AV Products "weak"
Results 1 to 5 of 5

Thread: AV Products "weak"

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191

    AV Products "weak"

    Not really a surprise that traditional AV products are not terribly good at detecting exploits, but the extent to which they fail is perhaps a bit of a shock?

    Antivirus (AV) products and traditional "Internet security suites" generally don't detect about 80 percent of the exploits and vulnerabilities they see, according to a study published earlier this week by security software vendor Secunia.
    Possibly a bit of FUD, but I think that the idea that patching your OS and applications is just as if not more important, is a valid one.

    Article:

    http://www.darkreading.com/document....ng_section_296

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    I read the Secunia report, as well as the responses from testing groups, AV vendors and various other people... and I tend to agree with the AV vendors. This Secunia report is extremely useless. They dumped files containing in-house developed exploits onto the system and ran on-demand av scans. They used these on-demand AV Scans to say that the 'Internet Security Suites' are useless. They also claim to have tested via urls, however they didn't include test results for that scenario.

    The problem is that on-demand is a lot of signatures and some heuristics... The portions of an 'Internet Security Suite' that defends against active exploitation of the box isn't going to necessarily be the AV. It's going to be run time scanning, HIDS and any sort of buffer overflow protection or sandboxing that may be implemented.

    While the results of the tests are reported accurately... the testing methodology was horribly failed.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    They dumped files containing in-house developed exploits onto the system and ran on-demand av scans.
    I don't have a problem with the source of the exploits, and would point out that they claim to have run on-access scanning as well.

    What I do have a problem with is that a lot of the "exploits" were only POCs and didn't have a payload, so they weren't actually trying to do anything threatening. Given the rapidity with which new malware or variants are being produced, I am hardly surprised that there aren't signatures or patterns for them............ behavioral analysis would seem to be the more effective way to go?

    Another thing I noticed was that they used WinZip or whatever............ I am willing to bet that if I used my copy of UPX to pack the files it would be a different story

    Basically all they appear to have done is "read" the files and it is unclear what would have happened if the "exploit" had attempted to write to the Registry, install an application, alter files, phone home, and so on?

    I still maintain that a "vulnerability" is a function of the application and the correct approach is to patch it, not expect your security suite to protect you. Unfortunately I know far too many people who do not appreciate that subtlety.

  4. #4
    Banned
    Join Date
    Jan 2008
    Posts
    605
    I could see someone mashing an apostrophe key... and then some antiviral software crashes out with warnings about SQL injection. I'd laugh.

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Posts
    15
    The only thing that I could assume when I read the report is that testers thought that using POCs should be enough to fire an alert from the AV based on the fact that they work using signatures, but oviously, an unknown method (to the AV) used in a POC won't match signatures and won't fire up an alert

    I'm completly agree that this is not a valuable method to test AV nor even its heuristics, isn't the same a file containing a system call that a file actually "making" a system call and as nihil said, isn't work of AVs to patch vulnerability issues nor even taking the time to alert you, that's software's developing team work

    I think that this is just another of those reports that stand that AVs don't work just by pleasure, I mean AVs have their problems, they always have been, but many expect AVs to act like a magic piece of software to prevent "every" security problem when isn't the case, AVs have their particular part on system's security but they can't be in charge of every security aspect of such systems
    Simplicity is power!

Similar Threads

  1. FireFox Security Problems, released 4/17
    By Galiath in forum Web Security
    Replies: 7
    Last Post: April 21st, 2006, 03:57 AM
  2. Multiple Firewall Products Bypass Vulnerability
    By dirtyrider in forum Firewall & Honeypot Discussions
    Replies: 4
    Last Post: January 4th, 2005, 09:15 PM
  3. Vulnerabilities in several antivirus products
    By DjM in forum AntiVirus Discussions
    Replies: 7
    Last Post: January 29th, 2004, 01:33 AM
  4. We're adding Security News and Products to the main page
    By intmon in forum Site Feedback/Questions/Suggestions
    Replies: 5
    Last Post: May 29th, 2003, 01:53 AM
  5. Lol Now I Know Why Everyone Hates Microsoft!!!
    By NUKEM6 in forum Non-Security Archives
    Replies: 10
    Last Post: January 24th, 2002, 06:21 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •