During November 2010, AV-Test performed a comparative review of six business security products to determine their real-world protection capabilities against threats that are encountered by businesses of all sizes every day.
The test was designed to challenge the products against zero-day attacks from the internet, including the most common infection vectors currently. The samples were accessed via direct links to malicious executable files, by drive-by-download websites that utilize exploits and by opening mail attachments.
Additionally, a static detection test of recent samples of two very prevalent malware families – FakeAV and Zbot – was carried out to show the detection capabilities of the products.
Overall, Sophos delivered the best detection rates, coming top in both parts of the test – detecting and blocking 96% of the zero-day threats, as well as blocking 99.74% of the prevalent malware samples. Symantec reached an equally good result for zero-day threats, also blocking 96%; its on-demand detection of prevalent malware was 97.16%.
Trend Micro and Kaspersky were very close to the top two products in blocking zero-day threats, both reaching 92%. Trend Micro had the second best on-demand detection rate for Zbot and FakeAV with 99.59%, while Kaspersky reached 98.83%. Finally, Microsoft and McAfee each detected 80% of the zero-day threats, and 98.14% (Microsoft) and 91.38% (McAfee) of the samples from the two prevalent malware families.
Products Tested
The tests were carried out on the latest versions (at the time of the test) of each of the following 6 products:
• Kaspersky Anti-Virus 6.0 for Windows Workstations
• McAfee Total Protection for Endpoint 4.5
• Microsoft Forefront Client Security 1.5
• Sophos Endpoint Security and Control 9.5
• Symantec Endpoint Protection 11
• Trend Micro OfficeScan 10.5
Test Results
1. Real-Time Protection
The best results for combined detection with all protection features turned on were achieved by Sophos and Symantec, both detecting 24 out of 25. Kaspersky and Trend Micro were only one threat behind with 23 detected samples. McAfee and Microsoft detected 20 out of 25 tested URLs and e-mails.
i. URL blocking
The test started by accessing malicious URLs and determined which products blocked access to the URLs and which didn’t. This prevents malicious code from ever reaching the endpoint, minimizing the risk of getting infected. All vendors other than Microsoft offer this feature.
The best result was achieved by Sophos and Trend Micro, which both blocked access to 17 out of 23 URLs. Kaspersky and Symantec were a bit behind with 13 and 12 blocked URLs respectively. McAfee blocked access to 2 URLs. However, it is important to note that Microsoft offers a protection feature called SmartScreen in Internet Explorer which is also able to block access to malicious websites. This wasn’t included in the test, as our focus was on the protection features in the security software itself.
ii. Static detection
If URL blocking fails or cannot be used, traditional static malware detection becomes important. Therefore we tested the same 23 URLs again, as well as the two malicious e-mail attachments, with the on-demand scanner.
All products tested provide this protection feature, as it is the traditional way of detecting and blocking malware. The best results were achieved by Sophos, detecting 19 out of 25 cases, closely followed by Kaspersky which detected 17 cases.
iii. Dynamic detection
When both the URL filtering and the static file scanning fail to detect anything, the malware could be executed on the system. At this point the third protection layer becomes important: the dynamic detection of threats, which analyzes the behavior of the threat, blocks suspicious actions and removes related components. However, it is not easy to test dynamic detection separately (because the static detection would have to be artificially disabled), so the overall scores in figure 1 give an idea of the impact this layer has on the full protection rates.
2. Detection of prevalent malware
The second type of testing performed was the static detection of FakeAV and ZBot, two very prevalent malware families for many businesses today. Sophos and Trend Micro achieved the highest results detecting over 99% of the files for both test sets. Kaspersky, Microsoft and Symantec also had a very good detection rate with over 98% for FakeAV and over 92% for ZBot.
McAfee was behind in this test, despite their in-the-cloud service, primarily because the sensitivity of this service is set to low in the default configuration to minimize the risk of false positives. This shows that you should always consider configuration settings and whether increasing protection rates will increase the risk of false positives or not.