Archive for October, 2008

Exploits vs Antivirus – The Last Stand

October 14th, 2008

Internet Security Suites fail to block exploits and do little to protect users against them, according to a recently released "test" [here] by Secunia, a Danish vulnerability notification firm. I put the word "test" in quotes because it is very common to see vulnerability companies use close-to-unethical tactics to oversell problems with the AV industry in order to promote their own services [another example here].

Now it's Secunia's turn. In their "test" they assume that anti-virus products have poor performance in detecting vulnerability exploits because of their limited focus on traditional AV signatures. So along comes Secunia's Chief Technology Officer (CTO) Thomas Kristensen with the bright idea of testing 12 different Internet Security Suites from McAfee, Norton, Kaspersky, Panda and others against a testbed of exploit files. So far so good; it's an interesting idea for comparing technologies and I believe it should be performed.

However, when testing exploits, one very important consideration is that these products don't rely only on traditional signature detection. Yet Secunia's "test methodology" only takes into consideration manually scanning 144 different inactive exploit files. This is very much like saying that you're going to test a car's ABS brakes by throwing it off a 200 meter cliff. Absurd, sensationalist and misleading at best.

Just to clarify: if you only test one part of a product against exploits, which by the way is the part of the product which IS NOT designed to deal with exploits, and leave out of the test the part of the product that DOES deal with exploits and vulnerabilities, there's a very good chance the results will be misleading. Mr. Kristensen, as a Chief Technology Officer, should know this and should be very well aware of the consequences of a faulty methodology. So the question remains: why did he ignore it and just go for the yellow sensationalist approach?

But the absurdity doesn't stop with Secunia's flawed testing methodology. Mr. Kristensen concludes that "… major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities." Well duh, if you only test traditional signatures and neglect the other technologies included in the product which ARE designed to block exploits, what do you expect? Oh, wait, I just saw on their website that Secunia actually sells a vulnerability scanner! Hmmm, I wonder if that has something to do with the flawed conclusions of this test… Internet Security Suites have not relied on signature detection alone for many years now. Panda's (and other vendors') products integrate behavioral analysis, context-based heuristics, security policies, vulnerability detection, etc. However, none of these technologies were tested by Secunia.

Let's just take one of the many protection technologies included in Panda Internet Security 2009 which DOES deal with prevention of vulnerability exploitation and see how it behaves against these exploits if tested correctly. I'm talking about Kernel Rules Engine, a security policy technology incorporated in 2004 into all Panda products which effectively prevents zero-day exploits of PDF, DOC, XLS, PPT and many other vulnerable applications. While Secunia's test grants Panda a lowly 1.59% detection rate of the important threats, had they tested correctly they would have found that with Kernel Rules Engine alone Panda's product is able to generically and proactively block 56% of the important threats. And this is just with KRE technology. Panda's products also include other technologies such as TruPrevent's Behavioral Analysis, URL Filters and the Vulnerability Detection module, which would prevent other exploits if Secunia cared to run their tests with a minimum level of professionalism.
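To make the methodology point concrete, here is an added toy model (written for this page, not Panda's code; the real Kernel Rules Engine rules are not described here) of the two layers being conflated: a signature scan of an inactive file, and a runtime policy that constrains what document and media viewers may do. The sample file bytes and events are constructed; the application names and rules are assumptions.

```python
# Toy model of two protection layers, constructed for illustration.
# It is NOT Panda's Kernel Rules Engine, whose actual rules are proprietary.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layer 1: traditional on-demand file scan. Only matches known byte patterns,
# so a zero-day PoC file with no signature yet is simply missed.
SIGNATURES: Dict[bytes, str] = {b"KNOWN_EXPLOIT_MARKER": "Exploit/Known.A"}

def scan_file(content: bytes) -> Optional[str]:
    """Signature scan of an inactive file. Returns a detection name or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in content:
            return name
    return None

# Layer 2: a runtime security policy in the spirit of a kernel rules engine.
# Viewers of PDF/DOC/XLS/PPT/media files are not expected to spawn processes
# or drop executables, so those actions are denied no matter which
# vulnerability was exploited to trigger them (assumed rule set).
@dataclass(frozen=True)
class Event:
    process: str  # image name of the process performing the action
    action: str   # "spawn", "write_file" or "open_file"
    target: str   # child image or file path

CONSTRAINED_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd")

def policy_decision(ev: Event) -> str:
    """Return 'block' or 'allow' for one runtime event of a constrained app."""
    if ev.process.lower() not in CONSTRAINED_APPS:
        return "allow"
    if ev.action == "spawn":
        return "block"  # a document viewer launching a child process
    if ev.action == "write_file" and ev.target.lower().endswith(EXEC_EXTENSIONS):
        return "block"  # a document viewer dropping an executable
    return "allow"

def evaluate(content: bytes, events: List[Event]) -> dict:
    """Run both layers over one sample and report what each layer catches."""
    blocked = [f"{e.process}:{e.action}:{e.target}" for e in events
               if policy_decision(e) == "block"]
    return {"static_scan": scan_file(content), "runtime_blocked": blocked}

# Constructed sample: an OLE header plus filler (no signature hit) whose
# exploitation, once the file is actually opened, makes Excel drop and run a payload.
SAMPLE_FILE = b"\xd0\xcf\x11\xe0" + b"A" * 64
SAMPLE_EVENTS = [
    Event("excel.exe", "open_file", r"C:\Users\test\PoC.xls"),
    Event("excel.exe", "write_file", r"C:\Users\test\Temp\payload.exe"),
    Event("excel.exe", "spawn", r"C:\Users\test\Temp\payload.exe"),
]
```

Scanning SAMPLE_FILE on disk yields nothing, while running it produces two blocked events; a test that only does the former scores the product at zero for this sample.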

Note to Secunia:
The following exploits (at least), which in your study are marked as "not detected by Panda", are actually detected generically with the correct testing methodology. Hint: have you tried actually "running" the exploits?

SA14896 CVE-2005-0944 PoC.mdb
SA20748#1 CVE-2006-3086 PoC.xls
SA21061 CVE-2006-3655 POC1.ppt
SA21061 CVE-2006-3656 POC2.ppt
SA21061 CVE-2006-3660 POC3.ppt
SA22127#1 CVE-2006-4694 PoC.ppt
SA23540 CVE-2007-0015 PoC.qtl
SA23676#2 CVE-2007-0028 Exploit1.xls
SA23676#2 CVE-2007-0028 exploit2.xls
SA23676#2 CVE-2007-0028 PoC.xls
SA23676#3 CVE-2007-0029 PoC.xls
SA23676#4 CVE-2007-0030 PoC.xls
SA23676#5 CVE-2007-0031 PoC.xls
SA24152 CVE-2006-1311 PoC.rtf
SA24359#1 CVE-2007-0711 PoC.3gp
SA24359#3 CVE-2007-0713 PoC.mov
SA24359#4 CVE-2007-0714 PoC.mov
SA24359#8 CVE-2007-0718 PoC.qtif
SA24359#9 CVE-NOMATCH PoC.jp2
SA24659 CVE-2007-0038 GameOver.ani
SA24664 CVE-2007-1735 PoC.wpd
SA24725 CVE-2007-1867 GameOver.ani
SA24784 CVE-2007-1942 Exploit.bmp
SA24784 CVE-2007-1942 PoC.bmp
SA24884 CVE-2007-2062 GameOver.cue
SA24973 CVE-2007-2194 GameOver.xpm
SA25023 CVE-2007-2244 PoC.bmp
SA25034 CVE-2007-2366 GameOver.png
SA25044 CVE-2007-2365 GameOver.png
SA25052 CVE-2007-2363 GameOver.iff
SA25089 CVE-2007-2498 PoC.mp4
SA25150#1 CVE-2007-0215 PoC1.xls
SA25150#1 CVE-2007-0215 PoC2.xls
SA25150#3 CVE-2007-1214 PoC.xls
SA25178 CVE-2007-1747 PoC.xls
SA25278 CVE-2007-2809 GameOver.torrent
SA25426 CVE-2007-2966 PoC.lzh
SA25619#1 CVE-2007-0934 PoC.vsd
SA25619#2 CVE-2007-0936 GameOver.vsd
SA25619#2 CVE-2007-0936 PoC.vsd
SA25826 CVE-2007-3375 PoC.lzh
SA25952 CVE-2007-6007 PoC1.psp
SA25952 CVE-2007-6007 PoC2.psp
SA25952 CVE-2007-6007 PoC3.psp
SA25988 CVE-2007-1754 PoC.pub
SA25995#1 CVE-2007-1756 PoC.xls
SA25995#2 CVE-2007-3029 PoC1.xls
SA25995#2 CVE-2007-3029 PoC2.xls
SA25995#3 CVE-2007-3030 PoC.xlw
SA26034#4 CVE-2007-2394 PoC.mov
SA26145 CVE-2007-3890 PoC1.xlw
SA26145 CVE-2007-3890 PoC2.xlw
SA26433 CVE-2007-3037 PoC.wmz
SA26619 CVE-2007-4343 Exploit.pal
SA26619 CVE-2007-4343 GameOver.pal
SA27000 CVE-2007-5279 PoC.bh
SA27151 CVE-2007-3899 GameOver.doc
SA27151 CVE-2007-3899 PoC.doc
SA27270 CVE-2007-5709 GameOver.m3u
SA27304#1 CVE-2007-5909 GameOver1.rtf
SA27304#1 CVE-2007-5909 GameOver2.rtf
SA27304#1 CVE-2007-5909 PoC1.rtf
SA27304#2 CVE-2007-6008 PoC1.eml
SA27304#2 CVE-2007-6008 PoC2.eml
SA27361#4 CVE-2007-2263 PoC.swf
SA27849 CVE-2007-6593 GameOver1.123
SA27849 CVE-2007-6593 GameOver2.123
SA27849 CVE-2007-6593 GameOver3.123
SA28034 CVE-2007-0064 PoC1.asf
SA28034 CVE-2007-0064 PoC2.asf
SA28034 CVE-2007-0064 PoC3.asf
SA28034 CVE-2007-0064 PoC4.asf
SA28083#2 CVE-2007-0071 PoC.swf
SA28092#1 CVE-2007-4706 PoC.mov
SA28209#10 CVE-2007-5399 PoCbcc.eml
SA28209#10 CVE-2007-5399 _PoC_cc.eml
SA28209#10 CVE-2007-5399 PoC_date.eml
SA28209#10 CVE-2007-5399 PoC_from.eml
SA28209#10 CVE-2007-5399 PoC_imp.eml
SA28209#10 CVE-2007-5399 PoC_prio.eml
SA28209#10 CVE-2007-5399 PoC_to.eml
SA28209#10 CVE-2007-5399 PoC_xmsmail.eml
SA28209#11 CVE-2007-5399 PoC.eml
SA28209#12 CVE-2007-5399 PoC.eml
SA28209#13 CVE-2007-5399 PoC.eml
SA28326 CVE-2008-0064 GameOver1.hdr
SA28326 CVE-2008-0064 GameOver2.hdr
SA28506#1 CVE-2008-0081 Exploit.xls
SA28506#1 CVE-2008-0081 PoC.xls
SA28506#2 CVE-2008-0111 PoC1.xls
SA28506#2 CVE-2008-0111 PoC2.xls
SA28506#2 CVE-2008-0111 PoC3.xls
SA28506#4 CVE-2008-0114 PoC.xls
SA28506#7 CVE-2008-0117 Exploit.xls
SA28506#7 CVE-2008-0117 GameOver.xls
SA28506#7 CVE-2008-0117 PoC.xls
SA28563 CVE-2008-0392 Exploit_CommandName.dsr
SA28563 CVE-2008-0392 GameOver_CommandName.dsr
SA28765 CVE-2008-0619 PoC.m3u
SA28765 CVE-2008-0619 PoC.pls
SA28802#1 CVE-2007-5659 GameOver.pdf
SA28802#1 CVE-2007-5659 PoC.pdf
SA28904#2 CVE-2008-0105 PoC1.wps
SA28904#2 CVE-2008-0105 PoC2.wps
SA28904#3 CVE-2007-0108 GameOver.wps
SA29293#1 CVE-2008-1581 PoC.pct
SA29321#2a CVE-2008-0118 PoC.ppt
SA29321#2b CVE-2008-0118 GameOver.ppt
SA29321#2b CVE-2008-0118 PoC.ppt
SA29620 CVE-2008-0069 GameOver.sld
SA29650#5 CVE-2008-1017 crgn_PoC.mov
SA29704#1 CVE-2008-1083 PoC.emf
SA29704#2 CVE-2008-1087 PoC.emf
SA29838 CVE-2008-1765 Exploit.bmp
SA29838 CVE-2008-1765 GameOver.bmp
SA29934 CVE-2008-1942 PoC_ExtGState.pdf
SA29934 CVE-2008-1942 PoC_Height.pdf
SA29934 CVE-2008-1942 PoC_MediaBox.pdf
SA29934 CVE-2008-1942 PoC_Width.pdf
SA29941 CVE-2008-1104 Exploit.pdf
SA29941 CVE-2008-1104 PoC.pdf
SA29972 CVE-2008-2021 PoC.ZOO
SA30143#1 CVE-2008-1091 PoC.rtf
SA30953 CVE-2008-1435 PoC.search-ms
SA30975 CVE-2008-2244 PoC1.doc
SA30975 CVE-2008-2244 PoC2.doc
SA31336#2 CVE-2008-3018 PoC.pict
SA31336#4 CVE-2008-3020 PoC.bmp
SA31336#5 CVE-2008-3460 PoC1.wpg
SA31336#5 CVE-2008-3460 PoC2.wpg
SA31336#5 CVE-2008-3460 PoC3.wpg
SA31385 CVE-2008-2245 PoC.emf
SA31441 CVE-2008-4434 PoC.torrent
SA31454#X CVE-NOMATCH PoC.xls
SA31454#2 CVE-2008-3005 Exploit.xls
SA31454#2 CVE-2008-3005 PoC.xls
SA31675#3 CVE-2008-3013 PoC.gif
SA31675#4 CVE-2008-3014 PoC.wmf
SA31675#X CVE-NOMATCH PoC.emf
SA31675#X CVE-NOMATCH PoC.wmf
SA31675#5 CVE-2008-3015 PoC.ppt
SA31821#6 CVE-2008-3626 PoC1.mp4
SA31821#6 CVE-2008-3626 PoC2.mp4

Panda Security Days in Sweden

October 7th, 2008

Last week we did a series of technical conferences in different Swedish cities, talking about products and Collective Intelligence and how it works "behind the scenes". The talks were given in Stockholm, Gothenburg and Malmö by Panda Sweden's CEO Bo Hasse, Security Expert Sebastian Zabala and myself.


The pictures above show Sebastian and myself. More details and pictures are at Daniel Nyström's personal blog. Daniel is Panda Sweden's Tech Support main man and writes a bad ass blog called icmpecho.com.
