Product Group Tests
Group Test: Anti-malware
January 07, 2009
All of the products reviewed provided multiple components of our malware definition. Most provided anti-virus and anti-spyware, while some took a different approach and relied on other products to deliver the traditional signature-based virus and spyware protection, while taking a more focused approach on protecting from the unknown threats through a more host-based IDS-like solution.
Malware is the catch-all for most malicious and unwanted software, and includes viruses, worms, trojan horses, bots, rootkits, spyware and adware.
In this month's issue, we not only wanted to test the tools that we use to fight malware, we wanted to test the capabilities of these tools to handle the multiple threats we lump into the malware definition. We also were interested in their ability to centralize management, reporting, alerting and deployment of the malware solutions.
Why is this important? There are numerous solutions for fighting malware. We have anti-virus, anti-spyware, anti-spam, anti-adware, rootkit detection, host-based intrusion detection and prevention, and personal firewalls. For those who have deployed just one of these in an enterprise environment, you will appreciate the challenge in deploying multiple non-integrated or centrally managed solutions to thousands or tens of thousands of users.
The approaches from the vendors we reviewed this month took on this challenge in some very creative ways. Some solutions were endpoint focused, while others were gateway solutions. As well, some were software-based, some purpose-built appliances, and others virtual appliances. We were interested in the kinds of malware these solutions could manage, and in the approach the vendors took for addressing the new blended threats we face today. We were also interested in a product's ability to centrally alert and report on threats.
All of the products reviewed provided multiple components of our malware definition. Most provided anti-virus and anti-spyware, while some took a different approach and relied on other products to deliver the traditional signature-based virus and spyware protection (i.e., protecting against the threats we know), while taking a more focused approach on protecting from the unknown threats through a more host-based IDS-like solution. Some were gateway solutions focused on providing web content protection and email protection from virus, spyware, spam and malicious code in HTTP, FTP, POP3 and SMTP traffic.
We did not test the products for their catch rates. For this test, we assumed they all have very similar catch rates for signature-based threats. We were looking for the product's ability to identify, alert and stop zero-hour threats. Some products used firewall and IDS-like approaches to lock down executables, applications and registry items. Some used advanced heuristics for threat detection. Others provided scripting tools to allow for a wide range of additional management and alerting options.
We were also interested in a product's ability to provide near real-time updates to virus and spyware engines and databases through a centralized means that would reduce the load on network bandwidth. Some products used server-based synchronization and distributed architectures, while others used multicast technologies to distribute the updates.
We were surprised to see that the endpoint interfaces were very intuitive and easy to use. The solutions provided a user interface for alerting, monitoring and local management functions, while providing comfort to the corporate security team by tracking and alerting the management server if users disabled any protection, made changes to programming or policy, and started or stopped scans.
Choosing the right malware solution can be a challenge for IT personnel. When evaluating the best solution for your enterprise, keep in mind that the cost savings and ease of deployment and management of the centrally managed solution comes with a security price.
Some solutions require that the remote desktops have remote administration turned on. Others require that Internet Control Message Protocol (ICMP) be allowed for automatic network detection. Some of the systems we tested did not respond well to restrictive setting on Windows Firewall, and required us to ease the firewall settings for remote discovery and management.
All in all, we were pleased with the solutions. They attacked the malware problem on multiple fronts and provided a means for alerting that allows for rapid remediation once a threat is detected. In a perfect world, where budget is never an issue, the combination of the gateway technologies with the endpoint solutions would provide a very effective malware defense for your enterprise.
All products in this group test