August 3, 2010

I recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines of defense built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

As I wrote last month:

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operating system, and they’re designed to make it difficult for attackers to develop reliable exploits for vulnerabilities in Windows applications. As we saw last month, few top apps invoke the protections, but many readers may be surprised to learn that few anti-virus products have adopted these technologies.

I installed the trial versions of a dozen top anti-virus and security suites on a virtual machine running Windows Vista, and then checked each product’s executable files using Microsoft’s excellent Process Explorer tool, which provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR.
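The Process Explorer columns the article relies on reflect a per-binary opt-in stored in the PE header, so the same question can be answered statically for every executable and DLL a suite installs. The script below is an added example, not code from the article or from any vendor: it reads the DllCharacteristics field of the optional header (the bits set by the Visual C++ linker switches /NXCOMPAT and /DYNAMICBASE) and also flags an image that asks for ASLR but has had its relocations stripped, which cannot actually be rebased. The minimal PE headers it parses in its demo are constructed in the block; the static flag is only the opt-in, while Process Explorer shows the runtime state, which system policy or a tool like EMET can change.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits: the per-binary opt-in behind Process Explorer's columns.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (linker /DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (linker /NXCOMPAT)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_HEADER.Characteristics: no .reloc data, cannot be rebased
IMAGE_FILE_DLL = 0x2000              # IMAGE_FILE_HEADER.Characteristics: image is a DLL


def pe_mitigations(data: bytes) -> dict:
    """Report the DEP/ASLR opt-in bits of a PE image given its raw file bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes); we need SizeOfOptionalHeader and Characteristics.
    _m, _n, _t, _p, _s, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        bits = 32
    elif magic == 0x20B:
        bits = 64
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    aslr_flag = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "bits": bits,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": aslr_flag,
        # DYNAMIC_BASE without relocation data cannot actually be randomized.
        "aslr_effective": aslr_flag and not relocs_stripped,
    }


def scan_file(path: str) -> dict:
    """Check a real executable or DLL on disk (e.g. every file in an AV install directory)."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


def describe(name: str, info: dict) -> str:
    """One line per image, in the style of the per-process lists in the comments."""
    dep = "DEP enabled" if info["dep"] else "DEP disabled"
    if info["aslr_effective"]:
        aslr = "ASLR enabled"
    elif info["aslr"]:
        aslr = "ASLR flagged but relocations stripped"
    else:
        aslr = "ASLR disabled"
    kind = "DLL" if info["is_dll"] else "EXE"
    return "%s (%d-bit %s) - %s, %s" % (name, info["bits"], kind, dep, aslr)


def build_pe_header(dllchar, pe32plus=False, relocs_stripped=False, is_dll=False):
    """Constructed minimal PE header (no sections) so the check can run offline."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> offset 0x40
    chars = 0x0002  # IMAGE_FILE_EXECUTABLE_IMAGE
    if relocs_stripped:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    if is_dll:
        chars |= IMAGE_FILE_DLL
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: both bits set; a DLL flagged for ASLR but stripped of relocations; 64-bit with neither.
    print(describe("both.exe", pe_mitigations(build_pe_header(0x0140))))
    print(describe("nobase.dll", pe_mitigations(build_pe_header(0x0040, True, True, True))))
    print(describe("neither.exe", pe_mitigations(build_pe_header(0x0000, pe32plus=True))))
```

Run it with `scan_file()` over each .exe and .dll in a product's install directory to get the per-file list the comments ask for, DLLs included.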

Among the anti-virus products that used neither ASLR nor DEP were AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010.

Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista (although interestingly it does not invoke DEP on Windows XP). Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite. For example, McAfee Internet Security’s “mcagent.exe” program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR (since these tests were run, McAfee has changed the trial version of MIS available on its site, and the company sent me a screen shot that shows DEP and ASLR on all running processes in that version).

Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. Kaspersky Internet Security had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components.

To be sure, DEP and ASLR are not panaceas: Security researchers have come up with a number of clever ways to bypass these protection mechanisms. Still, it’s interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders. Second, anti-virus products are not immune to introducing their own exploitable software flaws.

I sought comment from all of the anti-virus vendors whose products I examined (except for Microsoft) and received a few responses. Most either downplayed the usefulness of the two technologies in combating today’s threats, or said that they planned to implement the protections in upcoming releases.

Mikko Hypponen from F-Secure said that “adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we’ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.”

Pedro Bustamante, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favor of their own technology “to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.”

Bustamante continued: “These Microsoft technologies might be a good solution for certain types of more basic applications, but from our point of view are insufficient for an anti-malware product trying to get a more defense-in-depth approach to securing the whole OS and third party applications.”

Bitdefender said it plans to incorporate DEP and ASLR in its 2011 suite of products.

Symantec’s director of product management, Dan Nadir, said Norton Internet Security 2010 does in fact include support for DEP (although my experiments with Process Explorer showed it was not enabled) and that the company is “evaluating possible support of ASLR in future versions of our products.”

The research team from ESET responded: “Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity comes in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized…We will consider adding the features in the future, but not without extremely rigorous testing.”


35 thoughts on “Anti-virus Products Mostly Ignore Windows Security Features”

  1. Richard Steven Hack

    So what’s YOUR response to THEIR response that it’s either not needed or can be done better in other ways?

    I don’t know what to think based either on the fact that some products use DEP/ASLR and some don’t, or their responses.

    I do think it obvious that Microsoft’s products would use both technologies.

    As to your two points, 1) even if these technologies raise the bar for malicious coders, it clearly hasn’t stopped them significantly either. So I don’t see that as proof the AV products should use them, especially if it’s true that there are better ways – IF that’s true. And 2) all software has flaws, so it’s not surprising that AV products do, so that’s not necessarily an argument for using DEP/ASLR absent other reasons.

    It may be interesting that AV products don’t use these technologies, but based on this post, I’d say the jury is out on whether that’s necessarily important.

    Certainly correct to raise the issue, however, well done.

  2. Wladimir Palant

    Brian, did you really check ASLR for the executable only? If so, you should check it for the DLLs as well, Process Explorer allows adding this column to the DLL view. For example, Firefox used to enable ASLR on the executable and most DLLs but not nss3.dll and nspr4.dll (this has been fixed in Firefox 3.6.7). I wouldn’t be too surprised if the vendors who supposedly implement ASLR failed to do it on some DLLs.

    1. Brian Krebs

      Wladimir, no I did not check the .dll files associated with each application. Perhaps fodder for a follow-up? This test took a long time to put together, and I realized that I was running out of time, as most of the AV vendors are getting ready to put out new versions of their products.

  3. Bryan Soemo

    My anti-virus of choice is currently Sophos, interesting that I did not see it tested here. I am curious to know if it provides this protection…

    1. Tom

      We also use Sophos, so I thought I’d check.
      (tests carried out on Win7 x64 and Sophos 9.5)
      SavService.exe – Both disabled
      SAVAdminService.exe – Both disabled
      ManagmentAgentNT.exe – Both disabled
      ALsvc.exe – Both disabled
      RouterNT.exe – Both disabled
      swi_service.exe – Both enabled 🙂
      sdcservice.exe – both disabled
      ALMon.exe – both disabled

      So, only one component of Sophos AV has DEP and ASLR enabled.

  4. Clive Robinson

    What is interesting to note is that individually either DEP or ASLR are not that difficult to get around. However when combined the result is considerably more than the sum of their effects.

    For those that want to know a little more in a quick and easy read,

    https://net-ninja.net/blog/?p=124

  5. Lawrence Munro

    I think this is a really interesting article and a thought-provoking read.

    However, I do agree with Richard that you haven’t really crafted any steps for further investigation as to whether DEP and ASLR actually improve AV efficacy or provide an opinion on the response of the vendors. Also, I’m not sure how effective using Process Explorer is for checking if AV vendors are using DEP and ASLR(?). Although I’m a big advocate of Mark Russinovich, is the tool 100% effective? Does it look for a registry setting or make a best guess based on how the process behaves?

    Also, like Bryan, I would like to see the full list of passes and fails? You seem to have named and shamed but a few.

  6. Clive Robinson

    Oh, this is not the only round-up of software not using DEP & ASLR. Secunia have produced four reports in the past couple of years on some very standard software you would expect to find on many, many desktops.

    The latest report came out about a month ago.

    Over on TAO Security Richard Bejtlich produced four nice tables so you can see easily who is dragging the ball on this,

    http://taosecurity.blogspot.com/2010/07/secunia-survey-of-dep-and-aslr.html

    It needs to be mentioned that DEP / ASLR are by no means new technologies; hardware support has been in some CPUs for something like 15 years. A project to implement it on Linux was producing kernel patches back in 2000 and it is built in as standard these days.

    It needs to be said that DEP & ASLR on Intel/Windows are a bit like putting wooden splints on a compound leg fracture, they might enable you to limp along till you can get the hospital to fix the fracture properly…

    The problem with ASLR on Windows is with libraries: it is the library “fixed” image that is moved up and down in memory and the various DLLs are loaded in a different order. Thus to get around ASLR you only need to know the location of one call to find the image offset to find all the other calls in that library. The obvious solution is to actually randomise the call entry points (and the call code) order in each DLL. In theory this is actually not that difficult to do, however in practice there are issues as the library might well call/jump around within itself, and as with MFC there are people using “unofficial” entry points.

    That being said randomising the call order within a library is not sufficient. There is still the issue of jumping into the code of a call at a known position. Thus library code will need to be written in a more defensive manner.

    As for DEP this is a CPU architecture issue. The von Neumann architecture has the advantage of allowing code or data to be put into one linear memory space, which is required for a single CPU system to load programs into memory.

    The strict Harvard architecture with two fully isolated linear memory spaces, one for code and one for data, does not allow execution of data; thus by design the attacks DEP is mitigating on von Neumann do not exist for strict Harvard. The problem with the strict Harvard architecture is obviously loading programs in: if the CPU cannot alter its code space then it cannot do the normal loading of a program that the von Neumann architecture so easily supports (this is why you tend to only see Harvard architecture in “embedded systems”).

    However in a strict Harvard architecture with a general purpose CPU you can have an additional state machine acting as a hardware hypervisor that is responsible for loading code. It can also get around another issue by actually taking control of the MMU used by the general purpose CPU away from it. This allows the CPU to be simplified and made more secure and use considerably less silicon space. It also allows the chip level hardware to still use a single linear address space as the Harvard CPU can have one MMU for its code space, and one MMU for its data space, both of which are entirely transparent to it.

    Although switching architecture sounds like a major undertaking it is not. Due to trying to get increased performance via caching the switch to Harvard has already been done; the “von Neumann” bit is done almost as an afterthought outside of the CPU core and caches.

    Further, the apparently odd use of MMUs has been done in the past and still is when multiple CPUs are mounted on the same linear memory space.

    Thus the modifications required to a multiple core chip are not as great as might be expected. Is it going to happen any time soon? Probably not, due to the extensive reworking that would be required for “some” OS code.

    1. Brian Krebs

      For the record, the Secunia study you reference was called out in both of the first two paragraphs of this story, where I reference the story about the original Secunia research.

  7. Alan

    I’m not surprised. Up until a few years ago many anti-virus products required admin rights to run properly. Running as non-admin provided better protection than running as admin in conjunction with anti-virus (or do I mean scareware?).

    On XP SP2 and SP3 (I’m not sure about Vista and W7) DEP only protects core Windows components and services by default. It has to be turned on manually for other programs. See http://technet.microsoft.com/en-us/library/cc700810.aspx

    Also worth checking out is a Microsoft tool, EMET v2, that’s about to be released. It allows you to force apps that aren’t using DEP, ASLR and a number of other protections to do so. More information here:
    http://blogs.technet.com/b/srd/archive/2010/07/28/announcing-the-upcoming-release-of-emet-v2.aspx

    1. Alan

      EMET 2 is now available (9/2/10). It’s free.

      The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
      http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx

      From the User Guide:
      “Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation.”

  8. Alan

    There’s a detailed video on EMET 2 here:
    http://technet.microsoft.com/en-us/security/ff859539.aspx

    For Peter Vreugdenhil’s account of his W7 IE8 hack, which involved getting round DEP and ASLR, at this years CanSecWest Pwn2Own contest see:
    http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

    Vreugdenhil: “This was not as easy as it is to write about it, and it took quite some tricks to get the heap layout the way I wanted it and in a way that the browser would survive a controlled buffer overflow and not crash before I was able to use the information we got.”

    Symantec on take-away message:
    “ASLR and DEP are important anti-exploitation advancements and in some cases they assist in hindering memory corruption vulnerability exploitation. However, it is important that we do not consider these technologies a panacea for such vulnerabilities. The effectiveness of ASLR and DEP in protecting against reliable exploitation of a vulnerability is heavily influenced by the attack surface of the targeted application and the persistence and capability of the exploit developer.”
    http://www.symantec.com/connect/blogs/pwn2own-2010-lessons-learned

    Charlie Miller on DEP and ASLR in Windows and OS X:
    “Now with ASLR and DEP, it’s extremely hard to get exploits working on even toy programs….So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it’s no longer trivial to exploit….Here, Windows is ahead of OS X since both have DEP, but OS X only has limited ASLR….It’d be harder [to hack OS X if it had full ASLR]. Right now they have DEP+some ASLR. Of the executable code, which is what you really care about for DEP bypass, they randomize all but one library and the executable. So the amount of code you have is already small (so it’s already hard), but it’d be way harder if there was NONE – which is what full ASLR would give you.”
    http://threatpost.com/en_us/blogs/transcript-charlie-miller-mac-os-x-pwn2own-and-writing-exploits-031810

  9. Alan

    I guess I should add, based on what professional hackers like Miller and Vreugdenhil say about ASLR and DEP, that the comments you got from the anti-virus companies don’t encourage me to run out and buy one of their products.

  10. JCitizen

    I’ve long suspected Comodo uses settings of the Windows firewall to make its firewall work; perhaps there is even more to this?

    I’ve read many an expert say that if you configure Windows (post XP SP2 or newer) properly, that many security issues can be addressed.

    I know I manually do a lot of this, and my clients have no usability problems, and I rarely get calls related to such conflicts from them.

  11. CloudLiam

    Quite an interesting article along with the comments.

    My Dell 64-bit Windows 7 machine came with a free 18-month McAfee subscription. Unlike with Brian’s computer, Process Explorer shows both DEP and ASLR as disabled for mcagent.exe. DEP and ASLR are listed as n/a for all other McAfee processes.

    I wonder what’s up with that?

  12. Daniel

    I might just be dense, but I have been googling and cannot find instructions on how to add DEP to my c++ applications. Everything I find is to enable it on the system, not to software enforce it.

  13. Jim

    “The research team from ESET responded: “Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity comes in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized…We will consider adding the features in the future, but not without extremely rigorous testing.”
    ———————————————————————–
    This fellow should be in politics. He deployed a stream of verbal chaff to try and fool the reader into not seeing their inaptness.

  14. zeos

    has anyone checked security essentials? that would be funny if microsoft’s own anti-virus program didn’t use those features.

    1. Brian Krebs

      Zeos — As I said in the story, MSE was the only product that deployed ASLR and DEP across all executables (I didn’t check associated .dll files), although as I mentioned McAfee claims the new version of their product uses ASLR and DEP on all processes.

  15. Alan

    It’s interesting that some of the anti-virus companies are playing down the significance of ASLR and DEP as if it is some sort of toy protection that doesn’t add much when implemented in apps like their own, given that anti-virus isn’t very effective. I doubt anyone here thinks anti-virus provides much protection against ZeuS/Zbot and the other Trojans discussed on this blog.

    There is a long list of basic protections users should be doing to protect themselves (usually free, but they require awareness and education). In terms of effectiveness anti-virus is pretty low on the list. It’s just not very effective, but I suspect a lot of people think, “Oh, I’ve got anti-virus installed and it’s up-to-date and so I’m good to go” and don’t bother about any of the other things they should be doing to make up for the low level of protection provided by their anti-virus product. Of course anti-virus vendors have a financial interest in users over-rating their products. And the users in turn are probably only too happy to buy the quick, easy “fix”. Anti-virus is a product that enables lots of users to avoid dealing with security issues in any meaningful way.

    Here’s a report from today on the effectiveness of anti-virus:
    “Testing shows that even the most popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days. Even after 30 days, many AV vendors cannot detect known attacks, making it critical for enterprises to take a more proactive approach to online security in order to minimize the potential for infection,” said Panos Anastassiadis, COO of Cyveillance.
    http://www.net-security.org/malware_news.php?id=1419

    Here’s some earlier work done by Cisco that comes to similar conclusions:
    “Though the improvement over one week was significant, this example underscores the fact that antivirus products are reactionary and are likely to be only modestly effective when dealing with new samples. This leaves a window of opportunity for miscreants, where end users are particularly vulnerable even if they have antivirus products deployed and updated. Antivirus is not a replacement for end-user discretion and defense in depth.”
    http://blogs.cisco.com/security/comments/the_effectiveness_of_antivirus_on_new_malware_samples/

    1. Clive Robinson

      Alan,

      The quote you give about the 30-day period and having to do considerable additional work applies not just to business users but SoHo and home users.

      Sadly though they are not likely to have the in-house knowledge of where to start looking, let alone address the issue.

      And with most types of malware “hosts are effectively equal” when it comes to passing it on.

      It is not hard to see from “botnet” data the proportions of machines that are effectively “home user” and which are effectively “corporate users” and the imbalance.

      As with many very hard problems identifying the problem is easy enough, finding a solution is extraordinarily difficult.

      1. Alan

        Clive,

        I agree that SOHO and home users are a huge problem. Even in large companies you may have large numbers of people using laptops and other mobile devices that are moving in and out of the corporate network.

        Alan.

  16. Alan

    Brian:

    Microsoft has a tool called the BinScope Binary Analyzer that may provide a better check than Process Explorer. It analyzes binary code to check if various security features, like ASLR, have been set.
    http://blogs.msdn.com/b/sdl/archive/2009/09/16/two-new-security-tools-for-your-sdl-tool-belt-bonus-a-7-easy-steps-whitepaper.aspx. The tool is made available as part of Microsoft’s Security Development Lifecycle (SDL) program.

    A problem for Microsoft is that while they have changed their own practices, getting third parties to change their practices is a problem. They’ve had to go to a lot of effort just to get third parties to write programs that run properly without requiring admin privileges, never mind incorporate ASLR etc. See http://blogs.msdn.com/b/e7/archive/2008/10/08/user-account-control.aspx. And how many implement programs like SDL to improve the security of their code? My guess is not many.

  17. security bay

    I wonder what the cause for this is. Is this because of the AV developers’ ignorance about what Windows has to offer in terms of security, or are they pushing their own solutions in favour of the MS ones, because they believe they are better?

  18. Kevin

    Brian, I found this a very interesting read. I am surprised that a lot of the A/V vendors were not using this to help make their products even better; I think this would prevent a lot of the drive-by downloads that people are subjected to. I use Trend Micro’s products and have now for quite a few years, as I like their service and their product. I however did NOT know they never took advantage of the ability to use these features in their product. I sent Trend Micro an inquiry via an e-mail to the Tech Support people, asking if this will be added in an update or in their next 2011 product line. I also sent them a link to this story to see if they will publicly respond to the results of your test and story. I am amazed that more anti-virus vendors didn’t respond to your story and the question you raised to them about using these features to make a better and more secure product for the home and business customers. You have opened my eyes, as I was very shocked to see my A/V choice wasn’t using these features. I wonder how many other followers of your blog, like myself, are considering switching to something that is designed with a little more in mind to protect us… Thanks for looking into and researching this Brian; once again you always have some very good investigative reporting on something most of us would never have known was amiss.

    1. Brian Krebs

      Hi Kevin. I’m glad you enjoyed the story. It took some time to report. So it’s not like the AV vendors who didn’t respond weren’t given ample time to do so. Given that, I thought it strange as well.

  19. Kevin

    For your info Brian, I have also submitted your story to Slashdot as I think this is well worth the read and I think a lot of people are going to be interested in the results. Maybe this will get some more comments back to you from the A/V vendors.

    1. Brian Krebs

      Thanks, Kevin! Although I just poked my head in to the submissions queue at Slashdot and it looks like you posted almost the entire story verbatim? I think Slashdot probably prefers summaries (I would prefer them as well ;))

  20. Kevin

    Re- submitted without the whole thing in verbatim Brian, once again my apologies.

  21. Miloss

    DEP is not a MS Windows feature, at least not proper hardware DEP (my installation reports software DEP only).

    Although the hardware has been able to do it for more than 15 years, a lot of BIOSes fail to enable the feature. (My Linux box gives me a warning that my CPU can do DEP, but the feature is disabled in the BIOS, which does not support enabling it. A pity. I’ll have to check the Coreboot project state again.)

    And only 64-bit or 32-bit-with-PAE OSes can do DEP.

  22. me09

    Hello. I am sad to hear this news but I can tell you that my Kaspersky antivirus is 100% compatible with my Windows XP. Since I updated it, helped by top ten best antiviruses http://www.best-antivirus.co/, it works perfectly.
    Have a nice day.

  23. Cayla Craft

    Last year I used Avast! and this year, I prefer Bitdefender 2011 Total Security. I think it can’t be made a simple point that antivirus ignores Windows security features, because the security software company has divided it into several branches.
