Anti-virus Products Mostly Ignore Windows Security Features

I recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines defense built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

As I wrote last month:

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operating system, and they’re designed to make it difficult for attackers to develop reliable exploits for vulnerabilities in Windows applications. As we saw last month, few top apps invoke the protections, but many readers may be surprised to learn that few anti-virus products have adopted these technologies.

I installed the trial versions of a dozen top anti-virus and security suites on a virtual machine running Windows Vista, and then checked each product’s executable files using Microsoft’s excellent process Explorer tool, which provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR.

Among the anti-virus products that used neither ASLR nor DEP were AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010.

Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista (although interestingly it does not invoke DEP on Windows XP). Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite. For example, McAfee Internet Security’s “mcagent.exe” program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR (since these tests were run, McAfee has changed the trial version of MIS available on its site, and the company sent me a screen shot that shows DEP and ASLR on all running processes in that version).

Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. Kaspersky Internet Security had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components.

To be sure, DEP and ASLR are not panaceas: Security researchers have come up with a number of clever ways to bypass these protection mechanisms. Still, it’s interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders. Second, anti-virus products are not immune to a number of clever ways to bypass these protection mechanisms

I sought comment from all of the anti-virus vendors whose products I examined (except for Microsoft) and received a few responses. Most either downplayed the usefulness of the two technologies in combating today’s threats, or said that they planned to implement the protections in upcoming releases.

Mikko Hypponen from F-Secure said that “adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we’ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.”

Pedro Bustamante, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favor of their own technology “to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.”

Bustamante continued: “These Microsoft technologies might be a good solution for certain types of more basic applications, but from our point of view are insufficient for an anti-malware product trying to get a more defense-in-depth approach to securing the whole OS and third party applications.”

Bitdefender said it plans to incorporate DEP and ASLR in its 2011 suite of products.

Symantec’s director of product management, Dan Nadir, said Norton Internet Security 2010 does in fact include support for DEP (although my experiments with Process Explorer showed it was not enabled) and that the company is “evaluating possible support of ASLR in future versions of our products.”

The research team from ESET responded: “Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity come in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized…We will consider adding the features in the future, but not without extremely rigorous testing.”

Cloud AV Support Forum

At the same time we released Panda Cloud Antivirus Beta3 we also published a new website with two interesting new services; a Collective Intelligence Activity Monitor and user-driven Technical Support Forum.

I really encourage all of you to start using the Support Forums as we have our entire Cloud Antivirus project teams from support, QA and development participating and looking forward to interact with you guys.

Don’t be shy and visit our new support forum, drop us a note or let us know if you’re having any problems. Even if you simply want to say hello or drop suggestions for future versions, we’ll be happy to hear about it.

New Panda Cloud Antivirus Version Released

Panda Security has released version 1.3 of its Cloud Antivirus product, which adds several new features and contains many improvements and bug fixes.

The company was intent on making Panda Cloud Antivirus Free even more appealing to users, so the annoying pop-ups advertising the Pro edition were removed from the new version.

The free edition will also get automatic and transparent updates starting with 1.3. This feature was previously available only in the paid variant.

In the past, Could Antivirus Free users who wished to upgrade had to manually uninstall the old version and then install the new one.

Detection wise, the most important new feature of Panda Cloud Antivirus 1.3 is the Web filtering component, which leverages the company's threat intelligence services to block malicious websites.

However, in all fairness, this functionality is actually provided via a browser toolbar, which is bundled with the antivirus and can be unchecked during the installation process.

The toolbar can also be downloaded and installed separately, but leaving the packaging aspect aside, the feature is there and works in Internet Explorer, Firefox, Chrome and Safari.

In addition, with new version the company can push updates for behavioral blocking rules much easier, allowing it to provide protection for new threats and address false positive incidents faster.

The recycle bin and the quarantine features have been unified for easier management and some new detection counters have been added to the statistics window.

The company plans to start pushing the new version automatically to people who are still using Panda Cloud Antivirus 1.1 or 1.2.

However,1.0 users will have to wait a few more weeks for an automatic update solution. In the meantime, anyone can manually upgrade to 1.3.

The only remaining differences between Panda Cloud Antivirus Free and Pro editions is VIP support, behavioral analysis - this is not the same as behavioral blocking, which is available in both - and automatic USB device vaccination.

Source : Softpedia

©2009 Antivirus Support | by TNB