Platinum Product Test Report Kaspersky Lab Anti ... - West Coast Labs

TEST REPORT December 2010 

Kaspersky Lab 

Performance Validation Testing 

Kaspersky Corporate Solutions

Kaspersky Lab Product Performance 

Validation Testing & Certification 

Commissioning Vendor 

Kaspersky Lab, 97 Milton Park, Abingdon, Oxon, OX14 4RY, UK. 

WCL Corporate Offices and Test Facilities 

USA Headquarters and Test Facility 

West Coast Labs, 16842 Von Karman Avenue, Suite 125, Irvine, CA 92606, U.S.A. Tel: 

+1 (949) 870 3250, Fax: +1 (949) 251 1586 

European Headquarters and Test Facility 

West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, 

Cardiff, CF23 8RS, UK. 

Tel: +44 (0) 29 2054 8400, Fax: +44 (0) 29 2054 8401 

Asia Headquarters and Test Facility 

West Coast Labs, A2/9 Lower Ground Floor, Safdarjung Enclave, Main Africa Avenue 

Road, New Delhi 110 029, India. Tel: +91 (0) 11 4602 0622, Fax: +91 (0) 11 4602 0633 

Date: 8th December 2010 Version: 1.0 

Authors: Richard Thomas, Lysa Myers, Michael Parsons, Matt Garrad, Mark Thomas, 

Chris Thomas 

Page 2 of 40



Contents 

Changing Malware Threats in Corporate Networks 4 

Test Objectives 9 

Comparative Product Testing 11 

Test Network 12 

Test Methodology 14 

Test Results 16 

Checkmark Product Testing and Certification 17 

Baseline and Static Certification Testing 

Dynamic Testing and Certification 

Real Time Product Testing and Certification 

Kaspersky Lab Certifications in Checkmark 19 

West Coast Labs’ Conclusion 20 

Appendix 

Product Feature Set Comparisons 22 

Malware Test Suites 33 

Disclaimer 38 

Revision History 39 

Page 3 of 40



Changing Malware Threats in Corporate Networks 

The evolution of Malware, Security Technologies and Services 

By Lysa Myers, director of research, West Coast Labs. 

There are few who are unaware of the malware landscape changing since the 

release of the first few viruses decades ago. But it seems there are just as few people 

outside the computer security industry who understand the nature of that change. 

No longer is malware as ethereal a threat as an urban legend, and no longer is the 

virus outbreak of the day making the evening news. Threats now come not by ones 

and twos but by the many tens of thousands each day with the known total 

hovering in the tens of millions. And threats come quietly, remaining as far below the 

radar as possible to maximize their stay on an affected machine. Corporations are 

now victims of targeted attacks, as well as the regular masses of malware and have 

specific needs for the protection of corporate information assets. 

While malware activity has increased, security budgets certainly have not. Many 

corporate security staff find themselves facing a tidal wave of new threats without 

extra personnel or resources. They need security software to work faster, harder and 

require less manual interaction while providing detailed reports as to what actions 

have been taken. Machines which are infected need to be cleaned completely so 

as to get systems back up and running quickly and painlessly. Anti-Malware 

software is only as good as its research and support departments. They are vital in 

order to have excellent response times to new threats and to provide top-notch 

customer assistance. As focus in corporate networks shifts away from the desktop, 

into mobile, cloud and virtual computing resources, security software needs to 

protect these environments too. 

Page 4 of 40




The way malware spreads has also changed – there is less concern for infecting 

oneself with a floppy disk (how many of us even have a floppy disk drive now) or 

via poorly worded and spelled mass-mailer viruses. When malware authors 

discovered there was profit to be had in spreading their malicious wares, they 

began to take many of the tactics used by Search Engine Optimizers and improved 

their social engineering craft, placing files where people were most likely to run 

across them. Consequently, the Web is now where the majority of people become 

infected with malware and, given the extent to which the internet is such an integral 

part of all corporations’ business activities, the Web is a potent threat vector. 

Company’s websites are regularly targeted for defacement or infected to spread 

malware to the site’s visitors. 

Given that the Internet is operating system agnostic and because current scripting 

languages allow for queries of the specific browser version of each visitor, malware 

can be spread which in a manner which infects any particular visit. In the last few 

years, this has been a tactic which has proved increasingly popular with malware 

authors, increasing their reach as the market share of new technology increases. 

Obviously, anti-malware products had to change with the times as the onslaught of 

malware has increased and the tactics of malware authors has shifted. The first antimalware 

products were designed strictly as signature scanners, which only ran when 

a user specifically initiated a scan. In short order, this was changed to allow the 

scanner to run continuously in the background so that each file was examined as it 

was accessed, without users having to think about it. This approach has become 

more widespread over time, so that products require little interaction – users can 

automatically have the most up-to-date protection running at all times. 

Page 5 of 40




Another thing which has changed with the times is the complexity of the scanning 

processes. No longer are anti-malware products simply signature-based scanners. 

They now include advanced heuristic technologies and generic signatures which 

can proactively detect new variants of existing families and new malware families. 

The best products include a variety of security features such as web or spam filtering, 

behavioural analysis or a firewall technology which can help protect against brand 

new threats. With these new, intensive scanning technologies, vendors have come 

up with many ways to decrease the overall processing load, so that scanning will 

not noticeably decrease access times or interrupt workflow. 

As both the malware landscape and anti-malware products have changed, so has 

the security testing industry. When products under test were updated periodically, 

used on-demand scanning and the total known malware was in the thousands, it 

made sense to have only a single pass or fail test which was performed a few times 

a year over a static test-bed of samples. This is no longer the reality of the current 

user experience. While it can be a meaningful baseline test of anti-malware 

functionality, it is far from a complete picture of overall product performance. 

In order to accurately reflect a user’s experience with malware, it is important to 

gather the full spectrum of malware from a variety of sources from throughout the 

internet, which circulate on various protocols. This means including not just emailbased 

malware, but malicious files on P2P networks, as well as on the Web and other 

attack vectors. Because malware does not stop when the work day ends nor does it 

recognize geographic boundaries, threats must be collected all day from around 

the world. 

Page 6 of 40




As anti-malware products have begun to include more wide-ranging technologies 

including ones which are initiated upon execution of a file, testing must incorporate 

dynamic functionality by running threats on test machines. This naturally takes more 

time than scanning an immobile directory of files, so one must take care to select 

the most relevant sample set which a customer is most likely to encounter. This takes 

into account not just prevalence, but attack vector popularity on which it is spread, 

potential for damage on an infected system, as well as geography. 

Malware authors are always abreast of technology trends – how people share their 

information, how they share files. At West Coast Labs we’ve already begun to see 

an increase of attacks on things like digital picture frames, USB thumb drives, mobile 

phones and on popular Web 2.0 sites. So, suffice to say, if you know a few people 

who use one or other or all – malware authors are looking to exploit them for 

financial gain. Likewise, anti-malware vendors are developing technologies to 

protect them and testers like West Coast Labs are developing methodologies to 

mirror the user’s risk and potential infection experience. In order to keep up to date 

on the evolving malware landscape, one need only see which new widgets are 

being used in home and business network environments. 

But in the corporate world, keeping updated on the latest threats and technologies 

is not enough – TCO and ROI need to be considered. How well do advanced 

technologies proactively detect How quickly are new threats added How is 

customer support response How easily can the solution be managed remotely 

How much CPU time is used for scanning To find the answers to many of these 

questions, take a look at product performance data from leading independent test 

organisations such as West Coast Labs and the performance validation programmes 

they deliver – such as Real Time Testing. 

Page 7 of 40




You can also take a close look at how individual vendors are responding to the 

changing threat landscape and the implications for the security of corporate 

networks. Nowadays, vendors are defining ‘Protection’ differently. No longer is it just 

product performance-related but also related to business and customer service 

issues, delivering a higher value overall service to meet not just security, but also 

business needs. 

When considering product performance in a corporate network environment, 

‘Protection’ is more than current malware detection capabilities, it’s also about the 

extent of a vendor’s product research and development strategy that anticipates 

threats and trends to ensure proactive network protection. It can be further defined 

as the extent to which malware protection is delivered for a multi-platform 

infrastructure through efficient and easily managed solutions with wide interoperability 

capabilities. ‘Protection’ is also about the extent to which business 

interests are protected through vendor service strategies that now include optimised 

and cost-effective security plans tailored to individual corporations’ needs for 

maximising business productivity, lowering the total cost of ownership and 

maximising the return on investment. Also, given that corporations are operating in a 

worldwide ‘e-economy’ all this needs to be supported by trusted and responsive 

global support plans. 

Yes, the threat landscape is continuing to evolve with new malware threats 

spawned at an alarming rate, but no longer is malware protection and information 

security in general just a technical issue - it is a business issue. That is why vendors’ 

product and service solutions are evolving to suit these changing needs and West 

Coast Labs is developing independent product performance programmes that 

ensure that these products and services are tested and validated accordingly. 

Page 8 of 40



The Test Objectives 

Kaspersky Lab commissioned West Coast Labs to carry out the following testing: 

• Checkmark Certification for the Baseline, Dynamic and Real Time testing 

programme on seven corporate security solutions: 

o Kaspersky Security 8.0 for Exchange Servers 

o Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition 

o Kaspersky Anti-Virus 8.0 for Linux File Server 

o Kaspersky Anti-Virus 8.0 for Lotus Domino 

o Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition 

o Kaspersky Endpoint Security 8 for Mac 

o Kaspersky Endpoint Security 8 for Linux 

• Comparative testing of selected Kaspersky products against a range of 

competitor products in a “static” test environment (See following page). 

• A comparison of product feature sets using publicly available information on 

vendor websites and marketing collateral. 

The Kaspersky Lab applications included in the test program are: 

o 

o 

o 

o 

o 

o 

o 

o 

Kaspersky Security 8.0 for Exchange Servers 

Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition 

Kaspersky Anti-Virus 8.0 for Linux File Server 

Kaspersky Anti-Virus 8.0 for Lotus Domino 

Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition 

Kaspersky Anti-Virus 6.0 for Windows Workstations 

• Windows XP 

• Windows Vista 

• Windows 7 

Kaspersky Endpoint Security 8 for Mac 

Kaspersky Endpoint Security 8 for Linux 

A comprehensive list of all Kaspersky Lab Checkmark Certifications and Checkmark 

Platinum Product Awards can be found on page 19. 

Page 9 of 40



The Test Objectives 

For the Comparative Testing and the Comparison of Product Feature Sets, five 

technology groups and a selection of comparable competitor products were 

identified by Kaspersky Lab. These were purchased in the way that any ordinary 

corporation would buy them – commercially off the shelf, and are detailed below. 

Microsoft Exchange Test 

Kaspersky Security 8.0 Symantec Mail Security Trend Micro ScanMail 

McAfee GroupShield Sophos E-mail Security ESET Mail Security 

Lotus Domino Test 

Kaspersky Anti-Virus 8.0 Symantec Mail Security Trend Micro ScanMail 

McAfee GroupShield Sophos E-mail Security ESET Mail Security 

MS ISA Server (replaced 

by Forefront TMG 2010) 

Test 

Kaspersky Anti-Virus 8.0 Forefront TMG 2010 

Windows Server Test 

Kaspersky Anti-Virus 8.0 

Symantec Endpoint 

Protection 

Trend Micro Officescan server 

edition 

McAfee VirusScan 

Enterprise and 

VirusScan for storages Sophos Endpoint security ESET File Security 

Linux Test 

Kaspersky Anti-Virus 8.0 

Symantec Endpoint 

Protection 

Trend Micro ServerProtect 

McAfee VirusScan 

Enterprise Sophos Endpoint security ESET File Security 

Page 10 of 40



Comparative Product Testing 

The comparative testing comprised a basic evaluation of each product’s malware 

detection capability in a static test environment. WCL built a test suite of 100,000 live 

malware samples* from its own independent resources that covered all appropriate 

attack vectors. 

Each solution was installed to a server running the appropriate and commonly 

supported Operating System and software detailed in the next section of this report. 

During installation, all default values were kept and, where a choice was required, 

the course of action recommended by the solution and/or the attendant product 

documentation was adhered to. 

Each solution was updated to the latest available definition, engine, and signature 

releases before a forensic image was taken and stored for later use. Updates were 

allowed during the test period through any normal scheduled and automatically 

enabled update mechanism present in the product, and a further forensic image 

was taken on the last day of testing for each combination of products. 

Each solution was tested against an appropriate test set extracted from the 100,000 

samples mentioned above and made up of real-world, “solution capability specific” 

samples taken from West Coast Labs’ collections, including samples received in the 

West Coast Labs Global Honeypot Network. For example, the Exchange-based 

solutions were tested against malware known to propagate over email. Test sets and 

the methodologies were constructed so as to mirror the experience of a real-life 

installation as far as possible and not to advantage any one vendor over the others. 

*For a description of the malware used in this test programme, refer to Appendix 1 of this 

report. 

Page 11 of 40



Comparative Product Testing – Test Network 

Testing was carried out on distinct networks which comprised various server and 

client machines needed to run the respective technologies and operating systems. 

In order to provide a balanced reporting process, West Coast Labs recommended 

that all client machines should run Windows XP and Service Pack 3 and that server 

platforms ran the highest OS version commonly supported across each of the 

solutions. 

In some cases this meant that they may not have been running on the latest version 

of a particular operating system, but this method meant that any testing carried out 

was more directly comparable. Details of highest levels of common operating 

systems per component available at the time of testing are as follows: 

Network 1 – Microsoft Exchange 

This network comprised 12 systems – 6 desktops and 6 servers (one of each for each 

solution). Each of the desktop machines were paired up with a server system in order 

to allow an Exchange Server and Outlook client configuration. 

Server OS: Windows 2003 Server 64 bit, Exchange Release: 2007 64 bit. 

Network 2 – Windows Server 



to allow a server/client configuration. 

Server OS: Windows 2008 64 bit 

Page 12 of 40



Comparative Product Testing – Test Network 

Network 3 – Linux 

This network comprised 6 systems running the Red Hat Enterprise release 5 version of 

Linux. 

Network 4 – Lotus Domino 



to allow a Lotus Domino server and Lotus Notes client configuration. 

Server OS: Windows 2003 32 bit, Lotus Domino Release: R8 

Network 5 – Microsoft ISA Server (Forefront TMG 2010) 

This network comprised 4 systems – 2 desktop and 2 servers (one of each for each 


to allow a server/client configuration. 

Server OS: Windows 2008 64 bit, Forefront TMG 2010 

Supporting these five networks there were a number of servers designed to collect 

data from each of the tests, along with desktop machines to act as remote points of 

control and for test management. 

Page 13 of 40



Comparative Product Testing – Test Methodology 

In each test case, the protocol most likely to be used was employed to test the 

solutions – these are detailed as below. 

Microsoft Exchange testing: Testing was conducted on an “On Access” basis. All 

samples were sent via email from accounts on a real-life, resolvable domain owned 

and controlled by West Coast Labs to the products under test over a live internet 

connection with appropriate firewall rules in place to allow only communication 

between the hosts used in the testing. This enabled West Coast Labs to report on 

those emails that were stopped at the Exchange Server and track those emails that 

were bounced to allow for resending to ascertain the gateway protection offered. 

Windows Server testing: Testing was conducted on an “On Demand” basis. All 

samples were copied on to the appropriate server in a number of directories. The 

solution under test was asked to scan the server Operating System to report any 

infections it found. 

Linux testing: Testing was conducted on an “On Demand” basis. All samples were 

copied on to the appropriate server in a number of directories. The solution under 

test was asked to scan the server Operating System to report any infections it found. 

Lotus Domino testing: Testing was conducted on an “On Access” basis. All samples 

were sent via email from accounts on a real-life, resolvable domain owned and 

controlled by West Coast Labs to the products under test over a live internet 

connection with appropriate firewall rules in place to allow only communication 

between the hosts used in the testing. This enabled West Coast Labs to report on 

those emails that were stopped at the Domino Server and track those emails that 

Page 14 of 40



Comparative Product Testing – Test Methodology 

might get bounced to allow for resending to ascertain the gateway protection 

offered. 

ISA Server/Forefront TMG testing: Testing was conducted on an “On Access” basis. 

All samples were provided from a real-life resolvable web and FTP server on a 

domain wholly owned and controlled by West Coast Labs. 

Attempts were made to download the samples over a live internet connection with 

appropriate firewall rules in place to allow only communication between the hosts 

used in the testing using HTTP and FTP to ascertain the gateway protection offered. 

Page 15 of 40



Comparative Product Testing – Test Results 

Malware Detection Test Results 

TEST 1 - Microsoft Exchange 

Total Malware Samples - 8042 Test Date Detection Rate Test Location 

Kaspersky Security 8.0 16/09/2009 - 23/09/2010 100% ** WCL UK Lab 

Product Performance Average* 100%** WCL UK Lab 

Product A 16/09/2009 - 23/09/2010 100% ** WCL UK Lab 

Product B 16/09/2009 - 23/09/2010 100% ** WCL UK Lab 

Product C 16/09/2009 - 23/09/2010 100% ** WCL UK Lab 

Product D 16/09/2009 - 23/09/2010 100% ** WCL UK Lab 

Product E 16/09/2009 - 23/09/2010 100% ** WCL UK Lab 

TEST 2 - Windows Server Enterprise 


Kaspersky Anti Virus 8.0 20/09/2010 - 23/09/2010 99.68% WCL USA Lab 

Product Performance Average* 99.54% WCL USA Lab 

Product A 20/09/2010 - 23/09/2010 99.45% WCL USA Lab 

Product B 20/09/2010 - 23/09/2010 99.50% WCL USA Lab 

Product C 20/09/2010 - 23/09/2010 99.36% WCL USA Lab 

Product D 20/09/2010 - 23/09/2010 99.69% WCL USA Lab 

Product E 20/09/2010 - 23/09/2010 99.57% WCL USA Lab 

TEST 3 - Linux 


Kaspersky Anti Virus 8.0 05/10/2010 - 08/10/2010 99.95% WCL USA Lab 

Product Performance Average* 99.59% WCL USA Lab 

Product A 05/10/2010 - 08/10/2010 99.64% WCL USA Lab 

Product B 05/10/2010 - 08/10/2010 99.24% WCL USA Lab 

Product C 05/10/2010 - 08/10/2010 99.40% WCL USA Lab 

Product D 05/10/2010 - 08/10/2010 99.80% WCL USA Lab 

Product E 05/10/2010 - 08/10/2010 99.53% WCL USA Lab 

TEST 4 - Lotus Domino 


Kaspersky Anti Virus 8.0 06/10/2010 - 10/10/2010 100% ** WCL UK Lab 

Product Performance Average* 100%** WCL UK Lab 


Product B 06/10/2010 - 10/10/2010 100% ** WCL UK Lab 

Product C 06/10/2010 - 10/10/2010 100% ** WCL UK Lab 

Product D 06/10/2010 - 10/10/2010 100% ** WCL UK Lab 

Product E 06/10/2010 - 10/10/2010 100% ** WCL UK Lab 

TEST 5 - ISA Server (Forefront TMG) 


Kaspersky Anti Virus 8.0 14/10/2010 - 19/10/2010 99% ** WCL UK Lab 


*Defined as the performance average of the products included in the tests, which are deemed to be leading solutions in their own rights. 

** Samples used in these tests are those found to be in circulation on West Coast Labs’ SMTP malware feeds immediately prior to the 

commencement of testing. Although appearing unusual, the 100% detection rates are indicative of two key facts. Firstly, the paranoid 

behaviour of email protection systems and the degree of protection extended to vital communication systems such as these, Secondly, this 

reflects the changing nature of attempts to compromise end users over this vector. Whilst executables and binaries travelling over this 

vector are still highly prevalent, they are becoming less diverse, there are not as many frequent outbreaks of email‐based malware as there 

were and it is becoming more likely to that targeted accounts will receive phishing emails and links to websites rather than files. 

Page 16 of 40



Checkmark Product Testing and Certification 

The Checkmark Certification System is recognised globally as probably the most 

comprehensive independent functionality and performance validation program of 

its kind. 

With three tiers of certification – Baseline, Dynamic and Real Time testing – vendors 

have the opportunity to commit to the System at a level that suits the performance 

of their products and services in the real-world. 

The Baseline certifications comprise a series of static benchmarking tests that 

measure detection capability against a finite suite of known malware threats. 

Whereas the addition of Dynamic and Real Time testing transforms this certification 

program into a threefold process that results in the most complete evaluation of an 

Anti-Malware vendor’s products available. 

• Static Testing – baseline tests that measure detection capabilities against 

known threats. 

• Dynamic Testing – measures product performance in relation to malware 

executing as end users and corporations experience them in the real world . 

• Real Time Testing – measures critical performance characteristics in a network 

environment 24x7x365. The testing provides results in metrics including; 

performance in relation to time, attack vectors, heuristic behavior analysis, 

signature update and vendor research effectiveness. 

The combination of these three, distinct test programs provide the highest level 

certification of product performance available. 

Page 17 of 40



Checkmark Product Testing and Certification 

All the Kaspersky Lab products that form part of this test program 

are registered in the Checkmark System for all three levels of 

testing – Baseline, Dynamic (where appropriate) and Real Time. 

www.westcoastlabs.com 

In Real Time, the products are 

tested 24x7x365 against live 

malware in a range of attack vectors are relevant to 

each product. These include FTP, HTTP, P2P, SMTP and 

Malicious Web Sites. Given the nature of the Real Time 

testing program and the fact that it is probably the most 

rigorous product performance validation of its kind, the 

products registered for Real Time testing are eligible for 

the Checkmark Platinum Product 

Award. Far more than just a measure 

of product performance it also acts as recognition of the 

vendor’s commitment to the highest level of independent 

product validation and a measure of the vendor’s responsiveness 

to emerging threats. 

The Kaspersky Lab products holding the Checkmark Platinum Product Awards are: 

• Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition 

• Kaspersky Anti-Virus 8.0 for Linux File Server 

• Kaspersky Anti-Virus 8.0 for Lotus Domino 

• Kaspersky Anti-Virus 6.0 for Windows Workstations 

• Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition 

• Kaspersky Security 8.0 for Microsoft Exchange Server 

• Kaspersky Endpoint Security 8 for Linux 

Page 18 of 40



Kaspersky Lab Certifications in Checkmark 

Checkmark Certification Profile for Kaspersky Lab 

Awards 

Checkmark Certifications Anti Virus Anti Virus Trojan Spyware Anti Anti Anti Malware 

Detection Disinfection Malware Spam Dynamic 

Kaspersky Lab Applications 

Kaspersky Anti Virus 8.0 for Windows Servers Enterprise x x x x 

Kaspersky Anti Virus 8.0 for Linux File Servers x x x x 

Kaspersky Anti Virus 8.0 for Lotus Domino x x x x 

Kaspersky Anti Virus 8.0 for ISA/TMG x x x x 

Kaspersky Security 8.0 for Exchange x x x x x 

Kaspersky Anti Virus 6.0 for Windows Workstations 

Windows XP x x x x x x 

Windows Vista x x x x x x 

Windows 7 x x x x x x 

Kaspersky Endpoint Security 8 for Mac 

x 

Kaspersky Endpoint Security 8 for Linux x x x x x 

Kaspersky Anti Spam 

x 

Awards 

Checkmark Certifications Real Time Real Time Real Time Real Time Real Time Real Time 

FTP HTTP SMTP P2P Mal URL Spam 

Kaspersky Lab Applications 

Kaspersky Anti Virus 8.0 for Windows Servers Enterprise x x 

Kaspersky Anti Virus 8.0 for Linux File Servers x x 

Kaspersky Anti Virus 8.0 for Lotus Domino 

x 

Kaspersky Anti Virus 8.0 for ISA/TMG x x x x x 

Kaspersky Security 8.0 for Exchange x x 

Kaspersky Anti Virus 6.0 for Windows Workstations 

Windows XP x x x 

Windows Vista x x x 

Windows 7 x x x 

Kaspersky Endpoint Security 8 for Linux x x 

Page 19 of 40



West Coast Labs’ Conclusion 

In this test programme, Kaspersky Lab products have undergone probably the most 

extensive testing carried out by West Coast Labs against a single corporate solution. 

These tests range from West Coast Lab’s established Checkmark Certification to 

ongoing performance validation the Real Time system and the custom malware 

comparative testing. This programme also includes the first ever product to be 

awarded the Checkmark Anti-Malware Macintosh certification. 

Upon completion of the tests covered in this report it can clearly be seen that 

Kaspersky are offering an extremely competitive and thorough security package to 

businesses and corporate organisations. 

For mail-based systems, Kaspersky recorded a 100% detection rate on both 

Exchange and Lotus against samples which propagate over the SMTP protocol. 

While this is an impressive detection rate, it should be noted that the other vendors 

also recorded the same detection levels*. This should be an indicator to the level of 

importance of email coverage and the perceived threat to business 

communications that is held by the security industry as a whole. 

On file server-type systems, in this case Windows 2008 and Red Hat Enterprise 5, there 

is a differential in detection levels. On the Linux OS, Kaspersky recorded the highest 

detection rate amongst the solutions on test, whilst on the Windows OS Kaspersky 

recorded the second-highest detection rate. It should be noted that the difference 

between first and second in the Windows OS test was just 1/100 th of a percent, thus 

putting Kaspersky above the Industry Average as defined in the test results. 

Page 20 of 40



West Coast Labs’ Conclusion 

From the results of the test programme it can be concluded that not only do the 

Kaspersky solutions offer comparative detection rates to offerings from other 

vendors, it is clear that the level of protection afforded by Kaspersky Labs solutions is 

consistently high across the range of platforms. 

Whether corporate organisations require protection for the desktop environment, a 

file server, Microsoft Exchange email server, an Apple Mac client, or a server running 

Lotus Domino, the Kaspersky Lab performance is consistent throughout. 

Prospective users of Kaspersky Lab products, and specifically those featured in this 

report, can take confidence from the fact that the solutions are rigorously tested on 

an ongoing basis through the Checkmark certification system and the Real Time 

testing programme to ensure independent validation of a consistently high standard 

of product performance. 

*Please see footnote on page 16. 

Page 21 of 40



Appendix 1- Product Feature Set Comparisons 

West Coast Labs were asked to compile a comparative feature list for each of the 

products included in this test. This information has been gathered from freely 

available marketing literature of those companies included in this test. 

As this information is gathered from marketing and other such materials, the 

information contained within the following tables should be taken as a high level 

overview and does not constitute a comparison of those features that were 

examined as part of the extended malware testing. 

Research was carried out during September and October 2010 using the reference 

points detailed on the following pages. 

Page 22 of 40



Page 23 of 40



Page 24 of 40



Page 25 of 40



Page 26 of 40



Page 27 of 40



Product Feature Set Comparison References 

Reference Points for Comparison on Linux - 6 th October 2010 

Symantec Endpoint Protection 

http://www.symantec.com/business/endpoint-protection 

http://www.symantec.com/business/products/newfeatures.jsppcid=pcat_security&pvid=endpt_prot_1 

http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-endpoint_protection_DS_12836807-7.en-us.pdf 

Trend Micro ServerProtect for Linux 

http://us.trendmicro.com/us/products/enterprise/serverprotect-for-linux/ 

http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/serverprotectforlinux/ds07_splx_060308us. 

pdf 

McAfee VirusScan Enterprise 

http://www.mcafee.com/us/enterprise/products/system_security/servers/linuxshield.html 

http://www.mcafee.com/us/local_content/datasheets/ds_virusscan_linux.pdf 

Sophos Endpoint Security 

http://www.sophos.com/products/enterprise/endpoint/security-and-control/linux/ 

http://www.sophos.com/products/enterprise/endpoint/security-and-control/linux/sysreqs.html 

http://www.sophos.com/sophos/docs/eng/factshts/sophos-sav-linux-dsna.pdf 

http://www.sophos.com/products/enterprise/endpoint/security-and-control/management/ 

ESET File Security for Linux/BSD/Solaris 

http://www.eset.com/business/server-security/linux-file 

http://www.eset.com/business/remote-administrator 

Page 28 of 40




Reference Points for Comparison on Lotus Domino - 7 th October 2010 

Symantec Mail Security for Lotus Domino (Multi-platform edition) 

http://www.symantec.com/business/mail-security-for-domino 

http://www.symantec.com/business/products/sysreq.jsppcid=pcat_security&pvid=848_1 

http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-prot_suite_abe_DS_21025217-1.en-us.pdfTrend 

Micro ScanMail 

http://us.trendmicro.com/us/products/enterprise/scanmail-for-lotus-domino/index.html 

http://us.trendmicro.com/us/products/enterprise/scanmail-for-lotus-domino/ system-requirements/index.html 

http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/scanmailforlotusdomino/scanmail_for_lot 

us_domino_datasheet.pdf 

McAfee GroupShield 

http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/security_email_servers.html 

http://www.mcafee.com/us/local_content/datasheets/ds_security_email_servers_domino.pdf 

Sophos E-mail Security 

http://www.sophos.com/products/enterprise/email/security-and-control/lotus-domino/ 

http://www.sophos.com/products/enterprise/email/security-and-control/lotus-domino/sysreqs.html 

http://www.sophos.com/sophos/docs/eng/factshts/sophos-puremessage-lotus-domino-dsna.pdf 

ESET Mail Security for Lotus Domino Server 

http://www.eset.com/business/server-security/domino-mail 

Page 29 of 40




Reference Points for Comparison on Microsoft Exchange Server - 13 th October 2010 

Symantec Mail Security 

http://www.symantec.com/business/mail-security-for-microsoft-exchange 

http://eval.symantec.com/mktginfo/enterprise/fact_sheets/bmail_security_for_microsoft_exchange_DS-1207718- 

3.en-us.pdf 

Trend Micro ScanMail 

http://us.trendmicro.com/us/products/enterprise/scanmail-for-microsoft-exchange/index.html 

http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/scanmailformicrosoftexchange/ds07_sm 

ex10_091021us.pdf 

http://us.trendmicro.com/us/products/enterprise/scanmail-for-microsoft-exchange/system-requirements/index.html 

McAfee GroupShield 

http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/security_email_servers.html 

http://www.mcafee.com/us/local_content/datasheets/ds_security_email_servers_exchange.pdf 

Sophos PureMessage 

http://www.sophos.com/products/enterprise/email/security-and-control/microsoft-exchange/ 

http://www.sophos.com/products/enterprise/email/security-and-control/microsoft-exchange/sysreqs.html 

http://www.sophos.com/sophos/docs/eng/factshts/sophos-puremessage-exchange-dsna.pdf 

ESET Mail Security 4 

http://www.eset.eu/products/eset-mail-security-for-microsoft-exchange-server 

http://www.eset.eu/products/system-requirements-eset-mail-security-for-microsoft-exchange 

http://download.eset.com/manuals/ESET_EMSX_4_UserGuide_ENU.pdf 

Page 30 of 40




Reference Points for Comparison on Windows Server Enterprise -16-24 th October 2010 

Symantec Endpoint Protection 

http://www.symantec.com/business/endpoint-protection 16/09/2010 

http://www.symantec.com/business/products/newfeatures.jsppcid=pcat_security&pvid=endpt_prot_1 24/09/2010 

http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-endpoint_protection_DS_12836807-7.en-us.pdf 

24/09/2010 

Trend Micro Officescan server edition 

http://us.trendmicro.com/us/products/enterprise/officescan/ 16/09/2010 

http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/officescan/ds04_os10.5_100603us.pdf 

24/09/2010 

McAfee VirusScan Enterprise and VirusScan for storages 

http://www.mcafee.com/us/enterprise/products/system_security/servers/virusscan_enterprise.html 16/09/2010 

http://www.mcafee.com/us/local_content/datasheets/ds_vse.zip 16/09/2010 

Sophos Endpoint Security 

http://www.sophos.com/products/enterprise/endpoint/security-and-control/ 16/09/2010 

http://www.sophos.com/sophos/docs/eng/factshts/sophos-endpoint-security-and-data-protection-dsna.pdf 

16/09/2010 

http://www.sophos.com/sophos/docs/eng/factshts/sophos-endpoint-security-and-data-protection-rgna.pdf 

24/09/2010 

ESET File Security for Windows File Server 

http://www.eset.com/business/server-security/windows-file23/09/2010 

Page 31 of 40




Reference Points for Comparison on ISA/TMG - 8 th October 2010 

Microsoft Forefront Threat Management Gateway 

http://www.microsoft.com/forefront/threat-management-gateway/en/us/ 

http://www.microsoft.com/forefront/threat-management-gateway/en/us/overview.aspx 

http://www.microsoft.com/forefront/threat-management-gateway/en/us/features.aspx 

http://www.microsoft.com/forefront/threat-management-gateway/en/us/system-requirements.aspx 

Page 32 of 40



Malware Test Suites 

West Coast Labs puts considerable effort into ensuring the relevance of samples 

used in testing. 

There are three key components to this process. The company’s research facilities 

continuously monitor the malware attacks and intercept attempts to attack the 

corporate network of a global company with thousands of users spread over 4 

continents. 

WCL also has the advantage of an international system of honeypots, machines 

based in many countries on most continents that sit on open networks waiting to be 

attacked. When attacks occur the malware is intercepted and reported back to a 

central repository, where it is de-duped, checked for corruption and validity, stored 

and can then be used as a sample for testing products. 

In the Real Time Testing System, which forms one component of the Checkmark 

Platinum Product Award, the malware is sent through the test network almost 

immediately and is subsequently considered to be eligible for inclusion in other test 

collections. 

Another method of collection and validation is through honeyclients. Located in 

Europe, Asia and the USA, these are systems designed to trawl the Internet to 

discover “drive-by downloads” (where malware is downloaded in the background 

unknown to the user who is looking at an otherwise perfectly acceptable web site), 

and to download files by visiting these websites and capturing the output. Again, this 

malware is sent through the Real Time system almost immediately and is eligible for 

inclusion in other collections. 

Page 33 of 40




Malware in Real Time Testing 

In Real Time testing and the Checkmark Platinum Product Award programme, both 

new and older malware still circulating (providing that it has been received in the 

recent past) are used, being tested within a few minutes of their arrival at WCL. 

Malware is transmitted through the appropriate attack vectors in which they are 

received – FTP, HTTP, SMTP, Mal URL or P2P. 

Malware in Checkmark Baseline Testing 

WCL’s static Checkmark malware certifications normally use both Real Time samples 

and also slightly older malware, sometimes derived from sources such as the Wildlist 

but usually being malware that was received in recent months and chosen from the 

most prevalent receipts. 

Malware in Custom Testing 

For a custom test larger quantities of malware are used, including some older 

malware to verify that the users are still protected against historical samples, and 

showing no bias in favour of or against any particular product under test, including 

any regional bias (unless the terms of the test so require). It is necessary to have a 

balance of malware from around the world because a predominance of malware 

obtained in one area of the world will discriminate against those companies with less 

exposure to that market. This is ensured through WCL’s corporate network research 

plus receipts from WCL’s honeypot and honeyclient networks across the globe. 

Page 34 of 40




With so much new malware appearing each day, it is necessary to concentrate on 

that malware that is most frequently found (or prevalent), and that attacks via the 

methods protected by the system under test; it is, for example, pointless sending 

“drive-by” malware through an email security product - it would never normally be 

spread by email and so the product will never be expected to deal with it. 

It is also important to make certain that the malware used reflects what users are 

genuinely seeing. Older malware endures in the real world for years after its 

appearance, and products must therefore maintain defences against it. It is 

tempting to reduce system overheads by removing older definitions, but this must 

not be done if the user is then left at risk. All WCL’s static collections therefore 

include an element of malware that is not new but that is still bombarding 

honeypots and users’ systems, to confirm that protection against it is still effective. 

There are many sorts of malware, including (though not exclusively) viruses of a 

number of types, worms (spreading both by email and across networks), bots, 

downloaders, backdoors, Trojans and keyloggers. The Checkmark certifications 

divide them into three large groups, Trojans, Spyware and Viruses. Real Time testing 

covers any malware using the diffusion methods under test, and a custom test will 

include whatever may be required by the specifications of the test. 

The collation of West Coast Labs’ test suites also includes a number of processes 

ensuring that samples used are viable, valid and appropriate – any samples found 

to be unusable are discarded unless there is a specific reason for them being in the 

test suite, for example, testing against samples reported as corrupted. 

Page 35 of 40




Kaspersky Labs Comparative Test Project 

For this particular custom test, testing takes place in five different operating 

environments, namely Microsoft Exchange, Lotus Domino, MS ISA (TMG 2010) Server, 

Windows Server Enterprise Edition and Linux File Servers. The main test suite is divided 

into separate sub-suites used for each environment (although some sub-suites are 

used more than once). 

For both Microsoft Exchange and Lotus Domino, the main component of the test 

suite is a group of malware that spreads itself via SMTP. Of course, many different 

files and types of malware can be attached to emails, and therefore the test suite 

also includes malware gathered internationally that can be sent by email. Types of 

malware used in this part of the test include viruses, bots, Trojans, and especially 

those worms designed to spread by email, all of which have been found in the email 

intercepts delivered to WCL. 

Windows Server Enterprise Edition acts as a network server and repository and so the 

appropriate test sub-suites include not only those sub-suites as used elsewhere but 

also network worms as being the malware most likely to infect and spread via these 

environments. 

MS ISA Server acts as a network edge gateway and so the suites considered when 

testing this include a wide range of malware concentrating on network traffic 

including HTTP, FTP, and Peer to Peer malware as well as network worms – malware 

transported by the sort of traffic flow that would be associated with a corporate 

network. 

Page 36 of 40




Linux has a small selection of malware especially designed to run in that 

environment, but also needs to recognise Windows malware; although this cannot 

run natively in this environment, many companies include both Windows and Linux 

machines on the same networks and any failure to recognise Windows malware 

might lead to infection of central or shared servers and leave the whole network 

vulnerable. For this reason the test sub-suites used in this environment include Linux 

malware but also Windows malware as used in some of the other tests. 

Page 37 of 40



West Coast Labs Disclaimer 

While West Coast Labs is dedicated to ensuring the highest standard of security 

product testing in the industry, it is not always possible within the scope of any given 

test to completely and exhaustively validate every variation of the security 

capabilities and/or functionality of any particular product tested and/or guarantee 

that any particular product tested is fit for any given purpose.Therefore, the test 

results published within any given report should not be taken and accepted in 

isolation. 

Potential customers interested in deploying any particular product tested by West 

Coast Labs are recommended to seek further confirmation that the said product will 

meet their individual requirements, technical infrastructure and specific security 

considerations.All test results represent a snapshot of security capability at one point 

in time and are not a guarantee of future product effectiveness and security 

capability. 

West Coast Labs provide test results for any particular product tested, most relevant 

at the time of testing and within the specified scope of testing and relative to the 

specific test hardware, software, equipment, infrastructure, configurations and tools 

used during the specific test process. 

West Coast Labs is unable to directly endorse or certify the overall worthiness and 

reliability of any particular product tested for any given situation or deployment. 

Page 38 of 40



Revision History 

Issue Description of Changes Date Issued 

1.0 Test Report Version 1.0 29/10/2010 

Page 39 of 40

USA SALES 



T +1 (949) 870 3250 

EUROPE SALES 

T +44 (0) 2920 548400 

CHINA, KOREA, JAPAN, TAIWAN SALES 

T +86 1 343 921 7464 

REST OF THE WORLD SALES 

T +44 (0) 2920 548400 

CORPORATE OFFICES AND TEST FACILITIES 

US Headquarters and Test Facility 

West Coast Labs 

16842 Von Karman Avenue, Suite 125, 

Irvine, California, CA92606, USA 

T +1 (949) 870 3250, F +1 (949) 251 1586 

European Headquarters and Test Facility 

West Coast Labs 

Unit 9, Oak Tree Court, Mulberry Drive 

Cardiff Gate Business Park, Cardiff CF23 8RS, UK 

T +44 (0) 2920 548400, F +44 (0) 2920 548401 

Asia Headquarters and Test Facility 

A2/9 Lower Ground floor, Safdarjung Enclave, 

Main Africa Avenue Road, New Delhi 110 029, India. 

T +91 (0) 11 4602 0622, F +44 (0) 11 4602 0633 

E info@westcoast.com 

W www.westcoastlabs.com 

Page 40 of 40

Platinum Product Test Report Kaspersky Lab Anti ... - West Coast Labs

Create successful ePaper yourself

Delete template?

Save as template?