How Well Do Security Suites Protect?
Team CHIP | 25 May 2011

With improved technologies, the latest internet security suites can fight new malware. Our test shows how reliable the protection really is.
By Claudio Müller and Anand Tuliani
Antivirus vendors are locked in an endless struggle against the malware surge. The number of new viruses is increasing rapidly, and so is the speed at which malware writers produce destructive code. Currently, about 55,000 new pieces of malware are written every day. More threatening still is the fact that malware is finding new ways to infect systems. The Stuxnet worm could be a forerunner of future disasters, even though it is aimed at industrial software and equipment and at few home users. Antivirus vendors observe that Trojans, keyloggers and bots are increasingly being programmed professionally and hence are becoming more dangerous. Without antivirus protection, there is a very high risk that a computer will be infected. With the help of the AV-Test laboratory, we have examined how well the current generation of security suites protects against the latest attacks.

The biggest developments in the antivirus field are real-time behavior-based recognition and cloud services. Conventional virus signatures remain essential, but they are ineffective against new and unknown malware. Here, the security suite must analyze how an unknown application will act. To do so, it monitors system changes or executes the unknown application in a secure virtual environment (sandbox). In addition, the scan engine checks cloud databases for information on whether other users have already used this application.
With new security: better real-time protection, secure surfing, more intelligent cloud services, simpler operation.
Reputation: Better Real Time Protection
Reputation technologies are the most important addition to the cloud services this year. Antivirus developers collect data from all the security suites in use (as long as the user agrees) about the origin, size or behavior patterns of unknown files; this data is sent to the cloud server and evaluated there. “With that, we can differentiate trustworthy and potentially suspicious files even before they’re available in the laboratory”, says Stefan Wesche, Technical Expert, Norton Products at Symantec. Reputation analysis is only one of many detection levels; however, it helps the program decide how to deal with unknown files. You can see how this process runs in the infographic, using F-Secure as an example.

This technique must be continually improved because the malware writers scrutinize the behavior analysis to outwit it. According to a statement by Symantec, they succeed for one to two weeks on average until the developers of the security programs react. Our test confirms that the detection rates for unknown malware are considerably higher than in the previous year. The detection rate was at most 80 percent in 2009; in 2010 all programs achieved at least 85 percent. In fact, F-Secure detected all the unknown viruses, exactly like PC Tools, whose behavior-based detection tool, ThreatFire, can be downloaded for free from www.threatfire.com/download. The scanner levels that are not based on signatures have also improved considerably, yet by no means do they protect users optimally. “The further development of the behavior-based detection and the reputation technology is the prime focus for next year”, says Stefan Wesche.
Virus Detection Test
Besides genuine viruses, the test candidates had to recognize malware programmed in the laboratory, which simulated potential new attacks. The on-demand scanners of the security suites could not identify this zoo malware with signatures alone. Heuristics, which analyze malicious code for similarities to known malware, were especially required here. While the top group achieved sound results and recognized between 97 and 100 percent of the Trojans, backdoors and fake antivirus programs, Kaspersky and Eset had big problems. Their hit rate was considerably below average, mainly for Trojans and fake antivirus programs. Eset missed 90 percent of the hurdles and overlooked about 30,000 potential viruses, a highly unacceptable value. In contrast, Panda proved very efficient: from about 270,000 samples, its suite overlooked just 646. Nevertheless, all programs passed the mandatory test, the complete recognition of all known malware, with 100 percent results.

The false alarms for harmless files were also within manageable limits. The scan engines didn’t give a false alarm for any of the 11,604 Windows and Office files. F-Secure and G Data managed without any errors for 135,712 files of other software. Avira struggled the most, with seven false alarms in the test. In addition, Avira was very annoying with warning messages for WinZip and the Defraggler system tool. Even Google Earth was totally blocked when launched.
Malware Attack: Poor Removal
While the developers have optimized their scan engines to deliver good recognition rates with only a few false alarms, they have neglected an important point: cleaning an infected system. No security suite managed to get rid of all destructive software. The highest scorer in the test, PC Tools, got rid of the active components of nine out of ten viruses and even reversed the system changes for eight of those. McAfee and Eset came last; they could not remove the active components of four viruses each. Andreas Marx, CEO of AV-Test, said “Some manufacturers still cannot manage to end malware processes or to remove their registry entries”. The manufacturers must pay close attention to this aspect. A user who pays Rs 1,200 for a security suite should also be able to clean an infected system.

If the malware infestation is so aggressive that it deactivates the protection, or you cannot start your computer at all, then only a rescue CD with a live operating system helps. The virus signatures are updated after start. Unfortunately, not all vendors provide a bootable installation CD. In some cases, you have to create the rescue disc yourself after the installation. These programs scored lower in the total evaluation, which even cost PC Tools two places. Here, McAfee stands out negatively again: with this Internet security suite, the user cannot even create a rescue disc.

Malware protection is undoubtedly the most important criterion in the test. However, if the security suite hampers system performance, then even the most secure computer is no fun to use. Thus we also wanted to know which suite uses resources most efficiently. Our performance measurements confirm that there are clear differences here. The BitDefender suite scored the highest, finishing the scan of the system partition very fast. Norton Internet Security, once criticized as a resource hog, achieved the second highest score thanks to its good boot time and fast scanning speed. Along with its very good malware protection, this secured it the top position.
System Boot-up: Snails and Sprinters
Boot time was severely affected by Kaspersky Internet Security. Booting took longer than with any other program, with Windows taking its own sweet time to load the components and start the real-time protection. In contrast, Eset, whose suite lags behind in almost all tests, manages a real coup here: compared to a system without an installed suite, its boot time increases by only a few seconds. Eset Internet Security certainly doesn’t offer any effective protection, but it hardly delays Windows startup.

As in the previous year, the biggest differences again showed in the file scan of the system partition. Ideally, the scanner should remember the analyzed files and thoroughly test only new or changed files in subsequent scans. Panda, G Data and Eset took thrice as long as BitDefender for the first scan and were also not considerably faster during the second run. According to G Data, the time needed for scanning should decrease after a few runs. Six of the competitors took less time as early as the second scan.

The suites showed smaller differences when decompressing archives and copying data between PC and USB flash drives. Since malware also circulates via external storage devices, the antivirus should scan the data the user copies onto the computer. When copying files from the PC to a flash drive, the scanner shouldn’t slow things down. All suites performed equally well here, with only a very slight difference compared to a bare system.

Interface: Tidy and Informative
Confusing user interfaces and pop-up messages were a nuisance for a long time. The programs should show with clear symbols whether the computer is protected and how one can solve possible problems. In addition, they should only report in emergencies so as not to distract the user.
BitDefender, with three selectable interfaces for beginner, intermediate and expert users, and G Data understand the requirements of the user very well and present their suites in a very neat design. F-Secure is also convincing, with clear information as well as a well thought-out menu structure, which prevents long searches. In contrast, inexperienced users find it a bit difficult to find the required information in our test winner, Norton Internet Security. In this case, visual appeal takes precedence over functionality, which causes discomfort to the user. The Internet security suite by eScan gets on the nerves with a default scan of removable devices as soon as you connect them. This is well thought-out, but it’s very disturbing and time-consuming to wait for a scan each time you plug in a flash drive or an external hard disk. However, the option can be disabled. The program functions in Eset’s Internet security suite, on the other hand, are not clearly explained. Terms like smart scan, in-depth scan and scan as administrator can be confusing for a beginner. Other programs explain these terms with short captions, whereas Eset leaves users on their own. The program’s built-in help is also not very useful; it explains the outdated interface of its predecessor.

Extras: Differences in Detail
The suites borrow the good aspects of functionality and design from each other. However, the differences lie in the fine details. For instance, email protection, Web and spam filters have been common features for a long time, but with eScan, the user has to activate these functions first. On the other hand, Kaspersky, BitDefender and Eset offer the option to search for weak points in the system (such as missing Windows updates). Bigger differences appear while installing the program. While Norton was ready to start after less than a minute, Eset asked the user to configure the firewall filter, the handling of undesired applications and behavior analysis.
eScan started a system scan automatically after the installation. That is certainly sensible, but the program had not updated the six-week-old signatures at all. We, as well as AV-Test, found another problem with McAfee: the activation did not work because the connection with the McAfee server failed. According to McAfee, this problem had not occurred so far for any other user. In addition, it’s frustrating that the user must first register after the installation to receive updates.

F-Secure not only offers the best price-performance ratio; in addition, the updated licenses of the 2010 edition use the technologies of the new version. So you can use the old licenses for their lifetime without having to upgrade to a new version. Even though the new suites may not be perfect, they offer considerably better protection than their predecessors.

feedback@chip.in

New risks from the Internet
Intelligent malware hides better and spies on users
Creators of viruses, Trojans and other forms of malware are continuously developing new and more powerful attack methods to get through our PCs’ defenses. The antivirus developers have revealed the risk trends for the coming months to us.
Behavior spying
Special viruses
Professionalism



