Our good friends at NSS Labs have released a new report today independently evaluating the effectiveness of Host Intrusion Prevention Services (HIPS) that are integrated into most mainstream security suites. In this go-round, they've evaluated solutions from AVG, ESET, F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro. As with previous reports I've reviewed (see AV/malware here and IPS here), this report provides a very thorough look at the capabilities of these product suites.
Testing Summary
First up, let's dig a bit into what exactly was tested. Traditional AV vendor products were generally targeted. In this day and age, these products are universally advertised as "security suites" that not only provide traditional AV scanning services, but also provide "enhanced" services, such as those targeted at preventing an exploit from being successful. The notion here is that your average drive-by malware incident has two components: the exploit and the malware (payload) itself. Traditional AV scanning targets the malware through signature-based scanning, whereas the newer HIPS components are more dynamic in nature and seek to block the exploit itself from succeeding, before any payload is delivered.
A couple of products notably absent from this round of testing were the Cisco Security Agent (CSA, formerly Okena StormWatch), for which Cisco has announced end-of-life, and Solidcore's security solutions (now owned by McAfee, but not yet integrated into McAfee's security suite). The reason I note these products is that they provide a good example of the type of service being tested in this latest NSS Labs report.
The goal, then, was quite simply to evaluate how well these products met their claims of blocking exploits vs. blocking malware. The results are none too positive, with a couple of notable exceptions.
Results Summary
To find out who did really well, you'll need to go buy and read the report. However, a few tidbits can be shared. First and foremost, lots of users and enterprises are SOL in this area (blocking the exploit). In particular, the report states that "between 70-75% of the market is under-protected."
Also consistent with previous reports, it seems that you oftentimes get what you pay for. The bigger ("fatter") packages seem to actually come through with performance, whereas a lot of the lightweight solutions just don't make the grade. Also, it seems clear that more than a couple of AV vendors don't quite understand what it is they claim to be providing.
Specifically, four vendors were given a "Caution" rating by NSS Labs for having woefully inadequate capabilities in this area. AVG, ESET, Norman, and Panda all fell short in the testing, leaving their customers heavily exposed to exploits, and relying on outdated and easily bypassed malware detection methods. It's worth noting that this is the second time that ESET has been shown to have poor performance (the last time being NSS Labs' report on malware detection last year, available here).
Now What?
If you can afford the price and are in a position to recommend or purchase endpoint security solutions, then I highly recommend buying a copy of this report. The data is valuable and should be useful in creating a short list of viable products. Ultimately, though, there should be very few surprises in here.
Now, if you happen to have one of the four "Caution" products, then you have a whole different kind of dilemma. When is your contract up for renewal? How happy are you with the product currently? It's probably time to start looking at replacing those solutions, and perhaps sooner rather than later. Given the results of last year's AV test, when combined with this HIPS test, it is very clear who the top-tier choices are. As much as we'd like to believe that the AV market is commoditized, nothing could be further from the truth.
Reference:
Q2 2010 Endpoint Protection Product Group Test Report: Host Intrusion Prevention