In association with heise online

03 August 2010, 14:10

Anti-virus software does not make full use of Windows exploit protection features - Update


Avira's anti-virus protection for Windows uses DEP and ASLR, but not for all processes. A process whose DEP status is shown as "permanent" cannot have DEP disabled.

According to a blog posting by Brian Krebs, many anti-virus products do not make full use of Windows' Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) features to thwart attacks that target potential vulnerabilities.

Krebs was prompted to take a close look at anti-virus products by research published four weeks ago by security firm Secunia, which found that hardly any of 16 popular applications examined, including browsers, media players and office applications, utilised Windows exploit protection features. Security products are the first place you would expect to see these features used – especially as it isn't that rare for anti-virus software itself to contain vulnerabilities. Although it's possible to get around DEP and ASLR, they do raise the bar for successful exploits.

Using Windows' Process Explorer, Krebs checked whether various anti-virus products were using DEP and ASLR under Windows Vista (XP does not support ASLR). He found that AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010 do not use either DEP or ASLR. Only Microsoft Security Essentials activates both DEP and ASLR for its processes. Other vendors, such as Avira, McAfee and Kaspersky, fail to activate these protective mechanisms consistently for all processes.

According to Krebs, F-Secure and BitDefender intend to implement support for DEP and ASLR in future versions. Avira also plans to do so in version 11 of its product, as it will no longer support Windows 2000, which has neither DEP nor ASLR. Panda does not use DEP or ASLR because it has implemented its own protection mechanism. According to Symantec, DEP at least should already be active in Norton, with ASLR to follow in future versions. ESET, on the other hand, considers Windows' exploit protection features to be inadequate, stating that without sufficient testing ASLR offers an additional attack surface.

Update: If Process Explorer is run without administrator rights, it shows incorrect information for some services and processes. This could also lead to false results for Norton.
