This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
IBM ISS came next. On the client side, it detected and blocked the VML exploit. However, the alert messages for the IE CreateObject and Firefox attacks didn't indicate that the product had detected the exploit itself, only that it had seen a Microsoft Windows shell banner passing across the network. That is a signature on the payload's side effect, not on the exploit: an attacker could deliver the same exploit with a payload that never emits the banner and dodge this form of detection entirely.
IBM ISS identified and blocked all services-based attacks, with an alert that cited the specific exploit we used, the ideal behavior for the product under these tests.
It allowed our zero-day attack, again merely alerting to the presence of a Windows shell banner.
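To make the banner-detection weakness concrete, the following is an added example (not the article's test harness and not IBM ISS's actual signature) of a content-matching rule run over constructed shell-session samples. The default cmd.exe banner is the string a reverse or bind shell leaks when it spawns cmd.exe; a payload that runs commands itself and relays only their output never sends it. The second, output-based heuristic and its marker strings are also assumed, to show that matching on what the commands produce catches the bannerless session, though it is still content-based and still evadable.

```python
import re

# Constructed sample traffic (not captures from the article's tests). A default
# cmd.exe started by a bind/reverse-shell payload prints its banner first; the
# version string is illustrative.
CMD_EXE_SESSION = (
    b"Microsoft Windows [Version 5.1.2600]\r\n"
    b"(C) Copyright 1985-2001 Microsoft Corp.\r\n"
    b"\r\n"
    b"C:\\WINDOWS\\system32>whoami\r\n"
    b"nt authority\\system\r\n"
    b"\r\n"
    b"C:\\WINDOWS\\system32>"
)

# Constructed sample of the evasion the article describes: the payload runs the
# commands itself and relays only their output, so no banner crosses the wire.
BANNERLESS_SESSION = (
    b"nt authority\\system\r\n"
    b"The command completed successfully.\r\n"
    b"Active Connections\r\n"
    b"  TCP    0.0.0.0:4444     0.0.0.0:0    LISTENING\r\n"
)

# Constructed benign sample with nothing shell-like in it.
BENIGN_SESSION = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"

# Banner signature (assumed; not the vendor's rule). Fires only when the
# default cmd.exe banner itself is seen.
BANNER_RE = re.compile(rb"Microsoft Windows \[Version [0-9.]+\]\r?\n\(C\) Copyright")


def banner_alert(stream: bytes) -> bool:
    """True if the default cmd.exe banner appears in the stream."""
    return BANNER_RE.search(stream) is not None


# Complementary heuristic (assumed/illustrative): strings that common Windows
# commands emit, plus a cmd.exe prompt. Not tied to any single banner.
OUTPUT_MARKERS = (
    rb"nt authority\\system",                              # whoami as SYSTEM
    rb"The command completed successfully\.",              # net user / net localgroup
    rb"^\s*TCP\s+\d+\.\d+\.\d+\.\d+:\d+\s+\S+\s+LISTENING",  # netstat -an
    rb"^[A-Za-z]:\\[^\r\n]*>",                             # cmd.exe prompt
)
OUTPUT_RES = [re.compile(p, re.M | re.I) for p in OUTPUT_MARKERS]


def command_output_alert(stream: bytes, threshold: int = 2) -> bool:
    """True if at least `threshold` distinct markers are present.

    Requiring more than one marker keeps a single common word from
    firing the rule on ordinary traffic.
    """
    hits = sum(1 for r in OUTPUT_RES if r.search(stream))
    return hits >= threshold


def classify(stream: bytes) -> dict:
    """Run both detectors and report which fired."""
    return {"banner": banner_alert(stream), "output": command_output_alert(stream)}


if __name__ == "__main__":
    samples = [
        ("cmd.exe shell", CMD_EXE_SESSION),
        ("bannerless shell", BANNERLESS_SESSION),
        ("benign HTTP", BENIGN_SESSION),
    ]
    for name, stream in samples:
        print(f"{name:18s} {classify(stream)}")
```

Running it shows the banner rule firing only on the first sample and the output heuristic firing on both shell sessions, which is the gap the article is pointing at: an alert that reads "Windows shell banner" tells you nothing about which exploit ran, and disappears as soon as the payload changes.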
Sophos delivered reasonable performance in our client-side testing, alerting on two exploits as "Buffer Overflow" behavior, but missing the CreateObject exploit. The default action is to alert, but Sophos can be configured to block the attacks.
All of our services attacks were detected, but by default they were allowed through, giving the attacker control of the system. Sophos neither detected nor blocked our zero-day exploit.
McAfee detected and blocked our VML and Firefox exploits, but failed to detect our CreateObject exploit. McAfee detected and blocked all of our service exploits. For zero-day defenses, McAfee requires administrators to configure specific applications to be protected on a machine. By default, nothing other than specific Windows components is protected, so our zero-day attack went undetected. As an experiment, we configured McAfee to add zero-day protection to our custom vulnerable application. Unfortunately, our exploit still went undetected.
This was first published in November 2007