Product Group Tests

Anti-malware gateways (2008)

Group Summary

For its fully loaded feature set, with many extras and without a hefty price tag, we rate Trend Micro's InterScan Web Security Appliance v3.1 our Best Buy.

Our Recommended product is the BorderWare Email Security Gateway v7.1 with its strong malware and content protection across email, web and IM.

Full Group Summary

Contrary to expectations, this category is far from extinct, but the market is certainly characterised by a much smaller product choice compared to previous years.

By Peter Stephenson

Last year I predicted that we would see almost no pure anti-malware gateways by 2008. Well, it seems reports of the death of this market segment were premature, but we certainly saw nowhere near the number of products this time round.

However, those solutions we did look at were slick, well-conceived and easy to set up and manage. The big strength of these gateways is their ability to manage endpoint anti-malware products as well as provide a solid gateway. This led me to consider why the convergence trend has slowed down. So here are some thoughts on that:

First, the trend towards a single gateway device - a sort of super-UTM - badly affects the concept of in-depth defence. Leaving the UTM as the only device at the perimeter forces one to extend protection to the desktop in order to achieve in-depth defence.

Extending anti-malware protection to the desktop requires some way to manage large numbers of endpoints centrally. These anti-malware gateways don't provide what is needed in that regard. They do not allow things such as provisioning of current signature sets and they do not force automatic updating, for example, as a way to keep all endpoints current in terms of malware protection.

Rather, these products filter at the gateway based largely on protocols that attempt to pass the perimeter in either direction. In order to manage the endpoints you need an anti-malware management product. It is important to understand the difference.

The products we looked at have a wide variety of very interesting capabilities. For example, some used the notion of reputation to decide whether a particular website is likely to be a malware risk. At least one product does not require periodic updates. Instead it communicates with a server back at the vendor to check for the most current status of a website. This is a refinement on the use of reputation to determine risk.

Buying tips

My first piece of advice is to set your expectations correctly. What do you want to accomplish? If, as I pointed out above, you want to manage and correlate endpoints, this is not the right type of product. However, if you want to add a robust malware filter that operates in a variety of ways, this product group may be a good bet.

For example, if you have a problem with employees surfing the internet and then connecting to a secured network and possibly cross-contaminating the secure network, use a gateway to prevent the infection in the first place. Coupled with anti-malware at the endpoint, you'll have robust protection. However, do not expect your anti-malware gateway to manage that endpoint.

We found that focusing on the web covered almost all of the malware threats we considered. However, the issue of email is not to be forgotten. While there are competent email filters, a lot of email is exchanged using some form of webmail. The classic example of this is the employee who checks his or her Yahoo account while at work, picking up an infection and then contaminating the entire enterprise. For that, these products shine.

My second piece of advice is to be sure that you know what your throughput at the gateway needs to be. These generally are in-line appliances and on very large networks you should make sure that you've selected a product that won't increase latency unacceptably.

How we tested

For this group, we were not concerned about such things as catch rates. We have found, over years of testing, that products of the quality we were looking at usually all had similar catch rates.

We set the products up in our network test bed and noted how easy they were to set up and manage. We also looked carefully at how they performed their assigned tasks. In that regard we found some very innovative approaches to controlling malware.

We were mostly concerned with things such as how updating occurs, what technology is used to catch malware and how the device is managed. Reporting and alerting also were important to us. Finally, we wanted to know what types of malware the product caught. Overall, we were impressed with the clever ways in which these gateways do their jobs.

Managing malware at the perimeter is a difficult problem and, frankly, I question whether it can be effectively built into a UTM appliance.
