Check 2015: Self-Protection of Antivirus Software
It is undisputed: Good security software protects the user from risks and attacks from the Internet. But how well do the many security solutions in the market protect themselves against threats? AV-TEST already examined this question in November 2014, and published the test Self-Protection for Antivirus Software. It examined whether programmers use the freely available protection mechanisms DEP and ASLR for their program code. This involves existing functions in the compiler that simply need to be activated. The volume of code and program run time are not influenced by these technologies. How it works exactly is explained in the following box, "Background knowledge on ASLR, DEP and file signatures".
The test provided a wake-up call for some manufacturers and confirmed how carelessly self-protection was neglected in some cases. That is why many manufacturers pledged that they would immediately improve their protection.
Self-protection in business solutions
DEP & ASLR in consumer packages
DEP & ASLR in enterprise solutions
Signed files in consumer software
Files without signature in business solutions
300 days after the test scare
All manufacturers had enough time to make corrections and keep their promises in the meantime. And how do things look now? In the lab at AV-TEST, 21 solutions for private users and 10 solutions for corporate users were tested once again. In the test, it was examined whether DEP and ASLR were implemented in connection with user-mode PE (portable executable) files for 32- and 64-bit. In addition, the 2015 test round checked whether the files are also signed with a valid certificate.
Whereas in the solutions for private users tested last year only one product offered 100% protection with DEP and ASLR, in the current test there are a total of 6 products from Avira, Bullguard, ESET, Kaspersky, McAfee and Symantec. Two additional products achieved 99.4 and 99.5% in the evaluation: F-Secure and G Data. Afterwards, the numbers continue to drop, as in last year's test, until they reach a rock-bottom value of only 25.9%.
Greatly-improved enterprise solutions
Greater strides were achieved in the solutions for corporate users. Three out of 10 solutions use DEP and ASLR 100%: Kaspersky Lab with its small office version and endpoint version, as well as Symantec. An additional six solutions do in fact reach levels between 95.7 and 90.5%. Solely the product from Seqrite newly entering the test field is protected at only 29.8%.
All in all, the enterprise solutions improved the most. Kaspersky Lab, for instance, beefed up its versions to 100%, or Trend Micro improved from the appalling level of 18.7 percent from the last test to 95.5%.
As an additional note: Some providers already stated after the last test that they would never reach 100%. They said this was because they were already using their own protection technologies that were not compatible with DEP and ASLR, however. Yet the manufacturers do not wish to disclose which technologies are involved.
Additional check 2015: Are all the files digitally signed?
In the previous year's test, the key user-mode PE (portable executable) files for 32 and 64 bits were only tested in terms of the deployment of DEP and ASLR. In this test, PE files were also examined in terms of whether they were digitally signed by the manufacturer and whether they are also using a valid certificate at the same time. After all, the security software manufacturers require from all other software producers that they use signatures and certificates for their files. Because they help classify the manufacturer from which they originate. While unsigned files in security products are not an acute security gap, the potential does indeed exist. Because for self-protection, a suite has to be able to verify the authenticity and integrity of its own files. Digital signatures with valid certificates along with hash values are helpful in this. These values alone are not sufficient for securing the files. Yet how do the manufacturers of security software actually approach this straightforward task? In a relatively slap-dash manner, as the evaluation demonstrates.
For the corporate solutions, 50% of the products have unsigned files in the mix. It is partly only individual files, for some manufacturers, 20 to 30% of the user-mode PE files are not signed. At least all the certificates are valid for the signed files. That was also tested.
For the consumer products, the result is considerably worse. Here even 60% of the security packages tested use unsigned PE files. On half of them, the number of unsigned files is below 10. On most of them, there are 20 to 60 files, and for ThreatTrack it is even 411 out of 602 PE files. The worst: for Avast, Check Point and ThreatTrack, there were even files with invalid certificates as well.
Antivirus software with potential vulnerabilities
The manufacturers of security software actually ought to be role models and utilize all technologies to boost their own security to the maximum level feasible. If we examine the current tables compared to the test from 2014, some manufacturers still need to wake up and smell the coffee. Many have worked on their products since the last critique – but many have done absolutely nothing.
For consumer products, Avira, Bullguard, ESET, Kaspersky Lab, McAfee and Symantec use the DEP & ASLR technologies 100%. In terms of digitally signed files, ESET, McAfee and Symantec also did a good job. Avira, Bullguard and Kaspersky still have to offer signed files, even if it only involves a few.
In the security solutions for enterprises, the DEP and ASLR technology was implemented 100% on both tested versions from Kaspersky Lab and Symantec On the verification of unsigned files, however, only Symantec can pat itself on the back. On the products from Kaspersky Lab, the test laboratory still discovered some unsigned files.
The additional examination for signed and validly certified PE files opens up new areas in need of improvement for certain manufacturers. They urgently need to remedy something that actually ought to be a standard task.
As in last year's test, the detailed findings were once again forwarded to the manufacturers. Whether these important remarks in terms of self-protection for security software are accepted is something on which the laboratory will conduct follow-up tests in the future and report on it.
Background knowledge on ASLR, DEP and file signatures
Director Malware Research: Ulf Lösche
As a non-expert, you have to first understand what PE files are and what ASLR, DEP and signatures mean. Here is a brief and and concise explanation that sheds light on this topic.
Only the so-called "user-mode PE (portable executable) files" for 32 and 64 bits are important for an evaluation. All the other files, including the so-called native PE files, were irrelevant for the test. Between 5 and 45% of the installed files of a security solution are PE files. The PE files include, for example:
.exe or any "executable" program or module
.dll or "dynamic link library", a program library
.sys or "system", a system software
.drv or "driver", a driver file for a device
Behind the cryptic terms DEP and ASLR are the following:
ASLR or Address Space Layout Randomization stands for a shuffling of memory sectors, making it more difficult to exploit security gaps in computer systems. Using ASLR, stack addresses are randomly allocated to applications. This is intended to prevent, or at least impede, attacks via a buffer overflow.
DEP or Data Execution Prevention is also referred to as NX-Bit (No eXecute). The protection is already based on the hardware. Chip producers AMD and Intel have already been implementing this technology for more than 10 years under the proprietary names of EVP and XD-Bit in all their processors. It is intended to prevent programs from executing random data as programs and thus launching malicious code in this manner.
If a programmer uses DEP and ASLR technologies as a supporting measure, this reduces the risk that a possible vulnerability may actually become exploitable. If an application does not employ DEP and ASLR, this does not necessarily mean that it is unsafe. If the programming is 100% error-free, the level of security cannot be increased either. Thus DEP and ASLR are an additional precaution that a programmer or manufacturer should not do without. Implementation is so easy: it involves existing functions in the compiler that simply need to be activated. The technology has no negative impact on the code size or program run time.
The file signatures with certificates are just as easy to implement. Every manufacturer undoubtedly owns constantly renewed certificates obtained from an official certifying body. This certificate is a copy of the digital corporate identity certified by an independent entity. Tools enable the programmers to simply add the signature containing the certificate to a file. This Microsoft Authenticode code signing technology belongs to the industry standard and is essential to any published file.