White Paper
www.securecomputing.com
Secure Computing® has been solving the most difficult network and application security challenges for over 20 years. We help our customers create trusted environments both inside and outside their organizations.
Stopping the targeted attack: Why comprehensive malware protection is superior to anti-virus signatures for protecting your organization
Table of contents
- Introduction
- State of the “virus union”
- Comparison of anti-virus response times from 2003 to 2006
- The changing nature of malware attacks
- Fresh approaches to solving the malware problem
  - General considerations
  - Considerations for the desktop
  - Considerations for the Web gateway
Secure Computing Corporation
Corporate Headquarters: 4810 Harwood Road, San Jose, CA 95124, USA. Tel +1.800.379.4944, Tel +1.408.979.6100, Fax +1.408.979.6501
European Headquarters: 1, The Arena, Downshire Way, Bracknell, Berkshire, RG12 1PU, UK. Tel +44.0.870.460.4766, Fax +44.0.870.460.4767
Asia/Pac Headquarters: 1604-5 MLC Tower, 248 Queen’s East Road, Wan Chai, Hong Kong. Tel +852.2520.2422, Fax +852.2587.1333
Japan Headquarters: Shinjuku Mitsui Bldg. 2, 7F, Nishi-Shinjuku 3-2-11, Shinjuku-ku, Tokyo, 160-0023, Japan. Tel +81.3.5339.6310, Fax +81.3.4496.4537
For a complete listing of all our global offices, see www.securecomputing.com/goto/globaloffices
© November 2006 Secure Computing Corporation. All Rights Reserved. WW-AntiMal-WP-Nov06vF. Bess, enterprise strong, IronMail, MobilePass, PremierAccess, SafeWord, Secure Computing, SecureOS, SecureSupport, Sidewinder G2, SmartFilter, SofToken, Strikeback, Type Enforcement, CyberGuard, and Webwasher are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. Anti-Virus Multi-Scan, Anti-Virus PreScan, Application Defenses, Compliance, Dynamic Quarantine, Edge, Encryption, G2 Enterprise Manager, Global Command Center, IronIM, IronNet, Live Reporting, Message Profiler, MethodMix, On-Box, Outbreak Defender, Power-It-On!, Radar, RemoteAccess, Secure Encryption, SecureWire, SmartReporter, SnapGear, SpamProfiler, Threat Response, Total Stream Protection, TrustedSource, TrustedSource Portal, Webmail Protection, and ZAP are trademarks of Secure Computing Corporation. All other trademarks used herein belong to their respective owners.
- The next generation: Fighting malware without relying on signature updates
- Verdict
- Webwasher Anti-Malware
  - Overview
  - The Anti-Malware community approach
  - Convincing results
- Sources and references
Introduction
Organizations can do more over the Web today than ever before. As use of the Web continues to grow, virus outbreaks and other forms of Web-borne threats, collectively known as “malware”, continue to grow as well. Current security systems such as IDS, traditional firewalls, and anti-virus, while providing vital security, were not designed to combat code targeted at individual organizations or cleverly hidden inside seemingly harmless Web access protocols. Organizations need the Web, but they need to be protected from it as well.

Anti-virus (A/V) vendors have doubled their signature counts in less than two years in an attempt to keep pace with the growth of malware. But they cannot keep up, because malware is now designed to attack specific businesses and systems instead of causing general harm to the public Internet. While their solutions are still a viable option for stopping known viruses and threats, for the unknown threats posed by targeted attacks the window of time between an outbreak and the arrival of a new signature leaves individual organizations exposed. Targeted attacks will not get the attention from A/V vendors that a global Internet attack does, because from the vendor’s perspective their scope is limited. To the targeted organization, the scope is far from limited. This window of opportunity for malware catches a number of organizations off guard and unprotected. According to the 2006 CSI/FBI Computer Crime and Security Survey [1], even though 97% of the enterprises surveyed use anti-virus software and 98% use a firewall, almost two thirds (65%) suffered a virus outbreak or incident.

What is needed is a comprehensive solution that goes beyond desktop or even gateway anti-virus protection that relies solely on signatures of known threats. Organizations need to be protected from both known and unknown threats, and from all the varieties and forms that sophisticated malware takes.

In this white paper, we discuss the evolving nature of malware and why enterprises remain highly vulnerable to targeted malware attacks despite deploying common security solutions such as anti-virus software and traditional firewalls. The paper then describes new solutions designed to be much more proactive and effective in protecting an organization’s inbound and outbound traffic.
State of the “virus union”
This white paper uses the term malware as synonymous with any dangerous software that someone might refer to as a virus, spyware, Trojan, rootkit, bot, hijacker, or ransomware. Malware, short for “malicious software”, refers in general to every form of active content that most IT administrators do not want in their network.

A little bit of history: ten years ago, when nearly all of today’s available anti-virus solutions were architected, the typical piece of malware was authored by a dissatisfied employee or by a young amateur programmer looking for a thrill. Its sole purpose was to wreak general havoc and boost the self-esteem of the author. Few individuals had the time or the skills needed to create a piece of malware, and even fewer had the skills to make it capable of self-propagation. In those early days it was therefore a sound approach for an anti-virus vendor to create a snapshot, now called a signature, of that piece of malware and to use it to search the system for infected files with a simple lookup mechanism. At the same time, some virus writers used morphing code to infect vital operating system files and disable a machine. For that threat, anti-virus vendors developed the simple idea of comparing the sizes of popular operating system files that were prone to infection against a known list of valid file sizes, and were thus able to detect infections. However, these approaches provided only limited protection, and only after the virus/malware was out in the open and causing damage. And by comparison with now, those were the good old days.

Today, anyone who is somewhat IT savvy, connected to the Internet, and has malicious intent can create a piece of self-propelled malware. Resources exist all over the Internet [2, 3, 4, 5] that provide information on how to develop and propagate malware, including some sites that provide downloadable toolkits to enable these efforts. Many of these sites are meant to provide legitimate tools to enhance the security awareness of an enterprise, but ill-willed individuals find it easy to turn these tools to malicious purposes. Attack points for such malware are now even easier to find, since more and more people and applications are on the Web today and the number of application vulnerabilities is rapidly increasing. According to Secunia [6], the number of vulnerabilities is constantly on the rise, on average quadrupling from February 2003 to August 2006.
Figure 1: Historical Secunia advisories [6]

With numerous tools readily available, more individuals capable of creating malware, and more access points, it is not surprising that the number of actual malware appearances has grown exponentially over the last few years. On July 6th 2006, McAfee issued a press release stating that it had taken them almost 18 years to populate their database with the first 100,000 malicious samples, but just under two years to grow to 200,000 samples, and that they expect to reach 400,000 threats within the next two years [7]. One of the important changes in the nature of the attacks is that malware is now often targeted at specific enterprises; this has contributed to the explosion in the volume of malware.

Traditional anti-virus vendors have reacted to this flood of malware by upgrading their systems and streamlining their processes so that a new piece of malware can be investigated and transformed into a signature within a few hours. They have expanded their virus sources from only a few dozen to hundreds or even thousands. While this appears to be a good start, is this additional investment in signature identification really providing adequate, timely coverage? To answer this question we need to look at the historical data for the reaction time from the first outbreak of a new virus or piece of malware to the moment a signature is available from a vendor.
Comparison of anti-virus response times from 2003 to 2006
The following three tables give response times for signatures from anti-virus vendors for 2003, 2005 and 2006. Notice that the time span between an outbreak and a protective signature continues to vary widely, leaving an open door of vulnerability for organizations.

Reaction times to “Sober.C” in 2003: time and date of signature availability from major anti-virus vendors

Vendor              Date         Time
WORM discovered     2003-12-20   03:00
BitDefender         2003-12-20   13:20
Kaspersky           2003-12-20   14:44
F-Prot (Frisk)      2003-12-20   15:25
F-Secure            2003-12-20   15:45
Norman              2003-12-20   18:25
eSafe (Aladdin)     2003-12-20   18:35
TrendMicro          2003-12-20   19:50
AVG (Grisoft)       2003-12-20   20:15
AntiVir (H+BEDV)    2003-12-20   22:20
Symantec            2003-12-21   04:05
Avast! (Alwil)      2003-12-21   09:55
Sophos              2003-12-21   14:35
Panda AV            2003-12-21   17:05
McAfee              2003-12-22   04:10
Ikarus              2003-12-22   10:35
eTrust (CA)         2003-12-22   17:50
AVG (GData)         2003-12-23   23:50

Chart scale: Good ... Bad: 34 hrs
Figure 2: Response times to W32/Sober.C. Source: AV-test.org [8]
Reaction times to the Zotob/A worm in 2005: time and date of signature availability from major anti-virus vendors

Vendor          Date         Time
Webwasher       Blocked w/o update (ProActive security filters)
Kaspersky       2005-08-16   21:57
QuickHeal       2005-08-16   22:48
ClamAV          2005-08-16   23:12
eTrust-INO      2005-08-16   23:51
F-Secure        2005-08-17   00:03
AntiVir         2005-08-17   00:19
Sophos          2005-08-17   00:44
Trend Micro     2005-08-17   00:44
McAfee          2005-08-17   01:34
eTrust-VET      2005-08-17   01:53
Symantec        2005-08-17   03:05
Command         2005-08-17   03:40
Dr Web          2005-08-17   07:04
Ikarus          2005-08-17   07:41
Avast           2005-08-17   08:04
AVG             2005-08-17   11:33
Hauri           2005-08-17   13:45
VirusBuster     2005-08-17   14:32
Proland         2005-08-17   11:16

Chart scale: Good ... Bad: 37 hrs
Figure 3: Reaction times of A/V vendors to the first Zotob worm [9]
Reaction times to the Nyxem worm in 2006: time and date of signature availability from major anti-virus vendors

Vendor          Date         Time
Webwasher       Blocked w/o update (ProActive security filters)
McAfee          Blocked w/o update (Heuristics)
QuickHeal       16.01.2006   10:00
Bitdefender     16.01.2006   12:13
Kaspersky       16.01.2006   13:44
AntiVir         16.01.2006   14:52
Ikarus          16.01.2006   15:27
Dr Web          16.01.2006   15:56
F-Secure        16.01.2006   16:03
F-Prot          16.01.2006   16:31
Command AV      16.01.2006   17:04
AVG             16.01.2006   17:05
Sophos          16.01.2006   17:25
Ewido           16.01.2006   19:08
Trend Micro     17.01.2006   04:16
eTrust-VET      17.01.2006   07:39
Norman          17.01.2006   08:49
ClamAV          17.01.2006   09:47
Avast!          17.01.2006   16:31
eTrust-INO      17.01.2006   17:52
Symantec        17.01.2006   18:03

Chart scale: Good ... Bad: 32 hrs
Figure 4: Reaction times of A/V vendors to the Nyxem worm [10]
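As an added illustration of how the exposure window in these tables is read (this is not part of the original paper and not Secure Computing’s code), the following Python takes the Nyxem timestamps transcribed from Figure 4 and computes how many hours after the first available signature each vendor’s customers remained unprotected, which vendors needed no update at all, and what share of signature-based vendors had coverage after a chosen number of hours. The function names, the optional “reference” row (for tables such as Sober.C that carry a discovery row) and the 8-hour threshold are the example’s own assumptions.

```python
from datetime import datetime

# Constructed from the Nyxem table above (Figure 4): when each vendor's signature
# became available, in the paper's DD.MM.YYYY HH:MM notation. Vendors that
# blocked the worm without a signature update carry None.
NYXEM_SIGNATURE_TIMES = {
    "Webwasher": None,      # blocked w/o update (ProActive security filters)
    "McAfee": None,         # blocked w/o update (heuristics)
    "QuickHeal": "16.01.2006 10:00",
    "Bitdefender": "16.01.2006 12:13",
    "Kaspersky": "16.01.2006 13:44",
    "AntiVir": "16.01.2006 14:52",
    "Ikarus": "16.01.2006 15:27",
    "Dr Web": "16.01.2006 15:56",
    "F-Secure": "16.01.2006 16:03",
    "F-Prot": "16.01.2006 16:31",
    "Command AV": "16.01.2006 17:04",
    "AVG": "16.01.2006 17:05",
    "Sophos": "16.01.2006 17:25",
    "Ewido": "16.01.2006 19:08",
    "Trend Micro": "17.01.2006 04:16",
    "eTrust-VET": "17.01.2006 07:39",
    "Norman": "17.01.2006 08:49",
    "ClamAV": "17.01.2006 09:47",
    "Avast!": "17.01.2006 16:31",
    "eTrust-INO": "17.01.2006 17:52",
    "Symantec": "17.01.2006 18:03",
}


def exposure_windows(times, fmt="%d.%m.%Y %H:%M", reference=None):
    """Hours each vendor's customers stayed unprotected after the zero point.

    The zero point is the 'reference' row if one is given (e.g. a "WORM
    discovered" row as in the Sober.C table), otherwise the earliest signature
    in the table. Vendors without a timestamp (blocked without an update) are
    left out: their window is zero by construction.
    """
    parsed = {v: datetime.strptime(t, fmt) for v, t in times.items() if t}
    zero = parsed[reference] if reference else min(parsed.values())
    return {v: round((t - zero).total_seconds() / 3600, 2)
            for v, t in parsed.items()}


def worst_case(times, **kw):
    """(vendor, hours) for the slowest signature, i.e. the 'Bad' end of the chart."""
    windows = exposure_windows(times, **kw)
    vendor = max(windows, key=windows.get)
    return vendor, windows[vendor]


def blocked_without_update(times):
    """Vendors that stopped the sample proactively, before any signature existed."""
    return [v for v, t in times.items() if t is None]


def coverage_after(times, hours, **kw):
    """Fraction of signature-based vendors whose customers were protected
    'hours' after the zero point: the number to look at when deciding how
    many hours of exposure an organization is willing to accept."""
    windows = exposure_windows(times, **kw)
    return sum(1 for h in windows.values() if h <= hours) / len(windows)


if __name__ == "__main__":
    ranked = sorted(exposure_windows(NYXEM_SIGNATURE_TIMES).items(),
                    key=lambda kv: kv[1])
    for vendor, hours in ranked:
        print(f"{vendor:12s} +{hours:6.2f} h")
    print("blocked without update:", blocked_without_update(NYXEM_SIGNATURE_TIMES))
    print("worst case:", worst_case(NYXEM_SIGNATURE_TIMES))
    print("covered within 8 h:", coverage_after(NYXEM_SIGNATURE_TIMES, 8))
```

For the Nyxem data the worst case comes out at 32.05 hours (QuickHeal at 10:00 on 16.01 to Symantec at 18:03 on 17.01), which is the “Bad: 32 hrs” label on the chart; only 11 of the 19 signature-based vendors had coverage within 8 hours. The Sober.C and Zotob tables can be fed through the same functions by passing their `YYYY-MM-DD HH:MM` format as `fmt`.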
Conclusion: Reactive A/V signatures alone are not enough; a proactive solution is needed

While anti-virus vendors today provide protection from a much larger number of viruses, these examples demonstrate a key issue that still exists with signature-based solutions: the reaction time of the A/V updates still leaves organizations vulnerable for hours and even days. This is especially true for a targeted attack, which may not even get the attention of an A/V vendor. In the examples above the attacks were broad, affecting the entire Internet, so they were noticed, analyzed by the vendors, and signatures were issued after some period of time. In the case of targeted malware, such attention may not happen for quite some time, if at all, and likely not before it is too late. As the tables show, response times fluctuate. This is perpetual evidence of the essence of malware, and it indicates that anti-virus signatures by definition cannot be relied upon alone for adequate and comprehensive protection. Hence, it underscores the wisdom of implementing proactive measures to protect against the unpredictable nature of malware.
The changing nature of malware attacks
Malware attacks have changed since the early days, when viruses were simply created and let loose on the Internet. The nature of these changes is summarized in six characteristics below.

1. Malware attacks are much more focused and sophisticated: Gone are the old random-style attacks. Today’s malware is aimed at specific organizations, or at users with specific behavior patterns. Much depends on who the organization is and what the user does: which sites are accessed online, whether material is downloaded from risky sites, how careful he/she is about opening files attached to emails, and similar issues. The traditional “one solution fits all” approach to stopping attacks no longer applies.
2. Malware changes its code constantly: The latest viruses are designed to avoid detection by A/V engines by automatically changing or mutating every day and every time they send themselves out. Anti-virus vendors either have to use performance-hungry and error-prone heuristics or must create a new signature for each mutation.
3. Malware means money: Malware is no longer a teen prank. It is created and distributed by sophisticated individuals and well-organized groups. The perpetrators either are, or employ, talented software engineers who are as good as those employed by anti-malware vendors, and they work hard to stay at least one step ahead of the good guys. More often, malware is actually used for corporate espionage against a specific corporation, as the infiltration of the Israeli HOT cable television group’s network in 2005 showed [11].
4. Some malware removers are actually malware: This “greyware” is a deceitful trap for users. Some pornography Web sites are rumored to have deals in place with malware authors: when someone accesses the site, they get a fake error message that their system is compromised and are urged to click a link and download a “test utility” to scan it. This “test utility” is usually a piece of spyware disguised as a seemingly benign system cleaner or something similar.
5. Standard anti-virus programs are often ineffective: Malware designers constantly test their creations against Norton, McAfee, and other popular anti-virus and anti-spyware systems, so they know those programs will not detect their malware during the zero hour when it is first released. By the time the vendors catch up, the damage is done, and the bad guys change their code to make it undetectable again. Sometimes these code changes are even automatic (see #2 above).
6. Hide and seek: More and more malware tries to hide itself using rootkit mechanisms, or completely disables the anti-virus software on the client [12].
Fresh approaches to solving the malware problem
General considerations
Organizations should not rely solely on either a pure client or a pure gateway solution. Many have deployed a client-side anti-virus solution, which is a great first step, but they should also consider adding an anti-malware solution at the gateway.

When adding anti-malware at the gateway it is important to ensure that a wide range of protocols is covered. All application protocols entering a network need to be under close scrutiny. Most enterprises today have some form of anti-spam and anti-virus combination on the mail gateway, but what about the Web gateway? It is as important as a mail gateway. In addition to HTTP traffic, protocols like HTTPS or instant messaging, which are increasing in traffic volume, are also vulnerable and should be protected and controlled. Secure Computing® offers an SSL Scanner to protect both inbound and outbound HTTPS traffic [13] and an IM filter that allows blocking of unsanctioned use of instant messaging and peer-to-peer applications such as Skype or Kazaa. If you want to allow instant messaging, and control it, consider the Secure Computing IronIM™ solution [14].
Considerations for the desktop
Analyzing the VirusBulletin malware prevalence table for 2006 [15], none of the top 30 pieces of malware reported this year spread via manual/physical distribution. All are self-propelled and use email, instant messaging, or network shares to spread. Knowing this, we can conclude that virus scanning at the client is becoming less effective, while file servers and gateways on the network side need much more focus. One of the main reasons for this change: the typical boot sector virus that used to reside on a floppy is extinct because there are no more floppy drives. The risk of a virus being present on USB memory devices or CDs/DVDs still remains, and therefore there is still a need for anti-virus protection at the client; however, the need to address the gateway is becoming more important, as it is the primary entry point for malware. The typical worm, virus, or piece of spyware today only replicates via email or via the network. If you encounter malware that behaves differently, it is likely either:

- Fairly old, so that even the most antiquated anti-virus engine should have a signature for it, or
- A unique and specific attack targeted at your company or your domain, for which it is unlikely that even the most advanced anti-virus vendor would have a signature.

Desktop protection is still needed, and one option for organizations to consider is a value-priced desktop anti-virus solution with good integration into Windows. Other good options are solutions that use a positive security model, which allow only “known good processes” on client machines or servers and block any “not allowed” applications or scripts from running. (The potential downside of this is the loss of control over the PC for the individual end user.)
Considerations for the Web Gateway
As we have seen above, scanning all open protocols for malware at the gateway has become increasingly important to keep networks free of malware and other potentially unwanted programs (PUPs). Almost all anti-virus vendors offer a gateway version of their products, so customers have a great variety of solutions to choose from. Traditional signature-only gateway solutions, however, face the same limitations as the equivalent solutions on the client, so consider the following when selecting a gateway security solution:

- Reduce your dependency on signatures: We have shown that traditional anti-virus vendors cannot keep up with the new forms and variations of the malware flood, which will only increase as time goes on. Additional ways to tackle the malware problem beyond reliance on timely signature updates exist today; we discuss these approaches next.
- Avoid monoculture: Having the same solution on the client and at the gateway is not wise, especially if the solution is entirely signature-based. A new piece of malware that passes the gateway undetected is far more likely to also pass the client undetected when both use the same vendor’s engine. Most anti-virus vendors try to lure their corporate customers with bundled pricing for unlimited gateway use if they buy the client solution, or vice versa. While this may be a tempting, cost-saving approach, a better option is to deploy client-side and gateway anti-malware solutions from different vendors.
- Cover all open protocols: Most organizations check for malware in email and Web traffic, but malware can spread just as easily via peer-to-peer, instant messaging, and encrypted HTTPS connections. Easy-to-deploy solutions that extend the reach of anti-malware protection to HTTPS [13] and IM traffic [14] are available on top of existing solutions. Consider deploying these, or block these protocols entirely.
- Don’t rely on a single anti-malware solution: As the signature data we presented for three virus attacks demonstrated, the odds of one anti-malware vendor always being the first to reliably stop new attacks are pretty low. Consider deploying more than one solution at your gateway. Hardware is cheap, and some vendors offer bundles of anti-malware/anti-virus engines; put this to good use.
The next generation: Fighting malware without relying on signature updates
So far we have shown how viruses have evolved into malware designed to defeat virus signature updates. A variety of solutions available today take different approaches to protecting against malware and go beyond A/V signatures. Let’s look at each of them:

- Heuristics: Some traditional anti-virus vendors have enhanced their products by introducing so-called “heuristics” to find slight variations of signatures. Tests have shown this is not going to solve the problem, as the typical detection rate does not improve significantly [16]. It gives some relief, but it cannot be considered a final solution. Adding heuristics has negative impacts on performance and on false positives. Refer to the “Proactive Security step-by-step guide” [16] for details on some of the issues that exist with heuristics.
- Sandboxing: Other solutions include “sandboxing” [17]. A sandbox is a virtual, encapsulated environment in which a piece of active code is run to determine whether its behavior is malicious. Sandboxing at the gateway is mostly prohibitive because of the performance bottleneck of setting up an executable sandbox environment, and because the gateway usually has no way of reliably finding out how to emulate the environment the executable code needs in order to run correctly.
- Proactive behavioral analysis: Real proactive solutions are, at least partially, based on behavioral analysis and blocking of suspicious code. Known functions behave in a predetermined manner. Proactive solutions analyze the code to determine whether it will behave in the known manner. If the behavior is not what is expected, or is suspicious, the code is blocked.
- List-based connection control: This term refers to controlling where employees go when surfing the Web (URL filter) or checking incoming emails for known “bad senders” from which one cannot expect good or wanted traffic. While this approach does not provide a level of security a company can depend on by itself, these techniques are a great way to enhance and work with the other solutions in place. There will always be Web sites, or sender IPs for mail, that are not easily categorized and therefore need some form of additional “treatment” before the final good/bad verdict can be made. Claims by companies that only provide a static database to judge whether any given URL or sender IP is “malicious”, without additional means in place to cover shades of grey, should be questioned carefully. Given the rate at which new Web sites and Web servers appear and disappear, this leads to the same “late signatures” problem as with traditional anti-virus solutions.
Verdict
We have outlined the evolving problem and a number of potential technology solutions. So what is the best approach? In short: a multi-layered, multi-protocol anti-malware strategy that encompasses client and gateway protection with both signature-based and proactive security.

1. Enterprises today have, and will continue to, need anti-malware solutions for the client.
2. Given the self-propelled nature of malware today, gateway-based solutions are also required.
3. To keep up with the growing flood and sophistication of malware, signature-based solutions need to be augmented by smarter “proactive” solutions.
4. Signature-based solutions should be combined with some form of connection control (URL filter, email blocking based on sender reputation) to avoid being bombarded with malware in the first place.
5. Pathways (protocols) that are not under control now (HTTPS, IM) but are needed for business-relevant purposes need to be put under strict control. Other protocols should be closed, as new forms of malware will otherwise find their way into the organization.

The Webwasher® Anti-Malware product by Secure Computing is the only solution available on the market today that fulfills all these requirements. This solution is described in the next section.
Webwasher Anti-Malware
Overview
Secure Computing offers a complete portfolio of Web Gateway Security appliances that protect enterprises from malware, data leakage, and Internet misuse, and ensure policy enforcement, regulatory compliance, and a productive application environment. Through our TrustedSource™ technology we profile, in real time, literally millions of entities connected to the Internet worldwide and provide up-to-the-minute host behavior analysis to create a “reputation score”, which can be used to determine whether a connection to the enterprise network should be allowed to occur. Accordingly, within Webwasher, TrustedSource technology is the mechanism that drives connection control for bidirectional traffic (see below). We also employ the most sophisticated heuristic and signature-based techniques for stopping malware, as well as patented content analysis software for stopping data leakage. The Webwasher® solution adds an urgently needed layer of security for today’s Web environment, which includes both inbound and outbound threats, providing immediate protection against these hidden threats.

Webwasher Anti-Malware by Secure Computing is a next-generation Web gateway product that has been rated best-of-breed by AV-test.org, an independent research center [19]. Webwasher Anti-Malware inspects all incoming and outgoing traffic in up to six steps. Anti-Malware can easily be augmented by adding further layers of protection that simply control which connections are “allowed” at the gateway. This “connection control” level comprises two mechanisms:

- A powerful URL filter to block user access to known malicious sites distributing spyware or other potentially harmful or legally questionable content.
- A mechanism to reject incoming mail, already at the connection request, from known bad sender IPs, based on Secure Computing’s TrustedSource reputation database.

As the primary step of the Webwasher Anti-Malware solution, a powerful media type filter performs a “magic byte” analysis of each file to determine its actual file type and to safeguard against files that are disguised as something they are not. Corporations may want to disallow media types that are potentially hazardous (like unknown ActiveX), bandwidth intensive, or drain productivity, e.g. video streams.

As the next step, the Webwasher Anti-Malware engine inspects the traffic for known bad signatures of viruses, spyware, bots, or other potentially unwanted programs.

All active code is examined for digital signatures in the Authenticode filter. Administrators have very granular settings to allow, block, or inspect active code based on the issuer or the signature’s validity. This is a powerful way to keep unwanted active code out of a network while still allowing regular maintenance updates or executables from known and trusted sources.

As the next step, behavioral analysis is performed: Webwasher analyzes the code to determine whether it will behave in a known manner. If the behavior is not what is expected, or is suspicious, the code is blocked. For details see [16]. This Behavioral Malware Detection is already deployed to more than 5 million customer seats worldwide, and the Webwasher team receives a steady flow of malicious or unwanted programs that it turns around to feed the Anti-Malware engine.

In a sixth and final step, scripts trying to exploit vulnerabilities on the client are scanned and neutralized. Although such scripts are not malicious per se, they are the enablers used to inject or execute further malicious code. Detecting and neutralizing them at the gateway interrupts the distribution of the malicious payload to the clients. A comprehensive set of methodologies scans and analyzes the scripts against an automatically updated database of rules. Known or unknown script code utilizing exploits is reliably detected by probability weightings.
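To make the “magic byte” step concrete, here is an added Python example. It is not Secure Computing’s code and not the Webwasher implementation; it shows the technique the paragraph describes: a media type filter that sniffs a file’s real type from its leading bytes, compares it with the type the sender declares (filename extension or Content-Type header), and applies a constructed allow/block/inspect policy so that an executable renamed to look like an image is caught. The signature list uses the well-known public format signatures; the `BLOCKED_TYPES` policy, the function names, and the sample files are the example’s own assumptions.

```python
import os

# Leading "magic bytes" of common file formats (standard, publicly documented
# signatures) mapped to a MIME type. None of these is a prefix of another, so
# the order of the list does not matter.
MAGIC_SIGNATURES = [
    (b"MZ", "application/x-msdownload"),                  # DOS/Windows PE executable
    (b"\x7fELF", "application/x-elf"),                    # Linux/Unix executable
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),                   # also docx/xlsx/jar
    (b"Rar!\x1a\x07", "application/x-rar-compressed"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),  # legacy .doc/.xls
]

# What a filename extension claims the content is.
EXTENSION_TYPES = {
    ".exe": "application/x-msdownload", ".dll": "application/x-msdownload",
    ".pdf": "application/pdf", ".png": "image/png",
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
    ".zip": "application/zip", ".rar": "application/x-rar-compressed",
    ".doc": "application/x-ole-storage", ".xls": "application/x-ole-storage",
}

UNKNOWN = "application/octet-stream"

# Hypothetical site policy: types that may never enter through the Web gateway,
# whatever name or Content-Type they arrive with.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-elf"}


def sniff_type(data):
    """Actual type from the file's leading bytes; UNKNOWN if nothing matches."""
    for magic, mime in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return mime
    return UNKNOWN


def declared_type(filename, content_type=None):
    """Type the sender claims: a specific Content-Type header wins, otherwise
    the filename extension; UNKNOWN when neither says anything useful."""
    if content_type and content_type.lower() != UNKNOWN:
        return content_type.lower()
    return EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower(), UNKNOWN)


def media_type_verdict(filename, data, content_type=None):
    """Return (action, reason). Actions: 'block', 'allow', or 'inspect'
    ('inspect' hands an unrecognised file on to the later filters)."""
    actual = sniff_type(data)
    claimed = declared_type(filename, content_type)
    if actual in BLOCKED_TYPES:
        return "block", f"{actual} is not allowed through the gateway"
    if actual != UNKNOWN and claimed != UNKNOWN and actual != claimed:
        return "block", f"disguised file: declared {claimed}, actually {actual}"
    if actual == UNKNOWN:
        return "inspect", "no known signature; pass to the next filter"
    return "allow", f"{actual} matches its declaration"


# Constructed sample downloads: (filename, first bytes, Content-Type or None).
SAMPLES = [
    ("update.exe", b"MZ\x90\x00\x03\x00\x00\x00", None),       # plain executable
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00", "image/jpeg"),  # executable renamed
    ("photo.jpg", b"GIF89a\x01\x00\x01\x00", "image/jpeg"),    # wrong image type
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3", None),
    ("notes.zip", b"PK\x03\x04\x14\x00\x00\x00", None),
    ("index.html", b"<!DOCTYPE html><html>", "text/html"),    # no magic bytes
]


def run_samples(samples=SAMPLES):
    """{filename: action} for every sample, as a gateway log summary would show."""
    return {name: media_type_verdict(name, data, ctype)[0]
            for name, data, ctype in samples}


if __name__ == "__main__":
    for name, data, ctype in SAMPLES:
        action, reason = media_type_verdict(name, data, ctype)
        print(f"{action:8s} {name:12s} {reason}")
```

Only the first few bytes of each transfer are needed for the decision, so the check costs almost nothing compared with a signature scan and runs before it; a real gateway would extend the signature list considerably and would tune the mismatch rule (for instance, treating a GIF served as a JPEG as harmless) to its own policy.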
Figure 5: Webwasher Anti-Malware inspects all incoming and outgoing traffic with multiple filters.
For more information, see our Webwasher product overview [18].
The Anti-Malware community approach
With Webwasher Anti-Malware, every customer becomes part of the world’s largest anti-malware community. Webwasher’s behavior-based Proactive Security filters, available within Webwasher Anti-Malware and other Webwasher products, have already been deployed and are actively protecting more than 5 million end-user seats. Because these security filters detect the vast majority of new threats without a signature-based update, Secure Computing receives a steady stream of highly pre-qualified samples of new and emerging pieces of malware. With this reliable source of malware, Secure Computing has little problem providing updates to its own signature-based engine in the Webwasher Anti-Malware product while other vendors may struggle. This benefits every customer, even those who did not activate the ProActive Security filters or who set the scan level to “low”, since these updates are shared with everyone.
Figure 6: Anti-Malware community
Convincing results
The above approaches have been validated by independent virus researchers as highly effective in fighting known malware. In a recent test (reference 19) comparing 33 anti-malware tools, a collection of 289,682 different malware samples gathered during the year 2006 was run against these tools, and Webwasher Anti-Malware ranked number one with the best malware coverage.
Figure 7: Anti-Malware test detection rate comparison. Source: eWeek, http://www.eweek.com/article2/0,1895,2023127,00.asp; test done by AV-Test.org (reference 19).
The table below shows the independent test results, reflecting how proactively Secure Computing’s Webwasher addresses malware.
“Some AV companies seem to have serious problems with the flood of malware users are receiving each day...” Andreas Marx, AV-Test.org

Rank  Product          Detection rate
#1    Webwasher        99.97%
#2    AntiVir          99.95%
#3    AVK 2007         99.95%
#4    AVK 2006         99.89%
#5    Symantec         99.04%
#6    Kaspersky        98.86%
#7    F-Secure         98.24%
#8    BitDefender      96.51%
#9    Norman           96.34%
#10   Nod32            95.80%
#11   Avast!           95.17%
#12   AVG              94.78%
#13   Fortinet         94.65%
#14   McAfee           93.99%
#15   Rising           91.18%
#16   Panda            90.45%
#17   Dr Web           90.38%
#18   Trend Micro      90.03%
#19   Ikarus           84.77%
#20   VBA32            81.28%
#21   F-Port           77.88%
#22   Command          77.11%
#23   Microsoft        76.18%
#24   Ewido            74.67%
#25   Sophos           65.55%
#26   eSafe            59.34%
#27   UNA              58.76%
#28   QuickHeal        55.72%
#29   @Proventia-VSP   51.76%
#30   ClamAV           48.71%
#31   eTrust-VET       48.37%
#32   eTrust-INO       41.92%
#33   VirusBuster      40.94%
Figure 8: Anti-Malware test results. Source: eWeek, http://www.eweek.com/article2/0,1895,2023127,00.asp. Test done by AV-Test.org (reference 19).
Sources and references
1 Computer Security Institute: http://gocsi.com/, 2006 CSI/FBI Computer Crime and Security Survey
2 http://www.astalavista.net/
3 http://www.metasploit.org/
4 http://astalavista.box.sk
5 http://www.blackcode.com/
6 http://secunia.com/graph/?type=all&graph=adv_om
7 McAfee Inc. press release, July 6th 2006: http://phx.corporate-ir.net/phoenix.zhtml?c=104920&p=irol-newsArticle&ID=879176&highlight=
8 http://www.av-test.org/index.pho3?lang=en
9 Source: http://www.pcwelt.de/news/sicherheit/118264/index2.html, data by AV-Test.org
10 Source: http://www.pcwelt.de/news/sicherheit/130720/index2.html, data by AV-Test.org
11 Computerworld Security (online): Israel holds couple in corporate espionage case; Trojan writers helped top corporations spy on each other. http://www.computerworld.com/securitytopics/security/virus/story/0,10801,108225,00.html?from=story_kc
12 http://en.wikipedia.org/wiki/Rootkits
13 Secure Computing Webwasher SSL Scanner: http://www.securecomputing.com/index.cfm?skey=1536
14 Secure Computing IronIM appliance: http://www.ciphertrust.com/products/ironim/
15 Malware prevalence for 2006, Virus Bulletin. http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml?year=2006
16 “Proactive Security Step-by-step guide”, available from the Secure Computing resource center. http://www.securecomputing.com/resourcecenter_main.cfm
17 Wikipedia sandboxing description: http://en.wikipedia.org/wiki/Sandbox_%28security%29
18 Secure Computing Webwasher product overview: http://www.securecomputing.com/index.cfm?skey=1657
19 Anti-Malware test performed by AV-Test.org and published on http://www.eweek.com/article2/0,1895,2023127,00.asp