Anti-malware Technology Report



January 2010
World Leaders in Product Testing

“Being awarded with the Checkmark Certification strengthens Sophos’s position as a trusted advisor and supplier of best-in-class security solutions.”
Andrew Bradshaw, S.V.P. Worldwide Sales & Operations, Sophos UK

Checkmark Certification is the leading edge product testing and accreditation system used by the top information security vendors worldwide.

For more information visit
Technology Report

Testing anti-malware solutions in real time

Lysa Myers, Director of Research at West Coast Labs. Lysa can be contacted at

In the Technology Report published earlier this year, we outlined our vision for the changes in testing and performance accreditation which we feel need to be made to accurately reflect the way security software is currently used – the Real Time Testing program. Starting such a system from scratch is never a simple or a static project. This is something where the finish line must be moving forever – at least as long as the way we use computers continues to change!

Our focus has been on recreating the environment of a small to medium business, and the threats people are likely to face on a machine “out of the box” – the threats which will hit a computer before a user even begins to check emails or surf the web. These are primarily network-aware worms, which spread quite well with zero user interaction.

When you see articles talking about how long it takes for a new machine to be infected on connecting to the internet, this is what they’re talking about. A significant number of these malware threats are several years old (the threats from those articles about how long a machine stays infected!), the majority are brand-new and potentially undetected variants of established malware families, and then a few are entirely new malware families.

Research and testing in real time
West Coast Labs gathers these threats in real time, having set up honeypots in our offices around the world – machines which sit, unprotected, on the internet waiting to get infected through the FTP and HTTP threat vectors. These machines are located in a perpetually-growing number of different locations in Asia, Europe, the U.S., Central and South America, and each location brings in a noticeably different set of malware. This gives us a view of what an office environment will encounter, regardless of where it is located.

No one will say that these threats comprise a large percentage of threats on the internet, so more attack vectors are being included all the time. Email threats were the obvious next place to go, as this has been a popular attack vector for a number of years. Again, we’re pulling samples in from locations around the globe, and we’re seeing a mix of older threats, plus brand-new variants of existing families along with wholly new malware. But this still is not enough to test solutions effectively in a multi-vector, global threat environment, nor is it the majority of malware that the average, established computer user is likely to encounter. So where do we go next?

Getting to the meat of the malware landscape
The majority of the things which infect people are internet based – no mystery there. The infections spread by old floppy disks, USB devices, etc., are certainly there, but malware floating around the internet is by far the larger number. With the exception of ancient boot viruses (yes, they’re really still out there!), most malware which is designed to spread by the Autorun function of USB devices has an alternate infection functionality to spread by some internet-based vector too.

Most of the malware that’s out there is static, and trojan. That is to say, the code itself is independent: it does not infect clean files, as a parasitic virus does, and it does not try to spread itself automatically. A trojan is sent or placed somewhere by an individual, with intent. This makes it significantly more difficult to capture than a virus, which spreads mindlessly. How do you convince an individual to try to trick you into installing malicious code? Or where do you go to find their strategically placed malware? The internet is a truly infinite place, and malware authors go to great pains to put their code in places which are obvious enough to be stumbled upon by a hapless user, but not so obvious that anti-malware researchers find them in a hurry.

With P2P downloads, this is pretty straightforward due to the limitations of the client technology. We research where the users are – what the users are searching for. With a few limits on what sort of results you get, you can easily massage the searches to return malware almost exclusively. There’s another good source which, it is claimed, is fast becoming the primary source of malware infections.

On the web, it gets a little trickier. Websites have evolved from simple text pages to highly powerful code, which is used just as well by malware authors to make their operations stealthier and more robust. One popular technique for capturing malware on the internet is to use honeyclients – these are like honeypots, but instead of lying totally dormant, they emulate users’ surfing behavior. All system changes are monitored, and anything which is determined to be malicious behavior triggers the system to capture any new code. The bulk of threats reside here, in the wild, World Wide Web.

Vendor response
With such a dynamic, continuous source of samples across a variety of attack vectors, the number and types of malware seen in our Real Time testing program can vary quite a bit from day to day. Vendors can’t be judged in a pass/fail way; they must be viewed more like a stock index. Some days they’ll trend toward better detection rates, some days they will not detect as many threats. Because missed samples are fed back in to be re-tested within 24 hours, this also allows us to test the responsiveness of a vendor’s research team and update processes.

As we’ve seen this year, especially as many vendors add and improve cloud-based technologies, there can be significant jumps in detection capability from one day to the next. The actual results for most anti-malware vendors are quite a bit better than the most sensationalist articles spouting doom and gloom about detection rates. More and more vendors are presently adding or developing additional detection technologies, and we expect that detection rates will continue to climb.

Given the particularly challenging nature of this test program, which measures the effectiveness of anti-malware solutions in a real-world, real-time test environment, it is particularly important that those vendors that commit to this level of independent performance validation achieve a level of recognition that differentiates their performance capabilities from the rest of the market. Hence the introduction of the Checkmark Platinum Product Award which, to date, has been awarded to four vendors – AVG, Kaspersky, Webroot and CA – whose products are reviewed on the following pages.

VP US Sales: Scott Markle -
US Sales: Rochelle Carter -
UK/Europe Sales: Sebastian Stoughton -
China/Japan Sales: Jesse Song -
India/ROW Sales: Chris Thomas -

Are you buying the right IT security

• Are you considering deploying a security product or service but don’t have the time to trial it for your type of network?
• Are you unsure if a security technology will deliver the type of business and technical benefits you need to cost justify its deployment?
• Do you want to validate a security vendor’s claims to support a purchasing decision for your organization?
• Would you benefit from independent technical data that could help you in deciding which security product is right for your organization?

With extensive experience in testing information security technologies, West Coast Labs can do the job for you by building a test environment that replicates your network environment and giving you the data to make the right management and purchasing decision.

As an ISO 17025:2005 accredited test facility that specializes in security products and services, West Coast Labs has been delivering successful, meaningful test outcomes for clients around the world for over a decade.

Our independent product testing and validation services are designed to help information security executives make informed technology purchasing decisions.

Contact Scott Markle or Rochelle Carter in the US or Sebastian Stoughton in the UK to find out more about how West Coast Labs can help you maximize the return on your security investment.

USA:
Email:
Telephone: +1 (347) 403 0374
Telephone: +1 (949) 870 3250

UK/Europe:
Telephone +44 (0) 208 267 8280

US Headquarters & Test Facility
West Coast Labs
16842 Von Karman Avenue
Suite 125
Irvine CA 92606 U.S.A.

European Headquarters & Test Facility
West Coast Labs
Unit 9 Oak Tree Court
Mulberry Drive
Cardiff Gate Business Park
Cardiff CF23 8RS U.K.

Asia Headquarters & Test Facility
West Coast Labs, A2/9 Lower Ground Floor, Safdarjung Enclave, Main Africa Avenue Road, New Delhi 110 029, India.
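The honeyclient technique described in “Testing anti-malware solutions in real time” above (emulate a visit, watch for system changes, capture whatever new code appears) can be reduced to a snapshot-and-diff loop. The following is an added example written for this page; it is not West Coast Labs’ tooling. It snapshots a directory tree standing in for the honeyclient machine’s disk, runs a caller-supplied “visit”, and reports and captures any files that were added or modified. The `CAPTURE_EXTENSIONS` list, the `fake_drive_by` visit and all sample files are constructed for the demonstration.

```python
"""Minimal honeyclient-style change monitor (added example, not the report's code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Extensions worth capturing first; an assumption for this example, not the report's list.
CAPTURE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs"}


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


@dataclass
class ChangeReport:
    added: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    captured: dict[str, bytes] = field(default_factory=dict)  # rel path -> file content

    def suspicious(self) -> bool:
        """Any dropped or altered file after a visit is something the analyst should look at."""
        return bool(self.added or self.modified)


def diff_and_capture(root: Path, before: dict[str, str], after: dict[str, str]) -> ChangeReport:
    """Compare two snapshots and copy out new/changed files with a capture extension."""
    report = ChangeReport()
    for rel, digest in after.items():
        if rel not in before:
            report.added.append(rel)
        elif before[rel] != digest:
            report.modified.append(rel)
    report.removed = [rel for rel in before if rel not in after]
    for rel in report.added + report.modified:
        if Path(rel).suffix.lower() in CAPTURE_EXTENSIONS:
            report.captured[rel] = (root / rel).read_bytes()
    return report


def run_visit(root: Path, visit) -> ChangeReport:
    """Snapshot, run the emulated browsing session, snapshot again, and diff."""
    before = snapshot(root)
    visit(root)
    after = snapshot(root)
    return diff_and_capture(root, before, after)


def demo() -> ChangeReport:
    """Constructed scenario: a 'visit' drops a new executable and edits the hosts file."""
    root = Path(tempfile.mkdtemp(prefix="honeyclient_"))
    (root / "system").mkdir()
    (root / "system" / "notes.txt").write_bytes(b"clean baseline\n")
    (root / "system" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

    def fake_drive_by(r: Path) -> None:
        # Stand-in for the side effects of a malicious page; constructed bytes, not real malware.
        (r / "system" / "update.exe").write_bytes(b"MZ constructed-sample")
        (r / "system" / "hosts").write_bytes(b"127.0.0.1 localhost\n203.0.113.5 example-update\n")

    return run_visit(root, fake_drive_by)


if __name__ == "__main__":
    rep = demo()
    print("added:", rep.added, "modified:", rep.modified, "captured:", list(rep.captured))
```

A real honeyclient would also watch registry keys, running processes and network connections and would run inside a disposable virtual machine that is reverted after each visit; the disk diff shown here is the part that yields the sample to feed into the test stream.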
“In today’s fast-paced corporate environment, spam threatens not only productivity, but the safety of an organisation’s network. Achieving Checkmark’s Premium Anti-Spam Certification provides independent verification of eSafe’s ability to deliver best-of-breed Web and email security solutions that protect organizations against constantly evolving malware threats.”
Rami Shalom, managing director of the Aladdin eSafe Business Unit at Aladdin Knowledge Systems

The Checkmark Anti-Malware Certification
As the perpetrators of attacks on our networks have become more sophisticated, malware attack vectors have multiplied and the points of attack are now more specifically targeted.

As a consequence, while the characteristics of security threats to corporate networks are the same worldwide, there has been an increasing need for independent testing to evolve into a more proactive and dynamic system of performance validation that

• Differentiation between products on sophistication and performance.
• Comprehensive testing of products based on threat attack vectors.
• Real-world testing of products based on network points of attack.
• Testing in real time to provide the ultimate performance validation.

West Coast Labs’ independent testing, validation and Checkmark Certification systems have developed from a series of static or baseline benchmarking tests into a more sophisticated real-world program which also tests products based on attack vectors through unique and higher level real time and dynamic testing services.

It provides both vendors and end users who seek a high level of independent validation with valid, real-world product performance data.

The Checkmark Anti-Malware Certification program as a whole measures product performance within three levels of testing and research:

• Static Testing – a series of baseline tests that measure detection capabilities against known threats.
• Dynamic Testing – measures product performance in relation to malware executing as end users and corporations experience them in the real world.
• Real Time Testing – measures critical performance characteristics in a network environment.

The result is the most comprehensive and relevant series of tests against which the products are measured, hence the Platinum Product Award for those products registered and tested in all three testing programs.

[Award logos: West Coast Labs Standard Checkmark Award; West Coast Labs Platinum Product Award]

West Coast Labs Security Product Testing and Research Facilities
WCL is a global leader in testing and technical research used by the leading global brands to create market advantage and by large enterprises for obtaining crucial technical insight into product performance. WCL has testing labs in the U.S.A., U.K. and India, with additional facilities around Europe, Asia and South America, using market-leading technology such as Mu Dynamics’ service analyzer. This has the ability to quantify the reliability, availability and security of networked products or services by sending millions of variations on service-level traffic, simulating denial-of-service conditions, and replaying published vulnerabilities.

AVG Internet Security 9.0
AVG Technologies

DEVELOPER’S STATEMENT
AVG Internet Security (AVG IS) provides a comprehensive range of protection which includes Anti-Virus, Anti-Spyware, Anti-Spam, Anti-Rootkit, Web-Shield, and Resident-Shield features, as well as an Email-Scanner, and LinkScanner.

The SBS Edition is designed specifically for Microsoft Small Business Servers with the ability to be deployed from a central server. It will install on a wide range of Windows 32- and 64-bit platforms.

Product: AVG Internet Security 9.0
Manufacturer: AVG Technologies
Contact Details:
Certification:

In committing to a process of independent performance validation, AVG IS is registered in and regularly tested against a range of certifications to validate its effectiveness in dealing with a variety of malware threats through a number of different attack vectors, achieving a consistently high level of performance both in blocking malware threats and in dealing effectively with malware that executes at the desktop.

Within the Checkmark Certification program, AVG IS is accredited to the full Anti-Malware Certification, which comprises the individual Anti-Virus, Anti-Spyware and Trojan accreditations. These test against suites comprising a wide variety of viruses, trojans, bots, worms and spyware, including RATs, hijackers, password stealers, and a host of other malicious software. Test suite sizes vary from test to test on a monthly basis, but there are regularly at least 1200 samples in each of the Virus and Spyware collections and over 450 in the trojan collection.

Since launching AVG IS, the product has performed consistently well within the criteria of the Certification program, and any samples missed have been promptly dealt with by the support teams.

As the first product to achieve the Checkmark Anti-Malware Dynamic Certification, AVG IS has shown that it can protect against threats executed at the desktop. Testing is carried out using a selection of files drawn from the virus, trojan, and spyware test suites of West Coast Labs. AVG IS continues to hold the Certification.

AVG has also achieved a consistently high standard of performance in the Real Time testing program when protecting against HTTP and FTP malware attack vectors. The product’s high detection rates are once again complemented by the speed with which the product is updated by the support teams at AVG.

AVG IS’s quality of performance is reflected in the way the product has been developed to provide a comprehensive solution. Installation is straightforward, but consists of multiple stages. After the initial installation is complete, a wizard guides the user through the configuration, and allows them to update and schedule daily scans. After the installation, there is minimal need for user interaction with the product. For administrators, however, there is real depth to the settings available.

Basic use of AVG IS is as simple or complex as a user’s need defines. The Computer Scanner option incorporates functions from three of AVG IS’s eight different protection modules: Anti-Virus, Anti-Spyware and Anti-Rootkit. Computer Scanner allows users to

WEST COAST LABS VERDICT
AVG Internet Security is an in-depth solution that provides easy to use, customizable protection for small businesses. Administrators can integrate AVG into their networks with confidence that the product will protect against a wide range of user and internet-based threats.

CHECKMARK CERTIFICATION AND PLATINUM PRODUCT AWARD
AVG IS is Checkmark certified for the full anti-malware accreditation: including anti-virus desktop, anti-spyware, anti-trojan plus the new anti-malware dynamic certification. It is part of the WCL Real Time Program for malware detection in the HTTP & FTP threat vectors.

[Platinum Product Award]

scan the whole machine with customizable settings, with an option to shut down afterwards, allowing scans to be performed outside of normal office hours. For ease of use, scans can also be initiated with a simple right click on a specific directory or file. Users can also select what the scan will report, which can be reviewed later.

With the combination of the Web Shield module, the Email Scanner and the Anti-Spam and Resident Shield modules, an internet user is well protected against a range of threats. Protection against web based threats is supplemented by the LinkScanner feature, which consists of two modules – SafeSearch and SafeSurf. Combined, these technologies aim to provide protection against drive-by downloads, phishing sites, and a host of other malicious content which could affect users via their browsers. Basic testing by West Coast Labs has shown that these technologies are effective both in warning end users and in blocking access to sites compromised by drive-by code.

The advanced settings tab allows further customization of protection features and refinement on each of the individual components, which will help to tailor the product to fit in with an individual business’s needs. Users can set exceptions for business based software that may have been flagged as a Potentially Unwanted Program by AVG IS. Options for the anti-spam module allow administrators to change the potential spam scoring, and the resource allocation to spam scanning. The availability of white and black lists, and the ability to train the spam filtering software, allow this module to offer a multi-tiered approach when dealing with the issue of unwanted emails. Alongside this is an email scanner which checks for malware contained in any emails either received or outgoing. Custom flags can be inserted into the subject of the email if required.

Scheduling scans is a simple task, and the option to run on start-up is useful should a scan be interrupted. Similarly, updates are easy to schedule. Users can update from the web, from a directory and, in the advanced settings tab, custom URLs can be added. There is also an ability to roll back updates to a previous version, should the need arise. Manual updates can also be performed. Should a user wish to just leave the product to its own devices, it will keep itself up to date automatically. Alternatively, it may notify the user of pending updates, making maintenance of the product very simple.

AVG IS has multiple reporting options as well as those found in the manual scan settings. Users can view previous scan results, Web Shield activity logs, and Resident Shield and Email Scanner logs.

The Virus Vault informs users of overall product activities, but it is also the location of quarantined files. From the Virus Vault, it is possible to retrieve any quarantined files should the need arise.

This is a very effective product with many features for protecting a PC in an online environment. AVG’s ability to configure the product to the users’ liking will appeal to administrators, who will also find its set-up-and-go usability gives them peace of mind.

Real time attack vector testing
For both the HTTP and FTP attack vectors, files are sourced from West Coast Labs’ global malware research and collection network. Files are tested against the product 24x7x365 through each attack vector. The testing is configured such that each vector is tested using an “On Access” methodology, where files that are transferred to the system are examined during the process of transfer rather than being scanned as a static collection of files in a directory.

Over HTTP, files are delivered to the machine under test using proprietary software based around a well known internet browser, which downloads the samples as a user might. These files include threats that are currently seen by West Coast Labs to be attacking corporate networks globally and can include zero day malware, as well as existing worms, web exploits, trojans and spyware. AVG IS uses a combination of the Web-Shield and Resident-Shield features to protect users against these threats, which enables AVG to have its latest malware protection signatures tested against malware that is live in the wild.

The FTP attack vector uses a series of standardized FTP sessions to feed malware into the test PC in real time, and this again tests the Resident-Shield protection component of AVG IS. It performs very well in real time testing, with a consistently high detection rate in both the HTTP and FTP attack vectors.

The minimum resources required for AVG IS are a 1.8GHz processor, 600MB of hard drive space, and 512MB of RAM.
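The “Real time attack vector testing” sidebar above and the “Vendor response” section earlier in the report together describe a test loop: samples arrive through a vector, the product is expected to examine each file as it is transferred rather than in a later directory sweep, misses are fed back for re-test within 24 hours, and each day’s result is read like an index rather than a pass/fail. The following added example models that loop in miniature; it is not West Coast Labs’ harness and the `ToyProduct` scanner, its signature set, the sample bytes and the dates are all constructed stand-ins for the demonstration.

```python
"""Toy model of an on-access real-time test loop (added example, not the lab's harness)."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ToyProduct:
    """Signature-based on-access scanner: a set of known-bad SHA-256 digests (constructed)."""

    def __init__(self, signatures: set[str]):
        self.signatures = set(signatures)

    def on_access(self, data: bytes) -> bool:
        """Invoked while a file is being transferred; True means the product blocked it."""
        return sha256(data) in self.signatures

    def update(self, new_signatures: set[str]) -> None:
        """Stand-in for the vendor's signature update after the lab feeds back misses."""
        self.signatures |= new_signatures


class RealTimeHarness:
    RETEST_WINDOW = timedelta(hours=24)  # misses are re-tested within 24 hours

    def __init__(self, product: ToyProduct):
        self.product = product
        self.results = defaultdict(lambda: {"seen": 0, "detected": 0})  # ISO day -> counts
        self.retest_queue = []  # (due_time, vector, sample_bytes)

    def deliver(self, vector: str, data: bytes, when: datetime) -> bool:
        """Feed one file through the named vector; the on-access hook fires during transfer."""
        blocked = self.product.on_access(data)
        day = when.date().isoformat()
        self.results[day]["seen"] += 1
        if blocked:
            self.results[day]["detected"] += 1
        else:
            # A miss is not a failure grade: it is queued to be fed back in.
            self.retest_queue.append((when + self.RETEST_WINDOW, vector, data))
        return blocked

    def run_retests(self, now: datetime) -> list[bool]:
        """Re-deliver every queued miss whose re-test time has arrived."""
        due = [item for item in self.retest_queue if item[0] <= now]
        self.retest_queue = [item for item in self.retest_queue if item[0] > now]
        return [self.deliver(vector, data, now) for _due, vector, data in due]

    def detection_rate(self, day: str) -> float:
        """The per-day figure that is read like a stock index across the test period."""
        r = self.results[day]
        return r["detected"] / r["seen"] if r["seen"] else 0.0


def demo() -> dict:
    """Constructed two-day run: half the day-1 samples are missed, then the vendor updates."""
    samples = {"http": [b"sample-A", b"sample-B"], "ftp": [b"sample-C", b"sample-D"]}
    product = ToyProduct({sha256(b"sample-A"), sha256(b"sample-C")})  # knows half of them
    harness = RealTimeHarness(product)
    day1 = datetime(2010, 1, 4, 9, 0)
    for vector, files in samples.items():
        for data in files:
            harness.deliver(vector, data, day1)
    rate_day1 = harness.detection_rate("2010-01-04")
    # The vendor's research team ships signatures for the misses before the re-test is due.
    product.update({sha256(b"sample-B"), sha256(b"sample-D")})
    day2 = day1 + timedelta(hours=24)
    retest = harness.run_retests(day2)
    return {
        "day1": rate_day1,
        "retest_blocked": retest,
        "day2": harness.detection_rate("2010-01-05"),
        "pending": len(harness.retest_queue),
    }


if __name__ == "__main__":
    print(demo())
```

The distinction the sidebar draws is carried by where `on_access` is called: inside `deliver`, at transfer time, not in a separate pass over a directory of already-written files. A product whose on-access component is disabled would score zero here even if its on-demand scanner knows every signature.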

Internet Security Suite Plus 2010
CA

DEVELOPER’S STATEMENT
CA Internet Security Suite Plus 2010 is a comprehensive security suite that acts to protect your PC from internet threats and identity theft and to protect your children from inappropriate content.

Product: Internet Security Suite Plus 2010
Manufacturer: CA
Contact Details:
Certification:

CA Internet Security Suite Plus 2010 (ISS) is a wide-ranging security package aimed at home users and the SOHO market. It offers anti-malware protection, an integrated personal firewall, an email scanner, Windows Registry Protection, and code injection protection. These are complemented by modules that cover spam protection, anti-phishing protection, and identity protection, along with tools to backup and restore data that make this a feature-rich offering. The majority of these elements are also highly customizable, allowing users a great deal of control over their security software.

CA has been involved in the Checkmark certification scheme for a long time, and is tested against the anti-malware certification standard, and all its component parts, on a regular basis, thus ensuring that their malware detection standards are independently validated against a wide range of threats including viruses, trojans, bots, worms and spyware, such as RATs, hijackers, password stealers, and a host of other malicious software.

Test suite sizes vary from test to test on a monthly basis, but are regularly at least 1200 samples in each of the virus and spyware collections and over 450 in the trojan collection.

ISS Plus 2010 is also enrolled in the Anti-Malware Dynamic certification, and is currently being tested against the constantly updated threats provided via the West Coast Labs’ Real Time system. ISS Plus 2010 is currently on the HTTP and FTP malware feeds, performing consistently well over both. This is accompanied by quick response times for the release of malware signatures to detect any missed files that are fed back.

CA ISS Plus 2010 comes with a three-user licence and, for extra peace of mind, also currently offers an Internet Protection Plan covering both malware infections and identity theft (subject to certain restrictions) from host machines on which CA ISS is correctly installed and registered, with support and protection included as part of the deal.

During the initial installation, the setup routine searches for previous CA activation codes, making it a simple process to upgrade from an older version of the product. During the installation, updates are applied and can subsequently be applied either via a scheduled task, or manually if required.

Following the installation, the product offers a useful tour feature to introduce less confident users to the product; this explains the usage of each of its components in depth. The guide ensures that new users are quickly made aware of all of the workings of the product, enabling each user to optimize their protection based upon their specific requirements. Following this tour, the product requests permission to perform a number of tasks, including a full scan of the machine. This is intended to ensure that the user has a clean system to use and that there are no pre-existing infections.

Basic scanning is conducted via the simple mechanism of a right mouse click when a

WEST COAST LABS VERDICT

CHECKMARK CERTIFICATION AND
        Platinum                       CA ISS has a powerful feature set that                  PLATINUM PRODUCT AWARD
        Product                        belies its ease of use. The reporting shows             CA ISS is certified for full anti-malware
        Award                          an appropriate amount of data, with a level             accreditation including AV desktop, AV
                                       of customization to make this product of                disinfection, anti-spyware desktop, anti-trojan,
                                       great benefit to both first time and more               the new anti-malware dynamic certification. It
                                       experienced users                                       is part of the Real Time Program for malware
                                                                                               detection in the HTTP and FTP threat vectors.
10 Technology Report                                                                                                 

Technology Report                                                                                     Real time attack
                                                                                                      vector testing

file or folder is highlighted, and choosing the     control their access via this common infection    CA ISS is tested on the HTTP and
option to run the scan. The product also offers     vector. Alongside the Browser Protection the      FTP attack vectors of the Real Time
the ability to exclude certain folders/files from   Website Advisor feature provides information      System, which feeds files sourced from
future scans, in order to speed up scan times.      on links typed into the internet browser’s        West Coast Labs’ global honeypot
It is worth noting, however, that this should be    address bar in real time, in an attempt           network directly to the product via
used with caution.                                  to control and limit access to malicious          the appropriate attack vectors. “On
                                                    websites.                                         Access” testing methodology is applied
Scans may also be scheduled with an option                                                            to files that are transferred to the system
that allows the product to only scan when           Information made available in a toolbar to the    to be examined during the transfer
the computer is idle. This will ensure that         user includes physical server location, along     process, rather than a static scan of an
workflow is not interrupted or slowed by a          with the company the server is registered to,     already present malware collection in a
process running in the background. Options          allowing users to make informed decisions         directory.
are available to allow detected malware either      regarding their web security. The ability to
to be cleaned or to be quarantined should the       report potentially threatening sites helps the    Over the HTTP attack vector, propriety
cleaning process fail. Easily understandable        user base to protect each other (through a        software based on a well known internet
reports are also available should a user require    community based model.) These features            browser is used to download the
them.                                               are complemented by the parental controls         samples, which replicate the way a user
                                                    which can stop users from viewing unsuitable      would access these files. As the files
As part of the solution’s customization ability,    content.                                          have been sourced from honeypots, this
and for increased protection, the CA ISS 2010                                                         means that the product sees malware
allows the user to create program rules. These      There is extensive support available directly     that is currently propagating in the wild.
are categorized according to different groups       within the product, including a ‘how to’ video    These can include zero day malware,
set out: Trusted, Blacklist, SafeApps and           library, which emphasizes CA’s focus on           exploits, trojans and spyware.
Installer.                                          making the product simple to use.
                                                                                                      Due to the nature of the system, CA are
Firewall protection is made simple to use           In committing to a process of independent         able to see their test results against live
with the ability to select pre-defined levels of    performance validation, CA has shown,             threats on an ongoing basis, helping
protection. For more advanced users, there is       through a range of certifications, that it is     them to ensure that their protection is
the ability to add custom firewall rules, which     effective in dealing with a variety of malware    up to date with that which is currently
is good for small businesses which might wish       threats through a number of different attack      threatening users’ security.
to customize their network protection, while        vectors, achieving a consistently high level
retaining strict controls.                          of performance both in blocking malware           Over the FTP attack vector, a series
                                                    threats and in dealing effectively with malware   of standard FTP sessions collect the
Browser Protection contains Cookie Control,         that executes at the desktop.                     samples and supply them to the test
Pop-up Blocker Control, Mobile Code Control                                                           host in real time.
and a Cache cleaner. Combined, these                CA ISS Plus 2010 has also achieved a
features allow for very specific control over       consistently high standard of performance         CA ISS is among the top performers
protection against threats through a browser.       in the Real Time testing program and              when testing against the HTTP and FTP
                                                    the product’s high detection rates are            attack vectors, consistently achieving
The product again shows the strengths of its        complemented by the speed with which it is        one of the highest detection rates.
customization options by offering the ability to    updated by the support teams working on the
set site-specific options, meaning users can        product.                                

The product has different requirements depending on the operating system it is
installed on. CA ISS supports Windows 2000, XP, Vista and Windows 7, and requires
256 MB RAM for XP, 512MB RAM for Vista, and 1GB RAM for Windows
7. Processor speeds vary – with the product requiring
300Mhz for XP, 800Mhz for Vista, and 1Ghz for Windows 7.

                                                                                                                                                                                Technology Report 11

Kaspersky Work Space Security

DEVELOPER'S STATEMENT
Kaspersky Work Space Security provides centralized protection from all types of contemporary computer threats for workstations, whether on the corporate network or used remotely.

Product: Kaspersky Work Space Security
Manufacturer: Kaspersky

Kaspersky Work Space Security is the entry-level offering in the wider Kaspersky Open Space Security family of products, designed to offer various types of protection, which include both on-machine and web-based anti-virus functionality, anti-spyware, anti-spam, firewall, and device control features at the workstation level.

Work Space Security includes the Kaspersky Anti-Virus solution, as well as Kaspersky Lab's central management console, Kaspersky Administration Kit. The hands-on aspect of this review is based on a Windows installation of the Kaspersky Anti-Virus solution and the Administration Kit. Support is offered for multiple versions of the Windows OS, including 2000, XP, Vista and Windows 7, along with their 64-bit counterparts. The central management console (Kaspersky Administration Kit) also covers Windows Server platforms from 2000 to 2008 in both 32- and 64-bit versions. There are also a number of Linux flavors that support the client part of the solution; however, the central management console is Windows only. (MySQL is supported as the database component under the Linux platform.)

Kaspersky Anti-Virus may be installed either locally or via the Kaspersky Administration Kit. Should the company decide to deploy through the Administration Kit, it will have a number of methods open to it, including deployment to a single IP address, a range of IP addresses, or even a predetermined group of computers, including Active Directory support and Windows networking.

Upon launching the Kaspersky Administration Kit, the user is presented with a brief overview of deployment, computer management, protection, virus scan, update, and monitoring. These provide a quick representation of the current network status through a traffic light system, an easily understandable theme that is carried through both the Administration Kit and the client interfaces. Clicking on any of these modules gives the administrator more specific information related to the module, which is presented in a dashboard view including bar and pie charts.

Although changes to the product can be made remotely via the Kaspersky Administration Kit and locally via the product's interface screen, users have the ability, via options in the Administration Kit, to block end users from making changes to the product, which is useful for enforcing adherence to corporate security policies. When configuring the solution via the Administration Kit, the administrator also has the ability to group client computers together, allowing security and policy changes to be applied rapidly across a number of endpoint client machines.

Through the use of policies on the Kaspersky Administration Kit, administrators are able to customize the amount of configuration that is applied locally. Configuring the solution for endpoint users is made easy with a series of tick boxes, drop-down boxes and sliders. On the main endpoint interface, administrators are presented with a breakdown of the included modules. Modules which are currently active are displayed in green with a tick beside them, while deactivated modules are grey with a cross alongside. Clicking on any of the modules, administrators are presented with four options: settings, reports, start and stop, leading to quick customization or the enabling and disabling of each module individually.

Updates can be handled in two ways: the administrator can choose to allow each client computer to connect to the Kaspersky Lab update server, or to set up the Kaspersky Administration Kit to update from Kaspersky Lab and then roll out the updates to internal users, saving on the company's external bandwidth.

Reporting is available through the client's individual interface, or centrally through Kaspersky Administration Kit. In a default policy, an endpoint user is only provided with basic information about detected threats; however, extra data related to current threats and issues in the network is available if the reports are generated centrally. Using either the client or Administration Kit interfaces allows the user to save reports to a local disk or network path in a choice of HTML, XML or PDF formats, while the centralized method also allows for reports to be sent to an email address on an immediate or scheduled basis.

Within the Kaspersky Administration Kit there is the option to schedule a backup of the Administration Server data. This allows administrators to keep a copy of the configuration files and reports on a remote server in case of failures with the server, providing them with the ability to deal with any server failure issues quickly. It is also worth noting that it is possible to set endpoint hosts to copy quarantined files to the server, which would allow the administrator to control the restoration of key documents should they become infected.

Kaspersky Lab shows its continuous commitment to performance validation by its enrollment in the Anti-Malware Dynamic Certification, where its behaviour models intercept the malware before it has a chance to execute on the computer. The collection for the Dynamic test suite is drawn from a number of files from the anti-virus, anti-trojan and anti-spyware test suites and is designed to show whether the solution can cope with a number of different and complex threats. Kaspersky Lab has been a member of the Checkmark Certification scheme for a decade.

The solution is also a consistently high performer on West Coast Labs' Real Time system, where it is tested on HTTP, FTP and SMTP malware attack vectors. The solution's high performance across all three attack vectors, along with the dynamic and static collections, shows its ability, which is complemented by the support and response speed of its engineers should any issues arise.

Real time attack vector testing

Kaspersky Lab is currently on West Coast Labs' Real Time system for HTTP, FTP and POP3 malware. Over each protocol Kaspersky Lab's performance has been consistently high, one of the few companies to achieve this feat. All protocols are tested using an On-Access methodology.

HTTP and FTP feeds are tested over the appropriate protocol delivery method using a combination of standardized tools and proprietary scripting. The feeds are supplied by West Coast Labs' global honeypot network, supplemented by various web-crawling systems. West Coast Labs receives a wide variety of different types of malware in these feeds, including zero-day malware, the latest worms, trojans and spyware, along with malware that is still active online due to unpatched systems still being deployed. Kaspersky Lab is tested hourly on each of these protocols, with missed samples being re-fed hourly through the system.

Kaspersky Lab detection for mail-based malware is tested over the POP3 protocol, relying on Kaspersky Lab's POP3 scanner to delete the messages. Malware for this protocol is sourced via a number of domains that are owned and controlled by West Coast Labs, with testing occurring immediately upon receipt of a piece of malware. The majority of files seen across these domains are network worms, consistent with the types of traffic being received by corporate enterprises.

WEST COAST LABS VERDICT (Platinum Product Award)
Kaspersky Work Space Security is a multi-faceted security tool that incorporates Kaspersky Lab's industry-established Anti-Virus solution. The pedigree of the solution is reflected in its high performance levels and wide range of included technologies.

CHECKMARK CERTIFICATION AND PLATINUM PRODUCT AWARD
Kaspersky Work Space is certified for full anti-malware accreditation including AV desktop, AV disinfection, anti-spyware desktop, anti-trojan, and the new anti-malware dynamic certification, and is also part of the Real Time Program for malware detection in the HTTP, FTP & POP3 threat vectors.

System Requirements vary for each operating system, but typically are as follows: Intel Pentium processor 800 MHz or higher (or a compatible CPU), 512 MB available RAM, and 100 MB available HDD space.

Webroot Internet Security Essentials

DEVELOPER'S STATEMENT
Webroot Internet Security Essentials provides essential protection that won't slow you down. It keeps your PC safe without slowing down performance. The streamlined design includes award-winning anti-spyware, anti-virus and firewall protection, plus file cleanup and automatic backup.

Product: Webroot Internet Security Essentials

Webroot Internet Security Essentials (WISE) is an inclusive security package aimed at the home-office and home user. The suite includes both anti-virus and anti-spyware protection, along with a host-based firewall and free telephone support for US-based customers. Help and support for basic problems and issues is also available directly from the program interface.

Support is offered for XP, Vista and Windows 7, and the minimum specifications are remarkably low. Webroot has shown its commitment to a process of independent performance validation, with registrations in and regular tests against a range of certifications to validate its effectiveness in dealing with a variety of malware threats through a number of different attack vectors.

Webroot has been a member of West Coast Labs' Checkmark Certification scheme for five years and during that time has achieved a consistently high level of performance.

Within the Checkmark Certification program, Webroot Internet Security Essentials is accredited to the full Anti-Malware Certification, which comprises the individual anti-virus, anti-spyware and anti-trojan accreditations.

These test against suites comprising a wide variety of viruses, trojans, bots, worms and spyware, including RATs, hijackers, password stealers and a host of other malicious software. These test suite sizes vary from test to test on a monthly basis, but there are regularly at least 1,200 samples in each of the virus and spyware collections and over 450 in the trojan collection.

Since testing began on WISE in 2008, the product has consistently performed well within the criteria of the Certification program, and any samples missed have been promptly dealt with by the support teams.

Webroot was also among the early adopters of the Anti-Malware Dynamic Certification, and has thus shown itself to be effective both in blocking malware threats and in dealing effectively with malware that executes at the desktop.

WISE has also achieved a consistent standard of performance in the Real Time testing program when protecting against the HTTP and FTP malware attack vectors. The product's detection rates are complemented by the speed with which it is updated by the support teams at Webroot.

Installation of this product consists of a standard wizard routine, with each step explained with helpful on-screen directions. During the install, the user is presented with the option to join the Webroot Automated Research Network (WARN). This is a voluntary scheme that allows Webroot to retrieve information from a participating host computer to aid in its malware research and prevention.

Scheduled events can also be set up during the installation, such as a computer scan or cleanup. By default the solution backs up the user's desktop, documents and pictures folders to an online data center after an account has been created. These scheduled events can, of course, subsequently be altered or augmented through the solution's interface.

Once installed, the solution is easy to get started with and uses a layout that is easy to navigate, allowing the user to get straight to the required functionality, whether it be an on-demand scan, computer cleanup, update or just a general overview of their protection status.

Scans are easily reached via a tab labelled 'Sweep'; options include Full, Quick or Custom Sweeps, with varying levels of examination associated with each. Under the 'Shields' tab, the user can find details of WISE's ongoing protection modules. Using combinations of multiple layers, the product defends the host using 13 shields in total, protecting the web browser, Windows system, startup programs, network and email attachments among others. Each shield has its own configuration options associated with it to allow for customization.

As part of the subscription to Webroot Internet Security Essentials protection, Webroot also offers 2 GB of online storage, allowing files to be backed up via the Backup tab.

Usefully for some, the solution offers a Gamer mode. Enabling this feature turns off all product alerts, thus stopping the possibility of a game window minimizing mid-game. It is worth noting, however, that this mode also reduces the overall protection level somewhat, as WISE's real-time systems are also disabled. Gamer mode is automatically turned off after four hours by default, but this can be disabled or set to a custom time by the user.

By default, Webroot Internet Security Essentials will update itself automatically every day; this can be changed to hourly if the user so desires, and there is also allowance for manual update requests.

Real time attack vector testing

Webroot's WISE is currently tested on the HTTP and FTP attack vectors. Samples are collected from around the globe via a number of geographically dispersed honeypots controlled and owned by West Coast Labs, and include a large variety of malware types. These files include threats that are currently seen by West Coast Labs to be propagating in the wild and can include zero day malware, as well as the latest worms, web exploits, trojans, and spyware.

For HTTP, West Coast Labs' Real Time system looks at the way in which a user would download files, attempting to save the file via an internet browser, which provides a realistic test environment that examines the solution's on-access protection thoroughly.

FTP is tested in much the same way, but simulates a user downloading malicious content via an FTP client. With the Real Time testing systems providing current samples, WISE's definitions are being constantly tested against real, live threats on an hourly basis.

For both attack vectors, WISE's File System Shield is the component that is most active in determining the nature of the incoming threats and refusing them access.

WEST COAST LABS VERDICT (Platinum Product Award)
WISE provides a multi-layered threat prevention package with consistently performing anti-malware protection. The solution is easy to navigate and offers a good range of flexibility, with the ability to customize security protection to best suit individual circumstances.

CHECKMARK CERTIFICATION AND PLATINUM PRODUCT AWARD
WISE is certified for: AV desktop, AV disinfection, anti-spyware desktop, anti-trojan, installed spyware, and is part of West Coast Labs' Real Time testing scheme for FTP & HTTP threat vectors. WISE also has the new anti-malware dynamic certification.
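The three "Real time attack vector testing" sidebars (CA ISS, Kaspersky Work Space Security and WISE) describe the same loop: samples arrive from honeypot feeds, are delivered over the live protocol the way a user would fetch them, are judged by the product's on-access component during the transfer, and anything missed is re-fed on the next hourly round. The following Python is an added example written for this page, not West Coast Labs' harness or any vendor's code. Everything in it is constructed: the sample names and byte strings are harmless placeholders (not malware), the local HTTP server stands in for the honeypot feed, and StubOnAccessScanner is a hypothetical stand-in for the product under test, judging a download by a signature set that grows between rounds to model a vendor update.

```python
"""Toy model of an on-access, feed-and-re-feed detection harness.

Constructed example: local HTTP server as the feed, a stub scanner as the
product, SHA-256 of each sample as the ledger key. Nothing here is a real
vendor API or real malware.
"""
import hashlib
import http.server
import threading
import urllib.request
from dataclasses import dataclass, field

# Constructed samples: arbitrary placeholder bytes served by the feed.
SAMPLES = {
    "sample-a.bin": b"CONSTRUCTED-SAMPLE-A\x00\x01",
    "sample-b.bin": b"CONSTRUCTED-SAMPLE-B\x00\x02",
    "sample-c.bin": b"CONSTRUCTED-SAMPLE-C\x00\x03",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Ledger:
    """Per-vector record of which sample hashes were blocked or missed."""
    vector: str
    detected: set = field(default_factory=set)
    missed: set = field(default_factory=set)
    rounds: int = 0

    def record(self, digest: str, blocked: bool) -> None:
        if blocked:
            self.detected.add(digest)
            self.missed.discard(digest)   # a re-fed sample that is now caught
        else:
            self.missed.add(digest)

    def detection_rate(self) -> float:
        total = len(self.detected) + len(self.missed)
        return 1.0 if total == 0 else len(self.detected) / total


class StubOnAccessScanner:
    """Hypothetical stand-in for the product's on-access component.
    Blocks a transfer when the content hash is in its signature set; adding
    a signature between rounds models a vendor definition update."""
    def __init__(self, signatures):
        self.signatures = set(signatures)

    def on_access(self, data: bytes) -> bool:
        return sha256(data) in self.signatures


class _FeedHandler(http.server.BaseHTTPRequestHandler):
    """Serves SAMPLES from memory over HTTP, standing in for the feed."""
    def do_GET(self):
        body = SAMPLES.get(self.path.lstrip("/"))
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the harness quiet
        pass


def start_feed_server() -> http.server.HTTPServer:
    server = http.server.HTTPServer(("127.0.0.1", 0), _FeedHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_round(base_url: str, names, scanner, ledger: Ledger) -> list:
    """Fetch each sample over HTTP as a browser would, judge it on access,
    update the ledger and return the names that are still missed."""
    ledger.rounds += 1
    still_missed = []
    for name in names:
        with urllib.request.urlopen(f"{base_url}/{name}", timeout=5) as resp:
            data = resp.read()
        blocked = scanner.on_access(data)
        ledger.record(sha256(data), blocked)
        if not blocked:
            still_missed.append(name)
    return still_missed


def simulate_http_vector(rounds: int = 3) -> list:
    """Round 1 feeds every sample; later rounds re-feed only the misses.
    Returns [(round, detection_rate, names_still_missed), ...]."""
    server = start_feed_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    scanner = StubOnAccessScanner([sha256(SAMPLES["sample-a.bin"])])  # knows one sample
    ledger = Ledger("HTTP")
    queue, history = list(SAMPLES), []
    try:
        for _ in range(rounds):
            queue = run_round(base, queue, scanner, ledger)
            history.append((ledger.rounds, round(ledger.detection_rate(), 3), sorted(queue)))
            if queue:  # constructed update: vendor ships a signature for one miss
                scanner.signatures.add(sha256(SAMPLES[queue[0]]))
    finally:
        server.shutdown()
    return history


if __name__ == "__main__":
    for rnd, rate, pending in simulate_http_vector():
        print(f"round {rnd}: detection {rate:.1%}, still missed {pending}")
```

In a real harness the on_access verdict is not a function call: the judge is whether the downloaded file survives on disk (or appears in the product's quarantine log) once the transfer completes, which is what "examined during the transfer process, rather than a static scan" means in the sidebars. The FTP vector uses the same run_round shape with an ftplib client in place of urllib, and the Ledger is kept per vector so each protocol's detection rate is reported separately.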

WISE is supported on Microsoft Windows 7, Vista and XP on either 32-bit or 64-bit architecture. The product requires a minimum of 256 MB of memory to operate and 100 MB of hard disk space for installation.

Anti-Spam, VA & UTM Solutions

Contact Details
Full Product Test Report

US Headquarters & Test Facility
West Coast Labs
16842 Von Karman Avenue
Suite 125
Irvine CA 92606 U.S.A.
Telephone: +1 (347) 403 0374
Telephone: +1 (949) 870 3250

European Headquarters & Test Facility
West Coast Labs
Unit 9 Oak Tree Court
Mulberry Drive
Cardiff Gate Business Park
Cardiff CF23 8RS U.K.
Telephone: +44 (0) 208 267 8280

Asia Headquarters & Test Facility
West Coast Labs, A2/9 Lower Ground Floor,
Safdarjung Enclave, Main Africa Avenue Road,
New Delhi 110 029, India.

For full details of the Checkmark Certifications for ISS, please visit and use the search facility by vendor or product name. Download the complete White Paper Product Test Report at