Feeds

Internet security suites fail to block exploits

Tests expose 'chocolate teapot' shortcomings

Top 5 reasons to deploy VMware with Tegile

Internet security suites do little to protect users against exploits, according to security notification firm Secunia.

The Danish security notification firm is urging a root and branch rethink on how security suites are designed, moving away from "ineffective signature-based detection" to a smarter form of defence.

However, an anti-virus expert whose firm's products were not involved in the tests said Secunia's approach only tested against one aspect of how security suites protect consumers, and were therefore potentially misleading.

Secunia tested 12 suites (which typically bundle firewall, anti-malware and anti-spam functions) against a range of 300 exploits targeting vulnerabilities in various high-profile programs.

Even though it blocked only 64 out of 300 exploits, Symantec's Norton Internet Security 2009 came out best from the test, detecting almost ten times more exploits than its nearest competitor. Security suites from the likes of Kaspersky, Check Point, Microsoft, AVG and McAfee all flopped.

Security product bundles are marketed as comprehensive Internet Security Suites, leaving the impression that the user is fully protected against internet threats. Secunia's tests suggest the products fail to do what they say on the tin. Symantec has recently begun introducing behaviour-based detection, which helps to explain why its software did the best of a bad bunch.

Thomas Kristensen, chief technology officer at Secunia, said that the shortcomings of security suites combined with the fact users rarely keep systems fully patched made a recipe for trouble.

"While we did suspect that the popular security vendors would score quite poorly in detecting exploits, the extremely low detection rate took us by surprise and this really begs the question: Does the customer get their money's worth?"

Computer users therefore need to keep up to date with patches in order to have any hope of withstand hacking attacks. Secunia's free Personal Software Inspector (PSI)* and the similar functionality within Kaspersky Internet Security 2009 make it easier to keep up to date with patching.

Graham Cluley, senior technology consultant at Sophos, which focuses on the corporate market and did not take part in the tests, agreed that applying patches was important. "There's no such thing as a perfect security suite, but security software reduces threats and people shouldn't come away from these tests with the conclusion that they these products are ineffective."

Cluley added that the tested problems might do better in real world conditions rather than in the lab because of run time protection. Security products commonly scan files before they are run as well as monitoring what they are doing once they begin running. That means that although Word files harbouring 0day exploits, for example, may make it past scanners they might be prevented from running.

"They [Secunia] haven't actually "run" these exploits on the computer - so it's not really a "real-life" test of how well these security suites would perform," Cluley explained. "It sounds like only one aspect of the suites was tested, rather than all of the ways in which they might have been able to protect the users."

Secunia said its tests illustrated the shortcomings of signature-based security suites. Generic detection of exploits would be a better approach because what triggers a vulnerability (unlike the payload of an attack) doesn't alter, Kristensen pointed out.

"Even with a very rapid creation of payload-based signatures, all their customers are still left exposed for a considerable amount of time from the point when the criminals start distributing their new payload until it has been 'caught', analysed, a signature has been created, the signature has undergone quality assurance testing, the signature is published, and finally downloaded and activated by the security software," Kristensen said.

"Determining the characteristics of a vulnerability is somewhat more complicated and takes longer than than creating a payload based signature, however, it need only be created once," he continued. "Often the security vendors can finish their analysis and create a signature in the same time as the criminals can develop an exploit and start their criminal attacks."

Cluley argued that this criticism was misplaced, as security firms all moved away from signature-based detection years ago. He said modern security suites made far greater use of generic and behaviour-based detection as a way of dealing with the growing volume of malware-sample production.

A full round-up of the exploits and vulnerabilities used in the tests and a rundown of results can be found here (pdf). ®</p

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.