As security products improve their abilities to detect cyber threats, criminals react by attempting to conceal malware by packaging it with a variety of technologies. This group test report analyzes some of the common methods used by cyber criminals to circumvent or evade detection by consumer anti-malware or Endpoint Protection Products (EPP).
Cyber criminals do not just develop one attack and move on. Rather, they seek to make their software usable for as long as possible. Evasion techniques allow known threats to circumvent detection by security products.
NSS Labs tested 13 popular endpoint security suites to measure their effectiveness in protecting Windows computers against evasions. Understanding which products cover the various evasion techniques is an important indicator of product quality, and one that consumers need to be aware of. Consumers, and enterprises that have implemented a bring your own device (BYOD) policy, who seek protection from attacks against desktop PCs and laptops should closely examine the results of this test.
The NSS Labs 2012 Exploit Protection Comparative Analysis Report has already demonstrated weaknesses in the abilities of most security products to detect a wide range of exploits. Evasion techniques provide an additional means for attackers to deliver the same exploits to the endpoint, and EPP products have traditionally proved poor at handling such techniques. However, this test indicates that vendors are beginning to take this threat seriously, since anti-evasion protection is greatly improved compared with previous tests.
The chart below ranks the products by the absolute number of test cases passed. It should be noted that products that block on execution, but not on download, still provide better protection for consumers than products that miss packed or compressed samples on execution.
Key Findings
Most vendors have dramatically improved their coverage for the basic evasions used in our testing as compared to NSS Labs testing in 2010.
Executable compressors are still problematic for some vendors.
Most vendors are not scanning standard compressors on download, and some are not scanning compressed executable payloads on download.
Microsoft exhibited the strongest anti-evasion capabilities.
Recommendations
Since patching helps to mitigate the impact of evasions, consumers should always keep their software current in addition to deploying endpoint security.
Consumers using products that do not inspect compressed software on download should contact their vendors for assistance in configuring their software to scan compressed files on download.
The most current browsers help block some malicious downloads, and should be used in favor of older browsers.
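As an added example (not from the NSS Labs report, and not any tested vendor's code), the following Python sketches the download-time check that the findings and recommendations describe: open standard compressed containers (ZIP here) before anything is executed, identify embedded Windows executables, and flag those whose byte entropy suggests an executable compressor. The entropy threshold, the nesting limit, and the nested sample archive are assumptions constructed for the demonstration; a real product would add more container formats and unpack rather than merely flag.

```python
"""Added example: download-time inspection of compressed containers for
packed executables. Not code from the report or from any tested product."""
import hashlib
import io
import math
import zipfile
from collections import Counter

PE_MAGIC = b"MZ"          # DOS header signature that every Windows PE file starts with
ENTROPY_THRESHOLD = 7.0   # assumed cut-off: packed or encrypted code is typically > 7 bits/byte
MAX_DEPTH = 3             # assumed limit on nested archives to avoid decompression bombs


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(name: str, data: bytes) -> dict:
    """Describe one leaf file: is it a PE, and does it look packed?"""
    is_pe = data[:2] == PE_MAGIC
    ent = shannon_entropy(data)
    return {
        "name": name,
        "is_executable": is_pe,
        "entropy": round(ent, 2),
        "likely_packed": is_pe and ent > ENTROPY_THRESHOLD,
    }


def inspect_download(payload: bytes, name: str = "<download>", depth: int = 0) -> list:
    """Recursively open ZIP containers and classify every leaf file inside."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(payload)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                findings.extend(
                    inspect_download(zf.read(info), f"{name}/{info.filename}", depth + 1)
                )
        return findings
    return [classify_blob(name, payload)]


def verdict(payload: bytes) -> list:
    """Names of embedded files that should be held back at download time."""
    return [f["name"] for f in inspect_download(payload) if f["likely_packed"]]


def _pseudo_random(n: int, seed: bytes = b"evasion-example") -> bytes:
    """Deterministic high-entropy bytes standing in for a packed code section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_download() -> bytes:
    """Constructed fixture: a ZIP nested in a ZIP, holding one packed-looking and one
    plain-looking executable stub plus a text file. No real program is involved."""
    packed_exe = PE_MAGIC + _pseudo_random(4096)
    plain_exe = PE_MAGIC + b"This program cannot be run in DOS mode.\r\n" * 100
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", packed_exe)
        zf.writestr("readme.txt", b"hello " * 200)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("tool.exe", plain_exe)
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_download()
    for finding in inspect_download(sample):
        print(finding)
    print("hold at download:", verdict(sample))
```

Run as-is it walks the constructed outer and inner archives and reports only the high-entropy executable; a product that scans the archive only after extraction, or not at all on download, is the gap the findings point at.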
Tested Products
Avast Pro Antivirus 7 7.0.1466
AVG Internet Security 2012 2012.0.2197
Avira Internet Security 2012 12.0.0.1127
ESET Smart Security 5 5.2.9.1
F-Secure Agent 1.57 Build 191, CUIF 10.01 build 32329, DAAS2 1.10 build 299
Kaspersky Internet Security 2012 12.0.0.374
McAfee Internet Security 11
Microsoft Security Essentials 4.0.1526.0
Norman Security Suite 9.00
Norton Internet Security 19.8.0.14
Panda Internet Security 2012 17.01.00
Total Defense Internet Security Suite 8.0.0.87
Trend Micro Titanium Maximum Security 6.0.1215
Download this unsponsored and independent report to see the full results.