Yikes! Antivirus Software Fails Basic Security Tests
Suppose that you're a feudal lord, riding high on the hog of exploiting your multitudinous peasants. You’ve done so well that you’ve built a castle, piled high with food and wine and riches. To fend off the barbarian hordes, you invest in a drawbridge with a stout, wrought-iron portcullis.
Sounds reasonable, right? There’s only one problem: Upon further inspection, the portcullis is spotted with rust. It sticks when you try to pull it up. It's framed with rotting wood.
Credit: Serhii Kalaba/Shutterstock
The castle is your computer. The portcullis is your antivirus suite. And, according to a study released today (May 2) by Madgeburg, Germany-based firm AV-TEST, your AV software may be even more vulnerable to attack than the files it purports to protect. The company put 19 consumer antivirus suites to the test and found that only three of them seemed to be well protected from savvy potential hackers.
AV-TEST evaluated each program in three categories. The first measured how well each program uses address space layout randomization (ASLR) and data execution prevention (DEP). Briefly, ASLR randomizes a computer's memory allocation, making it harder for an attacker to target a particular process in a program; DEP is a Windows protocol that designates some memory as non-executable space (other operating systems do this under different names), making it harder (or impossible) for unauthorized programs to run in that space.
The second test measured whether the AV programs digitally signed their software-update files. Signing is a way of determining a file’s origin and authenticity; unsigned files could be more easily substituted with malicious ones.
The final test was the simplest, and determined whether an AV manufacturers delivered its software updates via the encrypted HTTPS web protocol or the unencrypted HTTP one. Lack of encryption makes it easy for an attacker to stage a man-in-the-middle attack by intercepting the data transmission, altering the data and then sending the data back on its way.
Of the 19 programs tested, three succeeded on all counts: Bitdefender Internet Security 2017, ESET Internet Security 10 and Kaspersky Internet Security 17.0. It’s difficult to rank the rest of the programs, as each one succeeded and failed to varying degrees.
For example: Quick Heal Total Security 17.0, K7 Computing Total Security 15.1 and AhnLab V3 Internet Security 9.0 all did relatively poorly on ASLR and DEP protection, scoring between 76 and 36 percent of files properly protected. Avast Free AntiVirus 17.1, ThreatTrack VIPRE Internet Security Pro 2016 and Quick Heal Total Security 17.0 scored poorly on signed files, each containing between 1 and 29 unsigned files, depending on whether users installed the 32- or 64-bit version of the program.
Perhaps the most troubling results came from the HTTP vs. HTTPS results. Only six programs used a secure HTTPS server: Avira Antivirus Pro 17.1, Bitdefender Internet Security 2017, ESET Internet Security 10, F-Secure SAFE 14.1, G Data Internet Security 25.3 and Kaspersky Internet Security 17.0.
This underscores how difficult it is to rank the programs overall; a program like Symantec Norton Security 22.8 performed beautifully in two categories, but that wouldn’t do you any good if you suffered a man-in-the-middle attack while trying to download or update it, as it doesn't encrypt its transmissions.
While attacking antivirus software isn’t that common, and has been practiced more in theory than in fact, its effects could be disastrous. A compromised antivirus program could let malware through, sure, but what’s more disconcerting is that antivirus programs require top-level privileges in the machines they protect.
A hacker who exploits an antivirus program could effectively take over a computer and, in turn, often an entire network. From there, you can kiss all of your email, social media, and financial security goodbye — to say nothing of your private Internet history.
Still, AV-TEST pointed out that using an AV program, even one that has security holes, is a much better idea than using none at all. Between malvertising, phishing and good old-fashioned shady links, the internet can be a dangerous place, and everyday malware attacks are much more common than antivirus exploits. That portcullis may be rickety, but it’s still going to repel more invaders than an open drawbridge.