Anti-virus suites still can't block Google China attack
Protection layer flunks independent tests
Analysis The vast majority of consumer anti-virus products are still failing to block the Operation Aurora exploits used in the high profile attack against Google and other blue-chip firms last December, according to independent tests.
NSS Labs evaluated the effectiveness of seven popular consumer endpoint security products to see which blocked variants of the Operation Aurora attack. The security testing firm reckoned that most, if not all, of the products would block the exploit and malicious code payloads associated with an ultra-high profile attack that has been a mainstay of talk in the information security biz for the last six weeks.
However, only security software from McAfee out of all the seven tested products "correctly thwarted multiple exploits and payloads, demonstrating vulnerability-based protection", NSS discovered to its surprise. Other tested security suites - AVG Internet Security, ESET Smart Security 4, Kaspersky Internet Security, Norton Internet Security 2010, Sophos Endpoint Protection for Enterprise and Trend Micro Internet Security 2010 - all failed.
NSS Labs argues that its research, unveiled at the BSidesAustin security conference on Saturday - highlights the importance of providing greater vulnerability-based protection.
"Rather than reactively blocking individual exploits or malware, vendors should focus on minimizing their customers’ risk of exposure by insulating the vulnerability," Rick Moy, president of NSS Labs explained in a statement.
The research has received a mixed reception from security vendors. Trend Micro, which received a thumbs-down in the test, nonetheless welcomed the research.
"NSS Labs is building up a series of tests that measure the protection at various 'protection layers'," said Anthony Arrott, product manager of security analytics at Trend Micro. "Individually, these tests do not attempt to measure end-to-end protection across all layers – ultimately what matters most to users."
Modern endpoint protection products rely on multiple layers of protection - including malicious attachment blocking, preventing access to malicious URLs and behaviour blocking as well as shielding the underlying vulnerability on the endpoint from being exploited - but the NSS tests only looked at the last of these layers, in concluding that only one in seven tested products snuffed out the exploit.
"Trend Micro agrees with this assessment. This is why Trend Micro recently acquired Third Brigade and is currently integrating the Canadian firm's excellent vulnerability layer protection technology into Trend Micro's enterprise and consumer products," Arrott told El Reg.
"Trend Micro is looking forward to the day when the independent security product testing laboratories develop tests that measure the end-to-end protection provided against threats regardless which layer thwarts the threat."
Non-vulnerability-shielding countermeasures in Trend Micro's arsenal already block the threat, he added.