Why do so many antivirus programs miss the same, old exploits?
- By William Jackson
- Feb 27, 2013
SAN FRANCISCO — Why do so many viruses get onto computers even when they're running updated antivirus products? The problem is two-fold, according to independent testing company NSS Labs.
Analysis of test results on popular antivirus products showed that not only do they miss known exploits, but the different products tend to miss the same exploits, opening up unexpected windows of opportunity for attackers.
"It was a major eye-opener," said Frank Artes, NSS research director and one of the authors of the report, which was released at the RSA Conference this week. "This is particularly important for government," he said, because of the large number of legacy systems agencies often maintain that are not supported by vendors or cannot be easily updated. "These machines are exponentially more at risk," because they must rely heavily on defenses such as antivirus software for protection.
NSS is demonstrating at the conference a tool, still in the early stages of development, that visualizes the gaps left by products in order to help users select the best combinations of security tools and prioritize patching and updating.
That antivirus products are porous comes as no surprise. "Many endpoint/AV vendors state that they are now processing well over 100,000 malware samples per day," NSS noted in a recent test report. "Yet NSS testing shows that the majority fail to block some of the most widely used and dangerous exploits from the past few years."
This apparently is because vendors sometimes drop older exploit signatures from their products to "make room" for new ones without impeding performance.
In a test by NSS of 13 widely used AV products in late 2012, success in blocking 144 well known exploits on machines running recent Windows operating systems ranged from a high of 92 percent to a low of 34 percent. Most products blocked less than 70 percent of the exploits.
The surprise came when researchers began looking at which exploits were successful. Conventional wisdom suggested that multiple products used in sequence would be more successful than using just one, with each catching something that the others had missed. "What we found instead is that there are large areas of correlation between products," Artes said — in some cases, they all missed the same thing.
Testers do not know why these overlaps occur. But using data modeling to see the correlations in results from NSS product tests, different combinations of products were tried to find optimal configurations. "There is not one combination of products that would result in blocking all 1,400 exploits used," he said. "We've beaten ourselves up trying to come up with a combination and we still see things being attacked."
NSS is working with vendors to help them correlate their signature defenses with commonly used exploits, but the bottom line for protecting IT systems remains the same has it has been for some time: Patch systems and keep antivirus up-to-date, but do not rely solely on signature-based defenses.
William Jackson is freelance writer and the author of the CyberEye blog.