
Anti-malware Technology Report

February 2011

Technology Report

The evolution of malware, security technologies and services


There are few who are unaware that the malware landscape has changed since the release of the first few viruses decades ago. But it seems there are just as few people outside the computer security industry who understand the nature of that change. No longer is malware as ethereal a threat as an urban legend, and no longer does the virus outbreak of the day make the evening news. Threats now come not by ones and twos but by the many tens of thousands each day, with the known total hovering in the tens of millions. And threats come quietly, remaining as far below the radar as possible to maximize their stay on an affected machine.

Corporations are now victims of targeted attacks as well as the regular masses of malware, and have specific needs for the protection of corporate information assets. While malware activity has increased, security budgets certainly have not. Many corporate security staff find themselves facing a tidal wave of new threats without extra personnel or resources. They need security software to work faster and harder and to require less manual interaction, while providing detailed reports as to what actions have been taken. Machines which are infected need to be cleaned completely to get systems back up and running quickly and painlessly. Anti-malware software is only as good as its research and support departments. They are vital in order to have excellent response times to new threats and to provide top-notch customer assistance. As focus in corporate networks shifts away from the desktop into mobile, cloud and virtual computing resources, security software needs to protect these environments too.

The way malware spreads has also changed: there is less concern about infecting oneself with a floppy disk or via poorly worded and spelled mass-mailer viruses. When malware authors discovered there was profit to be had in spreading their malicious wares, they began to adopt many of the tactics used by search engine optimizers and improved their social engineering craft, placing files where people were most likely to run across them. Consequently, the web is now where the majority of people become infected with malware and, given the extent to which the internet is an integral part of all corporations' business activities, the web is a potent threat vector. Companies' websites are regularly targeted for defacement or infected to spread malware to the sites' visitors. Given that the internet is operating-system agnostic, and because current scripting languages allow for queries of the specific browser version of each visitor, malware can be spread in a manner which infects any particular visit. In the last few years this has been a tactic which has proved increasingly popular with malware authors, increasing their reach as the market share of new technology increases.

Obviously, anti-malware products have had to change with the times as the onslaught of malware has increased and the tactics of malware authors have shifted. The first anti-malware products were designed strictly as signature scanners, which only ran when a user specifically initiated a scan. In short order this was changed to allow the scanner to run continuously in the background, so that each file was examined as it was accessed without users having to think about it. This approach has become more widespread, so that products require little interaction and users can automatically have the most up-to-date protection running at all times. No longer are anti-malware products simply signature-based scanners. They now include advanced heuristic technologies and generic signatures which can proactively detect new variants of existing families and new malware families. The best products include a variety of security features, such as web or spam filtering, behavioral analysis or a firewall technology, which can help protect against brand new threats. With these new, intensive scanning technologies, vendors have come up with many ways to decrease the overall processing load, so that scanning will not noticeably decrease access times or interrupt workflow.

As both the malware landscape and anti-malware products have changed, so has the security testing industry. When products under test were updated periodically, used on-demand scanning and the total known malware was in the thousands, it made sense to have only a single pass-or-fail test which was performed a few times a year over a static test-bed of samples. This is no longer the reality of the current user experience. While it can be a meaningful baseline test of anti-malware functionality, it is far from a complete picture of overall product performance. In order to accurately reflect a user's experience with malware, it is important to gather the full spectrum of malware from a variety of sources throughout the internet, circulating on various protocols. This means including not just email-based malware, but malicious files on P2P networks, as well as on the web and other attack vectors. Because malware does not stop when the work day ends, nor does it recognize geographic boundaries, threats must be collected all day from around the world. As anti-malware products have begun to include more wide-ranging technologies, including ones which are initiated upon execution of a file, testing must incorporate dynamic functionality by running threats on test machines. This naturally takes more time than scanning an immobile directory of files, so one must take care to select the most relevant sample set, the one a customer is most likely to encounter. This takes into account not just prevalence, but the popularity of the attack vector on which it is spread, the potential for damage on an infected system, as well as geography.

Malware authors are always abreast of technology trends: where do people share their information, how do people share files? At West Coast Labs, we've already begun to see an increase of attacks on things like digital picture frames, USB thumb drives, mobile phones and popular Web 2.0 sites. So, suffice to say, if you know a few people who use one, some or all of these, malware authors are looking to exploit them for financial gain. Likewise, anti-malware vendors are developing technologies to protect them, and testers like West Coast Labs are developing methodologies to mirror the user's risk and potential infection experience. In order to keep up to date on the evolving malware landscape, one need only see which new widgets are being used in home and business network environments.


But in the corporate world, keeping updated on the latest threats and technologies is not enough: TCO and ROI need to be considered. How well do advanced technologies proactively detect? How quickly are new threats added? How responsive is customer support? How easily can the solution be managed remotely? How much CPU time is used for scanning? To find the answers to many of these questions, take a look at product performance data from leading independent test organizations, such as West Coast Labs, and the performance validation programs they deliver, such as Real Time Testing. You can also take a close look at how individual vendors are responding to the changing threat landscape and the implications for the security of corporate networks.

Nowadays, vendors are defining protection differently. No longer is it just product performance-related, but also related to business and customer service issues, delivering a higher-value overall service to meet not just security but also business needs. When considering product performance in a corporate network environment, protection is more than current malware detection capabilities; it is also about the extent of a vendor's product research and development strategy that anticipates threats and trends to ensure proactive network protection. It can be further defined as the extent to which malware protection is delivered for a multi-platform infrastructure through efficient and easily managed solutions with wide interoperability capabilities. Protection is also about the extent to which business interests are protected through vendor service strategies that now include optimized and cost-effective security plans tailored to individual corporations' needs for maximizing business productivity, lowering the total cost of ownership and maximizing the return on investment. Also, given that corporations are operating in a worldwide e-economy, all this needs to be supported by trusted and responsive global support plans.

Yes, the threat landscape is continuing to evolve, with new malware threats spawned at an alarming rate, but no longer is malware protection, and information security in general, just a technical issue; it's a business issue. That's why vendors' product and service solutions are evolving to suit these changing needs, and West Coast Labs is developing independent product performance programs that ensure that these products and services are tested and validated accordingly.

Lysa Myers, Director of Research at West Coast Labs. Lysa can be contacted at lmyers@westcoast.com

VP US Sales: Scott Markle - smarkle@westcoast.com
US Sales: Rochelle Carter - rcarter@westcoast.com
UK/Europe Sales: Sebastian Stoughton - sstoughton@westcoast.com
China/Japan Sales: Jesse Song - jsong@westcoast.com
India/ROW Sales: Chris Thomas - cthomas@westcoast.com


Test Networks and Methodology

In a heterogeneous network situation it is important to know that a security solution is both compliant and compatible. Throughout the comparative test program for ISA/TMG, Linux, Lotus Domino and WSEE, WCL utilized the following network configuration to simulate a corporate network environment:

- 64-bit Windows 2008 machine running as a gateway/DNS server hosting Forefront TMG/ISA Server
- 32-bit Windows 2003 machine running Lotus Domino mail server
- 64-bit servers running Linux and Windows 2008, both acting as file servers

While each of the solutions was tested independently of the others, the results of these tests and the observations made point to the various Kaspersky Lab solutions providing a multi-faceted security framework for a corporate network. Taking a hypothetical network into account, as below, one can see how each of the solutions would interact with and secure the network. Anti-malware protection at the gateway level is provided by scanning email coming into the corporate network over SMTP, with an initial scan by Kaspersky Anti-Virus 8.0 sitting on the TMG server. In turn, the email is then received by the Exchange or Domino server and a further scan is conducted by the appropriate solution. Should any user require the downloading of email from an external POP3 server, the Kaspersky for TMG solution scans the traffic as it passes through the gateway. Any files that are downloaded over HTTP/FTP are scanned on the combined TMG/KAV server. Should any network user then attempt to upload any files to either a Windows or Linux based file server, the respective Kaspersky Lab solution will provide further defense-in-depth.

Figure: Kaspersky Security 8.0 update process

Kaspersky Lab Corporate Security Solutions

DEVELOPER'S STATEMENT
Kaspersky Lab has developed highly-effective anti-malware solutions for use in medium and large-scale corporate networks with complex topologies and heavy loads. Combining ease of use with high standards of performance across multiple attack vectors, the products are cost-effective solutions which meet both business and technical needs worldwide.

WEST COAST LABS' EXECUTIVE SUMMARY REPORT

The launch of Kaspersky Lab's range of anti-malware products for the corporate network environment provides security managers with an extended choice of effective solutions for dealing with threats in attack vectors across multiple operating systems. West Coast Labs' independent testing and performance validation of the products confirm that they combine ease of use and management with high levels of performance, all of which is driven by Kaspersky Lab's own research, development and customer support programs. Kaspersky Lab has made a significant commitment to the independent validation of its products' efficacy and performance through West Coast Labs' Checkmark Certification System. This provides a range of static, dynamic and real-time tests which make these Kaspersky solutions possibly the most intensively tested corporate anti-malware solutions available anywhere in the world today. Details of the specific tests to which the products are exposed are published elsewhere in this report, but the overall outcome of the certification testing is the achievement of the Platinum Product Award for these products, which is the highest level of independent validation possible for an anti-malware solution from West Coast Labs. This is complemented by very respectable malware detection test results which position the performance of Kaspersky Lab products very favorably alongside more widely recognized corporate security solutions. The specific malware detection capability testing of both Kaspersky Lab and a number of competitive anti-malware solutions was carried out in September and October 2010, while the Checkmark Certification testing of its products is performed on an ongoing basis, with confirmation of the results available at www.westcoastlabs.com.

Kaspersky Security 8.0 for Microsoft Exchange Servers (Kaspersky Security 8.0)

Kaspersky Security 8.0 provides anti-malware and anti-spam protection for mail traffic on corporate networks. Its integration with Exchange allows for detection and removal of malware and spam at the gateway level. The product is easy to install, and its user-friendly interface, flexible administration and straightforward configuration and reporting system do not place excessive demand upon administrators' time. No extra setup is required on Exchange, and malware protection begins immediately. Management of the solution is simple, as Kaspersky Security 8.0 employs a Microsoft Management Console (MMC) snap-in, providing an intuitive interface with full access to all features. Database and signature updates run automatically, as often as every two hours, but if required may be run on-demand. Although there are fewer options available compared to other corporate products on the market, it can be argued that all the necessary options are available, thus leading to a streamlined user experience. In the ongoing Checkmark Certification Static and Real Time tests, like all the Kaspersky products, this solution has achieved consistently high standards of performance. For the comparative performance testing to measure the product's detection capability of malware known to propagate over SMTP, Kaspersky Security 8.0 achieved a 100% detection rate of the 8,042 malware samples used in the test. This performance is equivalent to and matches that of the competitor products included in the test. We also test HTTPS.

Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition

Kaspersky Anti-Virus 8.0 sits on top of Microsoft Forefront TMG 2010. While TMG acts as a standalone security solution in its own right, the addition of Kaspersky Anti-Virus 8.0 provides a multi-layered security solution. Installation of Kaspersky Anti-Virus 8.0 is simple, using a standard Windows Installer, with settings imported from TMG during the install process. The default settings provide fast protection, but a more tailored installation can be achieved if required.

The solution is managed via MMC, with an additional central monitoring screen and network policies which can be added to complement those of TMG, making the whole process of management, administration and ongoing use very straightforward. Kaspersky Anti-Virus 8.0 allows permission or denial of various traffic types (HTTP, FTP, SMTP and POP3), plus the ability to define which, if any, of the protocols should be subject to scanning. Data on network status, including the protocols which are being blocked, the number of files scanned and the number of resulting infections, is readily available. In the performance testing over the HTTP and FTP attack vectors, the combination of Kaspersky Anti-Virus 8.0 and TMG provided 99% detection of the range of malware samples which were included in the test.


Kaspersky Anti-Virus 8.0 for Linux File Server

Kaspersky Anti-Virus 8.0 for Linux installs from the command line, using a shell-script installer. Although some degree of familiarity with Linux is required, even junior network administrators with a basic understanding of Linux should be comfortable with the process. Managed via a web-based GUI running on a non-standard port, Kaspersky Anti-Virus 8.0 is configured from the GUI. No secondary interfaces or files need to be changed, and updates are either scheduled or run on-demand. For security admin staff who may be familiar with a file-server anti-malware product, the make-up of the interface is very familiar; it is both clear and intuitive. On-Access and On-Demand protection are available as standard. Administrators can browse the Quarantine folder from within the product interface to review any malware logged and thus decide what actions to take. Given the complexities involved with porting anti-malware solutions to Linux, it is not always possible to ensure consistency of performance. However, Kaspersky Anti-Virus 8.0 sets itself apart in this regard. It is well implemented, as demonstrated in the comparative performance tests, where it led with a 99.95% detection rate on the 25,640 malware samples tested, compared to an average detection rate of 99.52% for five other leading corporate solutions.

Figure: KAV 8.0 for Linux File Server interface

Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition

Kaspersky Anti-Virus 8.0 for WSEE uses the standard Windows Installer interface. Two installations are required, one for the administration tools and one for the solution itself. However, importing an existing configuration file to keep existing settings is possible when upgrading a previous version. Installation is quick and trouble-free. Managed through an MMC snap-in, the product allows product updates to be rolled back if needed. It provides a quarantine area and a backup facility, just in case the administrator deletes a file that needs to be restored. The interface, as a whole, provides a rapid means of implementing malware security policies on the solution. All of the available features are easy to locate without the need for drilling down through multiple options screens or hunting for a required setting. On-Demand scans can be set to a predefined security level or customized to meet the demands of the organization. Similarly, On-Access protection can be set with a preference for either high-speed scans or high protection levels. Throughout the comparative test program, WCL found the scans ran quickly, with an overall detection rate for Kaspersky Anti-Virus 8.0 of 99.68% compared to an average performance of 99.51% for the other five security solutions included.

Figure: Update process on Kaspersky Anti-Virus WSEE

Kaspersky Anti-Virus 8.0 for Lotus Domino

Anyone familiar with Lotus Domino will find the installation straightforward. It is performed using a Lotus .nsf database file which is opened through Lotus Notes to run. Administrators can set various actions to be performed when malware is detected; however, they will need to be familiar with Lotus in order to get the best out of the solution when rolling Kaspersky Anti-Virus 8.0 out to a Domino server. Delete or quarantine actions are easily defined for detected malware and for deleting infected attachments. Unlike some of the other vendor products included in the comparative performance review, Kaspersky Anti-Virus 8.0 does not need the installation of a desktop anti-malware product to be able to use the desktop product's scanning engine signature files. In the comparative testing against five other leading corporate solutions, the test methodology employed sender machines running a Linux distribution. Scripts developed by WCL were used to send the emails that contained infected attachments over a live internet connection. Emails were sent to servers running Lotus Domino 8.5 on Windows 2003 that each picked up emails for a FQDN owned and controlled by WCL. Client machines running Lotus Notes 8.5 were used to pick up the messages from the Domino servers, and the attachments were analyzed to aid calculation of the overall detection rate, which for Kaspersky Anti-Virus 8.0 was of a particularly high standard and mirrored that of the competitor products included in the test program. All solutions attained a 100% detection rate during the test period.

Figure: Licensing process on Kaspersky Anti-Virus for Lotus

Figure: Application interface of KAV for ISA

WEST COAST LABS VERDICT
Combining ease of use with high levels of performance, the Kaspersky Lab solutions under test have delivered comparable and, at times, better detection rates than equivalent products. With a consistent level of anti-malware protection across the network topology, users of the Kaspersky Lab products featured in this report can be confident that they are all rigorously tested through the Checkmark Certification and the Real Time testing.

Threat Manager r12
CA

DEVELOPER'S STATEMENT
Threat Manager combines a full-featured network anti-virus solution with policy-driven endpoint access control to protect networks from malicious software and unauthorized access.

CA Threat Manager is specifically recommended for small to medium sized business models and is designed essentially to protect client machines residing on a corporate network. With its anti-malware protection, CA Threat Manager will provide an important and much needed extra layer of security your business deserves. CA Threat Manager can be installed and managed via a central server, giving the administrator more time to concentrate on other tasks on the IT infrastructure. CA Threat Manager is a server-client solution and the installation can be managed via a separate executable installation. Alternatively, CA Threat Manager can be installed from a central server and, as it is extremely straightforward and well documented, which is always an added benefit, the process can be accomplished with relative ease. This installation can be automated for a network-wide roll out and, though the default options suffice, there is some flexibility in the install options available. With a good variety of installation methods available and wide-ranging system support, there are practically no pre-requisites needed other than those already found on a standard client machine, for instance SP2 on XP Professional. CA Threat Manager can also be configured to automatically deploy to any systems joining the network for the first time, for instance via DHCP; this also saves valuable administration time and resources, easing the burden on any overstretched IT department. The client is locally managed from either an intuitive GUI interface or from a central server, depending on the individual administrator's preference, and the security policies are created and deployed from the Threat Manager server. There is also an update option, which enables the administrator either to run updates on-demand or to schedule them to suit. Settings and options are available on the central server and, if you are looking for a solution that provides a good fit with any existing network architecture, then CA Threat Manager can provide this. The test engineer recommends that for a uniform security policy set across the network, CA Threat Manager is best managed from the server; however, it can also be accomplished via the client, making it pretty flexible. With CA Threat Manager there is further flexibility with On-Access scanning, which can be scheduled to suit the needs of the network or permanently activated/deactivated. Also, On-Demand scans can be launched locally or via the central server. CA Threat Manager additionally provides real-time reports, giving users at-a-glance updates of the current network state while also offering all the options you would expect from this type of solution.

Product: Threat Manager r12
Manufacturer: CA
Contact Details: www.ca.com
Certification: www.westcoastlabs.com

WEST COAST LABS VERDICT
CA Threat Manager offers a variety of deployment models and offers endpoint protection against malware. The central management console offers flexibility combined with good reporting, and allows for the overview of endpoints on a corporate network of small to medium size.

TrustPort AV
TrustPort

DEVELOPER'S STATEMENT
TrustPort AV detects viruses and spyware at all entry points to the computer and prevents attempts by hackers to access the computer. It enables not only the continuous monitoring of files being opened, but at the same time also scans files from incoming electronic mail or downloaded from the web.

This particular security solution is designed for home users and could also provide an invaluable layer of security for home workers or the self-employed. With its low system requirements, TrustPort is an ideal solution for providing malware protection for local files, web downloads and email, and also offers firewall protection along with a URL filter. TrustPort is installed and managed directly on the client, as it is purely a client-side-only solution, making it user friendly for the less well initiated. Users can purchase and install TrustPort from a separate executable that is downloaded from the TrustPort website, with the license provided at the point of sale, making it extremely accessible. We all know the importance of ease of use with single-user client-based products, and TrustPort doesn't disappoint, with a quick and painless installation that is easy to follow. The available options contain good descriptions and there is also some flexibility in the installation options available to the user; however, if you are happy not to tinker, all of the default options happily suffice. TrustPort supports all the usual Windows client platforms, and the West Coast Labs (WCL) engineer stated that this traditional client-side installation manages everything with minimal fuss. The client is managed via a local GUI interface, with the updates capable of the usual scheduling as required or, if preferred, they can be run on-demand. TrustPort also allows various actions to be configured for detected malware samples. WCL noted that the product management is in keeping with other products traditionally found in this category; however, it should be noted that what it actually does, it does very well. TrustPort is a security bundle providing anti-malware protection for local files, email and web. It also includes URL blocking and a firewall, enabling control of what can be viewed on the client. The URL filter contains a variety of site classifications, such as adult and gambling, to prevent viewing this type of content if required, and the product includes a Portable Antivirus solution that allows a version of the TrustPort AV solution to be deployed to a USB stick, thus protecting any files you wish to transport; excellent for those on the move. Observations from the WCL engineers include comments on TrustPort being a really good all-round package, with the Portable Antivirus helping it stand out in an already crowded market. This type of capability is important for anyone relying on technology when on the move, and should not be underestimated, as it will protect their credibility and keep their security in one piece when it could otherwise be compromised.

Product: TrustPort AV
Manufacturer: TrustPort
Contact Details: www.trustport.com
Certification: www.westcoastlabs.com

WEST COAST LABS VERDICT
TrustPort AV is aimed at home users, but can equally offer protection for SOHO workers. Including anti-malware protection in the suite of protection that it offers, the solution is well documented and is easy to configure for flexible protection levels dependent upon the requirements of the individual user.


IMSVA v5.1
Trend Micro

DEVELOPER'S STATEMENT
Trend Micro InterScan Messaging Security Virtual Appliance is a hybrid SaaS email security solution that integrates an on-premise virtual appliance with in-the-cloud SaaS email security.

IMSVA is designed specifically for enterprise-size business models. It provides traditional malware protection, but it does not stop there, with the addition of extended technologies such as firewall, web threats and POP3 scanning. IMSVA ensures a cloak of security for any credible business looking to secure itself from potentially damaging security breaches. This also gives the administrator peace of mind in knowing that no glitches will occur in this security, as there will not be any issues with compatibility. The IMSVA solution is initially installed on the server and can then be managed from there, prior to rollout to the endpoint clients. The security policies are also managed on the central server and then pushed out to the client machines, so the administrator does not have to configure each individual client machine, saving time and money. Designed for VMware ESX/ESXi servers, IMSVA is a virtual machine, with the images being loaded into the ESX Hypervisor server. IMSVA does require some basic setup via a Linux-based command line when running the virtual machine for the first time. As our engineer observed during his initial encounter with it, the IMSVA setup and configuration is carried out via a web-based GUI. Of course, for any administrators with experience of Trend's IMSS and IWSS solutions, utilizing a web GUI will already be familiar, and for those with limited or no such experience it still offers ease of use. On the initial configuration of IMSVA, local firewall rules permitting, customization of the solution is carried out via the web-based GUI, which can be accessed anywhere on the network. The West Coast Labs engineer again commented on the excellent web-based GUI, but emphasized that access to the management interface will depend upon existing firewall rules. Providing full anti-malware capability, as well as URL filtering for those URLs found inside emails, IMSVA has the same malware capability as IWSVA while also providing anti-spam support. Working at the gateway level, IMSVA scans inbound traffic before it reaches the endpoint and blocks any traffic it finds to be malicious, thus protecting the whole enterprise. This ensures nothing is left to chance, and end-users are not bogged down with header messages they understand little about or decisions on what is expected of them in respect of malicious and unwanted email. The West Coast Labs engineer also commented on the product's overall ability as a solid, reliable gateway-level defense. This is an important point: as any experienced IT manager will tell you, having full confidence in the security product's capability along with ease of use goes a long way when you have a large network to run.

Product: IMSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

WEST COAST LABS VERDICT
Trend Micro's IMSVA solution comprises a virtual machine that handles messaging traffic and includes a number of core technologies, such as anti-spam, anti-malware and anti-phishing. These are combined to offer a scalable and flexible solution which can be deployed in a number of network scenarios.

IWSVA v5.1
Trend Micro

DEVELOPER'S STATEMENT
Trend Micro InterScan Web Security Virtual Appliance is a consolidated web security solution that combines award-winning malware scanning, real-time web reputation, powerful URL filtering, and integrated caching.

As with IMSVA, IWSVA is designed for the enterprise. IWSVA is installed and managed directly on the server, with no further client installations necessary. The security policies are also managed on the central server and pushed out to the client machines to allow IWSVA to provide traditional malware protection, as well as incorporating extended technologies such as firewall, web threats and POP3 scanning. These are all indispensable components of a versatile security solution, and the centralization provides the ease of use and flexibility administrators have come to expect, especially useful when running a large network efficiently. Designed for VMware ESX/ESXi servers, this is a virtual machine, with the virtual images being placed on the ESX Hypervisor server. IWSVA requires some fairly basic setup via a Linux-based command line when you run the virtual machine for the first time, but again, this is an uncomplicated process; and as you'd expect with a virtual machine-based technology, the product's setup and configuration is carried out via a web-based GUI. With the ability to access it anywhere on the network, local firewall rules permitting, IWSVA customization may be carried out via the web-based GUI once the initial configuration has been accomplished. Any administrators familiar with Trend's IMSS and IWSS solutions will be accustomed to the web GUI, but for those not so experienced it should still prove easy to use, and therefore it does not limit you to a specific member of your IT staff being on hand. This, as described by the WCL engineer, is again a good user-friendly web-based GUI, but he also observed that access to the management interface will depend upon any existing firewall rules, which is important to remember when setting up IWSVA for the first time. IWSVA not only provides full anti-malware capability, but also provides URL filtering; it also offers the same malware capability as IMSVA. Working at the gateway level, IWSVA scans all of your enterprise's inbound traffic before it reaches the endpoint and blocks any traffic it finds suspicious, so that malicious entities are blocked and your systems remain secure. This requires no client-side intervention and is therefore less prone to user error. West Coast Labs found during testing that this was again a solid, reliable gateway-level defense solution worthy of the job in hand. So overall, IWSVA offers a well-rounded security blanket protecting the enterprise at the gateway, which frees up IT staff to concentrate on other business at hand.

Product: IWSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
9 Technology Report www.westcoastlabs.com

WEST COAST LABS VERDICT Trend Micro's IWSVA solution offers the ease of virtualization and the flexibility to handle web traffic in a number of types of network. The technologies at work that contribute to the operation of this solution include anti-malware, and URL content filtering, and allow for very fine grained control.
www.westcoastlabs.com Technology Report 10

Technology Report

OfficeScan v10.0
Trend Micro

DEVELOPER'S STATEMENT
Trend Micro OfficeScan is a comprehensive endpoint security and malware protection solution for medium-sized businesses and enterprises and is normally used in a client-server configuration.

If you are an administrator running an enterprise and you are charged with finding a suitable security solution, how do you weigh up the protection you require without compromise? With OfficeScan you can protect the enterprise with traditional malware protection, incorporating extended technologies such as firewall, protection from web threats and POP3 scanning, all in one solution. This must make OfficeScan one product worthy of note to IT administrators. OfficeScan is installed and managed on the server, and when ready to deploy it is simply rolled out to your endpoint clients to provide the layer and level of security required. With security policies managed on the central server, the administrator can push them out to the client machines, making it an easy task to accomplish - job done.

Simply put, OfficeScan is a server-client solution: it is initially installed on a central server before being sent out to the client machines around the network. Deployment can be carried out either by targeting specific client machines from the server console, by downloading the install package to the client, or by incorporating the solution using Active Directory. The client installation is silent, so neither the administrator nor the end user has to intervene on the client machine and, as you'd expect, OfficeScan supports all common Windows client platforms, as well as VMware workstations. During installation, the engineer commented on the various choices and variables available as deployment methods. It was also noted that OfficeScan has pretty low system requirements and that it also offers good support for virtual desktops.

OfficeScan is managed via an MMC-style interface with all common options available, such as scanning actions, schedules and targets, with various security policies being catered for; so in all this is a versatile product. Although there is nothing revolutionary in the way that OfficeScan is managed, this certainly does not detract from the solution in any way. It does, however, seem to pack a lot into one package. As its name suggests, OfficeScan provides protection against viruses, trojans, spyware and rootkits, with the further inclusion of firewall, web threat protection and host intrusion prevention, so in all this is a fairly comprehensive barrier against potential threats. OfficeScan can also scan inbound POP3 traffic. This product uses the Trend Smart Protection Network (SPN) to provide cloud-based detection of malware. During WCL's extensive testing, the engineer observed that OfficeScan really did offer a good level of defense, and he also said it was in-depth, with numerous combined security technologies included. That has to put OfficeScan in a strong position, with its comprehensive security, as a solution worthy of a place in any security-conscious enterprise.

Product: OfficeScan v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

WEST COAST LABS VERDICT
Trend Micro's OfficeScan offers anti-malware technology at its core, with the possibility of central reporting and administration in an enterprise-level setting. The deployment and management of remote endpoints is streamlined through the central management GUI, offering an easy way for IT staff to ensure that hosts are protected.

ScanMail for Exchange v10.0
Trend Micro

DEVELOPER'S STATEMENT
Trend Micro ScanMail for Microsoft Exchange provides industry-leading scan engines to help stop the widest possible range of threats, while innovative Web Reputation and Email Reputation technologies use a unique cloud-client architecture accessing up-to-the-minute threat intelligence to thwart the latest attacks.

ScanMail for Exchange is designed as an umbrella for email protection, including content filtering, anti-spam, recipient filtering, URL detection (within emails) and anti-phishing, and is specifically produced for enterprises running Exchange servers. ScanMail for Exchange is an obvious choice for securing your incoming content, as the system requirements are relatively low considering the security this solution provides and the market it's aimed at. This particular product is installed and managed on the server: it is a server-based solution with no client-side aspect. The installation itself is carried out directly on a server and can be placed on the Exchange server itself; however, this is not recommended for the larger business model because of the impact on resources, but if required the option is there. At the installation stage, a number of possible configurations can be achieved, and the main installation routine itself is well documented. Some experience with Exchange-based systems will be necessary, but this is assumed given the target market. ScanMail for Exchange supports a number of Windows server platforms and Exchange versions, providing support for various network configurations, such as Server 2000/3/8 and Exchange 2003/7/10.

The engineer commented on ScanMail for Exchange's good installation routine and effective deployment and integration options, something to be considered when deciding on time to deploy. Managed via an MMC-style interface, ScanMail for Exchange offers numerous options for each of the available features, which can be tailored to fit a range of company security policies. Of course, all the usual options are available, such as scanning, schedules and targets. Administrators take note: the engineer says the numerous configuration options are very useful and will help tailor the protection on offer, so you can ensure your systems are protected to the enterprise's requirements. ScanMail for Exchange also provides protection in the form of an email reputation filter. This allows emails from a list of known unwanted senders to be automatically blocked, saving valuable time and resources. The ability to scan emails for URLs/links to known-bad or malicious websites and to block any that are found increases its effectiveness somewhat. According to the West Coast Labs engineers, ScanMail for Exchange incorporates Trend Micro's Smart Protection Network (SPN), which adds to the level of protection on offer.

Product: ScanMail for Exchange v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

WEST COAST LABS VERDICT
Trend Micro's ScanMail, here considered in its integration with Microsoft Exchange Server, offers gateway protection against email-borne threats. It includes all the components that might be expected, such as anti-spam, anti-malware and phishing protection, administered with ease through a central management console.

SecureWeb
K7 Computing

DEVELOPER'S STATEMENT
K7 SecureWeb provides end-to-end protection for personal information right from the keyboard to the website and specifically aims to secure online transactions.

SecureWeb is designed to provide end-to-end protection for personal information such as usernames, passwords and credit card details, right from the keyboard to the website, and to secure online financial transactions. In addition to protecting internet users against threats such as screen scraping and keylogging, SecureWeb also provides SSL certificate verification and website authentication. The automatic browser launch is a great feature, as it prompts users whenever they browse to online banking and shopping websites.

SecureWeb was tested using a network consisting of a primary network attached directly to the internet and a secondary, aggressor network. A standard desktop machine housed on the primary network was used as the host for SecureWeb. To prevent theft of passwords and bank details, SecureWeb provides an additional layer of security. It does not provide antivirus or URL filtering; however, what it does protect, it protects extremely well. To protect against keyloggers, SecureWeb encrypts all keystrokes so that any data that is captured is unintelligible. When dealing with screen grabbers, West Coast Labs found that each screenshot was redacted, so that any potential attacker captures a blank screen.

DLL injection can disrupt a security solution and lead to the theft of user data. Attackers will often target the security solutions themselves as a first port of call when trying to circumvent protection on a local machine, whether this is anti-virus, URL/website filtering or data protection. To protect against this, SecureWeb continuously monitors its own processes for signs of malicious behavior. WCL's engineers attempted to load malicious and harmful DLLs, but were unable to inject malicious code into the SecureWeb address space, and as such all user data remained protected.

SecureWeb also protects against the threat of DNS poisoning, which alters the IP address associated with the URLs of such sites so that a user is instead directed to a website controlled by the attacker. To test this, a list of well-known e-commerce and financial domain names was added to the host's hosts file, each domain being associated with the IP address of a web server owned and controlled by WCL. SecureWeb, however, does not rely on information contained within the system's hosts file, and all attempts to redirect SecureWeb to an incorrect web server/web page proved unsuccessful.

Many transaction websites use SSL certificates (HTTPS) for privacy assurance, but attackers will often try to create fraudulent certificates to pass off spoofed versions as legitimate. SecureWeb provides a means of checking the authenticity of SSL certificates, reporting if they are self-signed and therefore not legitimate. To display this information, SecureWeb employs a SiteBand that uses colored warnings to provide an at-a-glance report on whether the site can be trusted or not. Throughout testing, SecureWeb accurately distinguished those sites that were using legitimate SSL certificates from those that weren't.

Product: SecureWeb
Manufacturer: K7 Computing
Contact Details: www.k7computing.com
Certification: www.westcoastlabs.com

WEST COAST LABS VERDICT
K7 SecureWeb is a good example of a solution to a specific problem that fulfills its remit very well. This is not a general-use web browser, but in terms of protecting users when entering financial details it has been shown to succeed.

Webroot Web Security Service
Webroot

DEVELOPER'S STATEMENT
With up to 85% of malware now distributed via the web, proactive web security is a necessity. Webroot Web Security Service provides better manageability and better malware protection than on-premise solutions. Organizations can get the most advanced protection against viruses, spyware, phishing and data loss while easily enforcing internet acceptable use policy, all without the hassle of purchasing and managing additional hardware and software.

Webroot Web Security Service is recommended for the larger business and enterprise-sized models and, as its name suggests, is a managed solution, so there is no hardware requirement. Webroot Web Security Service (WWSS) provides gateway-level security as a managed service to protect against web-based threats. Its coverage includes file downloads and URL filtering, areas which can be a real headache for corporate credibility. WWSS is managed from a web-based interface, with each client machine being directed to use the WWSS proxy address. Setting up the service is an extremely quick and easy affair, requiring only that an administrator provides basic network information to Webroot. Various settings can be defined by the administrator, such as which URL categories to block and the amount of time each user is permitted to spend online, as well as informing users of their company's individual internet acceptable use policy.

The deployment to client machines is also completed quickly and, as already noted, as a managed service the installation is almost non-existent. The West Coast Labs engineer commented that once the account has been finalized with Webroot, end-user machines simply have to be configured to begin using the Webroot service. Management of the service is accomplished remotely by logging into the Webroot management portal, allowing protection and internet use policies to be created and rolled out rapidly. As the service is hosted by Webroot, there is no need for the administrator to run updates for either software or security definitions, making it less time-consuming. As WCL's engineer pointed out, although management is only possible via the web interface, the options available do allow for a tailored approach.

The scanning and features available to the network include provision for URL and content filtering using preset categories. Vulnerability scanning has also been added to the service; however, this aspect was not tested by WCL. In addition, WWSS also provides anti-phishing protection as well as standard malware scanning. During testing, WCL's observation was that it offered good multi-layered protection against a range of web-based threats. The Checkmark testing WWSS underwent was on the AV Gateway certification and the Real Time system for malicious URLs, and WWSS also passed WCL's Web Threats certification, making it a platinum product. WWSS promises fast internet browsing with minimal latency, a proactive scan-ahead facility, and a safe search facility that color-codes search engine results to allow users to see whether sites are allowed, blocked or could contain malware. There is also real-time reporting and web activity logging, which can be used to view the network or individual users or groups, providing flexible viewing of network activity. Add all that to the rapid deployment of WWSS across your entire network, which requires no software or hardware purchase, and the ability to use preconfigured policy options based on your chosen level of security, and you can see that a managed service could provide a viable alternative that reduces demands on IT resources and offers cost-effective security fast.

Product: Webroot Web Security Service
Manufacturer: Webroot
Contact Details: www.webroot.com
Certification: www.westcoastlabs.com

WEST COAST LABS VERDICT
Webroot's Web Security Service offers web threat protection as a managed service and protects against a variety of threats whilst allowing the administrator central control through a web portal. The use of a managed service also means that administrators no longer need concern themselves with remembering updates.
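The hosts-file redirection test in the SecureWeb review above, where well-known financial domains were pointed at a lab web server, can be turned into a defensive check that an administrator runs against an endpoint. The following is an added example and not K7's or West Coast Labs' code; the watch list of domains, the sample hosts-file contents and the addresses in it are all constructed for illustration.

```python
"""Detect hosts-file overrides for sensitive domains.

Added example, not K7's or WCL's code. A hosts-file entry that pins a banking
or shopping domain to an address other than loopback is the local form of the
DNS poisoning the report describes, so a defender can look for exactly that.
"""
import ipaddress

# Constructed watch list: domains that should never be resolved via the hosts
# file. A real deployment would load this from configuration.
WATCHED_DOMAINS = {"bank.example", "shop.example", "pay.example"}

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments (#) and blank lines are skipped, one line may map several
    hostnames to a single address, and lines whose first field is not a
    valid IP address are ignored rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched names pinned to non-loopback addresses.

    A watched name pointed at loopback is treated as a deliberate block (the
    usual ad/tracker blocking practice), not as a redirect to another server.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if is_watched(name, watched) and addr not in LOOPBACK:
            hits.append((name, str(addr)))
    return hits


# Constructed sample hosts file: benign localhost lines, a commented-out line,
# one watched domain redirected to a documentation-range address, and a
# loopback block that must not be reported.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# 192.0.2.10  old.example
192.0.2.10  www.bank.example bank.example   # redirect of a watched domain
127.0.0.1   ads.example                     # blocking, not a redirect
10.0.0.5    intranet.example
"""

if __name__ == "__main__":
    for name, ip in find_overrides(SAMPLE_HOSTS):
        print(f"hosts-file override: {name} -> {ip}")
```

On a live system the same function would be fed the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and any hit is worth correlating with the endpoint's change history before treating it as tampering.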

Shell Control Box (SCB)
BalaBit

DEVELOPER'S STATEMENT
The Shell Control Box by BalaBit is an activity monitoring solution for privileged access that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems.

One of the two BalaBit products to be reviewed under West Coast Labs' (WCL) new Performance Validated program is Shell Control Box (SCB). As with syslog-ng Store Box, the SCB test allowed WCL to provide an independent review of the solution. To test SCB, WCL was provided with a Sun Microsystems x2200 server running SCB. WCL also tested a virtual version of SCB. Testing of the SCB solution was conducted on a custom-built network at WCL's UK facility. The network itself consisted of a variety of client and server machines running a range of both Windows- and Linux-based operating systems. WCL downloaded SCB from the BalaBit website as a virtual machine, which was then imported onto a server running VMPlayer. Before full deployment, SCB requires basic network configuration (host IP address, gateway address, and so on), and the license is imported into SCB at the end of the initial configuration.

SCB is an independent appliance designed to integrate with ease, offering high availability, and is configured via a clean, intuitive web interface. The roles of each SCB administrator are clearly defined using a set of privileges. SCB receives connection attempts for a specific target host and then forwards the connection. The solution enables the creation of rules allowing the administrator to permit or deny connections based on set criteria, and provides for the auditing of network connections. SCB also works in conjunction with BalaBit's Audit Player to allow logged network traffic to be replayed in real time, and supports the following protocols: Secure Shell (SSH), Remote Desktop (RDP), Telnet and terminal emulators using the standard TN3270, VNC and VMware View. WCL examined only VNC, RDP, SSH and Telnet during the test period. The recorded audit trails can be replayed like a movie using the aforementioned Audit Player, enabling a review of events exactly as they occurred. The audit trail is indexed to make searching for events and automatic reporting possible, enabling identification of misconfigurations and other human errors during forensic analysis.

SCB works in conjunction with network firewalls and can supplement further security devices, benefiting network and IT security administrators by controlling all remote connections on a given network. SCB acts as a proxy gateway, and any transferred connections and traffic are inspected at the application level (Layer 7 in the OSI model), giving control over protocol features such as the authentication and encryption methods or permitted channels.

In order to test SCB it was necessary to establish inbound connections over a network to a specific machine. VNC, SSH, RDP and Telnet connections were established; each of the connection types and combinations was tested using access control lists. These included machines with various access permissions and, once connections had been established, WCL also tested the solution's ability to terminate the connections successfully. WCL then replayed the network traffic logs through the Audit Player for verification.

Product: Shell Control Box (SCB)
Manufacturer: BalaBit
Contact Details: www.balabit.com
Certification: www.westcoastlabs.com

WEST COAST LABS VERDICT
Testing of the SCB virtual machine showed that all connections were received and handled correctly, the administrator was able to terminate established connections and the logged files were 100% accurate. Tests also showed the capability of Audit Player to recreate the data from the session in an accurate movie-like format.

syslog-ng Store Box (SSB)
BalaBit

DEVELOPER'S STATEMENT
The syslog-ng Store Box (SSB) from BalaBit is a network log server that offers the capability to remotely collect and store logging entries and records from a variety of sources, including syslog and SNMP, and is designed to run alongside other security products.

As part of its Performance Validated testing program, West Coast Labs (WCL) reviewed the syslog-ng Store Box (SSB) solution from BalaBit. The aim of the testing was to provide an independent means of validating the features and capabilities of SSB. To test SSB, WCL was provided with a Sun Microsystems x2200 server running SSB. WCL tested a virtual version of SSB, deploying the SSB virtual machine image that had been downloaded from the BalaBit website under the VMware Player application. This deployment of the machine was straightforward, and should prove simple to anyone familiar with networking or virtualization technologies. On first boot, SSB requires some basic network configuration, such as designated IP, gateway and DNS addresses, along with the application of the SSB license key. With this complete, the administrator is free to log in to SSB via a web browser and begin any required customization of the solution.

The test networks on which SSB was evaluated contained client machines running Windows XP along with AV software, various network security appliances, and a number of routers. Added to this were aspects of WCL's proprietary Real Time system. SSB's ability to monitor, in real time, the incoming log files and flag any that do not match an expected pattern makes it extremely useful, providing an early indicator of any deviation in network traffic and/or usage. While not a security solution in its own right, SSB can work in conjunction with those security solutions already deployed on a given network and provide a means of monitoring any security events that may occur. SSB allows the administrator to capture redirected log files from various devices such as routers, security appliances and various servers. These logs can be either analyzed, using integral tools, or stored for later retrieval. Use of a proprietary encryption algorithm means that only authorized personnel can access information via the SSB interface. Log files can also be redirected to either a separate analysis device or a different log server.

To test SSB's ability to correctly receive log files, client machines residing on the Real Time system were configured so that logs relating to system restarts, network events and so on were redirected to SSB. Gateway security appliances, one on the Real Time system and one on a separate network, were configured to deliver all logs to SSB. A group of client machines residing on a separate WCL network had BalaBit's client software deployed to them in order to capture and forward client logs to SSB. To validate SSB's ability to manage and secure the log files it received, WCL ran tests to ensure all log files received from the various networks were correctly captured. Searches were run looking for known, specific log events such as machine restarts and network security events. WCL also attempted to open log files locally, without the use of the SSB interface, and found that the controls in place allowed access only via the interface, as expected. Log files were not human-readable when accessed directly from the underlying operating system.

Product: syslog-ng Store Box
Manufacturer: BalaBit
Contact Details: www.balabit.com
Certification: www.westcoastlabs.com

WEST COAST LABS VERDICT
SSB received several thousand logs from various sources, and WCL concluded that all log files were received with a 100 percent success rate. All log files that were received were accurately classified and grouped.
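Two of the behaviours tested above, an SCB-style gateway permitting or denying a remote connection against an access control list and auditing the result, and an SSB-style collector that parses the resulting log records, flags lines that do not match the expected pattern and answers searches for specific events, can be modelled together in miniature. The following is an added example and not BalaBit's code; the rule format, the audit-line format, the hypothetical helper names and all addresses, timestamps and connection attempts are constructed for illustration.

```python
"""Gateway ACL decisions feeding an audit-log collector.

Added example, not BalaBit's code. The first half plays the role of an
access-control gateway for the four protocols WCL exercised (SSH, RDP, VNC,
Telnet): first-match rule evaluation with default deny, and a syslog-style
audit record per attempt. The second half plays the collector: it parses
records, surfaces any line that does not fit the expected format, and
searches the parsed records for particular events.
"""
import ipaddress
import re
from dataclasses import dataclass

SUPPORTED_PROTOCOLS = {"ssh", "rdp", "vnc", "telnet"}


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network   # who may connect
    target: ipaddress.IPv4Network   # where they may connect to
    protocols: frozenset            # subset of SUPPORTED_PROTOCOLS
    action: str                     # "permit" or "deny"


def evaluate(rules, src, dst, proto):
    """First-match ACL evaluation; unsupported protocols and unmatched
    attempts are denied, so an empty rule set blocks everything."""
    proto = proto.lower()
    if proto not in SUPPORTED_PROTOCOLS:
        return "deny"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.source and d in rule.target and proto in rule.protocols:
            return rule.action
    return "deny"


def audit_line(ts, src, dst, proto, decision):
    """Render one RFC 3164-style audit record (constructed format)."""
    return f"{ts} scb gateway: decision={decision} proto={proto.lower()} src={src} dst={dst}"


# The collector's expected record format; anything else is reported as unparsed.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[\w-]+): "
    r"decision=(?P<decision>permit|deny) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def collect(lines):
    """Parse audit lines into dicts; return (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            unparsed.append(line)
    return records, unparsed


def search(records, **criteria):
    """Return the records whose fields equal every given criterion."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


# Constructed ACL: the admin segment may SSH/RDP to the server segment only.
RULES = [
    Rule(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.9.0/24"),
         frozenset({"ssh", "rdp"}), "permit"),
]

# Constructed connection attempts: (timestamp, source, target, protocol).
ATTEMPTS = [
    ("Feb 10 09:15:01", "10.0.1.5", "10.0.9.20", "ssh"),    # permitted
    ("Feb 10 09:15:07", "10.0.1.5", "10.0.9.20", "vnc"),    # protocol not in rule
    ("Feb 10 09:16:30", "10.0.2.8", "10.0.9.20", "rdp"),    # source outside rule
    ("Feb 10 09:17:02", "10.0.1.5", "10.0.9.21", "http"),   # unsupported protocol
]

# A constructed line in a different format, as a misconfigured sender might emit.
STRAY_LINE = "Feb 10 09:18:00 router1 kernel: link down on eth0"


def run_gateway(rules=RULES, attempts=ATTEMPTS):
    """Evaluate every attempt and return the audit lines the gateway emits."""
    return [audit_line(ts, s, d, p, evaluate(rules, s, d, p)) for ts, s, d, p in attempts]


if __name__ == "__main__":
    records, unparsed = collect(run_gateway() + [STRAY_LINE])
    print("denied:", search(records, decision="deny"))
    print("unexpected format:", unparsed)
```

The collector deliberately keeps unparsed lines rather than dropping them: a sender whose records stop matching the expected pattern is itself a signal worth investigating, which is the "flag any that do not match an expected pattern" capability the SSB review describes.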

www.westcoastlabs.com

US Headquarters & Test Facility
West Coast Labs, 16842 Von Karman Avenue, Suite 125, Irvine, CA 92606, U.S.A.
USA: Email: smarkle@westcoast.com, Telephone: +1 (347) 403 0374; Email: rcarter@westcoast.com, Telephone: +1 (949) 870 3250

European Headquarters & Test Facility
West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, Cardiff CF23 8RS, U.K.
UK/Europe: Email: sstoughton@westcoast.com, Telephone: +44 (0) 208 267 8280

Asia Headquarters & Test Facility
West Coast Labs, A2/9 Lower Ground Floor, Safdarjung Enclave, Main Africa Avenue Road, New Delhi 110 029, India.
