Tuesday, March 16, 2010

Newsbank: AVG attacks NSS Labs vulnerability report

AVG Blog
March 12, 2010
NSS Labs’ Questionable Report
In an article today by Bob McMillan of IDG, he covered a vulnerability report by NSS Labs which claims that AVG does not block the recent Aurora exploit. According to the NSS Labs report, AVG didn’t catch the original attack or variants of the attack. These are strong accusations; especially since our tests show AVG software stops the Aurora attacks just fine - in fact three different security rules of our software stop it. So we called the good folks at NSS Labs this morning to ask them to show us how they tested. But guess what? They said they won’t tell us unless we pay them! So we are calling their vulnerability report into question. Here are some items about the NSS testing methodology that AVG is questioning:
NSS claims AVG does not block the Aurora exploit code provided on the NSS report under section 3.2.1. However, in testing the same exploit against the exact version NSS claimed that they used, AVG cannot replicate the negative result. In fact, the exploit is blocked separately by three different security rules of AVG’s product!

In the report, NSS didn’t disclose their other test code and code variants for revalidation of the results.

NSS wants to charge AVG money to demonstrate how they tested. It seems NSS is holding AVG hostage and wants to charge us ransom because we are questioning the validity of their claims about how they reached their conclusion.

NSS videotapes all of its testing and they agreed to send AVG the files within two hours of our phone conversation (which was on Thursday, March 11). However, it took them more than 14 hours and several requests for them to send us the video, which means we have been unable to validate the test prior to Bob McMillan’s article being published.

In our phone conversation with NSS about the results, they stated that their results had AVG blocking the original Aurora exploit, but failing when a variant was introduced. This is completely different from what is published in their report, and different from what they told the external press.

NSS lists the version of the AVG product tested to be 8.5.364 (an old version of our product). However, now they claim this was a typo and that they tested on our version 9.0. We are now reviewing the NSS video of the test to verify which version of our product was used and how the test was performed. We will share the results of our findings in this blog as soon as we have them.
This is a screenshot of AVG blocking the Aurora 0-day attack from the AVG labs.

This is a screenshot of the three security rules blocking the exploit for the Aurora attack.
The bottom line is this: when someone reports and informs the external press that our product doesn’t work, but we have solid proof that it does, we take these accusations very seriously and we expect them to offer some validation to back up their findings. It’s interesting that this is the first time in AVG’s history that anyone has come out and said that our product flat out doesn’t catch what it’s supposed to catch. That doesn’t fit with our reputation and it doesn’t fit our own experience with our 110 million customers. It just doesn’t smell right.
AVG eagerly awaits a further response from NSS so they can see for themselves that AVG does indeed protect its customers from the Aurora attack.
