Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?




ANALYST BRIEF

Author: Randy Abrams

Tested Products:
Avast Internet Security 7
AVG Internet Security 2012
Avira Internet Security 2012
CA Total Defense Internet Security Suite
ESET Smart Security 5
F-Secure Internet Security 2012
Kaspersky Internet Security
McAfee Internet Security 2012
Microsoft Security Essentials
Norman Security Suite Pro
Norton Internet Security 2012
Panda Internet Security 2012
Trend Micro Titanium + Internet Security

Overview

NSS Labs conducts significant research on the capabilities of endpoint protection (AV) products. As NSS researchers were preparing for the impending Consumer Endpoint Protection Group Test, two critical vulnerabilities against popular Microsoft products were disclosed. The first vulnerability resides within Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 and the second within Internet Explorer 8. Microsoft has since delivered critical patches for both CVEs in June and July 2012, respectively. Unfortunately, exploits against both vulnerabilities are already being observed in the wild, and users that have not yet patched their systems are at risk.

Many users who have not yet patched, or have delayed patching, assume their endpoint protection suite is defending their system in the interim. The mission of endpoint protection is to defend users against exploits and malware when a patch is not available or has not yet been applied. NSS conducted testing on 13 popular consumer anti-virus (AV) products to see how well they repelled attacks on systems not yet patched for the CVE-2012-1875 and CVE-2012-1889 vulnerabilities. Consumer-grade AV products that offer effective protection against these vulnerabilities allow users time to patch systems (particularly important in enterprise environments with bring your own device (BYOD) policies in place). However, the successful exploitation of either of these critical vulnerabilities would reflect a significant product failure, especially given the high profile and critical nature of these vulnerabilities.
Product                         HTTP   HTTPS  Overall  Note
Avast                           100%   100%   100%
Kaspersky                       100%   100%   100%
McAfee                          100%   100%   100%
Trend                           100%   100%   100%
ESET                            100%    50%    75%    HTTPS Problem
Norton                          100%    50%    75%    HTTPS Problem
AVG                             100%     0%    50%    HTTPS Problem
Avira                           100%     0%    50%    HTTPS Problem
F-Secure                         50%     0%    25%    HTTPS Problem
Microsoft Security Essentials    50%     0%    25%    HTTPS Problem
Norman                           25%    25%    25%
Panda                            25%    25%    25%
CA Total Defense                 50%     0%    25%    HTTPS Problem

Figure 1: Summary of Findings

NSS Labs Findings

- Consumers who delay patching, or fail to patch more than their operating system alone, are at elevated risk of compromise.
- Only 4 of the 13 products blocked all attacks; exploit prevention remains a challenge for most products.
- More than half of the products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop AV / host intrusion prevention system (HIPS).
- Where BYOD policies are in place in enterprise environments, delays in patching leave corporate networks at serious risk of compromise.
- NSS researchers are not the only ones testing security products: criminal organizations also have sophisticated testing processes in order to determine which product detects which malware, and how the various products can be evaded. Some crimeware will include various one-click buttons to "Bypass Vendor X", for example.

NSS Labs Recommendations

- Users of products that failed to block these attacks should update/patch immediately or otherwise mitigate.
- Where feasible, do not rely on AV software alone to protect your system; install a HIPS product or Internet security suite (AV+HIPS) to provide an additional layer of protection.
- Enterprises with BYOD policies should carefully monitor for unpatched systems and consider enforcing defense in depth strategies (Internet security suites, for example) on all BYOD systems.
- Users of Gmail, Facebook, and other services that utilize HTTPS should consider endpoint protection (AV) products that can defend against threats being transported across this protocol.
- Consumers should consider using patch management tools such as the Secunia Personal Software Inspector.

Analysis

NSS conducted testing on 13 popular consumer anti-virus (AV) products to see how well they repelled attacks on systems not yet patched for the CVE-2012-1875 and CVE-2012-1889 vulnerabilities. The successful exploitation of either of these critical vulnerabilities can result in arbitrary remote code execution by the attacker, thus posing a significant threat to users.

To test the antivirus products, NSS researchers crafted one payload containing shellcode to launch calc.exe, and a second payload that invoked a reverse Meterpreter shell over HTTPS. Additional testing was done to see if the products could easily be disabled upon successful exploitation of the vulnerability and if basic obfuscation tactics would defeat protection. Raw exploits were augmented with common evasion tactics, such as Base64, Unicode, and JavaScript encoding. In addition to attacks over HTTP, NSS also used the HTTPS protocol.

Three distinct patterns of capabilities begin to emerge throughout this test. However, a much more comprehensive endpoint protection test, scheduled for completion later this year, will provide a better indication of the comparative capabilities of the products. One surprising finding was that Base64, Unicode, and JavaScript encoding failed to trip up antivirus products as they have in previous NSS tests. NSS researchers will include several more evasions in the endpoint product tests later this year.

Basic Exploit Protection

The first test was to see which products could block the exploitation of two recent, high-risk vulnerabilities and identify at which stage the product stopped the attack. Did the product block the exploit from triggering the vulnerability, or simply the content delivered by the exploit? Avast, AVG, Avira, ESET, Kaspersky, McAfee, Norton, and Trend Micro all blocked both attacks against CVE-2012-1889 when NSS engineers attempted to exploit the two vulnerabilities.
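The brief names Base64, Unicode and JavaScript encoding as the evasions layered onto the raw exploits, and notes that in this round they did not trip up the products. The Python below is an added example, not code from the NSS Labs brief or from any product tested, showing from the detection side why those encodings matter: a literal content signature stops matching as soon as the same text is Base64-encoded, %uHHHH-escaped or written as JavaScript \xHH escapes, while a matcher that normalizes those layers first still fires. The marker string CONSTRUCTED-TEST-MARKER stands in for whatever a signature would look for, the page fragments are constructed for this example, and the Base64 detection is a heuristic (runs of 16 or more Base64 characters that decode to printable text), which is a deliberate trade-off between coverage and false decodes.

```python
"""Added example (not from the NSS Labs brief): a literal signature matcher
beside one that normalizes Base64, %uHHHH/percent and JavaScript string
escapes before matching, run over constructed sample page fragments.
The marker and the fragments are constructed for this example."""
import base64
import re
import urllib.parse

# Constructed marker standing in for the pattern a content signature looks for.
MARKER = "CONSTRUCTED-TEST-MARKER"


def naive_match(content: str, marker: str = MARKER) -> bool:
    """Literal match only, which is how a raw content signature behaves."""
    return marker in content


def _decode_js_escapes(s: str) -> str:
    """Resolve \\xHH and \\uHHHH escapes as found in JavaScript string literals."""
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def _decode_percent(s: str) -> str:
    """Resolve %uHHHH (JavaScript escape()) sequences, then standard %HH ones."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_base64_blobs(s: str) -> str:
    """Replace Base64-looking runs with their decoded text when that text is
    printable; anything else is left untouched. Heuristic: short or binary
    blobs are skipped on purpose to limit false decodes."""
    def repl(m):
        blob = m.group(0)
        if len(blob) % 4:
            return blob
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return blob
        return text if all(c.isprintable() or c.isspace() for c in text) else blob
    return _B64_RUN.sub(repl, s)


_DECODERS = (_decode_js_escapes, _decode_percent, _decode_base64_blobs)


def normalize(content: str, max_rounds: int = 3) -> str:
    """Apply the decoders until the text stops changing, bounded so nested
    encodings are peeled a few layers deep without looping forever."""
    for _ in range(max_rounds):
        before = content
        for decode in _DECODERS:
            content = decode(content)
        if content == before:
            break
    return content


def normalized_match(content: str, marker: str = MARKER) -> bool:
    """Match the marker against the normalized form of the content."""
    return marker in normalize(content)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed page fragments: the same marker delivered raw and under each
# of the encodings named in the brief.
SAMPLES = {
    "raw": '<script>var p = "%s";</script>' % MARKER,
    "base64": '<script>var p = atob("%s");</script>' % _b64(MARKER),
    "js_hex": '<script>var p = "%s";</script>'
              % "".join("\\x%02x" % ord(c) for c in MARKER),
    "percent_u": '<script>var p = unescape("%s");</script>'
                 % "".join("%%u%04x" % ord(c) for c in MARKER),
}


def evaluate(samples: dict) -> dict:
    """Return {name: (naive_hit, normalized_hit)} for each sample."""
    return {name: (naive_match(c), normalized_match(c)) for name, c in samples.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate(SAMPLES).items():
        print(f"{name:10s} naive={naive!s:5s} normalized={normalized}")
```

Only the raw fragment trips the literal matcher; all four trip the normalizing one. Real scanners add many more decoders (script emulation, HTML entity decoding, compression), but the shape is the same: decode to a canonical form first, then match.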

[Figure 2: Exploits Delivered via HTTP. Bar chart of per-product block results (0% to 100%) for CVE-2012-1875-calc, CVE-2012-1875-reverse shell, CVE-2012-1889-calc, and CVE-2012-1889-reverse shell across Avast, AVG, Avira, CA, ESET, F-Secure, Kaspersky, McAfee, Microsoft, Norman, Norton, Panda, and Trend.]

F-Secure blocked both exploits against CVE-2012-1889 while failing to prevent either exploit against CVE-2012-1875. Conversely, CA and Microsoft blocked both attacks against CVE-2012-1875, while failing to prevent either exploit against CVE-2012-1889. Norman and Panda also failed to prevent both exploits against CVE-2012-1889 and blocked only one of the two exploits against CVE-2012-1875, indicating that their protection relies on detecting the malicious content being delivered after an exploit has successfully compromised the system, as opposed to preventing the exploit itself.

The World Is Going to HTTPS/SSL

In addition to banking and e-commerce sites, HTTPS is being used exclusively by some of the most popular Internet-based applications, such as Google's webmail service, Gmail. For the next phase NSS researchers transmitted the exploits over an encrypted channel using the HTTPS protocol. In these tests, only Avast, Kaspersky, McAfee, and Trend Micro successfully blocked both exploits, while nine (9) of the 13 products fully or partially failed to protect the victim.

[Figure 3: Exploits Delivered via HTTPS. Bar chart of per-product block results (0% to 100%) for the same four exploit variants (CVE-2012-1875-calc, CVE-2012-1875-reverse shell, CVE-2012-1889-calc, CVE-2012-1889-reverse shell) across the thirteen products.]

AVG, Avira, CA, F-Secure, and Microsoft failed to block any of the exploits, even though they had partial, or even complete, success in blocking the same attack when delivered over HTTP, indicating a failure to implement protection against exploits delivered via HTTPS. ESET and Norton failed to block both attacks against CVE-2012-1875 when delivered via HTTPS, indicating a flaw in how the products handle attacks delivered via HTTPS against the browser itself. Where attackers elect to use SSL, it is quite possible that even known malware will slip past the faulty intrusion prevention found in these products.

En Garde

Once an endpoint defense mechanism of any kind has been bypassed, the next step taken by most attackers is to attempt to disable it completely. This would, for example, enable further malicious software to be downloaded without risk of it being detected by the protection mechanism. There are significant differences in the abilities of market-leading products to defend themselves against being disabled. Unfortunately, both the Microsoft and CA offerings presented virtually no defensive capabilities. Both products could be disabled with a simple kill command.

Other products presented varying degrees of resilience; full details will be in the reports of the EPP testing results in late 2012.

The Good, the Bad, and the Ugly

Avast, Kaspersky, McAfee, and Trend were able to block all four attempted exploits when delivered via HTTP or HTTPS protocols. ESET and Norton both blocked the four initial attacks, but when HTTPS was added to the mix they failed to block either attack exploiting CVE-2012-1875. AVG and Avira both blocked all four attempted exploits, but were unable to deal with the HTTPS variations.

[Figure 4: Combined Results. Bar chart of per-product block results (0% to 100%) for all eight variations: CVE-2012-1875-calc, CVE-2012-1875-reverse shell, CVE-2012-1889-calc, and CVE-2012-1889-reverse shell, each delivered over HTTP and over HTTPS.]

CA, Microsoft, Norman, and Panda were all able to block only two of the eight total variations of the attacks. While Norman and Panda only blocked one exploit over HTTP, the same exploit was blocked over HTTPS, indicating that HTTPS does not appear to be an issue for either product.

The combinations of failures and successes are dramatic and necessitate further research. It is clear that many of the products are not blocking exploits. However, more testing is required to determine if those that scored well in this test had signatures for calc.exe and Meterpreter traffic, or actually block the exploits regardless of payload. The failure to deal with HTTPS would seem conclusive, but NSS will further validate the results in more comprehensive testing that will include several more exploits and a battery of new and existing malware, both known and unknown to the products under test.

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

© 2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.