properly. Most good techs will tell you that the programs test here do not do well. Tell us something we don't know.
Joseph Takahashi | Published: 17:51 GMT, 14 October 2008
The test was run on XP with SP2 with certain patches missing. If the patches were present, would it increase the detection amount? What about the use of SP3 upgrade? Will these tests be repeated against a full SP2 and SP3?