The simple answer is ‘no, nor should they’. But that requires some context. It is fair to say that the original anti-virus companies are slowly attempting to rebrand themselves as security companies. This is because they have added additional capabilities to their products to the extent that they are now better classified as security suites rather than just anti-virus. Nevertheless, the original branding remains strong: an anti-virus product is designed to stop viruses. But if that is the case, anti-virus cannot protect against a vulnerability since a vulnerability is not a virus and cannot be stopped
Rik Ferguson, EMEA director of security research & communications at Trend Micro (whose layered security product performed very well in the test), described it like this. “A vulnerability is like leaving your front door open,” he told Infosecurity. “But that doesn’t mean you’ve been exploited – although an infection might subsequently be carried into your living room through the open door.” In this analogy, the purpose of anti-virus is to detect the virus trying to get in through the vulnerability. The solution to an open door is to close it; anti-virus attempts to provide a temporary partial solution by preventing things coming through it while it is still open.
Panda Security senior research advisor Pedro Bustamante puts it more bluntly. “It is not the job of anti-virus to protect against unpatched software vulnerabilities unless malicious code is detected.” That doesn’t mean that the wider, layered security of what used to be known as the anti-virus industry cannot be effective against vulnerabilities – only that anti-virus per se is not concerned with vulnerabilities. But the NSS report asks if AV products protect against vulnerabilities – they cannot, although the wider endpoint security suites will be more effective.
Any ability for the AV industry to protect against vulnerabilities will also depend upon the relationship between the vendor of the vulnerable software and the AV company. “Microsoft is pretty good these days at advising security companies about MS-specific vulnerabilities,” ESET senior research fellow David Harley told Infosecurity, but other companies are not. “I don't see most AV scanners competing on a level playing field with dedicated vulnerability scanners,” he added.
And this is the problem. Unless the security suite includes a specific vulnerability scanner, it should not be expected to be good at protecting against vulnerabilities. But by saying that the report analyzes AV products, and finds many wanting, the report implies that anti-virus itself is not delivering.
However, one thing is agreed by all: timely patching is always the best solution against vulnerabilities since they close the vulnerability door; and without the vulnerabilities, there is no malware. The solution, said Bustamante, is “ensuring software is fully up to date – along with security software, user behaviour and the other layers of security. This is the best way to mitigate risk.”
“Patching (and pre-patching remediation where advised by the provider) is still the first line of defense – though using a vulnerability scanner is also worth considering, certainly in an organizational context,” added Harley.