Test Shows Shortcomings of Antivirus Programs

Antivirus (AV) products and traditional "Internet security suites" generally don't detect about 80 percent of the exploits and vulnerabilities they see, according to a study published earlier this week by security software vendor Secunia.

The Secunia Internet security suite test pitted 12 popular antivirus suites against "300 exploits targeting vulnerabilities in various high-end, high-profile programs," according to Secunia. Symantec's suite was the clear winner, detecting more than 10 times as many exploits as its nearest competitor.

But that winning program only detected 64 of the 300 exploits, blogs Thomas Kristensen, CTO of Secunia. Between poor patching practices and the signature creation method used by most popular AV suites, the rate of detection among AV users remains remarkably low, he says.

"Even with a very rapid creation of payload-based signatures, all [Internet security suite] customers are still left exposed for a considerable amount of time from the point when the criminals start distributing their new payload until it has been 'caught,' analyzed," and signatures created and tested, Kristensen says.

Secunia's is one of many recent tests that have pointed out the shortcomings in popular, signature-based AV tools. (See New Tests Show Rootkits Still Evade AV and Antivirus Tools Underperform When Tested in LinuxWorld 'Fight Club'.) However, because some of these tests are conducted by vendors that offer competitive products, many observers have questioned their validity.

"I like Secunia, so no hard feelings from our side," says Sunbelt Software's Alex Eckelberry in his blog. "But truly, this test... is a silly and useless PR stunt. I think [Secunia was] just trying to get some news for their business of patch scanning or something, and decided to kick the AV players around for fun."

Andreas Marx, CEO of AV-Test.org, says Secunia's test and report were not as thorough as they might have been. "Some critical details are missing," he says. For example, the report does not specifically state "the time of the last update of the scanners, the exact product versions, and the like," he says. Only the on-demand scanner and the on-access guard of each AV suite were tested, he observes.

Still, most experts concur on Secunia's two major points: that signature-based tools alone are generally not sufficient to detect and prevent new threats; and that unpatched systems continue to leave users open to attack.

"The security industry can never offer a protection that matches that of a properly patched program," Kristensen blogs. "Consumers and businesses have to put more effort into patching their programs. If your programs are vulnerable and unpatched, then you're left quite exposed to new attacks."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.