AV-Test Self-Protection of Antivirus Software: https://www.av-test.org/en/news/news-single-view/check-2015-self-protection-of-antivirus-software/
This sums up the review nicely: For consumer products, Avira, Bullguard, ESET, Kaspersky Lab, McAfee and Symantec use the DEP & ASLR technologies 100%. In terms of digitally signed files, ESET, McAfee and Symantec also did a good job.
Nice test, a shame so few score 100%. DEP&ASLR have been around for years now. The score for newer mitigations would probably be very awful. It would be interesting to also show server connection security in the next version of this test; is TLS used? If yes, is it TLS 1.2 and does it use Forward Secrecy? With all the cloud phone-home features it is important this information is protected in transport. Another interesting test would be to see if AVs properly verify update files.
Care to elaborate, vlk? I'm interested in hearing the reasons, because I've seen similar self-protection tests that were severely flawed as well (tester killing avastUI.exe and basing the conclusion on that).
Sure. All the tester did was run a static scan of the binaries installed by the AV product, checking whether the ASLR and DEP flags are enabled in the PE header. There are multiple issues with this approach:

1. Since they don't scan the live processes (just static binaries on the disk), the situation when the binaries get loaded into memory may be totally different. Other 3rd-party DLLs that don't have ASLR/DEP enabled may be loaded as well. In-memory modifications can be made. Etc.

2. On the flip side, the fact that a binary is present on the disk doesn't imply it gets loaded -- or that it gets loaded the way the tester assumes (i.e. as a normal EXE/DLL). For example, the binary may be an empty stub used to replace malicious code during the cleaning process. Or it may be part of a sensor/honeypot system where the point is NOT to have DEP/ASLR enabled, to maximize its effectiveness. Etc...

The point is, the tester made the assumption that all binaries present on the disk are used in the normal, traditional way -- which is often not the case, especially with security software. Very often, the lack of DEP/ASLR flags in security software is not a result of some kind of sloppiness; instead, it's part of a carefully crafted design.

Based on that, I think the results of this test have very little correlation with the actual ability of the product to protect itself against malware. Instead of doing the test properly, the tester just took a shortcut and did a simple scan of all the binaries in the product, without even trying to understand the purpose of these binaries and the way they are used.

Thanks, Vlk
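Added example (not from this thread, AV-Test, or any vendor): the kind of static PE-header check the test relied on, in Python, reading the DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE, HIGH_ENTROPY_VA) opt-in bits from IMAGE_OPTIONAL_HEADER.DllCharacteristics. The sample image is a constructed header with no sections, and `summarize` is an assumed helper for listing files that lack either bit; as the post above explains, this only describes the file on disk, not what is actually loaded or how it is used.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in


def pe_mitigation_flags(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in bits from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or size_of_optional < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_test_image(dllchar: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal header (no sections), just enough to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    optional = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dllchar) + b"\0" * 24
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), 0x2)
    return dos + b"PE\0\0" + coff + optional


def summarize(images: dict) -> list:
    """Names of images (name -> bytes) that lack DEP or ASLR on disk."""
    missing = []
    for name, data in images.items():
        flags = pe_mitigation_flags(data)
        if not (flags["aslr"] and flags["dep"]):
            missing.append(name)
    return sorted(missing)
```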