SlideShare una empresa de Scribd logo

Can consumer av products protect

Anatoliy Tkachev
Anatoliy Tkachev
Tecnología
1 de 7
Descargar para leer sin conexión
Analysis Brief August 15, 2012 Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities? Tested Products Avast Internet Security 7 AVG Internet Security 2012 Avira Internet Security 2012 CA Total Defense Internet Security Suite ESET Smart Security 5 F-Secure Internet Security 2012 Kaspersky Internet Security McAfee Internet Security 2012 Microsoft Security Essentials Norman Security Suite Pro Norton Internet Security 2012 Panda Internet Security 2012 Trend Micro Titanium + Internet Security This analysis brief was produced as part of NSS Labs’ independent testing information services. Leading vendors were selected for participation at no cost, and NSS Labs received no vendor funding to produce this analysis brief. 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
Overview NSS Labs conducts significant research on the capabilities of endpoint protection (AV) products. As NSS researchers were preparing for the impending Consumer Endpoint Protection Group Test, two critical vulnerabilities against popular Microsoft products were disclosed. The first vulnerability resides within Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 and the second within Internet Explorer 8. Microsoft has since delivered critical patches for both CVE’s in June and July 2012, respectively. Unfortunately, exploits against both vulnerabilities are already being observed in the wild, and users that have not yet patched their systems are at risk. Many users who have not yet patched, or have delayed patching, assume their endpoint protection suite is defending their system in the interim. The mission of endpoint protection is to defend users against exploits and malware when a patch is not available or has not yet been applied. NSS Labs conducted testing on 13 popular consumer anti-virus (AV) products, to see how well they repelled attacks on systems not yet patched for the CVE-2012-1875 and CVE-2012-1889 vulnerabilities. Consumer-grade AV products that offer effective protection against these vulnerabilities allow users time to patch systems (particularly important in enterprise environments with “bring your own device” (BYOD) policies in place.) However, the successful exploitation of either of these critical vulnerabilities would reflect a significant product failure, especially given the high profile and critical nature of these vulnerabilities. Product HTTP HTTPS Overall Note Avast 100% 100% 100% Kaspersky 100% 100% 100% McAfee 100% 100% 100% Trend 100% 100% 100% ESET 100% 50% 75% HTTPS Problem Norton 100% 50% 75% HTTPS Problem AVG 100% 0% 50% HTTPS Problem Avira 100% 0% 50% HTTPS Problem F-Secure 50% 0% 25% HTTPS Problem Microsoft Security Essentials 50% 0% 25% HTTPS Problem Norman 25% 25% 25% Panda 25% 25% 25% CA Total Defense 50% 0% 25% HTTPS Problem Figure 1: Summary of Findings 2 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
NSS Labs Findings: • Consumers who delay patching, or fail to patch more than their operating system alone, are at elevated risk of compromise. • Only 4 of the 13 products blocked all attacks; exploit prevention remains a challenge for most products. • More than half of the products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop AV / host intrusion prevention system (HIPS.) • Where BYOD policies are in place in enterprise environments, delays in patching leave corporate networks at serious risk of compromise. • NSS Labs researchers are not the only ones testing security products - criminal organizations also have sophisticated testing processes in order to determine which product detects which malware, and how the various products can be evaded. Some crimeware will include various one-click buttons to “Bypass Vendor X,” for example. NSS Labs Recommends: • Users of products that failed to block these attacks should update/patch immediately or otherwise mitigate. • Where feasible, do not rely on AV software alone to protect your system; install a HIPS product or “Internet security” suite (AV+HIPS) to provide an additional layer of protection. • Enterprises with BYOD policies should carefully monitor for unpatched systems and consider enforcing defense in depth strategies (“Internet security” suites, for example) on all BYOD systems. • Users of Gmail, Facebook, and other services that utilize HTTPS should consider endpoint protection (AV) products that can defend against threats being transported across this protocol. • Consumers should consider using patch management tools such as the Secunia Personal Software Inspector Analysis NSS Labs conducted testing on 13 popular consumer anti-virus (AV) products, to see how well they repelled attacks on systems not yet patched for the CVE-2012-1875 and CVE-2012-1889 vulnerabilities. The successful exploitation of either of these critical vulnerabilities can result in arbitrary remote code execution by the attacker, thus posing a significant threat to users. To test the antivirus products, NSS Labs researchers crafted one payload containing shellcode to launch calc.exe, and a second payload that invoked a reverse Meterpreter shell over HTTPS. Additional testing was done to see if the products could easily be disabled upon successful exploitation of the vulnerability and if basic obfuscation tactics would defeat protection. Raw exploits were augmented with common evasion tactics, such as Base 64, Unicode, and JavaScript encoding. In addition to attacks over HTTP, NSS Labs also used the HTTPS protocol. 3 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
Three distinct patterns of capabilities begin to emerge throughout this test. However a much more comprehensive end-point protection test, scheduled for completion later this year, will provide a better indication of comparative capabilities of the products. One surprising finding was that Base 64, Unicode, and JavaScript encoding failed to trip up antivirus products as they have in previous NSS Labs tests. NSS Labs researchers will include several more evasions in the end- point product tests later this year. Basic Exploit Protection The first test was to see which products could block the exploitation of two recent, high-risk vulnerabilities and identify at which stage the product stopped the attack. Did the product block the exploit from triggering the vulnerability or simply the content delivered by the exploit? Avast, AVG, Avira, ESET, Kaspersky, McAfee, Norton, and Trend Micro all blocked both attacks against CVE-2012-1889 when NSS engineers attempted to exploit the two vulnerabilities. Avast AVG Avira CA ESET F-Secure CVE-2012-1875-calc CVE-2012-1875-reverse shell Kaspersky CVE-2012-1889-calc McAfee CVE-2012-1889-reverse shell Microsoft Norman Norton Panda Trend 0% 25% 50% 75% 100% Figure 2: Exploits Delivered Via HTTP F-Secure blocked both exploits against CVE-2012-1889 while failing to prevent either exploit against CVE-2012- 1875. Conversely, CA and Microsoft blocked both attacks against CVE-2012-1875, while failing to prevent either exploit against CVE-2012-1889. Norman and Panda also failed to prevent both exploits against CVE-2012- 4 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
1889 and blocked only one of the two exploits against CVE-2012-1875, indicating that their protection relies on detecting the malicious content being delivered after an exploit has successfully compromised the system as opposed to preventing the exploit itself. The World Is Going To HTTPS / SSL In addition to banking and e-commerce sites, HTTPS is being used exclusively by some of the most popular Internet-based applications such as Google’s webmail service, Gmail. For the next phase NSS Labs researchers transmitted the exploits over an encrypted channel using the HTTPS protocol. In these tests, only Avast, Kaspersky, McAfee, and Trend Micro successfully blocked both exploits while nine (9) of the 13 products fully or partially failed to protect the victim. Avast AVG Avira CA ESET F-Secure CVE-2012-1875-calc CVE-2012-1875-reverse shell Kaspersky CVE-2012-1889-calc McAfee CVE-2012-1889-reverse shell Microsoft Norman Norton Panda Trend 0% 25% 50% 75% 100% Figure 3: Exploits Delivered Via HTTPS AVG, Avira, CA, F-secure, and Microsoft failed to block any of the exploits, even though they had partial, or even complete, success in blocking the same attack when delivered over HTTP, indicating a failure to implement protection against exploits delivered via HTTPS. ESET and Norton failed to block both attacks against CVE- 2012-1875 when delivered via HTTPS, indicating a flaw in how the products handle attacks delivered via HTTPS against the browser itself. 5 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
Where attackers elect to use SSL, it is quite possible that even known malware will slip past the faulty intrusion prevention found in these products. En Garde Once an endpoint defense mechanism of any kind has been bypassed, the next step taken by most attackers is to attempt to disable it completely. This would, for example, enable further malicious software to be downloaded without risk of it being detected by the protection mechanism. There are significant differences in the abilities of market-leading products to defend themselves against being disabled. Unfortunately both Microsoft and CA offerings presented virtually no defensive capabilities. Both products could be disabled with a simple “kill” command. Other products presented varying degrees of resilience and full details will be in the reports of the EPP testing results in late 2012. The Good, The Bad, And The Ugly Avast, Kaspersky, McAfee, and Trend were able to block all four attempted exploits when delivered via HTTP or HTTPS protocols. ESET and Norton both blocked the four initial attacks, but when HTTPS was added to the mix they failed to block either attack exploiting CVE-2012-1875. AVG and Avira both blocked all four attempted exploits, but were unable to deal with the HTTPS variations. Avast AVG CVE-2012-1875-calc-HTTP Avira CVE-2012-1875-reverse shell-HTTP CA ESET CVE-2012-1889-calc-HTTP F-Secure CVE-2012-1889-reverse shell-HTTP Kaspersky McAfee CVE-2012-1875-calc-HTTPS Microsoft CVE-2012-1875-reverse shell-HTTPS Norman Norton CVE-2012-1889-calc-HTTPS Panda Trend CVE-2012-1889-reverse shell-HTTPS 0% 20% 40% 60% 80% 100% Figure 4: Combined Results 6 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
CA, Microsoft, Norman, and Panda, were all able to block only two of the eight total variations of the attacks. While Norman and Panda only blocked one exploit over HTTP, the same exploit was blocked over HTTPS, indicating that HTTPS does not appear to be an issue for either product. The combinations of failures and successes are dramatic and necessitate further research. It is clear that many of the products are not blocking exploits. However, more testing is required to determine if those that scored well in this test had signatures for calc.exe and Meterpreter traffic, or actually block the exploits regardless of payload. The failure to deal with HTTPS would seem conclusive, but NSS Labs will further validate the results in more comprehensive testing that will include a several more exploits and a battery of new and existing malware, both known and unknown to the products under test. ©2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: The information in this brief is subject to change by NSS Labs without notice. The information in this brief is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this brief are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY THE NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. This brief does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this brief. All trademarks, service marks, and trade names used in this brief are the trademarks, service marks, and trade names of their respective owners. 7 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com

Recomendados

Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Global Knowledge Training
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploitКомсс Файквэе
 
Avc fdt 201303_en
Avc fdt 201303_enAvc fdt 201303_en
Avc fdt 201303_enAnatoliy Tkachev
 
IE Exploit Protection
IE Exploit ProtectionIE Exploit Protection
IE Exploit ProtectionKim Jensen
 
Avc fdt 201209_en
Avc fdt 201209_enAvc fdt 201209_en
Avc fdt 201209_enAnatoliy Tkachev
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireGlobal Knowledge Training
 
Avc prot 2012b_en
Avc prot 2012b_enAvc prot 2012b_en
Avc prot 2012b_enAnatoliy Tkachev
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web securityxKinAnx
 

Recomendados

Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Global Knowledge Training
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploitКомсс Файквэе
 
Avc fdt 201303_en
Avc fdt 201303_enAvc fdt 201303_en
Avc fdt 201303_enAnatoliy Tkachev
 
IE Exploit Protection
IE Exploit ProtectionIE Exploit Protection
IE Exploit ProtectionKim Jensen
 
Avc fdt 201209_en
Avc fdt 201209_enAvc fdt 201209_en
Avc fdt 201209_enAnatoliy Tkachev
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireGlobal Knowledge Training
 
Avc prot 2012b_en
Avc prot 2012b_enAvc prot 2012b_en
Avc prot 2012b_enAnatoliy Tkachev
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web securityxKinAnx
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonStefan Streichsbier
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
Security at the Breaking Point: Rethink Security in 2013
Security at the Breaking Point: Rethink Security in 2013 Security at the Breaking Point: Rethink Security in 2013
Security at the Breaking Point: Rethink Security in 2013 Skybox Security
 
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...Skybox Security
 
Presentation cisco cloud security strategy
Presentation cisco cloud security strategyPresentation cisco cloud security strategy
Presentation cisco cloud security strategyxKinAnx
 
Cisco's 2016 Annual Security report
Cisco's 2016 Annual Security reportCisco's 2016 Annual Security report
Cisco's 2016 Annual Security reportCisco Canada
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
IronPort
IronPortIronPort
IronPortNetwax Lab
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
инструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программинструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программbelhonka
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security ArchitectureCisco Canada
 
Symantec Web Security Solutions
Symantec Web Security SolutionsSymantec Web Security Solutions
Symantec Web Security SolutionsSymantec
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...Mail.ru Group
 
iViZ Profile
iViZ ProfileiViZ Profile
iViZ ProfileiViZ Security
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroudUT, San Antonio
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
IRJET-Design and Implementation of Efficient Adder using Various Logic Styles
IRJET-Design and Implementation of Efficient Adder using Various Logic StylesIRJET-Design and Implementation of Efficient Adder using Various Logic Styles
IRJET-Design and Implementation of Efficient Adder using Various Logic StylesIRJET Journal
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...Kaspersky
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 

Más contenido relacionado

La actualidad más candente

Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonStefan Streichsbier
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
Security at the Breaking Point: Rethink Security in 2013
Security at the Breaking Point: Rethink Security in 2013 Security at the Breaking Point: Rethink Security in 2013
Security at the Breaking Point: Rethink Security in 2013 Skybox Security
 
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...Skybox Security
 
Presentation cisco cloud security strategy
Presentation cisco cloud security strategyPresentation cisco cloud security strategy
Presentation cisco cloud security strategyxKinAnx
 
Cisco's 2016 Annual Security report
Cisco's 2016 Annual Security reportCisco's 2016 Annual Security report
Cisco's 2016 Annual Security reportCisco Canada
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
инструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программинструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программbelhonka
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security ArchitectureCisco Canada
 
Symantec Web Security Solutions
Symantec Web Security SolutionsSymantec Web Security Solutions
Symantec Web Security SolutionsSymantec
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...Mail.ru Group
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
IRJET-Design and Implementation of Efficient Adder using Various Logic Styles
IRJET-Design and Implementation of Efficient Adder using Various Logic StylesIRJET-Design and Implementation of Efficient Adder using Various Logic Styles
IRJET-Design and Implementation of Efficient Adder using Various Logic StylesIRJET Journal
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...Kaspersky
 

La actualidad más candente (20)

Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} Hackathon
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
 
Security at the Breaking Point: Rethink Security in 2013
Security at the Breaking Point: Rethink Security in 2013 Security at the Breaking Point: Rethink Security in 2013
Security at the Breaking Point: Rethink Security in 2013
 
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
 
Presentation cisco cloud security strategy
Presentation cisco cloud security strategyPresentation cisco cloud security strategy
Presentation cisco cloud security strategy
 
Cisco's 2016 Annual Security report
Cisco's 2016 Annual Security reportCisco's 2016 Annual Security report
Cisco's 2016 Annual Security report
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
IronPort
IronPortIronPort
IronPort
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
инструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программинструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программ
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security Architecture
 
Symantec Web Security Solutions
Symantec Web Security SolutionsSymantec Web Security Solutions
Symantec Web Security Solutions
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
 
iViZ Profile
iViZ ProfileiViZ Profile
iViZ Profile
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
IRJET-Design and Implementation of Efficient Adder using Various Logic Styles
IRJET-Design and Implementation of Efficient Adder using Various Logic StylesIRJET-Design and Implementation of Efficient Adder using Various Logic Styles
IRJET-Design and Implementation of Efficient Adder using Various Logic Styles
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
 

Similar a Can consumer av products protect

Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesIşınsu Akçetin
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5DaveEdwards12
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!Parasoft
 
Session 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierSession 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierCTE Solutions Inc.
 
Building an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWSBuilding an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWSAmazon Web Services
 
Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015SLBdiensten
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationTI Safe
 
Cybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to KnowCybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to KnowKaseya
 
ATA meetup - Feb 2020 - DevSecOps
ATA meetup - Feb 2020 - DevSecOpsATA meetup - Feb 2020 - DevSecOps
ATA meetup - Feb 2020 - DevSecOpsAlex Altman
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 

Similar a Can consumer av products protect (20)

Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
 
Avc aph 201207_en
Avc aph 201207_enAvc aph 201207_en
Avc aph 201207_en
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint Security
 
BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!
 
Session 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierSession 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry Tessier
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
ESET on cybersecurity.
ESET on cybersecurity.ESET on cybersecurity.
ESET on cybersecurity.
 
Building an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWSBuilding an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWS
 
IBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorIBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - Ecuador
 
Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop Presentation
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
 
Cybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to KnowCybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to Know
 
ATA meetup - Feb 2020 - DevSecOps
ATA meetup - Feb 2020 - DevSecOpsATA meetup - Feb 2020 - DevSecOps
ATA meetup - Feb 2020 - DevSecOps
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 

Último

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Can consumer av products protect

  • 1. Analysis Brief August 15, 2012 Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities? Tested Products Avast Internet Security 7 AVG Internet Security 2012 Avira Internet Security 2012 CA Total Defense Internet Security Suite ESET Smart Security 5 F-Secure Internet Security 2012 Kaspersky Internet Security McAfee Internet Security 2012 Microsoft Security Essentials Norman Security Suite Pro Norton Internet Security 2012 Panda Internet Security 2012 Trend Micro Titanium + Internet Security This analysis brief was produced as part of NSS Labs’ independent testing information services. Leading vendors were selected for participation at no cost, and NSS Labs received no vendor funding to produce this analysis brief. 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
  • 2. Overview NSS Labs conducts significant research on the capabilities of endpoint protection (AV) products. As NSS researchers were preparing for the impending Consumer Endpoint Protection Group Test, two critical vulnerabilities against popular Microsoft products were disclosed. The first vulnerability resides within Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 and the second within Internet Explorer 8. Microsoft has since delivered critical patches for both CVE’s in June and July 2012, respectively. Unfortunately, exploits against both vulnerabilities are already being observed in the wild, and users that have not yet patched their systems are at risk. Many users who have not yet patched, or have delayed patching, assume their endpoint protection suite is defending their system in the interim. The mission of endpoint protection is to defend users against exploits and malware when a patch is not available or has not yet been applied. NSS Labs conducted testing on 13 popular consumer anti-virus (AV) products, to see how well they repelled attacks on systems not yet patched for the CVE-2012-1875 and CVE-2012-1889 vulnerabilities. Consumer-grade AV products that offer effective protection against these vulnerabilities allow users time to patch systems (particularly important in enterprise environments with “bring your own device” (BYOD) policies in place.) However, the successful exploitation of either of these critical vulnerabilities would reflect a significant product failure, especially given the high profile and critical nature of these vulnerabilities. Product HTTP HTTPS Overall Note Avast 100% 100% 100% Kaspersky 100% 100% 100% McAfee 100% 100% 100% Trend 100% 100% 100% ESET 100% 50% 75% HTTPS Problem Norton 100% 50% 75% HTTPS Problem AVG 100% 0% 50% HTTPS Problem Avira 100% 0% 50% HTTPS Problem F-Secure 50% 0% 25% HTTPS Problem Microsoft Security Essentials 50% 0% 25% HTTPS Problem Norman 25% 25% 25% Panda 25% 25% 25% CA Total Defense 50% 0% 25% HTTPS Problem Figure 1: Summary of Findings 2 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
  • 3. NSS Labs Findings: • Consumers who delay patching, or fail to patch more than their operating system alone, are at elevated risk of compromise. • Only 4 of the 13 products blocked all attacks; exploit prevention remains a challenge for most products. • More than half of the products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop AV / host intrusion prevention system (HIPS.) • Where BYOD policies are in place in enterprise environments, delays in patching leave corporate networks at serious risk of compromise. • NSS Labs researchers are not the only ones testing security products - criminal organizations also have sophisticated testing processes in order to determine which product detects which malware, and how the various products can be evaded. Some crimeware will include various one-click buttons to “Bypass Vendor X,” for example. NSS Labs Recommends: • Users of products that failed to block these attacks should update/patch immediately or otherwise mitigate. • Where feasible, do not rely on AV software alone to protect your system; install a HIPS product or “Internet security” suite (AV+HIPS) to provide an additional layer of protection. • Enterprises with BYOD policies should carefully monitor for unpatched systems and consider enforcing defense in depth strategies (“Internet security” suites, for example) on all BYOD systems. • Users of Gmail, Facebook, and other services that utilize HTTPS should consider endpoint protection (AV) products that can defend against threats being transported across this protocol. • Consumers should consider using patch management tools such as the Secunia Personal Software Inspector Analysis NSS Labs conducted testing on 13 popular consumer anti-virus (AV) products, to see how well they repelled attacks on systems not yet patched for the CVE-2012-1875 and CVE-2012-1889 vulnerabilities. The successful exploitation of either of these critical vulnerabilities can result in arbitrary remote code execution by the attacker, thus posing a significant threat to users. To test the antivirus products, NSS Labs researchers crafted one payload containing shellcode to launch calc.exe, and a second payload that invoked a reverse Meterpreter shell over HTTPS. Additional testing was done to see if the products could easily be disabled upon successful exploitation of the vulnerability and if basic obfuscation tactics would defeat protection. Raw exploits were augmented with common evasion tactics, such as Base 64, Unicode, and JavaScript encoding. In addition to attacks over HTTP, NSS Labs also used the HTTPS protocol. 3 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
  • 4. Three distinct patterns of capabilities begin to emerge throughout this test. However a much more comprehensive end-point protection test, scheduled for completion later this year, will provide a better indication of comparative capabilities of the products. One surprising finding was that Base 64, Unicode, and JavaScript encoding failed to trip up antivirus products as they have in previous NSS Labs tests. NSS Labs researchers will include several more evasions in the end- point product tests later this year. Basic Exploit Protection The first test was to see which products could block the exploitation of two recent, high-risk vulnerabilities and identify at which stage the product stopped the attack. Did the product block the exploit from triggering the vulnerability or simply the content delivered by the exploit? Avast, AVG, Avira, ESET, Kaspersky, McAfee, Norton, and Trend Micro all blocked both attacks against CVE-2012-1889 when NSS engineers attempted to exploit the two vulnerabilities. Avast AVG Avira CA ESET F-Secure CVE-2012-1875-calc CVE-2012-1875-reverse shell Kaspersky CVE-2012-1889-calc McAfee CVE-2012-1889-reverse shell Microsoft Norman Norton Panda Trend 0% 25% 50% 75% 100% Figure 2: Exploits Delivered Via HTTP F-Secure blocked both exploits against CVE-2012-1889 while failing to prevent either exploit against CVE-2012- 1875. Conversely, CA and Microsoft blocked both attacks against CVE-2012-1875, while failing to prevent either exploit against CVE-2012-1889. Norman and Panda also failed to prevent both exploits against CVE-2012- 4 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
  • 5. 1889 and blocked only one of the two exploits against CVE-2012-1875, indicating that their protection relies on detecting the malicious content being delivered after an exploit has successfully compromised the system as opposed to preventing the exploit itself. The World Is Going To HTTPS / SSL In addition to banking and e-commerce sites, HTTPS is being used exclusively by some of the most popular Internet-based applications such as Google’s webmail service, Gmail. For the next phase NSS Labs researchers transmitted the exploits over an encrypted channel using the HTTPS protocol. In these tests, only Avast, Kaspersky, McAfee, and Trend Micro successfully blocked both exploits while nine (9) of the 13 products fully or partially failed to protect the victim. Avast AVG Avira CA ESET F-Secure CVE-2012-1875-calc CVE-2012-1875-reverse shell Kaspersky CVE-2012-1889-calc McAfee CVE-2012-1889-reverse shell Microsoft Norman Norton Panda Trend 0% 25% 50% 75% 100% Figure 3: Exploits Delivered Via HTTPS AVG, Avira, CA, F-secure, and Microsoft failed to block any of the exploits, even though they had partial, or even complete, success in blocking the same attack when delivered over HTTP, indicating a failure to implement protection against exploits delivered via HTTPS. ESET and Norton failed to block both attacks against CVE- 2012-1875 when delivered via HTTPS, indicating a flaw in how the products handle attacks delivered via HTTPS against the browser itself. 5 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
  • 6. Where attackers elect to use SSL, it is quite possible that even known malware will slip past the faulty intrusion prevention found in these products. En Garde Once an endpoint defense mechanism of any kind has been bypassed, the next step taken by most attackers is to attempt to disable it completely. This would, for example, enable further malicious software to be downloaded without risk of it being detected by the protection mechanism. There are significant differences in the abilities of market-leading products to defend themselves against being disabled. Unfortunately both Microsoft and CA offerings presented virtually no defensive capabilities. Both products could be disabled with a simple “kill” command. Other products presented varying degrees of resilience and full details will be in the reports of the EPP testing results in late 2012. The Good, The Bad, And The Ugly Avast, Kaspersky, McAfee, and Trend were able to block all four attempted exploits when delivered via HTTP or HTTPS protocols. ESET and Norton both blocked the four initial attacks, but when HTTPS was added to the mix they failed to block either attack exploiting CVE-2012-1875. AVG and Avira both blocked all four attempted exploits, but were unable to deal with the HTTPS variations. Avast AVG CVE-2012-1875-calc-HTTP Avira CVE-2012-1875-reverse shell-HTTP CA ESET CVE-2012-1889-calc-HTTP F-Secure CVE-2012-1889-reverse shell-HTTP Kaspersky McAfee CVE-2012-1875-calc-HTTPS Microsoft CVE-2012-1875-reverse shell-HTTPS Norman Norton CVE-2012-1889-calc-HTTPS Panda Trend CVE-2012-1889-reverse shell-HTTPS 0% 20% 40% 60% 80% 100% Figure 4: Combined Results 6 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com
  • 7. CA, Microsoft, Norman, and Panda, were all able to block only two of the eight total variations of the attacks. While Norman and Panda only blocked one exploit over HTTP, the same exploit was blocked over HTTPS, indicating that HTTPS does not appear to be an issue for either product. The combinations of failures and successes are dramatic and necessitate further research. It is clear that many of the products are not blocking exploits. However, more testing is required to determine if those that scored well in this test had signatures for calc.exe and Meterpreter traffic, or actually block the exploits regardless of payload. The failure to deal with HTTPS would seem conclusive, but NSS Labs will further validate the results in more comprehensive testing that will include a several more exploits and a battery of new and existing malware, both known and unknown to the products under test. ©2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: The information in this brief is subject to change by NSS Labs without notice. The information in this brief is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this brief are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY THE NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. This brief does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this brief. All trademarks, service marks, and trade names used in this brief are the trademarks, service marks, and trade names of their respective owners. 7 6207 Bee Caves Road, Suite 350 • Austin, TX 78746 • 512.961.5300 • www.nsslabs.com