NSS Labs: Half of top antivirus suites fail against HTTPS exploits

You don't hear about the Texas-based outfit NSS Labs as much as you do about other higher profile companies such as AV-Test.org and AV-Comparatives.org. That isn't because the researchers aren't busy; it's because the vast majority of their research is commissioned by large companies for internal use.

However, from time to time they release findings to the public, notably their studies on how well browsers block web malware. At the moment, NSS researchers have a major test of consumer endpoint security in the works. In preparation for that, they've just released a mini-test that evaluates how well popular security suites handle web-based exploits. The results will surprise you.

Exploits are attacks that attempt to gain control of the victim’s system through unpatched vulnerabilities in the operating system, the browser, or popular third-party applications. For this mini-test, the researchers started with two Microsoft vulnerabilities that were patched in June and July of 2012. Users who didn't apply those patches would be vulnerable.

Test Methodology

Rather than use any known malicious code or pre-packaged penetration tests, the researchers built their own exploits, two of them for each vulnerability. One exploit launched a program on the victim system (in this case the innocuous calc.exe). The other opened a remote access backdoor shell on the victim’s machine.

For testing, they installed no less than 13 popular security suites on test systems lacking critical patches for the two vulnerabilities. They launched each attack against each test system, first over a standard HTTP connection, and then over a secure HTTPS connection. The results, shown in the table below, are surprising.

Avast, Kaspersky, McAfee and Trend Micro stood firm against the exploits, blocking all four attacks over HTTP and over HTTPS. ESET and Norton did fine with the HTTP-based attacks, but missed half over HTTPS. AVG and Avira also blocked all HTTP-based attacks but didn't block any attacks that came in over HTTPS.

CA Total Defence, F-Secure and Microsoft also had trouble with HTTPS. They blocked half of the attacks over HTTP, but none over HTTPS. At the bottom, Norman and Panda blocked just one attack. On the plus side, they managed to block the attack whether it came in via HTTP or HTTPS.


The report points out that HTTPS connections are common, and that users can't assume HTTPS traffic is free of exploits. NSS Labs recommends that anyone using one of the security products that ran into trouble with HTTPS in this test should double-check that they've got all current patches in place. To make that task easier, the report suggests using some form of patch management tool like Secunia Personal Software Inspector.

Vendors whose products bombed under HTTPS may be able to slip in a fix before the full-scale consumer endpoint protection report in late 2012. You can view the full text of the mini-report on the NSS Labs website.

If mobile malware is also of interest to you, then you might want to have a quick read over our recent guide on how to avoid mobile maliciousness.