Are anti-malware solutions good enough?

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,354
A new study reveals that anti-malware solutions are not as good as first thought, with most unable to detect new 'in the wild' malware. But some of the vendors in question have hit back.

Delta Testing, a specialist in anti-malware testing methodologies and research, released a new report on Thursday highlighting shortcomings in the detection rates of leading players in the advanced threat solution market.

In its report, the company found a 'significant' discrepancy between the seven vendors tested, with FireEye the top-performing vendor with its NX7500 product detecting 99.14 percent of new threats. Others were not quite as efficient: Fidelis solutions (XPS Edge 200, XPS Sensor, XPS Command Post) detected just 5.17 percent of malware.

Delta Testing said that rather than testing blackbox systems against legacy malware like viruses, worms and malware repositories, it looked for 'in the wild' malware sourced from the firm's network of incident response teams, security researchers and organisations that have been breached.

“By using malicious code already in the wild, yet recent enough that no signatures currently exist, products are exposed to an unpredictable environment,” said the firm in a press release, adding that this approach of using malicious malware code with packet captures was better than testing against ‘synthetic' lab-approved malware.

In the test, packet captures were stripped of customer data and replayed through the latest published software version of the solutions. The tested products were given time to analyse the packets in their virtualised environments, or to perform look-ups via threat intelligence or in the cloud.

Each product's interface was subsequently checked to see if an alert had been triggered to determine detection, and detection rates were calculated as percentages by dividing the total number of detections by the number of samples sent.



Mark Thomas, commercial director, Delta Testing, said that the results prove that malware defences are always reactive to threat actors.

“It would appear that most mainstream vendors are on par when it comes to previously known attacks. However, as soon as you move towards a methodology that exposes the products to fresh malware samples taken from actual customer environments, detection rates start to show significant variations based on the technology and detection methodology used by the vendor,” he said in an email.

“While only one malware sample tested was missed by all seven products, the fact that no vendor scored 100 percent in identifying all of the samples shows that some attacks are still getting through the net. To meet the shortfall, organisations need to consider a holistic approach to security which doesn't just rely on detection but addresses threat prevention and response tactics too.”

But speaking to SCMagazineUK.com before the report was announced, Thomas said that the evolution of malware is hard to keep up with as it is 'cat and mouse', but stressed that some of the solutions will evolve, or will improve detection when paired with other products.

As an example, he pointed to Fidelis solutions, which he said were stronger on preventing data exfiltration, and to McAfee's, which gave a 'fuller picture' when working with IPS.

He said that cyber-criminals are increasingly hiding their activities using encryption, and are often ‘kicking off the process' by exploiting vulnerabilities in Java or JavaScript, before moving to a second-stage of a remote access Trojan (RAT) which reports back to command and control (C&C) servers.

“If CISOs are looking at this, a co-ordinated threat prevention strategy has to be front of mind,” said Thomas, adding that they too would need to be diligent in looking at information sources and case studies before buying solutions.

“If someone is looking at this, they need to consider a more holistic approach and that is not just about detection. It shouldn't be taken in isolation is the story.”

But some of the named security vendors hit back at the study's results with Trend Micro VP of security research Rik Ferguson telling SCMagazineUK.com that FireEye's involvement as sponsor raised questions about its credibility.

“Yes, 'FireEye-sponsored test gives FireEye the lead' is a slightly less credible and slightly more realistic headline I think,” he said in an email to SC, before later tweeting FireEye directly to say that the test “smacks of desperation.”

“To be honest, independent and unsponsored testing does not bear out the conclusions of this PR exercise at all,” he said pointing to the recent NSS Labs Breach Detection Comparison Report.

“Quite aside from testing, what really counts is the value that is returned to the user of these technologies, and the fact that we are consistently winning head-to-head deals against every other BDS (Breach Detection System) vendor is proof enough for me (of the validity of) our coverage of more than 80 different protocols and applications on all network ports, using customisable, on-site sandboxing and our deep integration with other industry leading technologies such as TippingPoint, QRadar, ArcSight and Splunk, all while achieving independently tested and verified industry-leading protection.”

Other companies in the test had not responded to our requests for comment at the time of writing. We will update this article if/when we receive this information.
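The scoring step the article describes (check each product's console for an alert per replayed sample, divide detections by samples sent) is small enough to write down. The following is an added example, not code from the article, Delta Testing or any vendor: it scores a constructed results table, lists the samples no product alerted on, and checks whether any product reached 100 percent, which are the two figures the quoted findings rest on. Vendor names, sample identifiers and counts are placeholders.

```python
"""Scoring harness for a replay-style detection test.

Added example (not from the article or the report it describes): each
product is credited with a detection when it alerted on a replayed sample,
and its rate is detections / samples sent, expressed as a percentage.
"""
from dataclasses import dataclass

# Constructed sample identifiers and per-vendor alert observations.
# Vendor names and every number here are placeholders, not the report's data.
SAMPLES = ["pcap-001", "pcap-002", "pcap-003", "pcap-004", "pcap-005", "pcap-006"]

ALERTS = {
    "vendor-A": {"pcap-001", "pcap-002", "pcap-003", "pcap-004", "pcap-005"},
    "vendor-B": {"pcap-001", "pcap-003"},
    "vendor-C": {"pcap-001", "pcap-002", "pcap-004"},
}


@dataclass(frozen=True)
class VendorResult:
    vendor: str
    detected: int
    sent: int

    @property
    def rate_percent(self) -> float:
        return round(100.0 * self.detected / self.sent, 2)


def score_vendors(samples, alerts):
    """Detection rate per vendor, highest first."""
    sent = set(samples)
    results = []
    for vendor, seen in alerts.items():
        # Only alerts on samples that were actually replayed count; an alert
        # on anything else is console noise, not a detection.
        detected = len(seen & sent)
        results.append(VendorResult(vendor, detected, len(sent)))
    return sorted(results, key=lambda r: r.rate_percent, reverse=True)


def missed_by_all(samples, alerts):
    """Samples that no product alerted on (the article reports exactly one)."""
    detected_somewhere = set().union(*alerts.values())
    return [s for s in samples if s not in detected_somewhere]


def any_perfect(results):
    """True if at least one product alerted on every sample sent."""
    return any(r.detected == r.sent for r in results)


if __name__ == "__main__":
    ranked = score_vendors(SAMPLES, ALERTS)
    for r in ranked:
        print(f"{r.vendor}: {r.detected}/{r.sent} = {r.rate_percent}%")
    print("missed by all:", missed_by_all(SAMPLES, ALERTS))
    print("any product at 100%:", any_perfect(ranked))
```

Restricting credit to alerts on replayed samples matters: a product that alerts on everything would otherwise look perfect, which is the false-positive side of the picture the article's rates do not show.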
 

tonibalas

Level 40
Verified
Honorary Member
Top Poster
Well-known
Sep 26, 2014
2,973
To meet the shortfall, organisations need to consider a holistic approach to security which doesn't just rely on detection but addresses threat prevention and response tactics too.”
I believe this line says it all ;), security companies need to evolve :)

Thanks again Petrovic for providing us a very useful article, keep up the great work ;)
 
Reactions: Ali80 and Tony Cole

Tony Cole

Level 27
Verified
May 11, 2014
1,639
I just hope Kaspersky 2015 has evolved enough to keep me safe from today's malware and the world wide web, which I believe is by far the most dangerous place on earth.
 
Reactions: Ali80 and tonibalas

Cch123

Level 7
Verified
May 6, 2014
335
Clearly self-explanatory, that's why signatures are not enough and always alongside components to help better prevention and detection (BB, HIPS, and others).

All of these are enterprise grade hardware based products and they do not run on signatures. Almost all of them are sandbox/emulation/static analysis appliances. However, a thing to note is that these products, although very powerful and definitely far more advanced than consumer grade products, require skilled analysts to interpret their warnings and results. They can easily flood you with warnings and you need to differentiate actual threats from the sea of data. That was what caused the Target breach to go undetected. Their IT staff missed the warnings FireEye sent out about the malware attack.
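The alert-flood problem raised above, together with the exploit-then-RAT-callback chain the article's interview describes, is the kind of thing a short correlation pass can address. This is an added example, not code from the post, the article or any appliance: it reads constructed alert lines in a hypothetical four-column export format, collapses repeated identical alerts, and escalates only hosts where an exploit alert is followed by a callback alert within a fixed window.

```python
"""Reducing an appliance's alert flood to a short escalation list.

Added example (hypothetical alert format, constructed data): duplicate
alerts are collapsed per host, stage and detail, then hosts showing the
exploit -> callback chain within CHAIN_WINDOW are escalated ahead of
isolated single alerts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert export: timestamp, host, stage, detail. Not real data.
ALERT_LINES = """\
2014-12-18T09:00:01 host-11 exploit   java-drive-by
2014-12-18T09:00:01 host-11 exploit   java-drive-by
2014-12-18T09:00:05 host-11 exploit   java-drive-by
2014-12-18T09:02:40 host-11 callback  rat-beacon
2014-12-18T09:15:00 host-22 exploit   java-drive-by
2014-12-18T10:30:00 host-33 callback  rat-beacon
2014-12-18T11:00:00 host-44 exploit   java-drive-by
2014-12-18T14:00:00 host-44 callback  rat-beacon
"""

STAGE_ORDER = ["exploit", "callback"]   # first stage, then the one that must follow
CHAIN_WINDOW = timedelta(hours=1)        # max gap between the two stages


def parse_alerts(text):
    """Parse the hypothetical export into (time, host, stage, detail) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, stage, detail = line.split()
        alerts.append((datetime.fromisoformat(ts), host, stage, detail))
    return alerts


def dedupe(alerts):
    """Collapse identical (host, stage, detail) alerts into first time + count."""
    first = {}
    count = defaultdict(int)
    for ts, host, stage, detail in alerts:
        key = (host, stage, detail)
        first.setdefault(key, ts)
        count[key] += 1
    return {key: (first[key], count[key]) for key in first}


def escalate(deduped):
    """Hosts whose earliest exploit alert is followed by a callback within the window."""
    by_host = defaultdict(dict)
    for (host, stage, _detail), (ts, _n) in deduped.items():
        by_host[host][stage] = min(ts, by_host[host].get(stage, ts))
    chained = []
    for host, stages in by_host.items():
        if all(stage in stages for stage in STAGE_ORDER):
            gap = stages["callback"] - stages["exploit"]
            if timedelta(0) <= gap <= CHAIN_WINDOW:
                chained.append(host)
    return sorted(chained)


if __name__ == "__main__":
    raw = parse_alerts(ALERT_LINES)
    collapsed = dedupe(raw)
    print(f"{len(raw)} raw alerts -> {len(collapsed)} distinct")
    print("escalate first:", escalate(collapsed))
```

Here host-44 has both stages but three hours apart, so it stays in the ordinary queue rather than the escalation list; the window and stage names are tuning choices for the illustration, not values from any product.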
 

Ali80

Level 5
Verified
Nov 13, 2014
218
I agree with above comments...so I will not repeat what has already been said :)

However I must mention AV HEURISTIC ANALYSIS - Heuristic analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the "wild". Heuristic analysis is an expert based analysis that determines the susceptibility of a system towards a particular threat/risk using various decision rules or weighing methods. I must note that based on my experience none of today's antiviruses implements this method correctly. Heuristics as one of the layers of the protection is completely badly implemented. This technique really should catch the virus based on the technique of fingertips based on signatures. The word explains everything: "FINGERTIP" - "VIRUS FINGERTIP". As we all know: the heuristic technique is not the Behaviour Blocker technique. The BB technique is a lot better implemented and most of today's AVs show signs of progress in that area (Trend Micro for example). But the heuristic technique went in a completely wrong direction. With better implementation it can be a huge step forward.

Finally: Heuristic analysis should catch a virus before execution, while the Behaviour Blocker steps up on execution. Kaspersky puts a lot of effort in this field.
 
Last edited:
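To make concrete what "decision rules or weighing methods" applied before execution look like, here is an added example, not code from any antivirus product and not the poster's: a toy static heuristic scanner that extracts a few features (byte entropy, imported API names, embedded strings, presence of version info) from constructed inputs, adds the weights of the rules that fire, and only flags a file when the total crosses a threshold. All rule names, weights and the threshold are placeholders chosen for the illustration.

```python
"""Toy pre-execution heuristic scanner (added example, hypothetical tuning).

Rules are additive: one weak indicator on its own cannot reach THRESHOLD,
which is how a weighing scheme keeps a lone oddity from becoming a false
positive, while several independent indicators together do get flagged.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted bodies sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# (rule name, weight, predicate over the feature dict). Placeholder values.
RULES = [
    ("high-entropy-body",  3, lambda f: f["entropy"] > 7.0),
    ("no-version-info",    1, lambda f: not f["has_version_info"]),
    ("autorun-string",     3, lambda f: "autorun" in f["strings"]),
    ("downloads-payload",  2, lambda f: "URLDownloadToFile" in f["imports"]),
    ("remote-memory-api",  3, lambda f: {"VirtualAllocEx", "WriteProcessMemory"} <= f["imports"]),
]
THRESHOLD = 5


def extract_features(body: bytes, imports, strings, has_version_info):
    """Stand-in for a real static parser: callers hand over the metadata."""
    return {
        "entropy": shannon_entropy(body),
        "imports": set(imports),
        "strings": set(strings),
        "has_version_info": has_version_info,
    }


def score(features):
    """Return (total weight, names of rules that fired)."""
    fired = [name for name, _w, pred in RULES if pred(features)]
    total = sum(w for name, w, _pred in RULES if name in fired)
    return total, fired


def verdict(features):
    """'suspicious' when the weighted total reaches THRESHOLD, else 'clean'."""
    total, fired = score(features)
    return ("suspicious" if total >= THRESHOLD else "clean"), total, fired


# Constructed inputs: a packed-looking body with injection imports, and a
# plain installer that merely downloads something. Neither is a real file.
PACKED = extract_features(bytes(range(256)) * 4,
                          ["VirtualAllocEx", "WriteProcessMemory"],
                          ["autorun"], has_version_info=False)
INSTALLER = extract_features(b"Setup program text " * 100,
                             ["URLDownloadToFile"],
                             ["Software\\Vendor"], has_version_info=True)

if __name__ == "__main__":
    for label, feats in (("packed", PACKED), ("installer", INSTALLER)):
        print(label, verdict(feats))
```

The installer trips one rule worth 2 and stays clean; the packed sample trips four independent rules and is flagged before anything runs, which is the pre-execution role the post assigns to heuristics, as distinct from a behaviour blocker that only acts once the code executes.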

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Yes, Kaspersky does use heuristic analysis in its file antivirus, mail antivirus and web antivirus, something I have not seen in any other antivirus software.
 
Reactions: Ali80 and tonibalas

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
The thing is that any of us has a 0.0000001% (probably less) chance to encounter a real zero-day malware in real life, except if you're searching for one on purpose. Malware writers are relying on inexperienced, internet and computer/security uneducated people, and that's the real problem. Having an antivirus program is essential, but having common sense is more important.
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Yes, you're right @BoraMurdar. But we have to omit common sense if we want to help improve products (and inexperienced users also). :)
Of course, I agree that AV companies always need to have room for improvements. But no antivirus can teach you something like:
  • Oh, an untrusted website... let's open it to see what it has... (a Flash based website plays an animation that your PC is infected with a virus and automatically downloads/drops a file named "TheBestAntivirus2015.exe")
  • Oh my God!!! I have a virus on my PC?!?! This Kaspersky I'm having right now sucks!!! Let's remove this infection, that this website, which I see first time in my life, alarms me to!
  • Double click and BAM! Ransomware.
My point is, if you cannot protect yourself in the first place, no AV can protect you. Especially if you are reckless. The best security is from the chair to the mouse click.
 

Ali80

Level 5
Verified
Nov 13, 2014
218
My point is, if you cannot protect yourself in the first place, no AV can protect you. Especially if you are reckless. The best security is from the chair to the mouse click.
Yes, I fully agree with you :) Users should educate themselves about the dangers on the Internet. With solid knowledge and good antivirus it is difficult to get infected. And they have a chance ... just to visit MalwareTips site :D
 
Reactions: BoraMurdar

Tony Cole

Level 27
Verified
May 11, 2014
1,639
That's very true. My friend at university used a fake copy of Windows 7 and he was unable to get vital updates from Microsoft; he was always getting infected because of how stupid and reckless he was, until one day he was infected by ransomware and he lost two 4000 word essays.
 
