Antivirus Tools No Match for Different Attack Vectors

Report Release Date: March 2, 2011
Report Title: Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems Resulting from Malware Infections
Depending on the attack vector, some antivirus products fail to detect malware that tries to infect a computer.
Tests conducted by NSS Labs measured how effective security products are at detecting malware arriving through various attack vectors. Malware can reach a computer via rigged websites, email attachments, network file shares and USB flash drives, among other routes.
Although drive-by downloads remain the most common attack vector, about 15% of attacks arrive via email with a malicious attachment, such as a PDF document.
Quite a few security products let users download all of their email into their inbox by default without scanning it, even if it contains malware.
“Surprisingly, many products tested did not remove malware from the inbox by default,” according to the report, titled “Socially-engineered Malware Via Multiple Attack Vectors.”
Of the 10 products tested, the average protection rate was just 36%, the tests showed.
NSS Labs said if a company runs a centralized, server-based security product that integrates with the email servers, such as Microsoft’s Exchange or IBM’s Lotus Notes, it may remove the malware before it reaches an end user.
NSS Labs also found that products which did not scan email before it arrived in the inbox would scan an attachment only when the user chose to save it to disk. Measured at that point, the average protection rate improved to 74%, NSS Labs said.
Another possible infection vector is file servers, commonly used in organizations to share documents among users. But those file servers can become repositories for malware, allowing malicious programs to proliferate among a large number of users.
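The difference the report draws between scanning a message before it lands in the inbox and scanning only when the user saves an attachment is easiest to see in code. The following is an added example written for this page, not NSS Labs' test harness or any vendor's scanner: a minimal gateway-style check that parses a MIME message, pulls out every attachment and gives each a verdict from a hash blocklist, the file's leading bytes, and its declared extension. The message, the "known bad" sample and the blocklist are constructed for the demo (the sample is an inert byte string, not real malware).

```python
"""Gateway-style attachment scan of an RFC 5322 message (added example)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample and blocklist for the demo; not a real malware hash.
CONSTRUCTED_BAD_SAMPLE = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_BAD_SAMPLE).hexdigest()}

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta"}


def sniff_type(data: bytes) -> str:
    """Identify a few formats by their magic bytes, ignoring the file name."""
    if data.startswith(b"MZ"):
        return "pe"          # Windows PE executable or DLL
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"         # also OOXML documents such as .docx
    return "other"


def verdict_for(filename: str, data: bytes) -> tuple[str, str]:
    """Return (action, reason) for one attachment."""
    digest = hashlib.sha256(data).hexdigest()
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    kind = sniff_type(data)
    if digest in KNOWN_BAD_SHA256:
        return "block", "hash match"
    if kind == "pe":
        # Content wins over name: an MZ header under photo.jpg is still a PE.
        return "block", "PE executable content (MZ header) regardless of name"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {ext}"
    if ext == ".pdf" and kind != "pdf":
        return "quarantine", "extension/content mismatch"
    return "allow", "no indicator"


def scan_message(raw: bytes) -> list[dict]:
    """Parse a raw message and scan every attachment before delivery."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):                 # text/* parts decode to str
            data = data.encode(part.get_content_charset() or "utf-8", "replace")
        action, reason = verdict_for(name, data)
        findings.append({"filename": name,
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "action": action, "reason": reason})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message with four attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # 1: known-bad bytes hiding under a PDF name -> block (hash match)
    msg.add_attachment(CONSTRUCTED_BAD_SAMPLE, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # 2: a genuine-looking PDF -> allow
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    # 3: PE header under an image name -> block (content, not name)
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    # 4: .pdf name whose bytes are not a PDF -> quarantine for a closer look
    msg.add_attachment(b"not really a pdf", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f"{f['action']:10} {f['filename']:12} {f['reason']}")
```

Run at the mail gateway or Exchange transport layer, a check like this sees the attachment bytes before any client does; a product that only hooks the file system first sees them when the user saves the attachment, which is exactly the 36% versus 74% gap the tests measured. The same `verdict_for` function applies unchanged to files pulled from a network share.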
“While file servers should have their own anti-malware scanning, this often is not the case, and users must rely on local anti-malware security products to detect the downloaded files,” the report said.
The 10 products tested captured about 70% of the malware when downloaded from a file server, NSS Labs found.
The strongest aspect of most endpoint antivirus products is their ability to block malware and quarantine it. NSS Labs found that even if malware did make it onto a PC, most products performed well at containing it.
But one attack vector where most security companies are still lacking is detecting malicious payloads written only to memory, also known as single-use malware. Such malware can, for example, masquerade as a permitted DLL (Dynamic Link Library), skirting around the DEP (Data Execution Prevention) security feature in operating systems.
“This type of attack circumvents protections that lack behavioral analysis for these attacks,” NSS Labs wrote.

PS: The Repository for Industrial Security Incidents (RISI) records incidents of a cyber security nature that directly affect industrial Supervisory Control and Data Acquisition (SCADA) and process control systems. It is the largest known collection of incidents of this type. At the end of 2009, the database contained a total of 175 records.