NSS Labs has released its latest report: Endpoint Protection Product Group Test Report: Host Intrusion Prevention. As in its recent socially engineered malware protection test, AVG and Panda received “caution” ratings from NSS for their respective enterprise endpoint protection products. Enterprise products from Norman and NSS president Rick Moy’s former employer ESET also received “caution” ratings. Norman’s anti-malware appliance, however, was recently certified by NSS.
The study examined security products’ ability to prevent client-side exploits – attacks that take advantage of vulnerabilities in software such as Adobe Reader or Web browsers. Operation Aurora, which hit Google and many other major companies late last year, is an example of such an exploit.
NSS found the worst performing products stopped only 29% of exploits, while the best performing products stopped 100% of exploits. NSS estimates 70-75% of all organizations are under-protected against client-side exploits.
The NSS Report emphasizes the fact that users need not navigate to a “shady” web site to fall victim to a client-side exploit – reputable web sites such as the New York Times have served malware (see our coverage of Dasient’s report on web site vulnerabilities).
NSS also emphasized the importance of patching known vulnerabilities so one doesn’t need to rely on enterprise security suites.
AVG protested NSS’s testing earlier this year when NSS claimed AVG failed to detect the Aurora exploit. AVG posted a screenshot of its application detecting and blocking the exploit. Moy fired back with a blog post pointing out that the screenshot showed AVG detecting the exploit in Firefox, even though Aurora was an Internet Explorer exploit. He also included a video of AVG failing to stop the exploit. One eagle-eyed ReadWriteWeb commenter noticed that Firefox seemed to be running the IE Tab plugin in that screenshot, but that still doesn’t explain Moy’s video.
ESET told us earlier this year that it had been unable to get useful feedback from NSS without paying steep consulting fees, and was therefore unable to assess the validity of NSS’s testing. This time around, NSS has provided examples of malware tested in the report and has posted several videos demonstrating its testing on its YouTube channel.