Anti-malware Technology Report, February 2011

The evolution of malware, security landscape and advanced technologies

Lysa Myers, Director of Research at West Coast Labs. Lysa can be contacted at lmyers@westcoast.com

There are few who are unaware of the malware landscape changing since the release of the first few viruses decades ago. But it seems there are just as few people outside the computer security industry who understand the nature of that change. No longer is malware as ethereal a threat as an urban legend, and no longer is the virus outbreak of the day making the evening news. Threats now come not by ones and twos but by the many tens of thousands each day, with the known total hovering in the tens of millions. And threats come quietly, remaining as far below the radar as possible to maximize their stay on an affected machine. Corporations are now victims of targeted attacks, as well as the regular masses of malware, and have specific needs for the protection of corporate information assets.

While malware activity has increased, security budgets certainly have not. Many corporate security staff find themselves facing a tidal wave of new threats without extra personnel or resources. They need security software to work faster, harder and require less manual interaction while providing detailed reports as to what actions have been taken. Machines which are infected need to be cleaned completely to get systems back up and running quickly and painlessly. Anti-malware software is only as good as its research and support departments. They are vital in order to have excellent response times to new threats and to provide top-notch customer assistance. As focus in corporate networks shifts away from the desktop into mobile, the cloud and virtual computing resources, security software needs to protect these environments too.

The way malware spreads has also changed – there is less concern for infecting oneself with a floppy disk or via poorly worded and spelled mass-mailer viruses. When malware authors discovered there was profit to be had in spreading their malicious wares, they began to take many of the tactics used by Search Engine Optimizers and improved their social engineering craft, placing files where people were most likely to run across them. Consequently, the web is now where the majority of people become infected with malware and, given the extent to which the internet is such an integral part of all corporations' business activities, the web is a potent threat vector. Companies' websites are regularly targeted for defacement or infected to spread malware to the site's visitors.

Given that the internet is operating system agnostic, and because current scripting languages allow for queries of the specific browser version of each visitor, malware can be spread in a manner which infects any particular visit. In the last few years, this has been a tactic which has proved increasingly popular with malware authors, increasing their reach as the market share of new technology increases.

Obviously, anti-malware products had to change with the times as the onslaught of malware has increased and the tactics of malware authors have shifted. The first anti-malware products were designed strictly as signature scanners, which only ran when a user specifically initiated a scan. In short order, this was changed to allow the scanner to run continuously in the background so that each file was examined as it was accessed, without users having to think about it. This approach has become more widespread, so that products require little interaction – users can automatically have the most up-to-date protection running at all times.

No longer are anti-malware products simply signature-based scanners. They now include advanced heuristic technologies and generic signatures which can proactively detect new variants of existing families and new malware families. The best products include a variety of security features, such as web or spam filtering, behavioral analysis or a firewall technology which can help protect against brand new threats. With these new, intensive scanning technologies, vendors have come up with many ways to decrease the overall processing load, so that scanning will not noticeably decrease access times or interrupt workflow.

As both the malware landscape and anti-malware products have changed, so has the security testing industry. When products under test were updated periodically, used on-demand scanning and the total known malware was in the thousands, it made sense to have only a single pass or fail test which was performed a few times a year over a static test-bed of samples. This is no longer the reality of the current user experience. While it can be a meaningful baseline test of anti-malware functionality, it is far from a complete picture of overall product performance.

In order to accurately reflect a user's experience with malware, it is important to gather the full spectrum of malware from a variety of sources from throughout the internet, which circulate on various protocols. This means including not just email-based malware, but malicious files on P2P networks, as well as on the web and other attack vectors. Because malware does not stop when the work day ends, nor does it recognize geographic boundaries, threats must be collected all day from around the world.

As anti-malware products have begun to include more wide-ranging technologies, including ones which are initiated upon execution of a file, testing must incorporate dynamic functionality by running threats on test machines. This naturally takes more time than scanning an immobile directory of files, so one must take care to select the most relevant sample set which a customer is most likely to encounter. This takes into account not just prevalence, but the popularity of the attack vector on which it is spread, the potential for damage on an infected system, as well as geography.

Malware authors are always abreast of technology trends – where do people share their information, how do people share files? At West Coast Labs, we've already begun to see an increase of attacks on things like digital picture frames, USB thumb drives, mobile phones and popular Web 2.0 sites. So, suffice to say, if you know a few people who use one or other or all of these, malware authors are looking to exploit them for financial gain. Likewise, anti-malware vendors are developing technologies to protect them, and testers like West Coast Labs are developing methodologies to mirror the user's risk and potential infection experience. In order to keep up to date on the evolving malware landscape, one need only see which new widgets are being used in home and business network environments.

But in the corporate world, keeping updated on the latest threats and technologies is not enough – TCO and ROI need to be considered. How well do technologies and services proactively detect? How quickly are new threats added? How is customer support response? How easily can the solution be managed remotely? How much CPU time is used for scanning? To find the answers to many of these questions, take a look at product performance data from leading independent test organizations, such as West Coast Labs, and the performance validation programs they deliver – such as Real Time Testing.

You can also take a close look at how individual vendors are responding to the changing threat landscape and the implications for the security of corporate networks. Nowadays, vendors are defining 'protection' differently. No longer is it just product performance-related, but also related to business and customer service issues, delivering a higher value overall service to meet not just security, but also business needs.

When considering product performance in a corporate network environment, 'protection' is more than current malware detection capabilities; it's also about the extent of a vendor's product research and development strategy that anticipates threats and trends to ensure proactive network protection. It can be further defined as the extent to which malware protection is delivered for a multiplatform infrastructure through efficient and easily managed solutions with wide interoperability capabilities. 'Protection' is also about the extent to which business interests are protected through vendor service strategies that now include optimized and cost-effective security plans tailored to individual corporations' needs for maximizing business productivity, lowering the total cost of ownership and maximizing the return on investment. Also, given that corporations are operating in a worldwide 'e-economy', all this needs to be supported by trusted and responsive global support plans.

Yes, the threat landscape is continuing to evolve with new malware threats spawned at an alarming rate, but no longer is malware protection, and information security in general, just a technical issue – it's a business issue. That's why vendors' product and service solutions are evolving to suit these changing needs, and West Coast Labs is developing independent product performance programs that ensure that these products and services are tested and validated accordingly.
n 1 Technology Report www.westcoastlabs.com www.westcoastlabs.com Technology Report 2 Technology Report Test Networks and Methodology Kaspersky Lab Corporate Security Solutions Kaspersky Security 8.0 update In a heterogeneous network situation process it is important to know that a security solution is both compliant and compatible. Throughout the comparative test DEVELOPER'S STATEMENT program for ISA/TMG, Linux, Lotus Kaspersky Lab has developed highly-effective anti-malware solutions for use in medium and large-scale corporate networks with complex topologies and heavy loads. Combining Kaspersky Security 8.0 Domino and WSEE, WCL utilized the following network configuration ease of use with high standards of performance across multiple attack vectors, the for Microsoft Exchange to simulate a corporate network products are cost-effective solutions which environment: meet both business and technical needs Servers (Kaspersky worldwide. Security 8.0) • 64-bit Windows 2008 machine running as a gateway/DNS server hosting Forefront TMG/ISA Server WEST COAST LABS' EXECUTIVE SUMMARY REPORT Kaspersky Security 8.0 provides anti- In the ongoing Checkmark Certification Installation of Kaspersky Anti-Virus 8.0 is • 32-bit Windows 2003 machine malware and anti-spam protection for Static and Real Time tests, like all the simple, using a standard Windows Installer running Lotus Domino mail server The launch of the Kaspersky Lab’s Details of the specific tests to which the mail traffic on corporate networks. Its Kaspersky products, this solution has and settings imported from TMG during • 64-bit servers running Linux and range of anti-malware products for the products are exposed are published integration with Exchange allows for achieved consistently high standards the install process. The default settings Windows 2008, both acting as file corporate network environment provides elsewhere in this report, but the overall detection and removal of malware and of performance. 
For the comparative provide fast protection, but a more tailored servers. While each of the solutions security managers with an extended outcome of the certification testing is the spam at the gateway level. performance testing to measure the installation can be achieved if required. were tested independently of one choice of effective solutions for dealing achievement of the Platinum Product product’s detection capability of another, results of these tests and with threats in attack vectors across Award for these products, which is the The product is easy to install and its user- malware known to propagate over The solution is managed via MMC with an the observations made point to the multiple operating systems. highest level of independent validation friendly interface, flexible administration SMTP, Kaspersky Security 8.0 achieved additional central monitoring screen and various Kaspersky Lab solutions possible for an anti-malware solution from and straightforward configuration 100% detection rate of the 8,042 network policies which can be be added providing a multi-faceted security West Coast Labs’ independent testing West Coast Labs. and reporting system does not place malware samples used in the test. This to complement those of TMG; making framework for a corporate network. and performance validation of the excessive demand upon administrator’s performance is equivalent to and matches the whole process of management, products confirm that they combine This is complemented by very respectable time. No extra setup is required on that of the competitor products included administration and ongoing use very Taking a hypothetical network into ease of use and management with high malware detection test results which Exchange and malware protection began in the test. We also test HTTPS. n straightforward. account, as below, one can see how levels of performance, all of which is position the performance of Kaspersky immediately. 
each of the solutions would interact driven by Kaspersky Lab’s own research, Lab products very favorably alongside Kaspersky Anti-Virus 8.0 allows with and secure the network. Anti- development and customer support more widely recognized corporate Management of the solution is simple Kaspersky Anti-Virus 8.0 permission or denial of various traffic malware protection, at the gateway programs. security solutions. as Kaspersky Security 8.0 employs a types – HTTP, FTP, SMTP and POP3 – level, is provided by scanning email Microsoft Management Console (MMC) for Microsoft ISA Server plus the ability to define what, if any, of the coming into the ‘corporate network’ Kaspersky Lab has made a significant commitment to the independent The specific malware detection capability testing of both Kaspersky Lab and a snap-in, providing an intuitive interface with full access to all features. Database and Forefront TMG protocols should be subject to scanning. Data on network status – including the over SMTP with an initial scan by Kaspersky Anti-Virus 8.0 sitting on the validation of its products’ efficacy and number of competitive anti-malware and signature updates run automatically, Standard Edition protocols which are being blocked, TMG server. In turn, the email is then performance through West Coast Labs’ solutions was carried out in September as often as every two hours, but if required numbers of files scanned, and the number received by the Exchange or Domino Checkmark Certification System. This and October 2010 while the Checkmark may be run on-demand. Although there Kaspersky Anti-Virus 8.0 sits on top of of resulting infections, is readily available. server and a further scan conducted provides a range of static, dynamic Certification testing of its products is are fewer options available compared to Microsoft Forefront TMG 2010. While by the appropriate solution. 
Should and real-time tests which make these performed on an ongoing basis with other corporate products on the market, TMG acts as a standalone security In the performance testing over the HTTP any user require the downloading of Kaspersky solutions possibly the most confirmation of the results available at it can be argued that all the necessary solution in its own right, the addition of and FTP attack vectors, the combination of email from an external POP3 server, the intensively tested corporate anti-malware www.westcoastlabs.com. n options are available thus leading to a Kaspersky Anti-Virus 8.0 provides a multi- Kaspersky Anti-Virus 8.0 and TMG provided Kaspersky for TMG solution scans the solutions available anywhere in the world streamlined user experience. layered security solution. 99% detection of the range of malware traffic as it passes through the gateway. t today. samples which were included in the test. n When dealing with any files that are downloaded over HTTP/FTP, they are scanned on the TMG/KAV combined server. Should any network user then attempt to upload any files to either a Windows or Linux based file server, then here the respective Kaspersky Lab solution will provide further defense- in-depth. 3 Technology Report www.westcoastlabs.com www.westcoastlabs.com Technology Report 4 Technology Report Domino 8.5 on Windows 2003 that each Update process picked up emails for a FQDN owned on Kaspersky and controlled by WCL. Client machines Anti-Virus WSEE running Lotus Notes 8.5 were used to pick up the messages from the Domino servers and analyzed the attachments to aid calculation of the overall detection rate which for Kaspersky Anti-Virus 8.0 was of a particularly high standard which mirrored that of the competitor products included in the test program. All solutions attained a 100% detection rate during the test period. 
n Application interface of KAV for ISA KAV 8.0 for Linux File Server interface within the product interface to review any Kaspersky Anti-Virus 8.0 sets itself apart Kaspersky Anti- Virus Kaspersky Anti-Virus 8.0 malware logged and thus decide what in this regard. It is well implemented, 8.0 for Windows Servers Licensing process for Linux File Server actions to take. as demonstrated in the comparative performance tests where it led with a Enterprise Edition on Kaspersky Anti-Virus for Given the complexities involved with 99.95% detection rate on the 25,640 Kaspersky Anti-Virus 8.0 for WSEE uses Lotus Kaspersky Anti-Virus 8.0 for Linux installs porting anti-malware solutions to Linux, malware samples tested compared to an the standard Windows Installer interface. from the command line, using a shell- it is not always possible to ensure average performance rate of 99.52% for five Two installations are required, one for script installer. Although some degree consistency of performance. However, other leading corporate solutions. n the administration tools and one for the of familiarity with Linux is required, even solution itself. However, importing an junior network administrators with a existing configuration file to keep existing basic understanding of Linux should be comfortable with the process. Kaspersky Anti- Virus 8.0 some of the other vendor products included in the comparative performance settings is possible when upgrading a previous version. Installation is quick and for Lotus Domino review, Kaspersky Anti-Virus 8.0 does trouble-free. Managed via a web-based GUI running not need the installation of a desktop on a non-standard port, Kaspersky Anti- Anyone familiar with Lotus Domino will anti-malware product to be able to use Managed through an MMC snap-in, Virus 8.0 is configured from the GUI. find the installation straightforward. 
It is the desktop product’s scanning engine the product allows product updates to No secondary interfaces or files need performed using a Lotus .nsf database signature files. be rolled back if needed. It provides a to be changed and updates are either file which is opened through Lotus Notes quarantine area and a backup facility just scheduled or run on-demand. to run. Administrators can set various In the comparative testing against five in case the administrator deletes a file actions to be performed when malware other leading corporate solutions, the that needs to be restored. The interface, On Demand scans can be set to a pre- an overall detection rate for Kaspersky For security admin staff who may be is detected, however, they will need to be test methodology employed sender as a whole, provides a rapid means of defined security level or customized to Anti-Virus 8.0 of 99.68% compared to an familiar with a file-server anti-malware familiar with Lotus in order to get the best machines running a Linux distribution. implementing malware security policies meet the demands of the organization. average performance of 99.51% for the product, the make-up of the interface is out of the solution when rolling Kaspersky Scripts developed by WCL were used on the solution. Similarly, On Access protection can be other five security solutions included. n very familiar – it is both clear and intuitive. Anti-Virus 8.0 out to a Domino server. to send the emails that contained set with a preference for either high speed infected attachments over a live internet All of the available features are easy to scans or high protection levels. On-Access and On-demand protection Delete or quarantine actions are easily connection. locate without the need for drilling down are available as standard. 
Administrators defined for detected malware and for through multiple options screens or Throughout the comparative test program, can browse the Quarantine folder from deleting infected attachments. Unlike Emails were sent to servers running Lotus hunting for a required setting. WCL found the scans ran quickly with t WEST COAST LABS VERDICT Combining ease of use with high levels of performance, the Kaspersky Lab solutions under test have delivered comparable and at times, better detection rates to equivalent products. With a consistent level of anti-malware protection across the network topology, users of the Kaspersky Lab products featured in this report can be confident that they are all rigorously tested through the Checkmark Certification and the Real Time testing. 5 Technology Report www.westcoastlabs.com www.westcoastlabs.com Technology Report 6 Technology Report Threat Manager r12 TrustPort AV CA TrustPort DEVELOPER'S STATEMENT also saves valuable administration time DEVELOPER'S STATEMENT usual scheduling as required, or if preferred Threat Manager combines a full-featured and resources easing the burden on any TrustPort AV detects viruses and spyware they can be run on-demand. TrustPort also network anti-virus solution with policy- overstretched IT department. at all entry points to the computer and allows various actions to be configured for driven endpoint access control to protect prevents attempts by hackers to access detected malware samples. WCL noted networks from malicious software and The client is locally managed from either the computer. It enables not only the that the product management is in keeping unauthorized access. 
an intuitive GUI interface or from a central continuous monitoring of files being with other products traditionally found in server, depending on the individual opened, but at the same time also scans this category, however, it should be noted administrator's preference and the security files from incoming electronic mail or that what it actually does, it does very well. CA Threat Manager is specifically policies are created and deployed from downloaded from the web. recommended for small to medium the Threat Manager server. There is also TrustPort is a security ‘bundle’ providing sized business models and is designed an update option, which enables the anti-malware protection for local files, essentially to protect client machines administrator to either run updates on- This particular security solution is designed email, and web. It also includes URL residing on a corporate network. With demand or decide to schedule them to for home users and could also provide blocking and a firewall, enabling control of its anti-malware protection, CA Threat suit. an invaluable layer of security for home what can be viewed on the client. Manager will provide an important and workers or the self-employed. With its low much needed extra layer of security your Settings and options are available on the system requirements, TrustPort is an ideal The URL filter contains a variety of site business deserves. central server and if you are looking for a solution for providing malware protection classifications, such as adult and gambling, solution that provides a ‘good-fit’ with any for local files, web downloads and email, to prevent viewing this type of content The CA Threat Manager can be installed existing network architecture, then CA and also offers firewall protection along if required and this product includes a and managed via a central server, giving Threat Manager can provide this. with a URL filter. 
TrustPort is installed and Product ‘Portable Antivirus’ solution that allows a the administrator more time to concentrate managed directly on the client as it is purely TrustPort AV version of the TrustPort AV solution to be on other tasks on the IT infrastructure. The test engineer recommends that for a client-side-only solution, making it user Manufacturer deployed to a USB stick, thus protecting Product a uniform security policy set, across the friendly for the less well initiated. TrustPort any files you wish to transport; excellent for Threat Manager r12 CA Threat Manager is a server-client network, then CA Threat Manager is best Contact Details those on the move. solution and the installation can be Manufacturer managed from the server, however it can Users can purchase and install TrustPort www.trustport.com managed via a separate executable CA be accomplished via the client, making it from a separate executable that is Observations from the WCL engineers Certification installation. Alternatively, CA Threat Contact Details pretty flexible. downloaded from the TrustPort website, include comments on TrustPort being a www.westcoastlabs.com Manager can be installed from a central www.ca.com with the license provided at the point of really good all-round package with the server and as it is extremely straightforward Certification With CA Threat Manager there is further sale; making it extremely accessible. We ‘Portable Antivirus’ helping it stand out in and well documented, which is always www.westcoastlabs.com flexibility with On-Access scanning that all know the importance of ease of use with an already crowded market. an added benefit, the process can be can be scheduled to suit the needs of the single user client-based products and to tinker, all of the default options happily accomplished with relative ease. the network or permanently activated/ TrustPort doesn’t disappoint with a quick suffice. 
TrustPort supports all the usual This type of capability is important for there are practically no pre-requisites deactivated. Also, On-Demand scans can and painless installation that is easy to Windows client platforms and the West anyone relying on technology when on the This installation can be automated from needed other than those already found on be launched locally or via the central server. follow. Coast Lab’s (WCL) engineer stated that this move, and should not be underestimated a network-wide roll out and though the a standard client machine for instance SP2 CA Threat Manager additionally provides traditional client-side installation manages as it will protect their credibility and keep default options suffice there is some on XP Professional. CA Threat Manager real-time reports, giving users at-a-glance The available options contain good everything with minimal fuss. their security in one piece when it could flexibility in the install options available. can also be configured to automatically updates of the current network state while descriptions and there is also some otherwise be compromised. With a good variety of installation methods deploy to any systems joining the network also offering all the options you would flexibility in the installation options available The client is managed via a local GUI available and wide ranging system-support, for the first time for instance DHCP; this expect from this type of solution. to the user, however if you are happy not interface with the updates capable of the WEST COAST LABS VERDICT WEST COAST LABS VERDICT CA Threat Manager offers a variety of deployment models and offers endpoint TrustPort AV is aimed at home users, but can equally offer protection for SOHO workers. Including anti-malware protection against malware. 
The central management console offers flexibility protection in the suite of protection that it offers, the solution is well documented and is easy to configure for combined with good reporting over and allows for the overview of endpoints on a flexible protection levels dependent upon the requirements of the individual user. corporate network of small to medium size. 7 Technology Report www.westcoastlabs.com www.westcoastlabs.com Technology Report 8 Technology Report IMSVA v5.1 IWSVA v5.1 Trend Micro Trend Micro DEVELOPER'S STATEMENT On the initial configuration of IMSVA, local DEVELOPER'S STATEMENT not so experienced, it should still prove Trend Micro InterScan Messaging Security firewall rules permitting, customization of Trend Micro InterScan Web Security easy to use and therefore it does not limit Virtual Appliance is a hybrid SaaS email the solution is carried out via the web-based Virtual Appliance is a consolidated web you to a specific member of your IT staff security solution that integrates an on- GUI, which can be accessed anywhere on security solution that combines award- being on hand. premise virtual appliance with in-the-cloud the network. winning malware scanning, real-time web SaaS email security. reputation, powerful URL filtering, and This, as described by the WCL engineer, The West Coast Lab’s engineer again integrated caching. is again a good user-friendly web-based commented on the excellent web-based GUI, but he also observed that access to IMSVA is designed specifically for enterprise GUI, however, emphasized that access to the management interface will depend size business models. It provides traditional the management interface will depend upon As with IMSVA, IWSVA is designed for upon any existing firewall rules, which is malware protection, but it does not stop existing firewall rules. the enterprise. 
... important to remember when setting up IWSVA for the first time.

... there, with the addition of extended technologies, such as firewall, web threats and POP3 scanning.

Product: IMSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

Providing full anti-malware capability, as well as providing URL filtering for those URLs found inside emails, IMSVA has the same malware capability as IWSVA while also providing anti-spam support.

Working at the gateway level, IMSVA scans inbound traffic before it reaches the endpoint and blocks any traffic it finds to be malicious, thus protecting the whole enterprise. This ensures nothing is left to chance and end-users are not bogged down with header messages they understand little about or decisions on what is expected of them in respect of malicious and unwanted email.

IMSVA ensures a cloak of security for any credible business looking to secure itself from potentially damaging security breaches. This also gives the administrator peace of mind in knowing that no glitches will occur in this security as there will not be any issues with compatibility. These are all indispensable components of a versatile security solution and the centralization provides the ease of use and flexibility administrators have come to expect, especially useful when running a large network efficiently.

The IMSVA solution is initially installed on the server and can then be managed from there; this is prior to rollout to the endpoint clients. The security policies are also managed on the central server then pushed out to the client machines, so the administrator does not have to configure each individual client machine, saving time and money.

Designed for VMware ESX/ESXi servers, IMSVA is a virtual machine with the images being loaded into the ESX Hypervisor server. IMSVA does require some basic setup via a Linux-based command line when running the virtual machine for the first time.

As our engineer observed during his initial encounter with it, the IMSVA setup and configuration is carried out via a web-based GUI. Of course, for any administrators with experience of Trend's IMSS and IWSS solutions, utilizing a web GUI will already be familiar to them, and for those with limited or no such experience, it still offers ease of use.

The West Coast Labs engineer also commented on the product's overall ability as a solid, reliable gateway-level defense. This is an important point, as any experienced IT manager will tell you: having full confidence in the security product's capability along with ease of use goes a long way when you have a large network to run.

WEST COAST LABS VERDICT
Trend Micro's IMSVA solution comprises a virtual machine that handles messaging traffic and includes a number of core technologies, such as spam, anti-malware and anti-phishing. These are combined to offer a scalable and flexible solution which can be deployed in a number of network scenarios.

IWSVA v5.1
Trend Micro

Product: IWSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

IWSVA is installed and managed directly on the server with no further client installations necessary. The security policies are also managed on the central server and pushed out to the client machines to allow IWSVA to provide traditional malware protection, as well as incorporating extended technologies such as firewall, web threats and POP3 scanning.

IWSVA not only provides full anti-malware capability, but also provides URL filtering; it also offers the same malware capability as IMSVA.

Working at the gateway level, IWSVA scans all of your enterprise's inbound traffic before it reaches the endpoint and blocks any traffic it finds suspicious so that malicious entities are blocked and your systems remain secure. This requires no client-side intervention and is therefore less prone to user error.

Designed for VMware ESX/ESXi based servers, this is a virtual machine, with the virtual images being placed on the ESX Hypervisor server. IWSVA requires some fairly basic setup via a Linux-based command line when you run the virtual machine for the first time, but again, this is an uncomplicated process; and as you'd expect with a virtual machine-based technology, the product's setup and configuration is carried out via a web-based GUI.

With the ability to access it anywhere on the network, local firewall rules permitting, IWSVA customization may be carried out via the web-based GUI once the initial configuration has been accomplished. Any administrators familiar with Trend's IMSS and IWSS solutions will be accustomed to the web GUI, but for those

West Coast Labs found during test that this was again a solid, reliable gateway-level defense solution worthy of the job in hand. So overall, IWSVA offers a well-rounded security blanket protecting the enterprise at the gateway, which frees up IT staff to concentrate on other business at hand.

WEST COAST LABS VERDICT
Trend Micro's IWSVA solution offers the ease of virtualization and the flexibility to handle web traffic in a number of types of network. The technologies at work that contribute to the operation of this solution include anti-malware and URL content filtering, and allow for very fine-grained control.
OfficeScan v10.0
Trend Micro

DEVELOPER'S STATEMENT
Trend Micro OfficeScan is a comprehensive endpoint security and malware protection solution for medium sized businesses and enterprises and is normally used in a client-server configuration.

Product: OfficeScan v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

If you are an administrator running an enterprise and you are charged with finding a suitable security solution, how do you weigh up the protection you require without compromise? With OfficeScan you can protect the enterprise by providing traditional malware protection, incorporating extended technologies – such as firewall, protection from web threats and POP3 scanning – all in one solution. This must make OfficeScan one such product worthy of noting to IT administrators.

OfficeScan is installed and managed on the server, and when ready to deploy it is simply rolled out to your endpoint clients to provide the layer and level of security required. With security policies managed on the central server, the administrator can push them out to the client machines, making it an easy task to accomplish - job done.

Simply put, OfficeScan is a server-client solution: OfficeScan is initially installed on a central server before being sent out to the client machines around the network. Deployment can be carried out either by targeting specific client machines from the server console, downloading the install package to the client, or by incorporating the solution utilizing the Active Directory. The client installation is silent, so neither the administrator nor the end-user has to intervene on the client machine and, as you'd expect, OfficeScan supports all common Windows client platforms, as well as VMware workstations.

It was also noted that OfficeScan has pretty low system requirements and that it also offers good support to virtual desktops.

OfficeScan is managed via an MMC-style interface with all common options available, such as scanning actions, schedules and targets, with various security policies being catered for; so in all this is a versatile product. Although there is nothing revolutionary in the way that OfficeScan is managed, it certainly does not detract from the solution in any way. It does however seem to pack a lot into one package.

As its name suggests, OfficeScan provides protection against viruses, trojans, spyware and rootkits, with the further inclusion of firewall, web threats and host-intrusion prevention, so in all this is a fairly comprehensive barrier against potential threats. OfficeScan can also scan inbound POP3 traffic.

This product utilizes the Trend SPN system to provide cloud-based detection of malware.

During installation, the engineer commented on the various choices and variables available as deployment methods. During WCL's extensive testing, the engineer observed that OfficeScan really did offer a good level of defense and he also said it was in-depth, with numerous combined security technologies included. That has to put OfficeScan in a strong position, with its comprehensive security, as being a solution worthy of a place in any security-conscious enterprise.

WEST COAST LABS VERDICT
Trend Micro's OfficeScan offers anti-malware technology at its core, with the possibility of central reporting and administration in an enterprise level setting. The deployment and management of remote endpoints is streamlined through the central management GUI, offering an easy way for IT staff to ensure that hosts are protected.

ScanMail for Exchange v10.0
Trend Micro

DEVELOPER'S STATEMENT
Trend Micro ScanMail for Microsoft Exchange provides industry-leading scan engines to help stop the widest possible range of threats, while innovative Web Reputation and Email Reputation technologies use a unique cloud-client architecture accessing up-to-the-minute threat intelligence to thwart the latest attacks.

Product: ScanMail for Exchange v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

ScanMail for Exchange is designed as an umbrella for email protection, including content filtering, spam, recipient filtering, URL detection (within emails) and phishing, which is specifically produced for enterprises running Exchange servers. ScanMail for Exchange is an obvious choice for securing your incoming content as the system requirements are relatively low when considering the security this solution provides and the market it's aimed at.

This particular product is installed and managed on the server. While ScanMail for Exchange can be deployed to the Exchange server if necessary, it is also a server-based solution with no client-side aspect.

The installation itself is carried out directly on the server and can be placed on the Exchange server; however, this is not recommended for the larger business model because of the impact on resources, but if so required, the option is there. At the installation stage, a number of possible configurations can be achieved; however, the main installation routine itself is well-documented.

Although some experience with Exchange-based systems will be necessary, this is assumed given the target market. ScanMail for Exchange supports a number of Windows server platforms and Exchange versions, providing support for various network configurations, such as Server 2000/3/8 and Exchange 2003/7/10.

Managed via an MMC-style interface, ScanMail for Exchange offers numerous options for each of the available features, which can be tailored to fit a range of company security policies. Of course, all the usual options are available, such as scanning, schedules and targets. Administrators take note: the engineer says the numerous configuration options are very useful and will help tailor the protection on offer, so you can ensure your systems are protected to the enterprise's requirements.

ScanMail for Exchange also provides protection in an email 'reputation filter'. This allows emails from a list of known 'unwanted senders' to be automatically blocked, saving valuable time and resources. With the ability to scan emails for URLs/links to known-bad or malicious websites and to block any that are found, this increases its effectiveness somewhat.

According to the West Coast Labs engineers, ScanMail for Exchange incorporates into Trend Micro's Smart Protection Network (SPN), which adds to the level of protection on offer.

The engineer commented on ScanMail for Exchange's good installation routine, effective deployment and integration options; something to be considered when deciding on time to deploy.

WEST COAST LABS VERDICT
Trend Micro's ScanMail – here considered in the integration with Microsoft Exchange Server – offers gateway protection against email-borne threats. It includes all the components that might be expected, such as anti-spam, anti-malware and phishing protection, administered with ease through a central management console.

SecureWeb
K7 Computing

DEVELOPER'S STATEMENT
K7 SecureWeb provides end-to-end protection for personal information right from the keyboard to the website and specifically aims to secure online transactions.

Product: SecureWeb
Manufacturer: K7 Computing
Contact Details: www.k7computing.com
Certification: www.westcoastlabs.com

SecureWeb is designed to provide end-to-end protection for personal information – such as username, password, and credit card – right from the keyboard to the website, and to secure online financial transactions. In addition to protecting internet users against various threats, such as screen scraping and keylogging, SecureWeb also provides SSL certificate verification and website authentication. And the automatic browser launch is a great feature as it prompts users whenever they browse to online bank and shopping websites.

SecureWeb was tested using a network consisting of a primary network attached directly to the internet and a secondary, aggressor network. A standard desktop machine was used as the host for SecureWeb, housed on the primary network.

To prevent theft of passwords and bank details SecureWeb provides an additional layer of security. It does not provide anti-virus or URL filtering; however, what it protects is done extremely well.

To protect against keyloggers, SecureWeb encrypts all keystrokes so that any data that is captured is unintelligible. When dealing with screen grabbers, West Coast Labs found that each screenshot was redacted so that any potential attacker captures a blank screen.

DLL injection can disrupt a security solution and lead to the theft of user data. Attackers will often target the solutions themselves as a first port of call to try to circumvent protection on a local machine, whether this is anti-virus, URL/website filtering or data protection. In order to protect against this, SecureWeb continuously monitors its own processes for signs of malicious behavior. WCL's engineers attempted to load malicious and harmful DLLs, but were unable to inject malicious code into the SecureWeb address space and as such all user data remained protected.

SecureWeb also protects against the threat of DNS poisoning, which alters the IP address associated with the URLs for such sites, so that a user is instead directed to a website controlled by the attacker. To test, a list of well-known e-commerce and financial domain names was added to the hosts file. Each domain was associated with an IP address of various web servers owned and controlled by WCL. However, SecureWeb does not rely on information contained within the system's hosts file. All attempts to redirect SecureWeb to an incorrect webserver/webpage proved unsuccessful.

Many transaction websites use SSL certificates (HTTPS) for privacy assurance. But attackers will often try to create fraudulent certificates to pass off spoofed versions as legitimate. SecureWeb provides a means of checking the authenticity of SSL certificates, reporting if they are self-signed and therefore not legitimate. To display this information, SecureWeb employs a SiteBand™ that uses colored warnings to provide an at-a-glance report on whether the site can be trusted or not. Throughout testing, SecureWeb accurately identified those sites that were using legitimate SSL certificates from those that weren't.

WEST COAST LABS VERDICT
K7 SecureWeb is a good example of a solution to a specific problem that fulfills its remit very well. This is not a general use web browser, but in terms of protecting users when entering financial details it has been shown to succeed.

Webroot Web Security Service
Webroot

DEVELOPER'S STATEMENT
With up to 85% of malware now distributed via the web, proactive web security is a necessity. Webroot Web Security Service provides better manageability and better malware protection than on-premise solutions. Organizations can get the most advanced protection against viruses, spyware, phishing and data loss while easily enforcing internet acceptable use policy—all without the hassle of purchasing and managing additional hardware and software.

Product: Webroot® Web Security Service
Manufacturer: Webroot
Contact Details: www.webroot.com
Certification: www.westcoastlabs.com

Webroot Web Security Service is recommended for the larger business and enterprise-sized models and, as its name suggests, is a managed solution, therefore there is no hardware requirement. Webroot Web Security Service (WWSS) provides gateway-level security to protect against web-based threats as a managed service. These threats could include file downloads and URL filtering, which can be a real headache for corporate credibility.

As far as the management of the service, WWSS is managed from a web-based interface with each client machine being directed to use the proxy address of WWSS. As far as setting up the service, it is an extremely quick and easy affair and requires an administrator providing basic network information to Webroot. Various settings can be defined by the administrator, such as which URL categories to block, the amount of time each user is permitted to spend online, as well as giving information to the user of their company's individual internet acceptable use policy. The deployment to client machines is also completed quickly and, as already noted, as a managed service the installation is almost non-existent.

The West Coast Labs engineer commented that once the account has been finalized with Webroot, end-user machines simply have to be configured to begin using the Webroot service. This is accomplished remotely by logging into the Webroot management portal, allowing protection and internet use policies to be created and rolled out rapidly. As the service is hosted by Webroot, there is no need for the administrator to run updates for either software or security definitions, making it less time-consuming. As WCL's engineer pointed out, although management is only possible via the web interface, the options available do allow for a tailored approach.

The scanning and features available to the network include provision for URL and content filtering, and use preset categories. Vulnerability scanning has also been added to the service; however, this aspect was not tested by WCL. In addition, WWSS also provides anti-phishing protection as well as standard malware scanning. During testing, WCL's observation was that it offered good multilayered protection against a range of web-based threats.

The Checkmark testing WWSS underwent was on the AV Gateway certification and the Real Time system for malicious URLs, and WWSS also passed WCL's Web Threats certification, making it a platinum product.

WWSS promises fast internet browsing with minimal latency, a proactive scan-ahead and safe search facility that color-codes search engine results to allow users to see if the sites are allowed, blocked or could contain malware. There is also real-time reporting and web activity logging; this can be used to view the network or individual users or groups, providing flexible viewing of network activity. Add all that to the rapid deployment of WWSS across your entire network, which requires no software or hardware purchase, and the ability to use preconfigured policy options based on your chosen level of security, and you can see that all in all a managed service could provide a viable alternative to reduce IT resources and offer cost-effective security fast.

WEST COAST LABS VERDICT
Webroot's Web Security Service offers web threat protection as a managed service and protects against a variety of threats whilst allowing the administrator central control through a web portal. The use of a managed service also means that administrators no longer need concern themselves with remembering updates.
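The hosts-file redirection that WCL used to test SecureWeb's DNS-poisoning protection can also be checked for directly on a client. The following is an added example, not code from K7 Computing or West Coast Labs: it parses a hosts file and flags any entry that pins a watched e-commerce or banking domain (or a subdomain of one) to a fixed address; the watch-list and the hosts-file text are constructed samples.

```python
"""Hosts-file override check for a watch-list of financial domains.

Added example; not K7's or West Coast Labs' code. It models the DNS-poisoning
test in the SecureWeb review: well-known e-commerce and banking domain names
were added to the hosts file and pointed at web servers the testers
controlled. A defender can run the same check over a machine's hosts file to
spot that kind of local redirection. The watch-list and the hosts-file text
below are constructed samples, not real entries.
"""
import ipaddress

# Constructed watch-list: domains that should only ever be reached via real DNS.
WATCHED_DOMAINS = frozenset({"bank.example", "shop.example", "pay.example"})

# Constructed hosts-file content in the usual "address hostname [alias ...]" form.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.10.20   intranet.corp.example   # internal name, not on the watch-list
not-an-address  bank.example            # malformed line, must be ignored
# Tampered entries: financial domains pinned to a tester-controlled server
203.0.113.7     www.bank.example BANK.EXAMPLE.
203.0.113.7     secure.pay.example
2001:db8::9     shop.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Strips full-line and trailing comments, accepts several hostnames per
    line, handles IPv4 and IPv6, normalises names to lower case without a
    trailing dot, and silently skips lines whose first field is not an address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: ignore rather than guess
        for name in fields[1:]:
            yield str(address), name.lower().rstrip(".")


def watched_parent(hostname, watched=WATCHED_DOMAINS):
    """Return the watched domain that hostname equals or sits under, else None."""
    for domain in watched:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return sorted (hostname, address, watched_domain) tuples for every
    hosts-file entry that overrides DNS for a watched domain or subdomain."""
    hits = set()
    for address, name in parse_hosts(text):
        parent = watched_parent(name, watched)
        if parent is not None:
            hits.add((name, address, parent))
    return sorted(hits)


if __name__ == "__main__":
    for name, address, parent in find_overrides(SAMPLE_HOSTS):
        print(f"hosts-file override: {name} -> {address} (watched: {parent})")
```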
Shell Control Box (SCB)
BalaBit

DEVELOPER'S STATEMENT
The Shell Control Box by BalaBit is an activity monitoring solution for privileged access that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems.

Product: Shell Control Box (SCB)
Manufacturer: BalaBit
Contact Details: www.balabit.com
Certification: www.westcoastlabs.com

One of the two BalaBit products to be reviewed under West Coast Labs' (WCL) new Performance Validated program is Shell Control Box (SCB). As with syslog-ng Store Box, the SCB test allowed WCL to provide an independent review of the solution.

To test SCB, WCL was provided with an x2200 Sun Microsystems server running SCB. WCL also tested a virtual version of SCB.

Testing of the SCB solution was conducted on a custom-built network at WCL's UK facility. The network itself consisted of a variety of client and server machines running a range of both Windows and Linux-based operating systems.

WCL downloaded SCB from the BalaBit website as a virtual machine, then SCB was imported onto a server running VMPlayer. Before full deployment, SCB requires basic network configuration (host IP address, gateway address, and so on), and the license is imported to SCB at the end of the initial configuration.

SCB is an independent appliance designed to integrate with ease, offering high availability, and is configured via a clean, intuitive web interface. The roles of each SCB administrator are clearly defined using a set of privileges. SCB receives connection attempts for a specific target host, then forwards the connection. The solution enables the creation of rules allowing the administrator to permit or deny connections based on set criteria, and provides for the auditing of network connections. SCB also works in conjunction with BalaBit's Audit Player to allow logged network traffic to be replayed in real time and supports the following protocols: Secure Shell (SSH), Remote Desktop (RDP), Telnet and terminal emulators using the standard TN3270, VNC and VMware View. WCL only examined the following during the test period: VNC, RDP, SSH, and Telnet.

The recorded audit trails can be replayed like a movie using the aforementioned Audit Player, enabling a review of events exactly as they occurred. The audit trail is indexed to make searching for events and automatic reporting possible, enabling identification of misconfigurations and other human errors during forensics analysis. SCB works in conjunction with network firewalls and can supplement further security devices, benefiting network and IT security administrators by controlling all remote connections on a given network.

SCB acts as a proxy gateway, and any transferred connections and traffic are inspected at the application level (Layer 7 in the OSI model), giving control over protocol features such as the authentication and encryption methods or permitted channels.

In order to test SCB it was necessary to establish inbound connections over a network to a specific machine. VNC, SSH, RDP and Telnet connections were established; each of the connection types and combinations was tested using access control lists. These included machines with various access permissions and, once connections had been established, WCL also tested the solution's ability to terminate the connections successfully. WCL then replayed the network traffic logs through the Audit Player for verification.

WEST COAST LABS VERDICT
Testing of the SCB virtual machine showed that all connections were received and handled correctly, the administrator was able to terminate established connections and the logged files were 100% accurate. Tests also showed the capability of Audit Player to recreate the data from the session in an accurate movie-like format.

syslog-ng Store Box (SSB)
BalaBit

DEVELOPER'S STATEMENT
The syslog-ng Store Box (SSB) from BalaBit is a network log server that offers the capability to remotely collect and store logging entries and records from a variety of sources, including syslog and SNMP, and is designed to run alongside other security products.

Product: syslog-ng Store Box
Manufacturer: BalaBit
Contact Details: www.balabit.com
Certification: www.westcoastlabs.com

As part of its Performance Validated testing program, West Coast Labs (WCL) reviewed the syslog-ng Store Box (SSB) solution from BalaBit. The aim of the testing was to provide an independent means of validating the features and capabilities of SSB. The test networks on which SSB was evaluated contained client machines running Windows XP along with AV software, various network security appliances, and a number of routers. Added to this were aspects of WCL's proprietary Real Time system.

SSB's ability to monitor, in real time, the incoming log files and flag any that do not match an expected pattern makes it extremely useful, providing an early indicator of any deviation in network traffic and/or usage. While not a security solution in its own right, SSB can work in conjunction with those security solutions already deployed to a given network and provide a means of monitoring any security events that may occur.

To test SSB, WCL was provided with an x2200 Sun Microsystems server running SSB. WCL tested a virtual version of SSB, deploying the virtual machine SSB image that had been downloaded from the BalaBit website under the VMware Player application. This deployment of the machine was straightforward, and should prove simple to anyone familiar with networking or virtualization technologies. On first boot, SSB requires some basic network configuration, such as designated IP, gateway and DNS addresses, along with the application of the SSB license key. With this complete, the administrator is free to log in to SSB via a web browser and to begin any required customization of the solution.

SSB allows the administrator to capture redirected log files from various devices such as routers, security appliances and various servers. These logs can be either analyzed, using integral tools, or stored for later retrieval. Use of a proprietary encryption algorithm means that only authorized personnel can access information via the SSB interface. Log files can also be redirected to either a separate analysis device or a different log server.

To test SSB's ability to correctly receive log files, client machines residing on the Real Time system were configured so that logs relating to system restarts, network events and so on were redirected to SSB. Gateway security appliances, one on the Real Time system and one on a separate network, were configured to deliver all logs to SSB. A group of client machines, residing on a separate WCL network, had BalaBit's client software deployed to them in order to capture and forward client logs to SSB.

To validate SSB's ability to manage and secure the log files received by the solution, WCL ran tests to ensure all log files received from the various networks were correctly captured. Searches were run looking for known, specific log events such as machine restarts and network security events. WCL also attempted to open log files locally, without the use of the SSB interface, and found that the controls in place allowed access only via the interface, as expected. Log files were not human readable when accessed directly from the underlying operating system.

WEST COAST LABS VERDICT
SSB received several thousand logs from various sources, and WCL concluded that all log files were received with a 100 percent success rate. All log files that were received were accurately classified and grouped.

www.westcoastlabs.com

US Headquarters & Test Facility
West Coast Labs, 16842 Von Karman Avenue, Suite 125, Irvine, CA 92606, U.S.A.
USA: Telephone +1 (347) 403 0374; Telephone +1 (949) 870 3250

European Headquarters & Test Facility
West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, Cardiff CF23 8RS, U.K.
UK/Europe: Telephone +44 (0) 208 267 8280

Asia Headquarters & Test Facility
West Coast Labs, A2/9 Lower Ground Floor, Safdarjung Enclave, Main Africa Avenue Road, New Delhi 110 029, India.