NSS Labs said the average protective score was 76 percent among the 10 suites for "original exploits," or the first exploit to be made publicly against a particular software vulnerability. Three of the 10 caught all original exploits. For variant exploits, the average protective score was 58 percent.
"Based on market share, between 70 to 75 percent of the market is under protected," the report said. "Keeping AV software up-to-date does not yield adequate protection against exploits, as evidenced by coverage gaps for vulnerabilities several years old."
NSS Labs president Rick Moy said all of the vulnerabilities are "low-hanging fruit." Information on the vulnerabilities has been available in some cases since 2006, which means the hackers all know the problems and the exploits are still being used.
But security software companies have tended to focus on the malicious software delivered after an exploit. Those samples now number in the millions. Exploits, however, are far less numerous and would be a better choke point for protecting computers.
"I think part of the problem is the industry is focusing more on the malware than the exploit," Moy said. "You need to look at both, but ... you really need to look at vulnerability-based protection and stopping the exploits."
Patching the known vulnerabilities will also stop the exploits, but many companies won't apply all patches immediately since it may break other software those companies are using, Moy said. Security software represents a good "virtual patch," but only if it can detect those exploits and subsequent malware, he said.
NSS Labs puts the suites in three categories: "recommend," which means a product performed well and should be used in an enterprise; "neutral," which means a product performed reasonably well and should continue to be used if it is already in use; and "caution," which means the product had poor test results and organizations using it should review their security posture.
NSS Labs chose to reveal those security suites it rates as "caution": AVG Internet Security Business Edition 9.0.733, ESET Smart Security Enterprise Business 4.474, Norman Endpoint Protection 7.2 and Panda Internet Security 2010 (Enterprise) 15.01. The full report costs $495 and is available on NSS Labs' website.