Antivirus software protects your computer from malware. But what if malware infects the antivirus software itself?
That's not an academic question. Major security flaws have recently been found in several antivirus products, and antivirus software is the ideal vector for attack: It has deep hooks into the guts of a Mac or PC, deals with all sorts of nasty code and constantly runs in the background. "Turncoat" antivirus software would be difficult to defend against.
With that in mind, German independent lab AV-TEST evaluated the defenses put up by 21 well-known antivirus products. Only three — from ESET, McAfee and Norton — scored perfectly by implementing all possible defensive measures. Many products did far less well, including a couple of brands that usually do well in Tom's Guide's own antivirus rankings.
The good news: Six products protected all their software components by fully enabling address space layout randomization (ASLR) and data execution prevention (DEP), two highly recommended malware-deflecting defenses built into Windows computers since 2005. Without ASLR and DEP enabled, malware is much more likely to infect the spot on a computer's active memory where a program "lives."
The six winners were Avira Antivirus Pro, Bullguard Internet Security, ESET Smart Security, Kaspersky Internet Security, McAfee Internet Security and Norton Security. (Major flaws were found, then patched, in Avira, ESET and Kaspersky products in the past 18 months.) F-Secure Internet Security and G Data Internet Security came in just behind, enabling ASLR and/or DEP in more than 99 percent of their code.
Several other vendors that scored lower told AV-TEST that they protected their software in ways similar to ASLR and DEP. But they wouldn't tell AV-TEST what those methods were, and AV-TEST didn't identify those vendors by name.
The not-so-good news: Of the above six brands, only ESET, McAfee and Norton fully "signed" their code. Without such digital signatures, attackers could substitute corrupted files, especially during the installation or update processes — and most antivirus products update their malware definitions several times a day.
AVG Internet Security, Comodo Internet Security Premium and G Data Internet Security also fully signed their code; G Data also protected 99.4 percent of its code with ASLR/DEP, and AVG protected a respectable 95.9 percent.
The bad news: Three well-regarded products scored less than 90 percent on the ASLR/DEP percentages. They were Bitdefender Internet Security, with 87.9 percent; Panda Security Free Antivirus, with 87.4 percent; and Trend Micro Internet Security, with 76.0 percent.
Bitdefender and Trend Micro both normally find 99 or 100 percent of malware in AV-TEST's experiments, which Tom's Guide uses to gauge protection efficiency. We've also found products from both brands easy to use. Bitdefender Antivirus Plus is currently our editor's choice for budget antivirus software, and Bitdefender Total Security is second-best among premium suites.
Kaspersky and Avira, two other top brands, aced the ASLR/DEP evaluations but did poorly in code-signing. Avira, which leads our Best Mac Antivirus and Best Free PC Antivirus categories, didn't sign 10 out of 149 components in Avira Antivirus Pro. Kaspersky Total Security leads our Best Premium PC Security Suite rankings, but its sibling Kaspersky Internet Security failed to sign an even bigger share of its components — 25 out of 259.
On the bright side, Bitdefender failed to sign only one out of 326 components, and F-Secure one out of 277.
Still, the overall results for Bitdefender are especially distressing because AV-TEST conducted a previous evaluation of ASLR and DEP implementation a year ago, and while most products have significantly improved their scores since then, Bitdefender has slipped a bit.
"The manufacturers of security software actually ought to be role models and utilize all technologies to boost their own security to the maximum level feasible," AV-TEST's report, available on the lab's website, said. "If we examine the current tables compared to the test from 2014, some manufacturers still need to wake up and smell the coffee. Many have worked on their products since the last critique — but many have done absolutely nothing."
Most of the software packages that AV-TEST examined were the 2015 editions, and we can hope that the implementation of common software defenses improves in the 2016 packages.
It's also possible that Bitdefender was one of the unnamed vendors that implemented proprietary defenses instead of ASLR and DEP. We've reached out to the company for comment and will update this story when we receive a reply.