Product Group Tests

Anti-malware (2009)

Group Summary

A strong product that delivers a broad range of protection, all for a fair price, makes F-Secure Client Security 8 our Best Buy.

Rich features and full protection for web and email make AVG Internet Security Network Edition 8.0 worthy of our Recommended rating.


Full Group Summary

Nine anti-malware products as diverse as the threats they manage, by Michael Lipinski

Malware is the catch-all for most malicious and unwanted software, and includes things such as viruses, worms, trojan horses, bots, rootkits, spyware and adware.

In this issue, we wanted to test the tools that we use to fight malware, and test the capabilities of these tools to handle the multiple threats we lump into the malware definition. We were also interested in their ability to centralise management and the reporting, alerting and deployment of the solutions.

Why is this important? There are numerous solutions for fighting malware: anti-virus, anti-spyware, anti-spam, anti-adware, rootkit detection, host-based intrusion detection and prevention, and personal firewalls. Anyone who has deployed one of these in an enterprise environment will appreciate the challenge of rolling out several solutions that are neither integrated with one another nor centrally managed to thousands or tens of thousands of users.

The approaches from the vendors we reviewed took on this challenge in some very creative ways. Some solutions were endpoint-focused, while others were gateway solutions. Some were software-based, some purpose-built appliances and others virtual appliances. We were interested in the kinds of malware these solutions could manage and the products' ability to centrally alert and report on threats.

All of the products reviewed covered more than one component of the malware definition we used above. Most provided anti-virus and anti-spyware. Some took a different approach and relied on other products to deliver the traditional signature-based virus and spyware protection, concentrating instead on protection from unknown threats through a more HIDS (host-based intrusion detection system)-like solution. The gateway solutions focused on web content and email protection from viruses, spyware, spam and malicious code in HTTP, FTP, POP3 and SMTP traffic.

We did not test the products for their catch rates. For this test we assumed they all have very similar catch rates for signature-based threats. We were instead looking for the products' ability to identify, alert on and stop zero-hour threats. Many of the products used firewall and IDS-like approaches to lock down executables, applications and registry items. Others used advanced heuristics for threat detection.

We focused heavily on the products' management solutions. Some of the products used web-based dashboards for centralised alerting and reporting. Other solutions allowed for full endpoint management: endpoint software deployment, centralised management, alerting, reporting and backup of client configurations. Some provided full network discovery via LDAP or Active Directory, and some provided network mapping via ICMP-based means. Other products required manual endpoint deployments that could then be managed by a central solution.

We were also interested in the products' ability to provide near real-time updates to virus and spyware engines and databases, through a centralised means that would reduce load on network bandwidth. Some products used server-based synchronisation and distributed architectures, while others used multicast technologies to distribute the updates.

We were pleasantly surprised to see that the endpoint interfaces were very intuitive and easy to use. The solutions provided a user interface for alerting, monitoring and local management functions, while reassuring the corporate security team by tracking and alerting the management server if users disabled any protection, changed program settings or policy, or started or stopped scans.

When evaluating the best solution for your enterprise, keep in mind that the cost savings, ease of deployment and manageability of the centrally-managed solutions come with a security price. Some required that ICMP be allowed through for automatic network detection. Some of the systems we tested did not respond well to restrictive settings on the Windows firewall, and required us to relax the firewall settings for remote discovery and management.
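As an added illustration of that trade-off (this is not part of the original review and not any vendor's documented procedure), the following PowerShell contrasts the weak response to the problem, switching the Windows firewall off for the domain profile, with the narrower fix: admit inbound ICMP echo requests and the agent's management port only from the management server. The management server address 10.0.0.5 and the agent port 8080 are assumptions for the example; substitute the values from the vendor's documentation.

```powershell
# Added example: scope Windows Firewall exceptions to the management server
# rather than disabling the firewall. Not vendor code; addresses and ports
# below are assumptions made for illustration.

# Assumed for this example: the anti-malware management server and the
# inbound TCP port its endpoint agent listens on. Replace with the vendor's
# documented values.
$ManagementServer = '10.0.0.5'
$AgentPort        = 8080

# --- Weak setting: what an impatient rollout does to make discovery work ---
# This removes all inbound filtering on the domain profile, far more than the
# management console needs, and leaves every endpoint answering pings and
# connections from anywhere on the network. Shown commented out on purpose.
# Set-NetFirewallProfile -Profile Domain -Enabled False

# --- Hardened setting: admit only what discovery and management require ---

# ICMP echo request (type 8) from the management server only, so ICMP-based
# network mapping works but the host does not answer pings from other sources.
New-NetFirewallRule -DisplayName 'AV-Mgmt ICMP echo from management server' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $ManagementServer -Profile Domain -Action Allow

# The agent management port, again restricted to the management server.
New-NetFirewallRule -DisplayName 'AV-Mgmt agent port from management server' `
    -Direction Inbound -Protocol TCP -LocalPort $AgentPort `
    -RemoteAddress $ManagementServer -Profile Domain -Action Allow

# Confirm the rules are present and the profile is still enforcing.
Get-NetFirewallRule -DisplayName 'AV-Mgmt*' |
    Format-Table -Property DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile -Profile Domain |
    Format-Table -Property Name, Enabled

# The NetSecurity cmdlets above ship with Windows 8 / Server 2012 and later.
# On the Windows versions contemporary with this review, the same scoped
# rules are created with netsh (same assumed address and port):
#   netsh advfirewall firewall add rule name="AV-Mgmt ICMP echo" dir=in `
#       action=allow protocol=icmpv4:8,any remoteip=10.0.0.5 profile=domain
#   netsh advfirewall firewall add rule name="AV-Mgmt agent port" dir=in `
#       action=allow protocol=tcp localport=8080 remoteip=10.0.0.5 profile=domain
```

Run this as an administrator on a test endpoint first, then deploy the rules through Group Policy so that every managed host gets the same scoped exceptions; the point is that discovery and management keep working while the rest of the inbound policy stays as restrictive as it was.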

All in all, we were pleased with the solutions we tested. They attacked the malware problem on multiple fronts and provided a means for alerting to allow for rapid remediation once a threat was detected. In a perfect world where budget is never an issue, the combination of the gateway technologies evaluated with the endpoint solutions would provide a very effective malware defence for your enterprise.

All Products In This Group Test