Testing reveals security software often misses new malware
New research has further confirmed the difficulties security software companies are having keeping up with an explosion in malicious software programs on the Internet.
Security software from major vendors can take an average of two days to block a Web site designed to attack a computer visiting it, according to the latest report from NSS Labs, which tested security software suites against fresh malware released on the Internet.
“The magnitude of these findings should be noting short of an alarming wake-up call for the security industry,” according to the report.
NSS Labs does independent security software testing. Unlike many other testing companies, it does not accept money from vendors for performing the tests, a stance that the company’s president Rick Moy says results in more accurate evaluations.
NSS Labs developed a test that mimics how average people browse the Web, finding potentially malicious Web sites and then visiting them with a Web browser. They then record how and when—or if at all—security software block the threats. The latest test was run 24 hours a day for nine days.
“We’ve done testing like the bad guys do,” Moy said. “If you’re not testing like the bad guys, what’s the point? We go out to the live Internet and find out what is circulating on malicious campaigns in real time.”
Enterprises are most at threat from fresh customized malware. Security companies share malware samples, but if no company sees or detects the malware, it could quietly circulate and potentially infect machines, stealing data. Even if it is undetected for a short period of time, it still is enough a window to infect a corporate network. As many as 50,000 new malicious programs are detected every day.
NSS Labs has chosen to reveal the worst-performing vendors of the 10 products they tested. NSS Labs puts the suites in three categories: “recommend,” which means a product performed well and should be used in an enterprise; “neutral,” which means a product performed reasonably well and should continued to be used if it is already in use; and “caution,” which means the product had poor test results and organizations using it should review their security posture.
NSS Labs rated AVG’s Internet Security Business Edition and Panda Security’s Internet Security as “caution.” The full results are contained in NSS Labs’ report, “Endpoint Protection Products Group Test Report, Socially-Engineered Malware,” which costs $495. Also covered in the report are Eset, F-Secure, Kaspersky, McAfee, Norman, Sophos, Symantec, Trend Micro.
Some security software vendors employ reputation systems in order to detect a malicious Web site, which usually involves checking a database of blacklisted Web sites. Those systems, however, are not widely used and are immature, NSS Labs said. Overall, it took vendors an average of 45.8 hours to block a site, if it was blocked at all, according to the report.
If a software suite did not block a bad Web site the first time, they continued to test the site against the software every eight hours to see how long it took a vendor to add protection. Times ranged from 4.62 hours for the best performing vendor to 71.01 hours for AVG and 92.48 hours for Panda.
Block rates varied depending on how long the malicious Web site has been active. The researchers have a “zero-hour” criteria where it checks whether the software can stop newly found sites. The results aren’t great. The best vendor was able to block new sites only 60.6 percent of the time. At the bottom end, AVG, Panda and Eset’s software could do that less than 44 percent of time.
Moy said security companies could make vast improvements in their ability to detect brand-new malware. For consumers and enterprises, buying the brand that takes out the largest ad space doesn’t necessarily equate to better security, he said.
Up to one-third of security software contracts change hands every year. “Enterprises are definitely dissatisfied with the protection,” Moy said. “They’re looking around.”