Product Group Tests
Anti-malware management (2010)
F-Secure Client Security 9 is our Best Buy for its strong feature set, ease of use and good price.
For its layered approach and its all-round performance, we rate AVG Internet Security Business Edition 9.0 Recommended.
Full Group Summary
Malware may be inescapable, but it can be managed at the endpoint. By Michael Lipinski.
Malware is the malicious, unwanted software that shows up as a virus, worms, Trojan horses, rootkits, spyware, some adware, bots, keystroke loggers and diallers.
There have been numerous instances of malware being used to steal and sell information such as credit card details.
In the US, Albert Gonzalez has just been sentenced to 20 years in jail for using malware to steal and sell more than 170 million credit card numbers. In 2007, a Trojan horse stole more than 1.6 million records belonging to people from Monster.com's job search service. And Torpig is a botnet that, as of late 2008, had been reported to have stolen about 500,000 online bank and credit card details.
Any good defence-in-depth security architecture will include several tools for protecting servers and workstations from malicious software. Malware targets defects in OS design and uses them to steal information or take control of the compromised system. Solutions for providing protection include anti-virus, anti-spyware, anti-spam, anti-adware and rootkit detection - all rolled into an anti-malware offering.
Our criteria for the reviews this month focused on technologies that are used to provide a central point for mitigation of the threat of malware. Malware management for the purposes of this group test was defined as a product that reduces the threat of malware on an organisational basis.
We saw a couple of approaches to solving the malware challenge. The first group of products took an AV approach to scanning and identifying threats in OS files, applications and registry. The second group used the approach of managing the ability to place a file onto the PC without your approval or knowledge.
We were interested in the approach the various products took to remediate the risk against today's more sophisticated blended threats, and the kinds of malware that these products could identify and stop. Since a breach is inevitable, we were also interested in the logging, event notification and reporting capabilities of the products to provide real-time alerting and auditing support.
We did not test the products for their catch rates. We assumed they all have similar catch rates for signature-based threats. We were looking for the ability to identify, alert and stop zero-hour threats.
Some products used firewall and IDS approaches to lock down executables, applications and registry items. Some used advanced heuristics for threat detection. Others provided scripting tools to allow for a wide range of additional management and alerting options.
We focused heavily on their management solutions. There were some that used web-based dashboards for centralised alerting and reporting. Others allowed for full endpoint management, endpoint software deployment, centralised management, alerting, reporting and backup of client configurations. Certain products provided full network discovery via LDAP or AD. Others provided network mapping via ICMP-based means or required manual endpoint deployments, managed by a central solution.
We were also interested in the ability to provide near real-time updates to virus and spyware engines and databases through a centralised means, to reduce load on network bandwidth.
Each of the products provided multiple components of the malware definition. Most provided anti-virus and anti-spyware. Some took a completely different approach, relying on other products to deliver the traditional signature-based virus and spyware protection of protecting against known threats, while they took a more focused approach on protecting from unknown threats.
Most of the solutions deployed easily, with fully automated processes that included the software load followed by a wizard-based configuration tool.
We reviewed the centralised management capabilities of the various solutions. We focused on: usability of the user interface; ability to detect or import the user workstations; automated or easy agent or software deployments; detailed alerting and event information; reporting and auditing capabilities; and advanced capabilities for detecting non-signature-based threats.
Overall, the products we reviewed did a good job attacking the malware problem. The integrated solutions were easy to use and manage, while the more focused ones would make a great collection of tools, if budget and staffing allow you to support that approach.