Anti-virus Software: Is it Getting Any Better?
I attended a presentation by a major anti-virus product vendor at an ISSA chapter meeting yesterday, something that got me thinking and brooding sufficiently to motivate me to write this blog entry. In some of my previous entries I have stated that the proficiency of today’s generation of anti-virus software in detecting and eradicating viruses and worms is, with a few exceptions, OK, but not spectacular. The detection and eradication of Trojan horse software is another matter, however–most current anti-virus products are deficient in these areas. But how do these products fare in detecting “client-side exploits,” attempts to exploit vulnerabilities in browsers (e.g., Internet Explorer and Firefox), browser plug-ins, desktop applications, and other software frequently run by users? NSS Labs, which is rapidly becoming one of my heroes in the information security arena because of its vendor-independent stance and sound testing procedures, conducted such tests earlier this year and announced the results only a few weeks ago.
The results were somewhat disappointing, but certainly not surprising. If an anti-virus program detects only, say, a little over half of the Trojan horse programs that have infected systems, it would be surprising if that program were able to detect a considerably higher percentage of vulnerability exploitation attempts against client-side tools. NSS Labs reported that the average exploitation detection rate for ten anti-virus products hovered around 66 percent. The average detection score for original exploits across all products was 76 percent, whereas the average score for variant exploits was 58 percent. One of the products identified every one of the 123 exploit attempts, both original and variant exploits! (Can you imagine the buzz going around that vendor’s marketing department?) Another one detected all of the original exploits, but only 29 percent of the variant exploits.
Sadly, all the vulnerabilities as well as the exploitation methods used in the tests have been around for years. It thus appears that the majority of the products tested are being developed with a focus on signatures, which may still help in malware detection but are less adequate against malware now than ever before, plus some behavior detection–but not on detecting actual exploitation attempts. Clearly, AV vendors need to devote more time and resources to this neglected area.
What the latest round of NSS Labs testing tells us is that no matter what AV vendors claim, with one very notable exception their hype is much stronger than the actual performance of their products. What recourse do we have? Should we not use AV software? The answer to my question is a definite “no.” We know that AV software is for the most part flawed, but it is not so badly flawed that we need to turn our backs on this technology. AV product testing shows that the amount of residual risk remaining after we deploy (and constantly update) this software is higher than we had expected and hoped. But this is not the first time this kind of thing has happened. It was not all that long ago that NSS Labs tested intrusion prevention systems. Although a few fared well in the testing, some did not–one product detected and blocked only 17 percent of the attacks that were launched. We thus must be more careful in our calculations of residual risk for commonly used security technologies. We must also work harder at finding which technologies work better than others so that we can select those with the least residual risk–like the AV product that detected all original and variant exploits in the recent NSS Labs testing. Finally, we need to continue to think in terms of defense-in-depth. One control will fail and another will perform marginally, but if we have a series of orchestrated defenses, we will obtain better protection than if we do not.
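To make the residual-risk arithmetic above concrete, here is an added example (my own illustration, not part of the NSS Labs report or any vendor’s material) that combines the detection rates quoted in this post into a layered residual-risk estimate. It assumes each layer’s miss rate is one minus its measured detection rate, and it contrasts two modelling assumptions: layers that fail independently versus layers that share the same blind spot (for instance, two signature-based products that both lack a signature for the same exploit variant). The product names and the pairing of an AV product with an IPS are constructed for illustration.

```python
"""Layered residual-risk estimate from per-control detection rates.

Added example: not from the original post or from NSS Labs.
Rates below are taken from the figures quoted in the post; the
pairing of controls is a constructed scenario.
"""
from functools import reduce
from operator import mul

# Detection rates quoted in the post (fraction of attempts detected).
AV_AVERAGE_ORIGINAL = 0.76   # average, original exploits
AV_AVERAGE_VARIANT = 0.58    # average, variant exploits
AV_WEAK_VARIANT = 0.29       # one product's variant-exploit score
IPS_WORST = 0.17             # worst IPS in the earlier NSS Labs test


def residual_risk(detection_rates, correlated=False):
    """Fraction of attacks expected to get past every layer.

    detection_rates: list of per-layer detection fractions in [0, 1].
    correlated=False: layers miss independently, so residual risk is
                      the product of the per-layer miss rates.
    correlated=True:  layers share one blind spot (an attack missed by
                      the best layer is missed by all), so residual
                      risk is the smallest per-layer miss rate. This is
                      the pessimistic bound for stacked signature tools.
    """
    if not detection_rates:
        raise ValueError("at least one layer is required")
    misses = []
    for d in detection_rates:
        if not 0.0 <= d <= 1.0:
            raise ValueError(f"detection rate out of range: {d}")
        misses.append(1.0 - d)
    if correlated:
        return min(misses)
    return reduce(mul, misses, 1.0)


def weakest_layer(detection_rates):
    """Index of the layer contributing the most residual risk."""
    return max(range(len(detection_rates)), key=lambda i: 1.0 - detection_rates[i])


def compare_scenarios():
    """Residual risk for constructed single-layer and two-layer setups."""
    scenarios = {
        "average AV alone, original exploits": [AV_AVERAGE_ORIGINAL],
        "average AV alone, variant exploits": [AV_AVERAGE_VARIANT],
        "weak AV alone, variant exploits": [AV_WEAK_VARIANT],
        "average AV (variants) + worst IPS": [AV_AVERAGE_VARIANT, IPS_WORST],
    }
    return {
        name: (round(residual_risk(r), 4), round(residual_risk(r, correlated=True), 4))
        for name, r in scenarios.items()
    }


if __name__ == "__main__":
    for name, (indep, corr) in compare_scenarios().items():
        print(f"{name:40s} independent={indep:.2%}  correlated={corr:.2%}")
```

The independent-failure figure is the optimistic bound and the correlated figure the pessimistic one; the true residual risk of a real deployment sits somewhere between them, which is exactly why a second layer chosen for a different detection method (behavioural or exploit-aware rather than another signature engine) buys more than stacking two products that fail on the same variants.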
A last thought–hats off once again to NSS Labs. They may not make any points with many security vendors because they expose the raw truth, but they certainly help information security professionals like you and me who must make decisions about vendor products.