Kaspersky Business Space Security
vs.
Sophos Endpoint Security and Control

Comparative Analysis
Contents

1 General information ................................................................................. 3
2 Comparison of the main protection capabilities ...................................................... 3
   2.1   Comparison of protection quality ............................................................... 4
   2.1.1 Detection rates ............................................................................... 4
   2.1.2 Detection and treatment of objects in archived and compressed files ........................... 4
   2.1.3 Treatment of active infections ................................................................ 5
   2.1.4 Number of updates ............................................................................. 5
   2.2   Functional comparison ......................................................................... 6
3 Comparison of the administration system capabilities ................................................ 7




           Kaspersky Business Space Security vs. Sophos Endpoint Security and Control                Comparative analysis



                                                                   2
1 General information
    This document provides a comparative analysis of the Windows file server and workstation protection
    capabilities in Kaspersky Business Space Security and Sophos Endpoint Security and Control.



2 Comparison of the main protection capabilities

                                                            Kaspersky Anti-Virus 6.0     Sophos Anti-Virus and
                                                            for Windows Workstations     Client Firewall

Protection quality
  Overall detection rate [1]                                98.86%                       94.63%
  Detection rate for compressed files [2]                   81%                          5%
  Treatment of active infections [3]                        71%                          18%
  Average number of updates per month [4]                   615                          189

Proactive protection
  Heuristic analyzer
  Behavior blocker
  Rollback of malicious changes                                                          –
  Rootkit detection                                                                      –
  Scanning of hidden files                                                               –
  Detection of system anomalies                                                          –

File antivirus, on-demand scanning
  Protection level selection (setting the balance between
  scanning depth and speed)                                                              –
  Treatment of objects in archived and compressed files     ZIP, ARJ, CAB, RAR, LHA      –

Mail antivirus
  Protection level selection (setting the balance between
  scanning depth and speed)                                                              –
  Scanning of POP3 and SMTP traffic                                                      –
  Scanning of IMAP4 traffic                                                              –
  Scanning of Microsoft Office Outlook (MAPI) mail                                       –

Web antivirus (scanning of HTTP traffic)                                                 –

Detection of spyware and other potentially hostile software

Protection from network attacks
  Personal firewall
  Intrusion detection system (IDS)                                                       –

Anti-phishing protection                                                                 –
  Protection from phishing attacks in emails                                             –
  Protection from phishing attacks when opening websites
  in the browser                                                                         –

Protection from unwanted advertising
  Blocking of unwanted applications                         –

Antispam protection                                                                      –

Tools for creating a Rescue Disk                                                         –




    [1] AV-Test.org, August 2007
    [2] Anti-Malware-Test.com, August 2006
    [3] Anti-Malware-Test.com, September 2007
    [4] AV-Test.org, November 2006




2.1 Comparison of protection quality

2.1.1 Detection rates

   In August 2007, the research group from Magdeburg University (AV-Test.org) studied the malicious
   program detection capabilities for various antivirus solutions.

Figure: Malicious program detection (bar chart, axis 60% to 100%). Kaspersky: 98.86%; Sophos: 94.63%. Source: AV-Test.org.


2.1.2 Detection and treatment of objects in archived and compressed files
    Most contemporary malicious programs are packed with one compression utility or another. In August
    2006, the Anti-Malware Test Lab, an independent research project, studied the capabilities of different
    antivirus products in terms of their ability to detect malicious programs in compressed files.

Figure: Detection rate, archived and compressed files (bar chart, axis 0% to 90%). Kaspersky: 81%; Sophos: 5%. Source: Anti-Malware Test Lab.

    For archives, it is crucial to not only detect a threat, but to treat the infected files without damaging the
    user’s data. iCure, a unique technology developed by Kaspersky Lab, makes it possible to treat infected
    files in ARJ, CAB, RAR, ZIP and LHA archives. Infected files in multi-volume archives are treated using the
    iArc technology, which supports ARJ, CAB and RAR archives. Sophos solutions are incapable of treating
    infected objects in archives.




  2.1.3 Treatment of active infections
    Unfortunately, no antivirus developer can guarantee 100% protection, and infections are rather
    common. In September 2007, the Anti-Malware Test Lab studied the capabilities of the most popular
    antivirus programs in terms of treating active infections. Antivirus programs were installed on computers
    where malicious programs had already been executed and installed, some of which could interfere with the
    detection and removal capabilities of the antivirus product. In this test, the results demonstrated by the
    Kaspersky Lab product were among the best of all products tested.

Figure: Treatment of active infections (bar chart, axis 0% to 90%). Kaspersky: 71%; Sophos: 18%. Source: Anti-Malware Test Lab.


  2.1.4 Number of updates

   The frequency of database updates is among the most important criteria by which to evaluate the
   effectiveness of antivirus protection. If proactive methods fail to detect a new threat, users remain
   unprotected until they receive a database update with the threat signature. The shorter the interval between
   updates, the shorter the period when users remain unprotected.


    According to research conducted by the Magdeburg University team (AV-Test.org), Kaspersky Lab
    releases antivirus database updates nearly every hour.

Figure: Number of updates per month (bar chart, axis 100 to 700). Kaspersky: 615; Sophos: 189. Source: AV-Test.org.




  2.2 Functional comparison
    Kaspersky Anti-Virus 6.0 for Windows Workstation includes a number of important features which
    are not available in Sophos Anti-Virus.
    1.   Sophos Anti-Virus does not detect files and processes masked using rootkit technologies.
         Kaspersky Anti-Virus effectively detects files and processes masked by rootkits. The proactive
         defense module included in the product detects rootkits based on their behavior.
    2.   Sophos Anti-Virus does not scan POP3/SMTP/IMAP mail traffic on the fly before it is processed
         by the mail client.
    3.   Sophos Anti-Virus does not offer on-the-fly scanning of Microsoft Office Outlook (MAPI) mail
         traffic, making it unsafe to use the corporate Exchange server without installing an additional
         antivirus program capable of protecting it.
    4.   Sophos Anti-Virus does not provide treatment of viruses in archived files, which is especially
         important for scanning emails with attachments.
    5.   Sophos Anti-Virus does not scan web traffic on the fly. Therefore, viruses that can launch
         without creating a file can penetrate the user’s computer.
    6.   Sophos Endpoint Security and Control also includes Sophos Client Firewall (Sophos Anti-Virus
         and Sophos Client Firewall are two separate components, which are not integrated). If the
         system administrator deploys the firewall with its default settings, it will disrupt Internet and
         email access for all users connected to the server.
    7.   Sophos Client Firewall does not include some important features:
         •   The product does not support exporting and importing a list of rules. As a result, the firewall
             rules cannot be saved for future use.
         •   The product does not support defining the time interval during which each rule is enabled.
             This feature provides time-based Internet access control for applications installed on the
             computer.
         •   The product does not include a traffic monitor, which tracks the volume of incoming and
             outgoing data, or a connection monitor, which shows the numbers of the ports opened on the
             local computer and information about connections to remote computers, including their
             IP addresses and port numbers.
    8. Sophos Endpoint Security and Control does not provide protection from phishing attacks at the
        mail client level and when opening websites in the browser.
    9. Sophos Endpoint Security and Control does not provide antispam protection.
    10. Sophos Endpoint Security and Control does not support the creation of a rescue disk. A rescue
        disk is necessary if the operating system cannot start up as a result of a malicious attack.
        Kaspersky Lab products provide an emergency system recovery feature, which makes it
        possible to create a rescue disk that functions correctly under the NTFS file system (Windows
        2000/XP) in write mode and can correctly treat or delete infected objects.




3 Comparison of the administration system capabilities

                                                            Kaspersky                 Sophos Enterprise Console
                                                            Administration Kit

Forced centralized installation of the antivirus product                              An additional restriction is
via RPC or the administration agent                                                   present (see item 1 below)
Centralized installation of the antivirus product using                               –
the Login Script                                                                      Only manually created startup
                                                                                      scripts (see item 2 below)
Manual scanning of the network for unprotected
computers: IP subnetwork / Active Directory /               / /                       / /
Windows Network
Automatic scanning of the network for unprotected
computers: IP subnetwork / Active Directory /               / /                       –/ /–
Windows Network
Support for automatically adding new computers to
administration groups and automatically installing                                    Only by using Active Directory
antivirus applications on newly detected computers                                    (see item 3 below)
Support for Cisco NAC (Network Admission Control)
Scanning for computers with specific properties or                                    Partially implemented
problems                                                                              (see item 4 below)
Support for an unlimited number of levels in the
administration server hierarchy                                                       –
Administration of several administration servers from
the system administrator's console                                                    –
Policy mechanism, whereby system administrators can
block users from making changes to the protection                                     Partly implemented
settings                                                                              (see item 7 below)
Support for defining different access levels for
different system administrators / operators                                           –
Auditing of system administrators' actions                                            –
Automatic centralized updating of antivirus databases
and application modules
Support for Wake-on-LAN / Shut Down to remotely turn
computers on/off in order to perform scheduled tasks                                  –
Backup copying of administration server data                                          –
Detailed predefined reports                                                           –
Support for generating reports at a time specified by
the system administrator and sending them to an email
address for timely notification of the current              /                         –/–
protection level




    1.   Sophos Enterprise Console imposes an additional restriction on the remote RPC-based
         installation of the antivirus solution on client nodes. For each client computer, a user with the
         same name and password as that node’s administrator should be registered as a Windows user
         on the administration server, otherwise installation will fail. As a result, the following problems
         arise:
         •   If the network is not based on a domain and administrators of different computers have
             different passwords, accounts for all of them must first be created on the computer on which
             the administration server is installed. Remote installation is only available after such
             accounts have been created.
         •   If the passwords for the user account used to perform the installation (e.g., Administrator)
             are not the same on the administration server and on the client computer, installation will
             not be possible.
         To perform an RPC-based installation of the antivirus solution on client nodes using Kaspersky
         Administration Kit, it is enough to specify the name and password for a user with administration
         rights on the target computer.
    2.   Sophos Enterprise Console does not support automatic installation of the antivirus product on
         client nodes using startup scripts. A script must be created manually. This process requires
         many additional operations.
         Kaspersky Administration Kit automatically creates startup scripts and deletes them after they
         have been executed.
    3.   Sophos Enterprise Console supports automatic scanning of the network for new computers and
         automatic installation of antivirus applications on newly detected computers using the Active
         Directory service only.
         Kaspersky Administration Kit provides automatic scanning of the Active Directory, the Windows
         Network or the IP subnetwork for new computers with subsequent automatic installation of
         antivirus applications on newly detected computers.
    4.   Sophos Enterprise Console does not support scanning for computers that have specific
         properties or problems. It is only possible to display computers included in certain categories
         predefined by the developers of the product.
         With Kaspersky Administration Kit, the system administrator can search for computers using any
         search criteria based on computer properties or problems.
    5.   Sophos Enterprise Console does not support administration server hierarchy, while Kaspersky
         Administration Kit makes it possible to create an administration server hierarchy of any nesting
         level.
    6.   Sophos Enterprise Console can manage only one administration server, resulting in difficulties
         with the administration of large corporate networks.
    7.   The policies in Sophos Enterprise Console are not stringent: all users with Sophos administrator
         rights can make changes to the protection settings on their computers. When the Sophos
         product is installed on a client computer, all local administrators become Sophos administrators
         by default and can make any changes to the application's settings on their computers. The
         security administrator can subsequently bring these settings in line with the policies, but that will
         require spending time tracking changes and undoing them.
         In Kaspersky Administration Kit policies, each parameter for the client products can be
         designated as enforced or optional. Required parameters are always enforced and clients (even
         if they are local administrators) cannot change them locally.
    8.   Sophos Enterprise Console does not include a system to define different access levels for
         different system administrators.
         With Kaspersky Administration Kit, different access rights can be defined for different
         administration groups.
    9.   Sophos Enterprise Console does not support auditing the actions of system administrators. This
         means that it is impossible not only to restrict administrators’ access rights, but also to control
         their actions.
         In Kaspersky Administration Kit, all administrators’ actions are recorded, from login to making
         changes to application settings and launching tasks.




    10. The Sophos database update system is based primarily on Windows shared folders. These
        update sources are created by default and can be selected in accordance with the company's
        security policy. Updating via HTTP is also supported, but to implement it the system
        administrator must either manually set up a web server, which is inconvenient, or specify the
        HTTP address of the main Sophos Internet update server, which increases the load on the
        Internet channel.
        Kaspersky Administration Kit updates are transferred via connections between administration
        agents and the administration server. Kaspersky Administration Kit also supports updating via
        FTP and HTTP and updating from network folders, which can be used as a reserve channel for
        updates.
    11. Kaspersky Administration Kit provides support for Wake-on-LAN and Shut Down to remotely
        turn computers on in order to perform scheduled tasks and shut them down after the tasks
        have been performed.
        Sophos Enterprise Console does not support Wake-on-LAN and Shut Down.
    12. Sophos Enterprise Console does not support creating backup copies of administration server
        data. In the event of a problem with the administration server, it is impossible to restore the
        protection system using the tools built into the product.
        Kaspersky Administration Kit includes both a command prompt utility and a special task for
        creating backup copies of administration server data.
    13. Sophos Enterprise Console provides only basic reporting. Reports include only threat names
        and the number of alerts for each threat. The product does not provide support for reports on
        application versions, errors, network attacks etc.
        Kaspersky Administration Kit offers more than 10 types of detailed reports. Reports can be
        generated on schedule and sent to the system administrator’s email address.



