AntiVirus and Trojan Technology Report - West Coast Labs

October 2005

AntiVirus and Trojan Technology Report
For Server, Gateway and Appliance Solutions

Norman Virus Control

Test Report

Contents

Test Specifications
The Product
Test Report
West Coast Labs Conclusion
Features and Functionality Buyers Guide
Additional Security Features
Appendix
    Checkmark AntiVirus Level 1 Test Specifications
    Checkmark AntiVirus Level 2 Test Specifications

Company: Norman ASA
Product: Norman Virus Control (NVC)
Platform: Lotus Domino server
Version: 5.81 + update of 29 August 2005
Update method: Online

West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792

Test Specifications

The overall objective of this AntiVirus and Trojan Technology Report for Server, Appliance and Gateway Solutions is to evaluate each product in a controlled environment. Throughout the test period, each product was configured as recommended to update online. The testing environment represented that of a small to medium sized business or branch office.

Products were tested in accordance with the functionality criteria of the Checkmark certification system for AntiVirus Level 1 and, where Checkmark Certification registration permitted, for AntiVirus Level 2 and Trojan.

Each Test Report is supplemented by a Features and Functionality Buyers Guide and information from the product developer concerning the type of business or organization the product is developed for, plus the direct technical and business benefits of the product.

Each White Paper looks at a product’s Management, Administration and Functionality.

1. Management/Administration

The testing will report on the following functions:
• Installation
• Product update process
• Logging and reporting function

2. Functionality

Products will be tested in accordance with Checkmark AV Level 1 and Trojan test (where registered) to determine the ability to detect viruses and Trojans.

For those products registered for Checkmark AV Level 2, the testing will report on the following virus disinfection capabilities:
• Products will be tested to determine their ability to disinfect files infected with viruses.

What is a virus? A virus is a program or piece of code attached to a file or diskette's boot sector and is loaded onto a computer without the user's knowledge. Viruses are manmade (though they can be corrupted in use to form new variants of the virus) and replicate themselves by attaching themselves to files or diskettes, often soaking up memory or hard disk space and bringing networks to a halt. Most recent viruses are internet-borne and capable of transmitting themselves across and bypassing security systems. Minor variants of the same virus are classed as families of viruses.

What is a Trojan? Trojan Horses or Trojans are destructive programs that pretend to be benign applications. Unlike Viruses or Worms, Trojan Horses do not replicate themselves but they can be damaging to networks by delivering other types of Malware.

The Product

Norman has been a member of the Checkmark AV certification scheme since 1999.

NVC has been certified on Lotus Domino server since 2001, currently holding the Checkmark AntiVirus Level One and Level Two certifications.

As part of the scheme, NVC is tested on Lotus Domino server on four occasions during a 12 month registration period to both AV Level 1 and Level 2 to assess its virus detection and disinfection capabilities. The complete test history for this product, including results that may postdate this report, can be found at

Norman says… about the product.

Norman Virus Control is a collection of antivirus software applications and utilities that protect your workstations, servers and gateways against malicious software. The most prevalent types of malware are computer viruses, worms, and trojans.

www.norman.com

Norman says… about the product’s business benefits.

The single most important task for antivirus software is to keep computers free from viruses. Norman Virus Control (NVC) is based on the advanced core technologies of Norman’s Scanning Engine, which accurately detects known and unknown computer viruses, worms and trojans. When infected files are detected, NVC cleans, isolates or deletes them immediately before the destructive code is activated.

Every administrator knows how important it is to have software that is easy to install, deploy, update, configure, maintain, and manage. NVC v5 is just as easy to install and administer in a small LAN as it is in an enterprise WAN.

Norman says… about the product’s technical benefits.

• Norman SandBox… Norman Internet Protection
• On-access scanner & On-demand scanner
• Automatic updates… Task editor… Utilities
• Decompression library… Messaging module for administrators
• Norman Management tool - NDesk

Test Report

Management and Administration

Norman aims its security software in particular at small and medium-sized organizations, where Norman Virus Control (NVC) can be installed as a gateway protection, on servers and on workstations. To install NVC for Lotus Domino, first the normal NVC installation is carried out and then an extra module to that program is installed. The installation went as easily as one would expect, and the product was updated without any problems.

Once installed, the product offers a GUI showing a number of folders and colourful icons. The folders are there for organization only, and cannot be selected. The folders available are: Norman Program Manager, Norman Virus Control and Norman quarantine, with additional icons Install & update products and (in this case) NVC for Domino.

If the product is set to be updated online automatically, then both the latest virus definitions and the latest version of the product are downloaded, so that the need to install minor upgrades becomes a thing of the past. The product can also be directed to search for updates on a LAN or WAN as alternatives to the Internet, so that a single Internet update can be used to percolate the latest files throughout a corporation, and can be scheduled if so desired.

Norman Program Manager offers a view of the installed components and message handling and routing services. A large selection of messages, both locally generated and incoming from external sources, can be chosen for processing as the administrator chooses, processing that includes forwarding alerts by email, SMS or SNMP.

Norman Virus Control also displays a list of components, but more significantly controls all the configurable settings for the on-demand and on-access scanners. Most importantly these include the Norman Sandbox, which runs all applications in a simulated computer environment, helping to detect unknown threats before detection patterns can be provided. This is turned on by default and is included in the on-demand scanning, and in on-access scanning for remote users and services. A separate set of parameters is used for on-access scanning of local users and the Sandbox is not included in these.

Other categories that can also be scanned for are security risks and aggressive commercials (adware), and archives are automatically scanned by default. If required, all of these can be selected or deselected. Internet protection automatically covers SMTP, POP3, newsgroups and incoming Instant messaging, though each of these can be deselected if so chosen. Certain attachments can also be blocked if so desired, including those with double extensions and encrypted attachments.

Infected attachments, when found by the module for Domino, can be quarantined, cleaned or renamed, the user can be warned, or the attachments can merely be logged. Mass-mailer messages can be stopped, warning messages can be sent to the (apparent) originators and archives can be analysed or blocked, but none of these is done by default. It is possible to specify how long an infected attachment may be retained in quarantine, and to set a maximum size for the directory.

This product has the practical dual functionality of being able to scan not only message traffic of varying sorts, but also acting as an on-machine antivirus scanner for the host. Verbose logging and incremental updates are both useful options which, when configured, can greatly assist the Administrator.

The ability to perform On Access scanning during both database access and replications adds to the ability of this software to serve any Domino based organisation well.

Functionality Testing

Given the level of Norman’s membership of the Checkmark Certification program, the functionality testing was conducted on the basis of the AV Level 1 and AV Level 2 certification tests.

The tests carried out were as follows:

Test 1

The scanner was used to scan viruses in the June 2005 Wildlist (the Wildlist being released on 11th August), both on-demand and on-access.

Using the definitions of 29 August, NVC detected all the viruses in the June Wildlist without any trouble.

Test 2

The scanner was used to disinfect infected files and diskettes infected with a selected list of the viruses in the above Wildlists.

NVC disinfected the appropriate files without difficulty.

Additional Features

Detection of items offered as unwanted programs, e.g. spyware, was not tested.

West Coast Labs Conclusion

Ease of maintenance and the Norman Sandbox make consideration of Norman Virus Control essential for anyone in its chosen market. Careful consideration of its configuration options will reap further dividends, though less experienced administrators can safely use the defaults.

Anti Virus & Trojan Technology Report
Features and Functionality Buyers Guide

Question | Options | NVC (Norman Virus Control)

Product
Is the product standalone or corporate? | S or C | S and C
If corporate, is it self-contained or are other products needed to deploy/configure/monitor it? | Y or N | Y

Certification
Is the product certified to Checkmark AV Level 1? | Y or N | Y
Is the product certified to Checkmark AV Level 2? | Y or N | Y
Is the product certified to Checkmark Trojan? | Y or N | N

Updates
Can updates be scheduled? | Y or N | Y
Are new updates produced daily? | Y or N | Y
Can automatic updates be scheduled? | Y or N | Y
Are emergency updates produced during outbreaks? | Y or N | Y
If so, are these made available to all customers? | Y or N | Y
Can updates be pushed down? | Y or N | N
Can updates be downloaded and installed manually? | Y or N | Y
(If corporate) can updates be distributed? | Y or N | Y
Are out-of-date virus definitions reported to the user? | Y or N | Y

Logs
Are logs produced? | Y or N | Y
Can entire logs be printed off? | Y or N | Y
Can selected entries be printed off? | Y or N | N
Can logs be saved in a file? | Y or N | Y
Can selected/filtered entries be saved in a file? | Y or N | Y
Can the format of the file be selected? | Y or N | Y
Can the logs be sorted? | Y or N | Y
Can the user select what information will appear in the log? | Y or N | N
Can user notifications be disabled? | Y or N | Y

Scanning
Are all file extensions scannable? | Y or N | N
Can files without extensions be scanned? | Y or N | Y
Are all file extensions scanned by default? | Y or N | Y
Can incoming SMTP traffic be scanned? | Y or N | Y
If so, is it scanned by default? | Y or N | Y
Can ZIP and TAR files be scanned? | Y or N | Y
Are unscannable files reported? | Y or N | Y
Can infected files be quarantined? | Y or N | Y
Can infected files be disinfected? | Y or N | Y
Can infected files be deleted? | Y or N | Y
Can users select the appropriate option when the infected file is found? | Y or N | Y
Are product plugins supported? | Y or N | Y
Does the product have system restore abilities? | Y or N | N

Accessories
Is there a virus encyclopaedia on the hard disk? | Y or N | N
Is there a virus encyclopaedia online? | Y or N | Y
Can virus samples be sent to the vendor via email? | Y or N | Y
Is the product dependent upon certain service packs being applied? | Y or N | N

Additional Security Features

As stated by Norman

Norman’s solution to “Day Zero Attacks” is the world’s leading proactive antivirus technology - Norman SandBox - a security technology that will assist in accomplishing maximum security.

The technology is used in all Norman antivirus products and solutions. The aim is to provide continuous protection to stop new, unknown viruses and other malicious code from the time they are released by the virus author.

The main difference from traditional virus protection is that it does not only rely on virus signature files to stop new viruses. Norman SandBox stops the viruses before they enter your system by analysing their behaviour in a simulated environment.

url :

Appendix

Anti Virus Level 1 Certification

For a product to be certified to Anti-Virus Checkmark Level 1, the product must be able to detect all viruses currently ‘In the Wild’ as at the time of testing. Test specifications can be downloaded from

Anti Virus Level 2 Certification

For a product to be certified to Anti-Virus Checkmark Level 2, the product must be able to disinfect all viruses currently ‘In the Wild’ as at the time of testing and capable of being disinfected. Test specifications can be downloaded from

