AV industry fails to cover the basics

NSS Labs released two test reports of endpoint protection products which reveal new shortcomings in these widely deployed products. They cover multi-vector attacks (malware delivered from the web, email, network file sharing and USB flash drives), memory-only attacks, and anti-evasion techniques.

Key findings from the reports show:

• Malware caught via one entry point may not be detected when introduced via another entry point. E.g. malware that is detected via a web download could be missed if downloaded from a USB drive or network file server.
• Products missed between 10% and 60% of the evasions typically used by cybercriminals.
• Less than a third of the tested vendors had protection for memory-only malware, leaving a significant evasion gap in their products.

All of the products tested had been certified by multiple organizations. However, traditional antivirus test and certification labs are simply not performing this level of gloves-off testing.

Enterprises basing purchasing decisions off such vendor-funded reports are therefore blind to the holes in their endpoint security defenses.

“IT organizations worldwide have a false sense of security in part due to tests that have been too easy,” said Vik Phatak, CTO, NSS Labs. “Our test results point towards the need for more realistic testing based on what cybercriminals are actually doing to breach corporate defenses.”

The tested products:

• AVG Internet Security Business Edition
• ESET Smart Security Enterprise
• F-Secure Client Security for Business
• Kaspersky Business Space Security with Internet Security
• McAfee Total Protection for Endpoint
• Norman Endpoint Protection
• Panda Internet Security (Enterprise)
• Sophos Endpoint Security and Control
• Symantec Endpoint Protection
• Trend Micro OfficeScan Plus IDF Plug-in.