AV-Test Certifies Security Products on Windows 7

AV-Test this week published certification results for 19 software security products running on Windows 7.

The test and consulting firm ranked the 19 antimalware products in three categories: protection, repair and usability. Three products failed to get certified: BullGuard Internet Security 9.0, McAfee Internet Security 2010 and Trend Micro Internet Security Pro 2010.

The top performers (top scores in two of the three categories) were Kaspersky Internet Security 2010, Panda Internet Security 2010 and Symantec Norton Internet Security 2010. All passed with AV-Test certification, along with 10 other security products. The complete AV-Test list can be found here.

Microsoft Security Essentials 1.0, the free consumer antimalware solution, passed certification. According to AV-Test's MSE stat sheet, MSE had a top-ranking score on its usability tests. It also performed well in detecting widespread malware, but scored lower when protecting against zero-day malware attacks. It had respectable results cleaning malware off an infected computer. MSE also "achieved VB100 certification last week," according to a Microsoft spokesperson via e-mail. A Microsoft blog points to both achievements.

A Microsoft spokesperson attributed the positive usability results to MSE's lightweight design for consumers. It's designed to run on older PCs and only alerts users if an action needs to be performed. MSE is based on the Microsoft Forefront Client Security "engine technology, signatures and research teams," according to the spokesperson.

AV-Test conducted its tests during the second quarter of this year. For its protection tests, the firm examined each product's ability to deliver "static and dynamic malware protection" as well as protection against zero-day attacks, which leverage undisclosed vulnerabilities in software. Testing the repair capabilities involved checking each product's "system disinfection and rootkit removal." In testing usability, AV-Test measured any system slowdown caused by the product, as well as any false-positive results.

Out of six possible points, the products scoring lowest on the protection side were Norman Security Suite 8.0 (score 2) and Trend Micro Internet Security Pro 2010 (score 2.5). The sole low performer on the repair side was McAfee Internet Security 2010 (score 2). Results were a little more level on the usability side, with BullGuard Internet Security (score 3) achieving the lowest score.

Usability might seem to be the death knell for all antimalware products, given the growth in what they must detect. According to a video by Kaspersky Lab, the number of files requiring blacklisting by software security products has grown from 3 million files in 2007, to 17 million in 2008 and 34 million in 2009. The number of malicious files has roughly tripled each year.

Kaspersky's software performed well on the usability side because of technology that handles old virus signatures, according to Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab Americas.

"If we were to uniquely identify each specific malware sample in our product, then, in a number of years, the size of the malware detection database would outgrow the average amount of RAM on the system," Schouwenberg said via e-mail. "However, new technologies allow us to create different kinds of signatures which can replace up to 100,000 old signatures."

Microsoft also uses techniques to limit the growth of the antivirus signature set that its product has to load.

"We're cognizant of file size and we try to streamline downloads and use generic signatures to target entire families of malware rather than release a signature for each variant," a Microsoft spokesperson said via e-mail. "We also revisit older signatures and tune them to catch current variants rather than create brand new signatures, reducing the amount of accumulation of virus definitions and impact on system performance."

Whitelisting isn't a ready solution to the potential bloat of antimalware products either. A pure whitelist approach (maintaining a list of "good" executable files) would amount to more than 100 million files, according to the Kaspersky Lab video. Moreover, whitelists can get fooled. Schouwenberg pointed to cases where legitimate software gets loaded with malicious code, such as via the Induc virus.

"There are tons and tons of (digitally signed) files out there which have this [Induc] virus," he said. "Whitelisting can't be applied in a generic way and there are too many ways to basically fool whitelisting. For those reasons I'm convinced that we need to look at whitelisting mostly so that we can treat the non-whitelisted files with more suspicion."
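The two ideas above, one generic family signature standing in for many per-variant signatures and a whitelist used mainly to decide which files deserve closer scrutiny, as an added illustration that is not code from the article or from any vendor it quotes. The byte strings, the "FamilyX" stub pattern and the file names are constructed stand-ins, not real malware or real signatures.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-ins for executables (not real malware): two variants of a
# hypothetical family share a decoder stub but differ in the bytes between the
# stub and the call; "updater.exe" is a known-good, whitelisted utility.
SAMPLES = {
    "variant_a.exe": b"MZ\x90\x00\x55\x8b\xec\x33\xc0AAAA\xe8\x10\x00\x00\x00",
    "variant_b.exe": b"MZ\x90\x00\x55\x8b\xec\x33\xc0BBBBBB\xe8\x10\x00\x00\x00",
    "updater.exe":   b"MZ\x90\x00\x48\x83\xec\x28hello",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Per-variant signatures: one hash per sample, so this table grows with every new variant.
HASH_SIGNATURES = {sha256(SAMPLES[n]): "FamilyX" for n in ("variant_a.exe", "variant_b.exe")}

# One generic (family) signature: the shared stub, 1-16 wildcard bytes, then the call.
GENERIC_SIGNATURES = {
    "FamilyX.gen": re.compile(rb"\x55\x8b\xec\x33\xc0.{1,16}?\xe8\x10\x00\x00\x00", re.DOTALL),
}

# Whitelist of known-good hashes; anything not on it is not blocked outright, only scanned harder.
WHITELIST = {sha256(SAMPLES["updater.exe"])}

def match_hash(data: bytes) -> Optional[str]:
    return HASH_SIGNATURES.get(sha256(data))

def match_generic(data: bytes) -> Optional[str]:
    for name, pattern in GENERIC_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None

def scan(data: bytes) -> str:
    """Whitelist first, then family signature, then exact hash; an unknown file is neither trusted nor flagged."""
    if sha256(data) in WHITELIST:
        return "trusted"
    family = match_generic(data) or match_hash(data)
    if family:
        return "malicious:" + family
    return "unknown"

if __name__ == "__main__":
    # A third, never-seen variant: no hash entry exists, but the generic signature still fires.
    variant_c = b"MZ\x90\x00\x55\x8b\xec\x33\xc0CCCCCCCC\xe8\x10\x00\x00\x00"
    for name, data in list(SAMPLES.items()) + [("variant_c.exe", variant_c)]:
        print(name, scan(data), "hash-sig:", match_hash(data), "generic:", match_generic(data))
```

The hash table has to grow by one entry per variant, while the single generic signature covers all three variants, which is the trade-off both vendors describe.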

The Kaspersky Lab video also suggested that cloud computing could be enlisted to better enable such a whitelist strategy.

About the Author

Kurt Mackie is online news editor for the 1105 Enterprise Computing Group.


Reader Comments:

Wed, Aug 25, 2010 Harry Sverdlove

It's interesting that, in describing why whitelisting is not a viable solution to blacklisting, this article notes problems as if they are unique to whitelisting, and attributes solutions to those problems to only blacklisting.

First, take the argument that the volume of "good" software is too large to track: The same techniques that blacklisting must employ to reduce malware signatures have already been successfully applied to advanced whitelisting. Whitelisting is not just a "list of signatures". It is a set of policies that can be used to encompass thousands or millions of pieces of software.

It is also misleading because the fact is that no one wants "100 million files" on their computer. With blacklisting, you need to continually monitor for and protect against hundreds of millions of possible malicious attacks. With whitelisting you need only to approve the hundreds (or just dozens) of applications you actually want on your computer. Even in the largest and most diverse of organizations, I have seen effective whitelisting work with a few dozen policies. The set of programs you want on your computer is a significantly smaller set than what you don't want.

As far as managing the catalog of good software, Bit9 Parity for example provides a cloud service to our Global Software Registry which is one of the largest databases of known software in the world. Cataloging good software is a difficult task, but the coverage is far more effective than trying to catalog all bad software. By design, it is in the malicious programmers' interest to keep their code hidden and their signatures constantly changing.

Second, the argument that "whitelists can get fooled" is a red herring. Does that imply that blacklists cannot get fooled? No technology is a silver bullet to all security threats. As the article already notes, there are many flaws to blacklisting-only techniques. Effective security comes from a combination of technologies.

Consider also the consequences of a "miss" under the different approaches. An unknown malicious program will be allowed to run in a purely blacklisting environment. An unknown good program will be blocked from running in a whitelisting environment. In both cases, the security software allows for exceptions, but with blacklisting, you're likely already infected at that point and now remediation becomes the biggest problem.

The point is that both techniques have merit. People have been using antimalware as a primary security defense for so long that sometimes they have a difficult time changing their perspective, even as articles like this one point out the inherent flaws of blacklisting technology.

Harry Sverdlove, CTO, Bit9 Inc.

Thu, Aug 19, 2010 John P. Guckel - Two Old Farts & A Laptop Milwaukee, Wisconsin U.S.A.

This article reinforces our company's policy of recommending Kaspersky products, both Home User & Corporate products. We have been flooded with new customers that have been infected with an "A-V Look Alike" Security product that is really a Trojan. It is "Antvir Pro". It downloads itself on the customer's computer and starts an A-V scan. What it is really doing is infecting as it scans. The only product that traps this is Kaspersky. Norton 360 & McAfee, and the free stuff, miss it completely. That's the bad news; the good news is that our sales of Kaspersky Internet Security 2011 have skyrocketed!
