AV Products "weak"

[nihil]

Not really a surprise that traditional AV products are not terribly good at detecting exploits, but the extent to which they fail is perhaps a bit of a shock?

Antivirus (AV) products and traditional "Internet security suites" generally don't detect about 80 percent of the exploits and vulnerabilities they see, according to a study published earlier this week by security software vendor Secunia.

Possibly a bit of FUD, but I think that the idea that patching your OS and applications is just as if not more important, is a valid one.

Article:

http://www.darkreading.com/document....ng_section_296

[HTRegz]

I read the Secunia report, as well as the responses from testing groups, AV vendors and various other people... and I tend to agree with the AV vendors. This Secunia report is extremely useless. They dumped files containing in-house developed exploits onto the system and ran on-demand av scans. They used these on-demand AV Scans to say that the 'Internet Security Suites' are useless. They also claim to have tested via urls, however they didn't include test results for that scenario.

The problem is that on-demand is a lot of signatures and some heuristics... The portions of an 'Internet Security Suite' that defends against active exploitation of the box isn't going to necessarily be the AV. It's going to be run time scanning, HIDS and any sort of buffer overflow protection or sandboxing that may be implemented.

While the results of the tests are reported accurately... the testing methodology was horribly failed.

[nihil]

They dumped files containing in-house developed exploits onto the system and ran on-demand av scans.

I don't have a problem with the source of the exploits, and would point out that they claim to have run on-access scanning as well.

What I do have a problem with is that a lot of the "exploits" were only POCs and didn't have a payload, so they weren't actually trying to do anything threatening. Given the rapidity with which new malware or variants are being produced, I am hardly surprised that there aren't signatures or patterns for them............ behavioral analysis would seem to be the more effective way to go?

Another thing I noticed was that they used WinZip or whatever............ I am willing to bet that if I used my copy of UPX to pack the files it would be a different story

Basically all they appear to have done is "read" the files and it is unclear what would have happened if the "exploit" had attempted to write to the Registry, install an application, alter files, phone home, and so on?

I still maintain that a "vulnerability" is a function of the application and the correct approach is to patch it, not expect your security suite to protect you. Unfortunately I know far too many people who do not appreciate that subtlety.

[The-Spec]

I could see someone mashing an apostrophe key... and then some antiviral software crashes out with warnings about SQL injection. I'd laugh.

[LKP]

The only thing that I could assume when I read the report is that testers thought that using POCs should be enough to fire an alert from the AV based on the fact that they work using signatures, but oviously, an unknown method (to the AV) used in a POC won't match signatures and won't fire up an alert

I'm completly agree that this is not a valuable method to test AV nor even its heuristics, isn't the same a file containing a system call that a file actually "making" a system call and as nihil said, isn't work of AVs to patch vulnerability issues nor even taking the time to alert you, that's software's developing team work

I think that this is just another of those reports that stand that AVs don't work just by pleasure, I mean AVs have their problems, they always have been, but many expect AVs to act like a magic piece of software to prevent "every" security problem when isn't the case, AVs have their particular part on system's security but they can't be in charge of every security aspect of such systems