Platinum Product Test Report Kaspersky Lab Anti ... - West Coast Labs
TEST REPORT December 2010<br />
Kaspersky Lab<br />
Performance Validation Testing<br />
Kaspersky Corporate Solutions<br />
Kaspersky Lab Product Performance Validation Testing & Certification<br />
Commissioning Vendor<br />
Kaspersky Lab, 97 Milton Park, Abingdon, Oxon, OX14 4RY, UK.<br />
WCL Corporate Offices and Test Facilities<br />
USA Headquarters and Test Facility<br />
West Coast Labs, 16842 Von Karman Avenue, Suite 125, Irvine, CA 92606, U.S.A. Tel: +1 (949) 870 3250, Fax: +1 (949) 251 1586<br />
European Headquarters and Test Facility<br />
West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, Cardiff, CF23 8RS, UK. Tel: +44 (0) 29 2054 8400, Fax: +44 (0) 29 2054 8401<br />
Asia Headquarters and Test Facility<br />
West Coast Labs, A2/9 Lower Ground Floor, Safdarjung Enclave, Main Africa Avenue Road, New Delhi 110 029, India. Tel: +91 (0) 11 4602 0622, Fax: +91 (0) 11 4602 0633<br />
Date: 8th December 2010 Version: 1.0<br />
Authors: Richard Thomas, Lysa Myers, Michael Parsons, Matt Garrad, Mark Thomas, Chris Thomas<br />
Page 2 of 40
Contents<br />
Changing Malware Threats in Corporate Networks 4<br />
Test Objectives 9<br />
Comparative Product Testing 11<br />
Test Network 12<br />
Test Methodology 14<br />
Test Results 16<br />
Checkmark Product Testing and Certification 17<br />
Baseline and Static Certification Testing<br />
Dynamic Testing and Certification<br />
Real Time Product Testing and Certification<br />
Kaspersky Lab Certifications in Checkmark 19<br />
West Coast Labs’ Conclusion 20<br />
Appendix<br />
Product Feature Set Comparisons 22<br />
Malware Test Suites 33<br />
Disclaimer 38<br />
Revision History 39<br />
Changing Malware Threats in Corporate Networks<br />
The evolution of Malware, Security Technologies and Services<br />
By Lysa Myers, director of research, West Coast Labs.<br />
There are few who are unaware of the malware landscape changing since the release of the first few viruses decades ago. But it seems there are just as few people outside the computer security industry who understand the nature of that change. No longer is malware as ethereal a threat as an urban legend, and no longer is the virus outbreak of the day making the evening news. Threats now come not by ones and twos but by the many tens of thousands each day, with the known total hovering in the tens of millions. And threats come quietly, remaining as far below the radar as possible to maximize their stay on an affected machine. Corporations are now victims of targeted attacks as well as the regular masses of malware, and have specific needs for the protection of corporate information assets.<br />
While malware activity has increased, security budgets certainly have not. Many corporate security staff find themselves facing a tidal wave of new threats without extra personnel or resources. They need security software to work faster, harder and require less manual interaction while providing detailed reports as to what actions have been taken. Machines which are infected need to be cleaned completely so as to get systems back up and running quickly and painlessly. Anti-Malware software is only as good as its research and support departments. They are vital in order to have excellent response times to new threats and to provide top-notch customer assistance. As focus in corporate networks shifts away from the desktop into mobile, cloud and virtual computing resources, security software needs to protect these environments too.<br />
The way malware spreads has also changed – there is less concern for infecting oneself with a floppy disk (how many of us even have a floppy disk drive now?) or via poorly worded and spelled mass-mailer viruses. When malware authors discovered there was profit to be had in spreading their malicious wares, they began to take many of the tactics used by Search Engine Optimizers and improved their social engineering craft, placing files where people were most likely to run across them. Consequently, the Web is now where the majority of people become infected with malware and, given the extent to which the internet is such an integral part of all corporations’ business activities, the Web is a potent threat vector. Companies’ websites are regularly targeted for defacement or infected to spread malware to the site’s visitors.<br />
Given that the Internet is operating system agnostic and because current scripting languages allow for queries of the specific browser version of each visitor, malware can be spread in a manner which infects any particular visitor. In the last few years, this has been a tactic which has proved increasingly popular with malware authors, increasing their reach as the market share of new technology increases.<br />
Obviously, anti-malware products had to change with the times as the onslaught of malware has increased and the tactics of malware authors have shifted. The first anti-malware products were designed strictly as signature scanners, which only ran when a user specifically initiated a scan. In short order, this was changed to allow the scanner to run continuously in the background so that each file was examined as it was accessed, without users having to think about it. This approach has become more widespread over time, so that products require little interaction – users can automatically have the most up-to-date protection running at all times.<br />
Another thing which has changed with the times is the complexity of the scanning processes. No longer are anti-malware products simply signature-based scanners. They now include advanced heuristic technologies and generic signatures which can proactively detect new variants of existing families and new malware families. The best products include a variety of security features such as web or spam filtering, behavioural analysis or a firewall technology which can help protect against brand new threats. With these new, intensive scanning technologies, vendors have come up with many ways to decrease the overall processing load, so that scanning will not noticeably decrease access times or interrupt workflow.<br />
As both the malware landscape and anti-malware products have changed, so has the security testing industry. When products under test were updated periodically, used on-demand scanning and the total known malware was in the thousands, it made sense to have only a single pass or fail test which was performed a few times a year over a static test-bed of samples. This is no longer the reality of the current user experience. While it can be a meaningful baseline test of anti-malware functionality, it is far from a complete picture of overall product performance.<br />
In order to accurately reflect a user’s experience with malware, it is important to gather the full spectrum of malware from a variety of sources from throughout the internet, which circulate on various protocols. This means including not just email-based malware, but malicious files on P2P networks, as well as on the Web and other attack vectors. Because malware does not stop when the work day ends, nor does it recognize geographic boundaries, threats must be collected all day from around the world.<br />
As anti-malware products have begun to include more wide-ranging technologies, including ones which are initiated upon execution of a file, testing must incorporate dynamic functionality by running threats on test machines. This naturally takes more time than scanning an immobile directory of files, so one must take care to select the most relevant sample set which a customer is most likely to encounter. This takes into account not just prevalence, but the popularity of the attack vector on which it is spread, potential for damage on an infected system, as well as geography.<br />
Malware authors are always abreast of technology trends – how people share their information, how they share files. At West Coast Labs we’ve already begun to see an increase of attacks on things like digital picture frames, USB thumb drives, mobile phones and on popular Web 2.0 sites. So, suffice to say, if you know a few people who use one or other or all – malware authors are looking to exploit them for financial gain. Likewise, anti-malware vendors are developing technologies to protect them and testers like West Coast Labs are developing methodologies to mirror the user’s risk and potential infection experience. In order to keep up to date on the evolving malware landscape, one need only see which new widgets are being used in home and business network environments.<br />
But in the corporate world, keeping updated on the latest threats and technologies is not enough – TCO and ROI need to be considered. How well do advanced technologies proactively detect? How quickly are new threats added? How is customer support response? How easily can the solution be managed remotely? How much CPU time is used for scanning? To find the answers to many of these questions, take a look at product performance data from leading independent test organisations such as West Coast Labs and the performance validation programmes they deliver – such as Real Time Testing.<br />
You can also take a close look at how individual vendors are responding to the changing threat landscape and the implications for the security of corporate networks. Nowadays, vendors are defining ‘Protection’ differently. No longer is it just product performance-related but also related to business and customer service issues, delivering a higher value overall service to meet not just security, but also business needs.<br />
When considering product performance in a corporate network environment, ‘Protection’ is more than current malware detection capabilities; it’s also about the extent of a vendor’s product research and development strategy that anticipates threats and trends to ensure proactive network protection. It can be further defined as the extent to which malware protection is delivered for a multi-platform infrastructure through efficient and easily managed solutions with wide interoperability capabilities. ‘Protection’ is also about the extent to which business interests are protected through vendor service strategies that now include optimised and cost-effective security plans tailored to individual corporations’ needs for maximising business productivity, lowering the total cost of ownership and maximising the return on investment. Also, given that corporations are operating in a worldwide ‘e-economy’, all this needs to be supported by trusted and responsive global support plans.<br />
Yes, the threat landscape is continuing to evolve with new malware threats spawned at an alarming rate, but no longer is malware protection and information security in general just a technical issue - it is a business issue. That is why vendors’ product and service solutions are evolving to suit these changing needs and West Coast Labs is developing independent product performance programmes that ensure that these products and services are tested and validated accordingly.<br />
The Test Objectives<br />
Kaspersky Lab commissioned West Coast Labs to carry out the following testing:<br />
• Checkmark Certification for the Baseline, Dynamic and Real Time testing programme on seven corporate security solutions:<br />
o Kaspersky Security 8.0 for Exchange Servers<br />
o Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition<br />
o Kaspersky Anti-Virus 8.0 for Linux File Server<br />
o Kaspersky Anti-Virus 8.0 for Lotus Domino<br />
o Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition<br />
o Kaspersky Endpoint Security 8 for Mac<br />
o Kaspersky Endpoint Security 8 for Linux<br />
• Comparative testing of selected Kaspersky products against a range of competitor products in a “static” test environment (see following page).<br />
• A comparison of product feature sets using publicly available information on vendor websites and marketing collateral.<br />
The Kaspersky Lab applications included in the test program are:<br />
o Kaspersky Security 8.0 for Exchange Servers<br />
o Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition<br />
o Kaspersky Anti-Virus 8.0 for Linux File Server<br />
o Kaspersky Anti-Virus 8.0 for Lotus Domino<br />
o Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition<br />
o Kaspersky Anti-Virus 6.0 for Windows Workstations<br />
• Windows XP<br />
• Windows Vista<br />
• Windows 7<br />
o Kaspersky Endpoint Security 8 for Mac<br />
o Kaspersky Endpoint Security 8 for Linux<br />
A comprehensive list of all Kaspersky Lab Checkmark Certifications and Checkmark Platinum Product Awards can be found on page 19.<br />
For the Comparative Testing and the Comparison of Product Feature Sets, five technology groups and a selection of comparable competitor products were identified by Kaspersky Lab. These were purchased in the way that any ordinary corporation would buy them – commercially off the shelf – and are detailed below.<br />
Microsoft Exchange Test: Kaspersky Security 8.0; Symantec Mail Security; Trend Micro ScanMail; McAfee GroupShield; Sophos E-mail Security; ESET Mail Security<br />
Lotus Domino Test: Kaspersky Anti-Virus 8.0; Symantec Mail Security; Trend Micro ScanMail; McAfee GroupShield; Sophos E-mail Security; ESET Mail Security<br />
MS ISA Server (replaced by Forefront TMG 2010) Test: Kaspersky Anti-Virus 8.0; Forefront TMG 2010<br />
Windows Server Test: Kaspersky Anti-Virus 8.0; Symantec Endpoint Protection; Trend Micro Officescan server edition; McAfee VirusScan Enterprise and VirusScan for storages; Sophos Endpoint security; ESET File Security<br />
Linux Test: Kaspersky Anti-Virus 8.0; Symantec Endpoint Protection; Trend Micro ServerProtect; McAfee VirusScan Enterprise; Sophos Endpoint security; ESET File Security<br />
Comparative Product Testing<br />
The comparative testing comprised a basic evaluation of each product’s malware detection capability in a static test environment. WCL built a test suite of 100,000 live malware samples* from its own independent resources that covered all appropriate attack vectors.<br />
Each solution was installed to a server running the appropriate and commonly supported Operating System and software detailed in the next section of this report. During installation, all default values were kept and, where a choice was required, the course of action recommended by the solution and/or the attendant product documentation was adhered to.<br />
Each solution was updated to the latest available definition, engine, and signature releases before a forensic image was taken and stored for later use. Updates were allowed during the test period through any normal scheduled and automatically enabled update mechanism present in the product, and a further forensic image was taken on the last day of testing for each combination of products.<br />
Each solution was tested against an appropriate test set extracted from the 100,000 samples mentioned above and made up of real-world, “solution capability specific” samples taken from West Coast Labs’ collections, including samples received in the West Coast Labs Global Honeypot Network. For example, the Exchange-based solutions were tested against malware known to propagate over email. Test sets and the methodologies were constructed so as to mirror the experience of a real-life installation as far as possible and not to advantage any one vendor over the others.<br />
*For a description of the malware used in this test programme, refer to Appendix 1 of this report.<br />
Comparative Product Testing – Test Network<br />
Testing was carried out on distinct networks which comprised the various server and client machines needed to run the respective technologies and operating systems. In order to provide a balanced reporting process, West Coast Labs recommended that all client machines should run Windows XP with Service Pack 3 and that server platforms ran the highest OS version commonly supported across each of the solutions.<br />
In some cases this meant that they may not have been running on the latest version of a particular operating system, but this method meant that any testing carried out was more directly comparable. Details of the highest levels of common operating systems per component available at the time of testing are as follows:<br />
Network 1 – Microsoft Exchange<br />
This network comprised 12 systems – 6 desktops and 6 servers (one of each for each solution). Each of the desktop machines was paired with a server system in order to allow an Exchange Server and Outlook client configuration.<br />
Server OS: Windows 2003 Server 64 bit, Exchange Release: 2007 64 bit.<br />
Network 2 – Windows Server<br />
This network comprised 12 systems – 6 desktops and 6 servers (one of each for each solution). Each of the desktop machines was paired with a server system in order to allow a server/client configuration.<br />
Server OS: Windows 2008 64 bit<br />
Network 3 – Linux<br />
This network comprised 6 systems running the Red Hat Enterprise release 5 version of Linux.<br />
Network 4 – Lotus Domino<br />
This network comprised 12 systems – 6 desktops and 6 servers (one of each for each solution). Each of the desktop machines was paired with a server system in order to allow a Lotus Domino server and Lotus Notes client configuration.<br />
Server OS: Windows 2003 32 bit, Lotus Domino Release: R8<br />
Network 5 – Microsoft ISA Server (Forefront TMG 2010)<br />
This network comprised 4 systems – 2 desktops and 2 servers (one of each for each solution). Each of the desktop machines was paired with a server system in order to allow a server/client configuration.<br />
Server OS: Windows 2008 64 bit, Forefront TMG 2010<br />
Supporting these five networks there were a number of servers designed to collect data from each of the tests, along with desktop machines to act as remote points of control and for test management.<br />
Comparative Product Testing – Test Methodology<br />
In each test case, the protocol most likely to be used was employed to test the solutions – these are detailed below.<br />
Microsoft Exchange testing: Testing was conducted on an “On Access” basis. All samples were sent via email from accounts on a real-life, resolvable domain owned and controlled by West Coast Labs to the products under test over a live internet connection, with appropriate firewall rules in place to allow only communication between the hosts used in the testing. This enabled West Coast Labs to report on those emails that were stopped at the Exchange Server and track those emails that were bounced to allow for resending, to ascertain the gateway protection offered.<br />
Windows Server testing: Testing was conducted on an “On Demand” basis. All samples were copied on to the appropriate server in a number of directories. The solution under test was asked to scan the server Operating System to report any infections it found.<br />
Linux testing: Testing was conducted on an “On Demand” basis. All samples were copied on to the appropriate server in a number of directories. The solution under test was asked to scan the server Operating System to report any infections it found.<br />
Lotus Domino testing: Testing was conducted on an “On Access” basis. All samples were sent via email from accounts on a real-life, resolvable domain owned and controlled by West Coast Labs to the products under test over a live internet connection, with appropriate firewall rules in place to allow only communication between the hosts used in the testing. This enabled West Coast Labs to report on those emails that were stopped at the Domino Server and track those emails that might get bounced to allow for resending, to ascertain the gateway protection offered.<br />
ISA Server/Forefront TMG testing: Testing was conducted on an “On Access” basis. All samples were provided from a real-life resolvable web and FTP server on a domain wholly owned and controlled by West Coast Labs. Attempts were made to download the samples over a live internet connection using HTTP and FTP, with appropriate firewall rules in place to allow only communication between the hosts used in the testing, to ascertain the gateway protection offered.<br />
Comparative Product Testing – Test Results<br />
Malware Detection Test Results<br />
TEST 1 - Microsoft Exchange (Total Malware Samples - 8042)<br />
Product | Test Date | Detection Rate | Test Location<br />
Kaspersky Security 8.0 | 16/09/2009 - 23/09/2010 | 100% ** | WCL UK Lab<br />
Product Performance Average* | | 100% ** | WCL UK Lab<br />
Product A | 16/09/2009 - 23/09/2010 | 100% ** | WCL UK Lab<br />
Product B | 16/09/2009 - 23/09/2010 | 100% ** | WCL UK Lab<br />
Product C | 16/09/2009 - 23/09/2010 | 100% ** | WCL UK Lab<br />
Product D | 16/09/2009 - 23/09/2010 | 100% ** | WCL UK Lab<br />
Product E | 16/09/2009 - 23/09/2010 | 100% ** | WCL UK Lab<br />
TEST 2 - Windows Server Enterprise (Total Malware Samples - 25640)<br />
Product | Test Date | Detection Rate | Test Location<br />
Kaspersky Anti Virus 8.0 | 20/09/2010 - 23/09/2010 | 99.68% | WCL USA Lab<br />
Product Performance Average* | | 99.54% | WCL USA Lab<br />
Product A | 20/09/2010 - 23/09/2010 | 99.45% | WCL USA Lab<br />
Product B | 20/09/2010 - 23/09/2010 | 99.50% | WCL USA Lab<br />
Product C | 20/09/2010 - 23/09/2010 | 99.36% | WCL USA Lab<br />
Product D | 20/09/2010 - 23/09/2010 | 99.69% | WCL USA Lab<br />
Product E | 20/09/2010 - 23/09/2010 | 99.57% | WCL USA Lab<br />
TEST 3 - Linux (Total Malware Samples - 25640)<br />
Product | Test Date | Detection Rate | Test Location<br />
Kaspersky Anti Virus 8.0 | 05/10/2010 - 08/10/2010 | 99.95% | WCL USA Lab<br />
Product Performance Average* | | 99.59% | WCL USA Lab<br />
Product A | 05/10/2010 - 08/10/2010 | 99.64% | WCL USA Lab<br />
Product B | 05/10/2010 - 08/10/2010 | 99.24% | WCL USA Lab<br />
Product C | 05/10/2010 - 08/10/2010 | 99.40% | WCL USA Lab<br />
Product D | 05/10/2010 - 08/10/2010 | 99.80% | WCL USA Lab<br />
Product E | 05/10/2010 - 08/10/2010 | 99.53% | WCL USA Lab<br />
TEST 4 - Lotus Domino (Total Malware Samples - 8042)<br />
Product | Test Date | Detection Rate | Test Location<br />
Kaspersky Anti Virus 8.0 | 06/10/2010 - 10/10/2010 | 100% ** | WCL UK Lab<br />
Product Performance Average* | | 100% ** | WCL UK Lab<br />
Product A | 06/10/2010 - 10/10/2010 | 100% ** | WCL UK Lab<br />
Product B | 06/10/2010 - 10/10/2010 | 100% ** | WCL UK Lab<br />
Product C | 06/10/2010 - 10/10/2010 | 100% ** | WCL UK Lab<br />
Product D | 06/10/2010 - 10/10/2010 | 100% ** | WCL UK Lab<br />
Product E | 06/10/2010 - 10/10/2010 | 100% ** | WCL UK Lab<br />
TEST 5 - ISA Server (Forefront TMG) (Total Malware Samples - 18680)<br />
Product | Test Date | Detection Rate | Test Location<br />
Kaspersky Anti Virus 8.0 | 14/10/2010 - 19/10/2010 | 99% ** | WCL UK Lab<br />
Product A | 14/10/2010 - 19/10/2010 | 99% ** | WCL UK Lab<br />
*Defined as the performance average of the products included in the tests, which are deemed to be leading solutions in their own right.<br />
** Samples used in these tests are those found to be in circulation on West Coast Labs’ SMTP malware feeds immediately prior to the commencement of testing. Although appearing unusual, the 100% detection rates are indicative of two key facts. Firstly, the paranoid behaviour of email protection systems and the degree of protection extended to vital communication systems such as these. Secondly, this reflects the changing nature of attempts to compromise end users over this vector. Whilst executables and binaries travelling over this vector are still highly prevalent, they are becoming less diverse, there are not as many frequent outbreaks of email-based malware as there were, and it is becoming more likely that targeted accounts will receive phishing emails and links to websites rather than files.<br />
Checkmark Product Testing and Certification<br />
The Checkmark Certification System is recognised globally as probably the most comprehensive independent functionality and performance validation program of its kind.<br />
With three tiers of certification – Baseline, Dynamic and Real Time testing – vendors have the opportunity to commit to the System at a level that suits the performance of their products and services in the real world.<br />
The Baseline certifications comprise a series of static benchmarking tests that measure detection capability against a finite suite of known malware threats. The addition of Dynamic and Real Time testing transforms this certification program into a threefold process that results in the most complete evaluation of an Anti-Malware vendor's products available.<br />
• Static Testing – baseline tests that measure detection capabilities against known threats.<br />
• Dynamic Testing – measures product performance in relation to malware executing as end users and corporations experience it in the real world.<br />
• Real Time Testing – measures critical performance characteristics in a network environment 24x7x365. The testing provides results in metrics including: performance in relation to time, attack vectors, heuristic behaviour analysis, signature update and vendor research effectiveness.<br />
The combination of these three distinct test programs provides the highest level of certification of product performance available.<br />
All the Kaspersky Lab products that form part of this test program are registered in the Checkmark System for all three levels of testing – Baseline, Dynamic (where appropriate) and Real Time.<br />
In Real Time, the products are tested 24x7x365 against live malware in a range of attack vectors that are relevant to each product. These include FTP, HTTP, P2P, SMTP and Malicious Web Sites. Given the nature of the Real Time testing program and the fact that it is probably the most rigorous product performance validation of its kind, the products registered for Real Time testing are eligible for the Checkmark Platinum Product Award. Far more than just a measure of product performance, it also acts as recognition of the vendor's commitment to the highest level of independent product validation and a measure of the vendor's responsiveness to emerging threats.<br />
The Kaspersky Lab products holding the Checkmark Platinum Product Awards are:<br />
• Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition<br />
• Kaspersky Anti-Virus 8.0 for Linux File Server<br />
• Kaspersky Anti-Virus 8.0 for Lotus Domino<br />
• Kaspersky Anti-Virus 6.0 for Windows Workstations<br />
• Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition<br />
• Kaspersky Security 8.0 for Microsoft Exchange Server<br />
• Kaspersky Endpoint Security 8 for Linux<br />
Kaspersky Lab Certifications in Checkmark<br />
Checkmark Certification Profile for Kaspersky Lab<br />
Awards<br />
Checkmark Certifications (columns): Anti Virus Detection, Anti Virus Disinfection, Trojan, Spyware, Anti Malware, Anti Spam, Anti Malware Dynamic (x = certification held; column alignment of the marks was lost in extraction)<br />
Kaspersky Lab Applications<br />
Kaspersky Anti Virus 8.0 for Windows Servers Enterprise x x x x<br />
Kaspersky Anti Virus 8.0 for Linux File Servers x x x x<br />
Kaspersky Anti Virus 8.0 for Lotus Domino x x x x<br />
Kaspersky Anti Virus 8.0 for ISA/TMG x x x x<br />
Kaspersky Security 8.0 for Exchange x x x x x<br />
Kaspersky Anti Virus 6.0 for Windows Workstations<br />
Windows XP x x x x x x<br />
Windows Vista x x x x x x<br />
Windows 7 x x x x x x<br />
Kaspersky Endpoint Security 8 for Mac x<br />
Kaspersky Endpoint Security 8 for Linux x x x x x<br />
Kaspersky Anti Spam x<br />
Awards<br />
Checkmark Certifications (columns): Real Time FTP, Real Time HTTP, Real Time SMTP, Real Time P2P, Real Time Mal URL, Real Time Spam (x = certification held; column alignment of the marks was lost in extraction)<br />
Kaspersky Lab Applications<br />
Kaspersky Anti Virus 8.0 for Windows Servers Enterprise x x<br />
Kaspersky Anti Virus 8.0 for Linux File Servers x x<br />
Kaspersky Anti Virus 8.0 for Lotus Domino x<br />
Kaspersky Anti Virus 8.0 for ISA/TMG x x x x x<br />
Kaspersky Security 8.0 for Exchange x x<br />
Kaspersky Anti Virus 6.0 for Windows Workstations<br />
Windows XP x x x<br />
Windows Vista x x x<br />
Windows 7 x x x<br />
Kaspersky Endpoint Security 8 for Linux x x<br />
West Coast Labs' Conclusion<br />
In this test programme, Kaspersky Lab products have undergone probably the most extensive testing carried out by West Coast Labs against a single corporate solution. These tests range from West Coast Labs' established Checkmark Certification to ongoing performance validation in the Real Time system and the custom malware comparative testing. This programme also includes the first ever product to be awarded the Checkmark Anti-Malware Macintosh certification.<br />
Upon completion of the tests covered in this report it can clearly be seen that Kaspersky are offering an extremely competitive and thorough security package to businesses and corporate organisations.<br />
For mail-based systems, Kaspersky recorded a 100% detection rate on both Exchange and Lotus against samples which propagate over the SMTP protocol. While this is an impressive detection rate, it should be noted that the other vendors also recorded the same detection levels*. This should be taken as an indicator of the importance that the security industry as a whole attaches to email coverage and of the perceived threat to business communications.<br />
On file server-type systems, in this case Windows 2008 and Red Hat Enterprise 5, there is a differential in detection levels. On the Linux OS, Kaspersky recorded the highest detection rate amongst the solutions on test, whilst on the Windows OS Kaspersky recorded the second-highest detection rate. It should be noted that the difference between first and second in the Windows OS test was just 1/100th of a percent, thus putting Kaspersky above the Industry Average as defined in the test results.<br />
From the results of the test programme it can be concluded that not only do the Kaspersky solutions offer detection rates comparable to offerings from other vendors, it is also clear that the level of protection afforded by Kaspersky Lab's solutions is consistently high across the range of platforms.<br />
Whether corporate organisations require protection for the desktop environment, a file server, a Microsoft Exchange email server, an Apple Mac client, or a server running Lotus Domino, the Kaspersky Lab performance is consistent throughout.<br />
Prospective users of Kaspersky Lab products, and specifically those featured in this report, can take confidence from the fact that the solutions are rigorously tested on an ongoing basis through the Checkmark certification system and the Real Time testing programme to ensure independent validation of a consistently high standard of product performance.<br />
*Please see footnote on page 16.<br />
Appendix 1 - Product Feature Set Comparisons<br />
West Coast Labs were asked to compile a comparative feature list for each of the products included in this test. This information has been gathered from the freely available marketing literature of those companies included in this test.<br />
As this information is gathered from marketing and other such materials, the information contained within the following tables should be taken as a high-level overview and does not constitute a comparison of those features that were examined as part of the extended malware testing.<br />
Research was carried out during September and October 2010 using the reference points detailed on the following pages.<br />
Product Feature Set Comparison References<br />
Reference Points for Comparison on Linux - 6th October 2010<br />
Symantec Endpoint Protection<br />
http://www.symantec.com/business/endpoint-protection<br />
http://www.symantec.com/business/products/newfeatures.jsppcid=pcat_security&pvid=endpt_prot_1<br />
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-endpoint_protection_DS_12836807-7.en-us.pdf<br />
Trend Micro ServerProtect for Linux<br />
http://us.trendmicro.com/us/products/enterprise/serverprotect-for-linux/<br />
http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/serverprotectforlinux/ds07_splx_060308us.pdf<br />
McAfee VirusScan Enterprise<br />
http://www.mcafee.com/us/enterprise/products/system_security/servers/linuxshield.html<br />
http://www.mcafee.com/us/local_content/datasheets/ds_virusscan_linux.pdf<br />
Sophos Endpoint Security<br />
http://www.sophos.com/products/enterprise/endpoint/security-and-control/linux/<br />
http://www.sophos.com/products/enterprise/endpoint/security-and-control/linux/sysreqs.html<br />
http://www.sophos.com/sophos/docs/eng/factshts/sophos-sav-linux-dsna.pdf<br />
http://www.sophos.com/products/enterprise/endpoint/security-and-control/management/<br />
ESET File Security for Linux/BSD/Solaris<br />
http://www.eset.com/business/server-security/linux-file<br />
http://www.eset.com/business/remote-administrator<br />
Reference Points for Comparison on Lotus Domino - 7th October 2010<br />
Symantec Mail Security for Lotus Domino (Multi-platform edition)<br />
http://www.symantec.com/business/mail-security-for-domino<br />
http://www.symantec.com/business/products/sysreq.jsppcid=pcat_security&pvid=848_1<br />
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-prot_suite_abe_DS_21025217-1.en-us.pdf<br />
Trend Micro ScanMail<br />
http://us.trendmicro.com/us/products/enterprise/scanmail-for-lotus-domino/index.html<br />
http://us.trendmicro.com/us/products/enterprise/scanmail-for-lotus-domino/system-requirements/index.html<br />
http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/scanmailforlotusdomino/scanmail_for_lotus_domino_datasheet.pdf<br />
McAfee GroupShield<br />
http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/security_email_servers.html<br />
http://www.mcafee.com/us/local_content/datasheets/ds_security_email_servers_domino.pdf<br />
Sophos E-mail Security<br />
http://www.sophos.com/products/enterprise/email/security-and-control/lotus-domino/<br />
http://www.sophos.com/products/enterprise/email/security-and-control/lotus-domino/sysreqs.html<br />
http://www.sophos.com/sophos/docs/eng/factshts/sophos-puremessage-lotus-domino-dsna.pdf<br />
ESET Mail Security for Lotus Domino Server<br />
http://www.eset.com/business/server-security/domino-mail<br />
Reference Points for Comparison on Microsoft Exchange Server - 13th October 2010<br />
Symantec Mail Security<br />
http://www.symantec.com/business/mail-security-for-microsoft-exchange<br />
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/bmail_security_for_microsoft_exchange_DS-1207718-3.en-us.pdf<br />
Trend Micro ScanMail<br />
http://us.trendmicro.com/us/products/enterprise/scanmail-for-microsoft-exchange/index.html<br />
http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/scanmailformicrosoftexchange/ds07_smex10_091021us.pdf<br />
http://us.trendmicro.com/us/products/enterprise/scanmail-for-microsoft-exchange/system-requirements/index.html<br />
McAfee GroupShield<br />
http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/security_email_servers.html<br />
http://www.mcafee.com/us/local_content/datasheets/ds_security_email_servers_exchange.pdf<br />
Sophos PureMessage<br />
http://www.sophos.com/products/enterprise/email/security-and-control/microsoft-exchange/<br />
http://www.sophos.com/products/enterprise/email/security-and-control/microsoft-exchange/sysreqs.html<br />
http://www.sophos.com/sophos/docs/eng/factshts/sophos-puremessage-exchange-dsna.pdf<br />
ESET Mail Security 4<br />
http://www.eset.eu/products/eset-mail-security-for-microsoft-exchange-server<br />
http://www.eset.eu/products/system-requirements-eset-mail-security-for-microsoft-exchange<br />
http://download.eset.com/manuals/ESET_EMSX_4_UserGuide_ENU.pdf<br />
Reference Points for Comparison on Windows Server Enterprise - 16-24th October 2010<br />
Symantec Endpoint Protection<br />
http://www.symantec.com/business/endpoint-protection 16/09/2010<br />
http://www.symantec.com/business/products/newfeatures.jsppcid=pcat_security&pvid=endpt_prot_1 24/09/2010<br />
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-endpoint_protection_DS_12836807-7.en-us.pdf 24/09/2010<br />
Trend Micro OfficeScan server edition<br />
http://us.trendmicro.com/us/products/enterprise/officescan/ 16/09/2010<br />
http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/officescan/ds04_os10.5_100603us.pdf 24/09/2010<br />
McAfee VirusScan Enterprise and VirusScan for Storage<br />
http://www.mcafee.com/us/enterprise/products/system_security/servers/virusscan_enterprise.html 16/09/2010<br />
http://www.mcafee.com/us/local_content/datasheets/ds_vse.zip 16/09/2010<br />
Sophos Endpoint Security<br />
http://www.sophos.com/products/enterprise/endpoint/security-and-control/ 16/09/2010<br />
http://www.sophos.com/sophos/docs/eng/factshts/sophos-endpoint-security-and-data-protection-dsna.pdf 16/09/2010<br />
http://www.sophos.com/sophos/docs/eng/factshts/sophos-endpoint-security-and-data-protection-rgna.pdf 24/09/2010<br />
ESET File Security for Windows File Server<br />
http://www.eset.com/business/server-security/windows-file 23/09/2010<br />
Reference Points for Comparison on ISA/TMG - 8th October 2010<br />
Microsoft Forefront Threat Management Gateway<br />
http://www.microsoft.com/forefront/threat-management-gateway/en/us/<br />
http://www.microsoft.com/forefront/threat-management-gateway/en/us/overview.aspx<br />
http://www.microsoft.com/forefront/threat-management-gateway/en/us/features.aspx<br />
http://www.microsoft.com/forefront/threat-management-gateway/en/us/system-requirements.aspx<br />
Malware Test Suites<br />
West Coast Labs puts considerable effort into ensuring the relevance of samples used in testing.<br />
There are three key components to this process. The company's research facilities continuously monitor malware attacks and intercept attempts to attack the corporate network of a global company with thousands of users spread over 4 continents.<br />
WCL also has the advantage of an international system of honeypots: machines based in many countries on most continents that sit on open networks waiting to be attacked. When attacks occur the malware is intercepted and reported back to a central repository, where it is de-duplicated, checked for corruption and validity, stored, and can then be used as a sample for testing products.<br />
In the Real Time Testing System, which forms one component of the Checkmark Platinum Product Award, the malware is sent through the test network almost immediately and is subsequently considered eligible for inclusion in other test collections.<br />
Another method of collection and validation is through honeyclients. Located in Europe, Asia and the USA, these are systems designed to trawl the Internet to discover "drive-by downloads" (where malware is downloaded in the background, unknown to the user who is looking at an otherwise perfectly acceptable web site), and to download files by visiting these websites and capturing the output. Again, this malware is sent through the Real Time system almost immediately and is eligible for inclusion in other collections.<br />
Malware in Real Time Testing<br />
In Real Time testing and the Checkmark Platinum Product Award programme, both new malware and older malware still circulating (providing that it has been received in the recent past) are used, being tested within a few minutes of their arrival at WCL. Malware is transmitted through the appropriate attack vector in which it was received – FTP, HTTP, SMTP, Mal URL or P2P.<br />
Malware in Checkmark Baseline Testing<br />
WCL's static Checkmark malware certifications normally use both Real Time samples and slightly older malware, sometimes derived from sources such as the WildList but usually being malware that was received in recent months and chosen from the most prevalent receipts.<br />
Malware in Custom Testing<br />
For a custom test larger quantities of malware are used, including some older malware to verify that users are still protected against historical samples, and showing no bias in favour of or against any particular product under test, including any regional bias (unless the terms of the test so require). It is necessary to have a balance of malware from around the world because a predominance of malware obtained in one area of the world will discriminate against those companies with less exposure to that market. This is ensured through WCL's corporate network research plus receipts from WCL's honeypot and honeyclient networks across the globe.<br />
With so much new malware appearing each day, it is necessary to concentrate on the malware that is most frequently found (or prevalent), and that attacks via the methods protected by the system under test; it is, for example, pointless sending "drive-by" malware through an email security product, as it would never normally be spread by email and so the product will never be expected to deal with it.<br />
It is also important to make certain that the malware used reflects what users are genuinely seeing. Older malware endures in the real world for years after its appearance, and products must therefore maintain defences against it. It is tempting to reduce system overheads by removing older definitions, but this must not be done if the user is then left at risk. All WCL's static collections therefore include an element of malware that is not new but that is still bombarding honeypots and users' systems, to confirm that protection against it is still effective.<br />
There are many sorts of malware, including (though not exclusively) viruses of a number of types, worms (spreading both by email and across networks), bots, downloaders, backdoors, Trojans and keyloggers. The Checkmark certifications divide them into three large groups: Trojans, Spyware and Viruses. Real Time testing covers any malware using the diffusion methods under test, and a custom test will include whatever may be required by the specifications of the test.<br />
The collation of West Coast Labs' test suites also includes a number of processes ensuring that samples used are viable, valid and appropriate – any samples found to be unusable are discarded unless there is a specific reason for them being in the test suite, for example, testing against samples reported as corrupted.<br />
Kaspersky Lab Comparative Test Project<br />
For this particular custom test, testing takes place in five different operating environments, namely Microsoft Exchange, Lotus Domino, MS ISA (TMG 2010) Server, Windows Server Enterprise Edition and Linux File Servers. The main test suite is divided into separate sub-suites used for each environment (although some sub-suites are used more than once).<br />
For both Microsoft Exchange and Lotus Domino, the main component of the test suite is a group of malware that spreads itself via SMTP. Of course, many different files and types of malware can be attached to emails, and therefore the test suite also includes malware gathered internationally that can be sent by email. Types of malware used in this part of the test include viruses, bots, Trojans, and especially those worms designed to spread by email, all of which have been found in the email intercepts delivered to WCL.<br />
Windows Server Enterprise Edition acts as a network server and repository, and so the appropriate test sub-suites include not only those sub-suites used elsewhere but also network worms, these being the malware most likely to infect and spread via such environments.<br />
MS ISA Server acts as a network edge gateway, and so the suites considered when testing it include a wide range of malware concentrating on network traffic, including HTTP, FTP and Peer to Peer malware as well as network worms – malware transported by the sort of traffic flow that would be associated with a corporate network.<br />
Linux has a small selection of malware especially designed to run in that environment, but also needs to recognise Windows malware; although this cannot run natively in this environment, many companies include both Windows and Linux machines on the same networks, and any failure to recognise Windows malware might lead to infection of central or shared servers and leave the whole network vulnerable. For this reason the test sub-suites used in this environment include Linux malware but also Windows malware as used in some of the other tests.<br />
West Coast Labs Disclaimer<br />
While West Coast Labs is dedicated to ensuring the highest standard of security product testing in the industry, it is not always possible within the scope of any given test to completely and exhaustively validate every variation of the security capabilities and/or functionality of any particular product tested and/or guarantee that any particular product tested is fit for any given purpose. Therefore, the test results published within any given report should not be taken and accepted in isolation.<br />
Potential customers interested in deploying any particular product tested by West Coast Labs are recommended to seek further confirmation that the said product will meet their individual requirements, technical infrastructure and specific security considerations. All test results represent a snapshot of security capability at one point in time and are not a guarantee of future product effectiveness and security capability.<br />
West Coast Labs provide test results for any particular product tested, most relevant at the time of testing and within the specified scope of testing and relative to the specific test hardware, software, equipment, infrastructure, configurations and tools used during the specific test process.<br />
West Coast Labs is unable to directly endorse or certify the overall worthiness and reliability of any particular product tested for any given situation or deployment.<br />
Revision History<br />
Issue | Description of Changes | Date Issued<br />
1.0 | Test Report Version 1.0 | 29/10/2010<br />
USA SALES<br />
T +1 (949) 870 3250<br />
EUROPE SALES<br />
T +44 (0) 2920 548400<br />
CHINA, KOREA, JAPAN, TAIWAN SALES<br />
T +86 1 343 921 7464<br />
REST OF THE WORLD SALES<br />
T +44 (0) 2920 548400<br />
CORPORATE OFFICES AND TEST FACILITIES<br />
US Headquarters and Test Facility<br />
West Coast Labs<br />
16842 Von Karman Avenue, Suite 125,<br />
Irvine, California, CA92606, USA<br />
T +1 (949) 870 3250, F +1 (949) 251 1586<br />
European Headquarters and Test Facility<br />
West Coast Labs<br />
Unit 9, Oak Tree Court, Mulberry Drive<br />
Cardiff Gate Business Park, Cardiff CF23 8RS, UK<br />
T +44 (0) 2920 548400, F +44 (0) 2920 548401<br />
Asia Headquarters and Test Facility<br />
A2/9 Lower Ground Floor, Safdarjung Enclave,<br />
Main Africa Avenue Road, New Delhi 110 029, India.<br />
T +91 (0) 11 4602 0622, F +44 (0) 11 4602 0633<br />
E info@westcoast.com<br />
W www.westcoastlabs.com<br />