
Security software is designed to keep users safe from malware and other online threats. As such, it enjoys great affection among ordinary users, the majority of whom feel antivirus solutions have helped protect them throughout their digital lives. People worry they would be exposed to considerably greater risk online without it.

That’s a fair expectation, but most AV tools don’t live up to it.

Security software is exactly that: software. All computer programs are vulnerable to bugs and other shortcomings that may detract from their ability to perform as well as they claim. Antivirus is no different.

Perhaps no one understands this reality better than Tavis Ormandy, a researcher for Google Project Zero.

Ormandy has built a name for himself discovering security issues in well-known AV solutions. In February of this year alone, the researcher found a bug in Avast’s SafeZone that placed passwords in danger. He also unearthed a flaw in Malwarebytes that exposed users to man-in-the-middle (MitM) attacks that same month.

More recently, Ormandy determined that GeekBuddy, a remote desktop tool for Comodo, came configured with weak to no authentication despite having full admin privileges. This insecure setup meant that anyone could connect to a user’s computer via an IP:port combination.

The researcher has discovered scores of these types of issues throughout his career. While they are unfortunate, most of the flaws he finds are isolated and can be fixed by the product vendor.

Some issues are more complicated, however, and an even smaller number of problems affect not just one company but antivirus as an industry.

Ormandy came across one such problem recently.

During his work with Comodo, in whose antivirus solution he discovered “hundreds of critical memory corruption flaws,” the researcher noticed that the security firm was working toward certification from Verizon. He was therefore surprised when the company was awarded an “Excellence in Information Security Testing” award despite its default installation enabling a VNC server with weak authentication, its installed-by-default browser disabling the same-origin policy, its scanning process running without address space layout randomization (ASLR), and its product using access control lists (ACLs) throughout.

How could this have happened?

Ormandy feels Verizon’s certification methodology is to blame. It is based in part on a set of criteria such as the candidate’s ability to “include Administrative Functions to Enable and disable the Detection of Malware” and to “demonstrate through On-Demand testing that it Detects Malware.”

“These are the meaningless tests that antivirus vendors will actually scramble to pass,” Ormandy laments in a blog post. “Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.”

Specifically, the researcher recommends that Verizon integrate parts of Microsoft’s Security Development Lifecycle, including dynamic analysis, fuzz testing, and attack surface review, to test each certification candidate against the reality of today’s threats.
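One concrete check of the kind Ormandy is asking for, covering both the ASLR finding above and the attack surface review he recommends, is to verify that a product’s binaries actually opt into the platform’s exploit mitigations before certifying it. The script below is an added example written for this article, not code from Ormandy, Comodo or Verizon: it parses a PE image’s optional header, reads the DllCharacteristics flags defined in the PE/COFF specification, and reports whether ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and, for 64-bit images, high-entropy address space are enabled. The sample images it checks are constructed header-only stubs built by `build_minimal_pe` (a hypothetical helper added here so the example runs offline); a real audit would feed it the vendor’s installed executables and DLLs instead.

```python
import struct

# Optional-header DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PE32_MAGIC = 0x10B      # 32-bit image
PE32PLUS_MAGIC = 0x20B  # 64-bit image


def dll_characteristics(pe_bytes):
    """Return (optional-header magic, DllCharacteristics) from a PE image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF file header is 20 bytes; the optional header follows it.
    opt = pe_offset + 4 + 20
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+.
    (dllchar,) = struct.unpack_from("<H", pe_bytes, opt + 70)
    return magic, dllchar


def assess_mitigations(pe_bytes):
    """Report which mitigations an image opts into and which checks it fails."""
    magic, dllchar = dll_characteristics(pe_bytes)
    result = {
        "is_64bit": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "force_integrity": bool(dllchar & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
    }
    # A scanner that parses untrusted files should at minimum run with ASLR and DEP;
    # on 64-bit, HIGH_ENTROPY_VA is what gives base randomization a useful range.
    failures = []
    if not result["aslr"]:
        failures.append("ASLR (DYNAMIC_BASE) not enabled")
    if not result["dep"]:
        failures.append("DEP (NX_COMPAT) not enabled")
    if result["is_64bit"] and not result["high_entropy_va"]:
        failures.append("HIGH_ENTROPY_VA not enabled on a 64-bit image")
    result["failures"] = failures
    return result


def build_minimal_pe(dllchar, pe32plus=True):
    """Constructed, header-only PE stub (not loadable) used to exercise the checker."""
    pe_offset = 0x80
    dos = bytearray(pe_offset)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "weak_scanner.exe (constructed)": build_minimal_pe(0),
        "hardened_scanner.exe (constructed)": build_minimal_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
            | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
            | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }
    for name, image in samples.items():
        report = assess_mitigations(image)
        verdict = "PASS" if not report["failures"] else "FAIL"
        print(name, verdict, "; ".join(report["failures"]))
```

The check only reads the header flags, so it is cheap enough to run over every file a product installs; a certification that fails a candidate when its scanning engine shows up in the FAIL list would be testing something Ormandy’s memory corruption findings show actually matters.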

Verizon’s antiquated certification methodology is part of a larger problem: signature-based security software fails to detect emerging malware. Indeed, in its 2015 State of Infections report, Damballa found that a majority of high-profile antivirus solutions overlooked 70 percent of malware within the first hour. It is this type of finding, coupled with the discovery of persistent flaws in individual tools, that has led some to question whether relying on antivirus actually makes users insecure.

If antivirus is to rescue its relevance, it is going to need to reinvent itself and its reliance on signature-based detection. One way forward could be solutions that use protocol-specific deep packet inspection (DPI) to scan for threats in users’ emails and other pieces of digital correspondence.

To read about how protocol-specific DPI challenges the signature-based inspection model, please read Belden’s blog post here.

Title image courtesy of ShutterStock