SOURCE: NSS Labs

October 30, 2012 12:45 ET

NSS Labs Tests Show Leading Consumer End Point Protection Solutions Have Improved in Detecting Evasion Techniques

Testing Reveals Areas for Improvement, as Attacks Using Compression and Payload Packing Can Still Evade More Than Half of Solutions Tested

AUSTIN, TX--(Marketwire - Oct 30, 2012) - NSS Labs today released the second Comparative Analysis Report™ from its 2012 Group Test for Consumer End Point Protection (EPP), which evaluated 13 leading EPP solutions and their ability to block some of the common evasion techniques that cybercriminals use to launch attacks and circumvent detection. EPP products have traditionally struggled with most evasion techniques. However, NSS Labs found that most endpoint products showed significant improvement in their anti-evasion protection compared with previous tests. A notable exception, and a cause for concern, is attacks utilizing file compression and payload packing, which NSS Labs showed can still evade the majority of EPP products tested.

View the NSS Labs 2012 Consumer End Point Protection Comparative Analysis Report - Evasion Defenses

Evasions Using Compression and Payload Packing Remain Challenges for EPP Solutions
While all of the vendors tested blocked 100% of evasions in most of the categories tested, over 60% (8 of 13) failed to block attacks in which obfuscation methods for compressing and packing payloads were used. Several products allow compressed or packed payloads to be downloaded without checking the content, and NSS Labs believes that consumers are better served when these are blocked by default. While all vendors were able to block threats once decompressed, several still struggled to block run-time packed payloads upon download, and 3 blocked 75% or less on execution. Key findings of the report include:

  • A single missed evasion opens doors for multiple attacks: Unlike missing a single malware sample, which lets a single malicious program infiltrate, failing to block a single evasion technique means that consumers are vulnerable to all attacks utilizing that particular method for evading detection.
  • Vendors are effective at detecting attempts to hide malicious URLs and file types: Coverage for evasions using HTTP obfuscation and payload encoding greatly improved: All vendors scored 100% in these two tests, which is a significant improvement over past tests. In previous tests, almost half of vendors blocked less than 60% of evasions using HTTP obfuscation and most blocked less than 40% in payload encoding tests.
  • Protection against layered evasions proved strong: None of the vendors had any problems blocking layered evasions, even with as many as 4 layers of obfuscation. This is a significant improvement, since previous tests (which used only single layers of evasion) were problematic for some vendors.
  • Consumers should take extra steps to protect themselves: In addition to regularly patching all software, consumers should make sure their endpoint protection is configured to scan compressed files on download rather than only on execution, and make sure that they are using the most current version of their chosen browser.

Commentary: NSS Labs Research Director Randy Abrams
"With the majority of products scoring 100% in most of our evasion testing, it's obvious that vendors are taking the need for protection against evasions seriously and have invested considerable resources and effort to improve their abilities to protect against these types of threats," said Randy Abrams, Research Director at NSS Labs. "The fact that evasions using compression and payload packing remain effective shows vendors need to improve their detection capabilities in this area, which is where many attacks will likely persist. Cybercriminals don't just develop an attack method and move on; they want to make it usable for as long as possible. Any effective evasion method that lets them conceal their attacks and repurpose exploits exposes consumers to further risk."

The 13 vendors tested in this report and in the current group tests include:

  • Avast
  • AVG
  • Avira
  • CA
  • ESET
  • F-Secure
  • Kaspersky
  • McAfee
  • Microsoft
  • Norman
  • Norton
  • Panda
  • Trend Micro

Results for each additional test area in the 2012 End Point Protection Group Test -- evasions, performance, and protection against live malware, drive-by attacks and phishing -- will be available to NSS Labs' subscribers at www.nsslabs.com.

NSS Labs did not receive any compensation in return for vendor participation; all testing and research was conducted free of charge.

About NSS Labs, Inc.
NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs' insight, every day. Founded in 1991, the company is located in Austin, Texas. For more information, visit www.nsslabs.com.

© 2012 NSS Labs, Inc. All rights reserved. All brand, product and service names are the trademarks, registered trademarks, or service marks of their respective owners.

Contact Information

  • Contact:
    ReseAnne Sims
    Senior Marketing Manager
    NSS Labs
    Phone: +1 (832) 741-7373
    rsims@nsslabs.com