This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
Antimalware vendors are loading up-with traditional signature-based detection, heuristic detection, detection based on common attack characteristics and exploits of known vulnerabilities, application controls, host firewall...whew!
But how well is all this working? Recent tests from a couple of sources- Virus Bulletin (VB) and Secunia-didn't have all the answers, but the findings were interesting enough to make us wonder, yet again, how effective are these products and how do you test that effectiveness.
The annual VB100 certification test-which has been around since 1998- didn't tell us much except that AV vendors can shoot fish in a barrel-in this case, a WildList virus sampling they surely all have signatures for. But other test results, detailed in the October Bulletin, detecting bots and worms, polymorphic viruses and especially Trojans, were more revealing.While all the major vendors scored perfectly on the VB100 test, they missed 5 to 15 percent on the Trojans test. The reason? First, this was a fresh batch of specimens, so the products had to depend on their other detection techniques, with disappointing results. John Hawes, VB technical consultant, says the Bulletin is moving rapidly to ensure fresh samples for each evaluation-bots and worms as well-to test the mettle of these endpoint security suites. And, Trojans are a particular challenge.
"Trojans are difficult because there are so many of them; 90 to 95 percent of new malware reported are Trojans,"
Secunia's Internet Security Suite test was designed to test a dozen products' ability to detect exploits. Secunia turned 144 malicious files and 156 malicious Web pages against XP SP2 with missing patches and a number of vulnerable programs. The results were dismal. Symantec was tops with 64 hits. The rest? Look at your hand. Count the fingers.
"For a long time, I've viewed signature-based detection as a commodity," says Ed Skoudis, co-founder and senior security consultant of Intelguardians. "The other stuff is where all the interesting detection happens, especially as signature-based detection grows less effective over time because the bad guys are moving so fast."
A case in point was this year's Defcon Race to Zero, in which a team of three researchers from Mandiant used obfuscation techniques to get 10 well-known viruses and exploits-including Slammer and the 20-year-old Stoned virus- past major AV scanners. It took them six hours.
Secunia CTO Thomas Kristensen thinks things might be even worse if the bad guys tried harder.
"What makes people lucky is that the bad guys still have quite a bit to learn," he says. "They are not that good at exploiting the latest vulnerabilities on a massive scale. If their attempts to exploit are caught, it's simply because they're using some old payload that is already known by the different security solutions."
The bottom line? Security suites are essential, but don't get lulled by vendor claims, especially when it comers to zero-day exploits. A combination of good software, up-to-date patches and user education mitigates the problem, but there is no solution.
This was first published in January 2009