Internet security suites do little to protect users against exploits, according to security notification firm Secunia.

The Danish security notification firm is urging a root and branch
rethink on how security suites are designed, moving away from
"ineffective signature-based detection" to a smarter form of defence.

However, an anti-virus expert whose firm’s products were not involved
in the tests said Secunia’s approach only tested against one aspect of
how security suites protect consumers, and were therefore potentially

Secunia tested 12 suites
(which typically bundle firewall, anti-malware
and anti-spam functions
) against a range of 300 exploits targeting
vulnerabilities in various high-profile programs.

Even though it blocked only 64 out of 300 exploits, Symantec’s Norton
Internet Security 2009 came out best from the test, detecting almost
ten times more exploits than its nearest competitor. Security suites
from the likes of Kaspersky, Check Point, Microsoft, AVG and McAfee all

Security product bundles are marketed as comprehensive Internet
Security Suites, leaving the impression that the user is fully
protected against internet threats. Secunia’s tests suggest the
products fail to do what they say on the tin. Symantec has recently
begun introducing behaviour-based detection, which helps to explain why
its software did the best of a bad bunch.

Thomas Kristensen, chief technology officer at Secunia
, said that the
shortcomings of security suites combined with the fact users rarely
keep systems fully patched made a recipe for trouble.

"While we did suspect that the popular security vendors would score
quite poorly in detecting exploits, the extremely low detection rate
took us by surprise and this really begs the question: Does the
customer get their money’s worth?"

Computer users therefore need to keep up to date with patches in order
to have any hope of withstand hacking attacks. Secunia’s free Personal
Software Inspector
(PSI)* and the similar functionality within
Kaspersky Internet Security 2009 make it easier to keep up to date with

Graham Cluley, senior technology consultant at Sophos, which focuses on
the corporate market and did not take part in the tests, agreed that
applying patches was important. "There’s no such thing as a perfect
security suite, but security software reduces threats and people
shouldn’t come away from these tests with the conclusion that they
these products are ineffective."

Cluley added that the tested problems might do better in real world
conditions rather than in the lab because of run time protection.
Security products commonly scan files before they are run as well as
monitoring what they are doing once they begin running. That means that
although Word files harbouring 0day exploits, for example, may make it
past scanners they might be prevented from running.

"They [Secunia] haven’t actually "run" these exploits on the computer –
so it’s not really a "real-life" test of how well these security suites
would perform," Cluley explained. "It sounds like only one aspect of
the suites was tested, rather than all of the ways in which they might
have been able to protect the users."

Secunia said its tests illustrated the shortcomings of signature-based
security suites. Generic detection of exploits would be a better
approach because what triggers a vulnerability (unlike the payload of
an attack) doesn’t alter, Kristensen pointed out.

"Even with a very rapid creation of payload-based signatures, all their
customers are still left exposed for a considerable amount of time from
the point when the criminals start distributing their new payload until
it has been ‘caught’, analysed, a signature has been created, the
signature has undergone quality assurance testing, the signature is
published, and finally downloaded and activated by the security
software," Kristensen said.

"Determining the characteristics of a vulnerability is somewhat more
complicated and takes longer than than creating a payload based
signature, however, it need only be created once," he continued. "Often
the security vendors can finish their analysis and create a signature
in the same time as the criminals can develop an exploit and start
their criminal attacks."

Cluley argued that this criticism was misplaced, as security firms all
moved away from signature-based detection years ago. He said modern
security suites made far greater use of generic and behaviour-based
detection as a way of dealing with the growing volume of malware-sample