Anti-virus software is not stopping many malware threats, NSS Labs finds

Malware caught at one entry point is often not detected by endpoint protection platforms (EPPs) at other entry points, such as a USB drive or network file server, NSS Labs found. The company examined EPPs from the top vendors by market share.

“We found that the same pieces of malware weren’t always detected if they were delivered to the machine through different entry points. If you clicked on something on the web and it was detected, the same vendor product might not detect the malware if it was on a USB, on a file share, or emailed to them”, Rick Moy, chief executive officer at NSS Labs, told Infosecurity.

“What that says to us is that the architecture of these AV products is not very uniform. That is a sign of a lack of maturity of the product, frankly. If you have the ability to detect malware on one vector, you should be able to detect on another,” Moy said.

Less than one-third of the tested vendors had products with protection against memory-only malware, the company found. Moy explained that memory-only malware is injected into memory directly over the web, not downloaded as a file; this makes it harder for anti-virus products to catch the malware.

One memory-only malware technique is reverse DLL (dynamic-link library) injection: the malware injects itself into a system process that has been approved to run. “When the DLL is called, the malware will run and do its thing, but it is hiding inside an approved process. So it can’t be easily separated out. There is no file”, he said. “The memory-only malware can hide from detection algorithms that most AV products are using”, he added.

In addition, EPPs missed between 10% and 60% of evasion techniques used by cybercriminals, such as hiding malware in WinZip files. On average EPPs missed 30% of evasion techniques, according to Moy.

The most common evasion technique involves compression, Moy said. “We found that WinZip wasn’t detected [by the anti-virus software], so you can create a self-extracting archive of malware, and most of the AV products would not detect the malware that was hidden in there”, he explained.

At the network layer, cybercriminals can exploit IP fragmentation and segmentation. “A number of the AV products just look at individual packets without reassembling the entire conversation [between two computers]. So if you are looking for a signature and only part of the signature is in each packet, you will never understand the full message and be able to apply that signature to the full conversation”, Moy said.
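As an added illustration of the point Moy makes (this is not NSS Labs' code or test methodology), the following Python models a detection engine that matches a signature against each segment on its own beside one that reassembles the byte stream first; the signature, the sample stream and the segment boundaries are all constructed for the example.

```python
"""Per-segment vs. reassembled signature matching (constructed example)."""
from typing import List, Tuple

# Hypothetical signature the engine looks for (constructed, not a real indicator).
SIGNATURE = b"EVIL-PAYLOAD-MARKER"

# (stream offset, payload): models one TCP segment or IP fragment of a conversation.
Segment = Tuple[int, bytes]


def match_per_packet(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive engine: inspects each segment alone, so a signature split across
    two segments is never seen in full."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the stream from (offset, payload) pairs, tolerating out-of-order
    delivery and overlapping retransmissions (already-seen bytes are kept)."""
    buf = bytearray()
    for offset, payload in sorted(segments, key=lambda s: s[0]):
        if offset > len(buf):
            # A hole in the stream: refuse to scan an incomplete conversation.
            raise ValueError(f"gap in stream at offset {len(buf)}")
        buf.extend(payload[len(buf) - offset:])  # drop the overlapping prefix
    return bytes(buf)


def match_reassembled(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Engine that applies the signature to the whole reassembled conversation."""
    return signature in reassemble(segments)


def fragment(stream: bytes, sizes: List[int]) -> List[Segment]:
    """Split a stream into segments of the given sizes (constructed traffic for the demo)."""
    out, pos = [], 0
    for n in sizes:
        out.append((pos, stream[pos:pos + n]))
        pos += n
    if pos < len(stream):
        out.append((pos, stream[pos:]))
    return out


if __name__ == "__main__":
    stream = b"GET /x HTTP/1.1\r\n\r\n" + SIGNATURE + b" trailing"
    segs = fragment(stream, [24, 10, 8])  # signature straddles three segments
    print("per-packet:", match_per_packet(segs), "reassembled:", match_reassembled(segs))
```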

“We are definitely disappointed with the results from the AV vendors”, Moy said. “There hasn’t been a lot of acknowledgement that this is a problem that needs to be addressed by the AV vendors”, he stressed.
