Most AV Suites Fail

NSS Labs: Testing shows most AV suites fail against exploits - Computerworld

If anyone buys the full report, will be interesting to see who they recommend.

Find more posts tagged with

Comments

Ahriakin

This is a little dubious. Mitigation of exploits is not the prime function of an AV suite, patching is the priority here, next up is soft-patching with a good IPS, last should be the host based AV. Also without shelling out for the full report we do not know what versions of the software packages were used. E.g. Kaspersky AV does not include the full HIPS package (much more suited to mitigating exploits), their Internet Security package does, yet they just list 'Kaspersky'.

Devilsbane

Any antivirus will fail if a hacker has direct access to it. General antivirus is really only intended to stop a routine attack. If the hacker singles you out and goes for the kill, your little av program will likely die, especially if he can gain physical access.

I wouldn't take it too seriously, I also wouldn't shell out the $495 for the report, although it would be interesting to read.

dynamik

Ahriakin wrote: »

Mitigation of exploits is not the prime function of an AV suite, patching is the priority here

I guess, but shouldn't it be? Isn't the core purpose of AV to protect against malicious code? Do we need to add Anti-E to the Anti-X mix?

Unfortunately, patching may lag months behind the release of an exploit. This may be due to lack of support from a vendor or an organization's testing procedures. Some patches may never be applied due to incompatibilities. AV is able to respond significantly more quickly with less testing and compatibility concerns.

Do you consider this to be more a responsibility of HIDS and not AV? I think a HIDS would be important for detecting abnormal activity once an exploit was executed, but I don't see any reason why AV can't do basic signature checks against common exploits from Metasploit, Exploit DB, etc.

It's not like AV can't be circumvented, but I still think well-known exploits should be filtered.

I was surprised to see ESET do so poorly though; they're usually one of the top performers.

Ahriakin

dynamik wrote: »

I guess, but shouldn't it be? Isn't the core purpose of AV to protect against malicious code? Do we need to add Anti-E to the Anti-X mix?

Yes it is, and a pure AV package is only really effective with signatures (I don't trust any package's Heuristics), the code used to exploit a vuln does not have to be based on a commonly available profiled set. My point is an exploit does not necessary mean the use of identifiable code, it is usually down to attacking existing code vulnerabilities in a multitude of ways (you know this probably far better than I do). I definitely think a package that incorporates a HIPS function is the only way any suite could even attempt to mitigate exploits effectively. You'd need to be monitoring internal processes, network activity etc. for anomalies and/or match on a known pattern of behavior for application-X rather than a known file.
All of course with a big 'IMHO' attached

dynamik

Ok, I think we're on the same page. I was just saying that there's no reason AV shouldn't detect common exploits where signature-based detection is effective. It sounded like the results were abysmal, but it's difficult to know without seeing the actual report.

it_consultant

Bokeh - in my world 'bokeh' means the out of focus area of a photograph. Is that where you get your moniker?