Performance Validation Testing Kaspersky Lab Corporate Security
Contents

Changing Malware Threats in Corporate Networks .......... 3
The Test Objectives .......... 6
Malware Test Suites .......... 8
Malware Detection Test Results .......... 9
Kaspersky Lab Corporate Security Solutions .......... 10
Checkmark Certifications for Kaspersky .......... 14
Checkmark Certification Profile for Kaspersky Lab .......... 15
Conclusion .......... 16
Product Feature Comparisons .......... 17
Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition .......... 18
Kaspersky Security 8.0 for Microsoft Exchange Servers .......... 19
Kaspersky Anti-Virus 8.0 for Linux File Server .......... 20
Kaspersky Anti-Virus 8.0 for Lotus Domino .......... 21
Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition .......... 22
Disclaimer .......... 23
Contact Information .......... 24

2 of 24 www.westcoastlabs.com
Changing Malware Threats in Corporate Networks

The Evolution of Malware, Technologies and Services
By Lysa Myers, director of research, West Coast Labs

There are few who are unaware of the malware landscape changing since the release of the first few viruses decades ago. But it seems there are just as few people outside the computer security industry who understand the nature of that change. No longer is malware as ethereal a threat as an urban legend, and no longer is the virus outbreak of the day making the evening news. Threats now come not by ones and twos but by the many tens of thousands each day, with the known total hovering in the tens of millions. And threats come quietly, remaining as far below the radar as possible to maximize their stay on an affected machine.

Corporations are now victims of targeted attacks as well as the regular masses of malware, and have specific needs for the protection of corporate information assets. While malware activity has increased, security budgets certainly have not. Many corporate security staff find themselves facing a tidal wave of new threats without extra personnel or resources. They need security software to work faster, harder and require less manual interaction while providing detailed reports as to what actions have been taken. Machines which are infected need to be cleaned completely so as to get systems back up and running quickly and painlessly. Anti-malware software is only as good as its research and support departments. They are vital in order to have excellent response times to new threats and to provide top-notch customer assistance. As the security focus in corporate networks shifts away from the desktop into mobile, cloud and virtual computing resources, security software needs to protect these environments too.

The way malware spreads has also changed – there is less concern for infecting oneself with a floppy disk (how many of us even have a floppy disk drive now?) or via poorly worded and spelled mass-mailer viruses. When malware authors discovered there was profit to be had in spreading their malicious wares, they began to take many of the tactics used by Search Engine Optimizers and improved their social engineering craft, placing files where people were most likely to run across them. Consequently, the Web is now where the majority of people become infected with malware and, given the extent to which the internet is such an integral part of all corporations’ business activities, the Web is a potent threat vector. Companies’ websites are regularly targeted for defacement or infected to spread malware to the site’s visitors. Given that the Internet is operating system agnostic and because current scripting languages allow for queries of the specific browser version of each visitor, malware can be spread in a manner which infects any particular visit. In the last few years, this has been a tactic which has proved increasingly popular with malware authors, increasing their reach as the market share of new technology increases.

Obviously, anti-malware products had to change with the times as the onslaught of malware has increased and the tactics of malware authors have shifted. The first anti-malware products were designed strictly as signature scanners, which only ran when a user specifically initiated a scan. In short order, this was changed to allow the scanner to run continuously in the background so that each file was examined as it was accessed, without users having to think about it. This approach has become more widespread, so that products require little interaction – users can automatically have the most up-to-date protection running at all times. Another thing which has changed with the times is the complexity of the scanning processes. No longer are anti-malware products simply signature-based scanners. They now include advanced heuristic technologies and generic signatures which can proactively detect new variants of existing families and new malware families. The best products include a variety of security features such as web or spam filtering, behavioural analysis or a firewall technology which can help protect against brand new threats. With these new, intensive scanning technologies, vendors have come up with many ways to decrease the overall processing load, so that scanning will not noticeably decrease access times or interrupt workflow.

As both the malware landscape and anti-malware products have changed, so has the security testing industry. When products under test were updated periodically, used on-demand scanning and the total known malware was in the thousands, it made sense to have only a single pass or fail test which was performed a few times a year over a static test-bed of samples. This is no longer the reality of the current user experience. While it can be a meaningful baseline test of anti-malware functionality, it is far from a complete picture of overall product performance.

In order to accurately reflect a user’s experience with malware, it is important to gather the full spectrum of malware from a variety of sources from throughout the internet, which circulate on various protocols. This means including not just email-based malware, but malicious files on P2P networks, as well as on the Web and other attack vectors. Because malware does not stop when the work day ends nor does it recognize geographic boundaries, threats must be collected all day from around the world.

As anti-malware products have begun to include more wide-ranging technologies, including ones which are initiated upon execution of a file, testing must incorporate dynamic functionality by running threats on test machines. This naturally takes more time than scanning an immobile directory of files, so one must take care to select the most relevant sample set which a customer is most likely to encounter. This takes into account not just prevalence, but the popularity of the attack vector on which it’s spread, the potential for damage on an infected system, as well as geography.

Malware authors are always abreast of technology trends – where do people share their information, how do people share files? At West Coast Labs we’ve already begun to see an increase of attacks on things like digital picture frames, USB thumb drives, mobile phones and on popular Web 2.0 sites. So, suffice to say, if you know a few people who use one or other or all – malware authors are looking to exploit them for financial gain. Likewise, anti-malware vendors are developing technologies to protect them and testers like West Coast Labs are developing methodologies to mirror the user’s risk and potential infection experience. In order to keep up to date on the evolving malware landscape, one need only see which new widgets are being used in home and business environments.

But in the corporate world, keeping updated on the latest threats and technologies is not enough – TCO and ROI need to be considered. How well do advanced technologies proactively detect? How quickly are new threats added? How is customer support response? How easily can the solution be managed remotely? How much CPU time is used for scanning? To find the answers to many of these questions, take a look at product performance data from leading independent test organisations such as West Coast Labs and the performance validation programmes they deliver – such as Real Time Testing. You can also take a close look at how individual vendors are responding to the changing threat landscape and the implications for the security of corporate networks.

Nowadays, vendors are defining ‘Protection’ differently. No longer is it just product performance-related but also related to business and customer service issues, delivering a higher value overall service to meet not just security, but also business needs.

When considering product performance in a corporate network environment, ‘Protection’ is more than current malware detection capabilities; it’s also about the extent of a vendor’s product research and development strategy that anticipates threats and trends to ensure proactive network protection. It can be further defined as the extent to which malware protection is delivered for a multi-platform infrastructure through efficient and easily managed solutions with wide inter-operability capabilities. ‘Protection’ is also about the extent to which business interests are protected through vendor service strategies that now include optimised and cost-effective security plans tailored to individual corporations’ needs for maximising business productivity, lowering the total cost of ownership and maximising the return on investment. Also, given that corporations are operating in a worldwide ‘e-economy’, all this needs to be supported by trusted and responsive global support plans.

Yes, the threat landscape is continuing to evolve with new malware threats spawned at an alarming rate, but no longer is malware protection and information security in general just a technical issue – it’s a business issue. That’s why vendors’ product and service solutions are evolving to suit these changing needs and West Coast Labs is developing independent product performance programmes that ensure that these products and services are tested and validated accordingly.
The Test Objectives

Kaspersky Lab commissioned West Coast Labs to carry out the following testing:

• Checkmark Certification for the Baseline, Dynamic and Real Time testing programme on seven corporate security solutions:
  • Kaspersky Security 8.0 for Microsoft Exchange Servers
  • Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition
  • Kaspersky Anti-Virus 8.0 for Linux File Server
  • Kaspersky Anti-Virus 8.0 for Lotus Domino
  • Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition
  • Kaspersky Endpoint Security 8 for Mac
  • Kaspersky Endpoint Security 8 for Linux
• Comparative testing of selected Kaspersky products against a range of competitor products in a “static” test environment (see below).
• A comparison of product feature sets using publicly available information on vendor websites and marketing collateral.

A comprehensive list of all Kaspersky Lab Checkmark Certifications and Checkmark Platinum Product Awards can be found on page 15.

The Comparative Product Testing

The comparative testing comprised a basic evaluation of each product’s malware detection capability in a static test environment. WCL built a test suite of 100,000 live malware samples* from its own independent resources that covered all appropriate attack vectors.

Each solution was installed to a server running the appropriate and commonly supported Operating System and software detailed in the next section of this report. During installation, all default values were kept and, where a choice was required, the course of action recommended by the solution and/or the attendant product documentation was adhered to.

Each solution was updated to the latest available definition, engine, and signature releases before a forensic image was taken and stored for later use. Updates were allowed during the test period through any normal scheduled and automatically enabled update mechanism present in the product, and a further forensic image was taken on the last day of testing for each combination of products.

Each solution was tested against an appropriate test set extracted from the 100,000 samples mentioned above and made up of real-world, “solution capability specific” samples taken from West Coast Labs’ collections, including samples received in the West Coast Labs Global Honeypot Network. For example, the Exchange-based solutions were tested against malware known to propagate over email. Test sets and the methodologies were constructed so as to mirror the experience of a real-life installation as far as possible and not to advantage any one vendor over the others.

*For a description of the malware used in this test programme, refer to Appendix 1 of this report.

Comparative Product Testing – Test Network

Testing was carried out on distinct networks which comprised various server and client machines needed to run the respective technologies and operating systems.

Corporate Security Solutions Used in the Comparative Product Testing

Microsoft Exchange Test: Kaspersky Security 8.0; Symantec Mail Security; Trend Micro ScanMail; McAfee GroupShield; Sophos E-mail Security; ESET Mail Security
Lotus Domino Test: Kaspersky Anti-Virus 8.0; Symantec Mail Security; Trend Micro ScanMail; McAfee GroupShield; Sophos E-mail Security; ESET Mail Security
Microsoft ISA Server (replaced by Forefront TMG 2010) Test: Kaspersky Anti-Virus 8.0; Forefront TMG 2010
Windows Server Test: Kaspersky Anti-Virus 8.0; Symantec Endpoint Protection; Trend Micro OfficeScan Server; McAfee VirusScan Enterprise and VirusScan for Storages; Sophos Endpoint Security; ESET File Security
Linux Test: Kaspersky Anti-Virus 8.0; Symantec Endpoint Protection; Trend Micro ServerProtect; McAfee VirusScan Enterprise; Sophos Endpoint Security; ESET File Security

In order to provide a balanced reporting process, West Coast Labs recommended that all client machines should run Windows XP with Service Pack 3 and that server platforms ran the highest OS version commonly supported across each of the solutions. In some cases this meant that they may not have been running on the latest version of a particular operating system, but this method meant that any testing carried out was more directly comparable. Details of the highest levels of common operating systems per component available at the time of testing are as follows:

Network 1 – Microsoft Exchange
This network comprised 12 systems – 6 desktops and 6 servers (one of each for each solution). Each of the desktop machines was paired up with a server system in order to allow an Exchange Server and Outlook client configuration.
Server OS: Windows 2003 Server 64 bit, Exchange Release: 2007 64 bit.

Network 2 – Windows Server
This network comprised 12 systems – 6 desktops and 6 servers (one of each for each solution). Each of the desktop machines was paired up with a server system in order to allow a server/client configuration.
Server OS: Windows 2008 64 bit

Network 3 – Linux
This network comprised 6 systems running the Red Hat Enterprise release 5 version of Linux.

Network 4 – Lotus Domino
This network comprised 12 systems – 6 desktops and 6 servers (one of each for each solution). Each of the desktop machines was paired up with a server system in order to allow a Lotus Domino server and Lotus Notes client configuration.
Server OS: Windows 2003 32 bit, Lotus Domino Release: R8

Network 5 – Microsoft ISA Server (Forefront TMG 2010)
This network comprised 4 systems – 2 desktops and 2 servers (one of each for each solution). Each of the desktop machines was paired up with a server system in order to allow a server/client configuration.
Server OS: Windows 2008 64 bit, Forefront TMG 2010

Supporting these five networks there were a number of servers designed to collect data from each of the tests, along with desktop machines to act as remote points of control and for test management.

Comparative Product Testing – Test Methodology

In each test case, the protocol most likely to be used was employed to test the solutions – detailed below.

Microsoft Exchange testing: Testing was conducted on an “On Access” basis. All samples were sent via email from accounts on a real-life, resolvable domain owned and controlled by West Coast Labs to the products under test over a live internet connection with appropriate firewall rules in place to allow only communication between the hosts used in the testing. This enabled West Coast Labs to report on those emails that were stopped at the Exchange Server and track those emails that were bounced to allow for resending to ascertain the gateway protection offered.

Windows Server testing: Testing was conducted on an “On Demand” basis. All samples were copied on to the appropriate server in a number of directories. The solution under test was asked to scan the server Operating System to report any infections it found.

Linux testing: Testing was conducted on an “On Demand” basis. All samples were copied on to the appropriate server in a number of directories. The solution under test was asked to scan the server Operating System to report any infections it found.

Lotus Domino testing: Testing was conducted on an “On Access” basis. All samples were sent via email from accounts on a real-life, resolvable domain owned and controlled by West Coast Labs to the products under test over a live internet connection with appropriate firewall rules in place to allow only communication between the hosts used in the testing. This enabled West Coast Labs to report on those emails that were stopped at the Domino Server and track those emails that might get bounced to allow for resending to ascertain the gateway protection offered.

TMG 2010 testing: Testing was conducted on an “On Access” basis. All samples were provided from a real-life resolvable web, FTP and P2P server on a domain wholly owned and controlled by West Coast Labs. Attempts were made to download the samples over a live internet connection, with appropriate firewall rules in place to allow only communication between the hosts used in the testing, using HTTP, FTP and P2P to ascertain the gateway protection offered.
Malware Test Suites

West Coast Labs puts considerable effort into ensuring the relevance of samples used in testing. There are three key components to this process.

The company’s research facilities continuously monitor malware attacks and intercept attempts to attack the corporate network of a global company with thousands of users spread over four continents.

WCL also has the advantage of an international system of honeypots, machines based in many countries on most continents that sit on open networks waiting to be attacked. When attacks occur the malware is intercepted and reported back to a central repository, where it is de-duped, checked for corruption and validity, stored and can then be used as a sample for testing products.

Another method of collection and validation is through honeyclients: systems designed to trawl the Internet to discover “drive-by downloads” (where malware is downloaded in the background unknown to the user who is looking at an otherwise perfectly acceptable web site), and to download files by visiting these websites and capturing the output.

Comparative Test Project Malware Samples

For this particular custom test, testing takes place in five different operating environments, namely Microsoft Exchange, Lotus Domino, MS ISA (TMG 2010) Server, Windows Server and Linux File Server. The main test suite is divided into separate sub-suites used for each environment (although some sub-suites are used more than once).

For both Microsoft Exchange and Lotus Domino, the main component of the test suite is a group of malware that spreads itself via SMTP. Of course, many different files and types of malware can be attached to emails, and therefore the test suite also includes malware gathered internationally that can be sent by email. Types of malware used in this part of the test include viruses, bots, Trojans, and especially those worms designed to spread by email, all of which have been found in the email intercepts delivered to WCL.

Windows Server acts as a network server and repository and so the appropriate test sub-suites include not only those sub-suites as used elsewhere but also network worms, these being the malware most likely to infect and spread via these environments.

MS ISA Server acts as a network edge gateway and so the suites considered when testing this include a wide range of malware concentrating on network traffic, including HTTP and FTP malware as well as network worms – malware transported by the sort of traffic flow that would be associated with a corporate network.

Linux has a small selection of malware especially designed to run in that environment, but also needs to recognize Windows malware; although this cannot run natively in this environment, many companies include both Windows and Linux machines on the same networks and any failure to recognize Windows malware might lead to infection of central or shared servers and leave the whole network vulnerable. For this reason the test sub-suites used in this environment include Linux malware but also Windows malware as used in some of the other tests.
Malware Detection Test Results

TEST 1 – Microsoft Exchange (Total Malware Samples – 8042)

Product                        Test Date                  Detection Rate   Test Location
Kaspersky Security 8.0         16/09/2009 - 23/09/2010    100%**           WCL UK Lab
Product Performance Average*                              100%**           WCL UK Lab
Product A                      16/09/2009 - 23/09/2010    100%**           WCL UK Lab
Product B                      16/09/2009 - 23/09/2010    100%**           WCL UK Lab
Product C                      16/09/2009 - 23/09/2010    100%**           WCL UK Lab
Product D                      16/09/2009 - 23/09/2010    100%**           WCL UK Lab
Product E                      16/09/2009 - 23/09/2010    100%**           WCL UK Lab

TEST 2 – Windows Server Enterprise (Total Malware Samples – 25640)

Product                        Test Date                  Detection Rate   Test Location
Kaspersky Anti-Virus 8.0       20/09/2010 - 23/09/2010    99.68%           WCL USA Lab
Product Performance Average*                              99.54%           WCL USA Lab
Product A                      20/09/2010 - 23/09/2010    99.45%           WCL USA Lab
Product B                      20/09/2010 - 23/09/2010    99.50%           WCL USA Lab
Product C                      20/09/2010 - 23/09/2010    99.36%           WCL USA Lab
Product D                      20/09/2010 - 23/09/2010    99.69%           WCL USA Lab
Product E                      20/09/2010 - 23/09/2010    99.57%           WCL USA Lab

TEST 3 – Linux (Total Malware Samples – 25640)

Product                        Test Date                  Detection Rate   Test Location
Kaspersky Anti-Virus 8.0       05/10/2010 - 08/10/2010    99.95%           WCL USA Lab
Product Performance Average*                              99.59%           WCL USA Lab
Product A                      05/10/2010 - 08/10/2010    99.64%           WCL USA Lab
Product B                      05/10/2010 - 08/10/2010    99.24%           WCL USA Lab
Product C                      05/10/2010 - 08/10/2010    99.40%           WCL USA Lab
Product D                      05/10/2010 - 08/10/2010    99.80%           WCL USA Lab
Product E                      05/10/2010 - 08/10/2010    99.53%           WCL USA Lab

TEST 4 – Lotus Domino (Total Malware Samples – 8042)

Product                        Test Date                  Detection Rate   Test Location
Kaspersky Anti-Virus 8.0       06/10/2010 - 10/10/2010    100%**           WCL UK Lab
Product Performance Average*                              100%**           WCL UK Lab
Product A                      06/10/2010 - 10/10/2010    100%**           WCL UK Lab
Product B                      06/10/2010 - 10/10/2010    100%**           WCL UK Lab
Product C                      06/10/2010 - 10/10/2010    100%**           WCL UK Lab
Product D                      06/10/2010 - 10/10/2010    100%**           WCL UK Lab
Product E                      06/10/2010 - 10/10/2010    100%**           WCL UK Lab

TEST 5 – ISA Server (Forefront TMG) (Total Malware Samples – 18680)

Product                        Test Date                  Detection Rate   Test Location
Kaspersky Anti-Virus 8.0       14/10/2010 - 19/10/2010    99%**            WCL UK Lab
Product A                      14/10/2010 - 19/10/2010    99%**            WCL UK Lab

* Defined as the performance average of the products included in the tests, which are deemed to be leading solutions in their own rights.

** Samples used in these tests are those found to be in circulation on West Coast Labs’ SMTP malware feeds immediately prior to the commencement of testing. Although appearing unusual, the 100% detection rates are indicative of two key facts: firstly, the paranoid behaviour of email protection systems and the degree of protection extended to vital communication systems such as these; secondly, the changing nature of attempts to compromise end users over this vector. Whilst executables and binaries travelling over this vector are still highly prevalent, they are becoming less diverse, i.e. there are not as many frequent outbreaks of email based malware as there were, and the targets are more likely to receive phishing emails and links to websites rather than files.
Kaspersky Lab Corporate Security Solutions

Kaspersky Lab Statement

Kaspersky Lab has developed highly-effective anti-malware solutions for use in medium and large-scale corporate networks with complex topologies and heavy loads. Combining ease of use with high standards of performance across multiple attack vectors, the products are cost effective solutions which meet both business and technical needs worldwide.

West Coast Labs’ Executive Summary Report

The launch of Kaspersky Lab’s range of anti-malware products for the corporate network environment provides security managers with an extended choice of effective solutions for dealing with threats in attack vectors across multiple operating systems.

West Coast Labs’ independent testing and performance validation of the products confirm that they combine ease of use and management with high levels of performance, all of which is driven by Kaspersky Lab’s own research, development and customer support programmes.

Kaspersky Lab has made a significant commitment to the independent validation of its products’ efficacy and performance through West Coast Labs’ Checkmark Certification System. This provides a range of static, dynamic and real-time tests which make these Kaspersky solutions possibly the most intensively tested corporate anti-malware solutions available anywhere in the world today.

Details of the specific tests to which the products are exposed are published elsewhere in this report, but the overall outcome of the certification testing is the achievement of the Platinum Product Award for these products, which is the highest level of independent validation from West Coast Labs possible for an anti-malware solution. This is complemented by very respectable malware detection test results which position the performance of Kaspersky Lab products very favourably alongside more widely recognised corporate security solutions.

The specific malware detection capability testing of both Kaspersky Lab and a number of competitive anti-malware solutions was carried out in September and October 2010, while the Checkmark Certification testing of its products is performed on an ongoing basis. Custom test reports and details of certification testing are available at www.westcoastlabs.com

Kaspersky Security 8.0 for Microsoft Exchange Servers (Kaspersky Security 8.0)

Kaspersky Security 8.0 provides anti-malware and anti-spam protection for mail traffic on corporate networks. Its integration with Exchange allows for detection and removal of malware and spam at the gateway level. The product is easy to install and its user-friendly interface, flexible administration and straightforward configuration and reporting system do not place excessive demand upon the Administrator’s time. No extra setup is required on Exchange and malware protection began immediately.

Management of the solution is simple as Kaspersky Security 8.0 employs a Microsoft Management Console (MMC) snap-in, providing an intuitive interface with full access to all features. Database and signature updates run automatically, as often as every two hours, but if required may be run on-demand. Although there are fewer options available compared to other corporate products on the market, it can be argued that all the necessary options are available, thus leading to a streamlined user experience.

In the ongoing Checkmark Certification Static and Real Time tests, like all the Kaspersky products, this solution has achieved consistently high standards of performance.

For the comparative performance testing to measure the product’s detection capability of malware known to propagate over SMTP, Kaspersky Security 8.0 achieved a 100% detection rate of the 8042 malware samples used in the comparative test. This performance is equivalent to and matches that of the competitor products included in the test.

We also test HTTPS.

Figure: Kaspersky Security 8.0 Update Process

Test Networks and Methodology

In a heterogeneous network situation it is important to know that a security solution is both compliant and compatible. Throughout the test programme for ISA/TMG, Linux, Lotus Domino and WSEE, WCL utilised the following network configuration to simulate a corporate network environment:

• 64-bit Windows 2008 machine running as a gateway/DNS server hosting Forefront TMG/ISA Server
• 32-bit Windows 2003 machine running Lotus Domino mail server
• 64-bit servers running Linux and Windows 2008, both acting as file servers

While each of the solutions was tested independently of one another, the results of these tests and the observations made point to the various Kaspersky Lab solutions providing a multi-faceted security framework for a corporate network. Taking a hypothetical network into account, as below, one can see how each of the solutions would interact with and secure the network.

Anti-malware protection, at the gateway level, is provided by scanning email coming into the ‘corporate network’ over SMTP with an initial scan by Kaspersky Anti-Virus 8.0 sitting on the TMG server. In turn, the email is then received by the Exchange or Domino server and a further scan conducted by the appropriate solution. Should any user require the downloading of email from an external POP3 server, the Kaspersky for TMG solution scans the traffic as it passes through the gateway. When dealing with files, any that are downloaded over HTTP/FTP are scanned on the TMG/KAV combined server. Should any network user then attempt to upload any files to either a Windows or Linux based file server, then here the respective Kaspersky Lab solution will provide further defense-in-depth.

Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition

Kaspersky Anti-Virus 8.0 sits on top of Microsoft Forefront TMG 2010. While TMG acts as a standalone security solution in its own right, the addition of Kaspersky Anti-Virus 8.0 provides a multi-layered security solution.

Installation of Kaspersky Anti-Virus 8.0 is simple, using a standard Windows Installer and settings imported from TMG during the install process. The default settings provide fast protection, but a more tailored installation can be achieved if required.

The solution is managed via MMC with an additional central monitoring screen and network policies which can be added to complement those of TMG, making the whole process of management, administration and ongoing use very straightforward.

Kaspersky Anti-Virus 8.0 allows permission or denial of various traffic types – HTTP, FTP, SMTP and POP3 – plus the ability to define what, if any, of the protocols should be subject to scanning. Data on network status, including the protocols which are being blocked, numbers of files scanned, and the number of resulting infections, is readily available.

In the performance testing over the HTTP and FTP attack vectors, the combination of Kaspersky Anti-Virus 8.0 and TMG provided 99% detection of the range of malware samples which were included in the test.

Figure: Application interface of KAV for ISA

Kaspersky Anti-Virus 8.0 for Linux File Server

Kaspersky Anti-Virus 8.0 for Linux installs from the command line, using a shell-script installer. Although some degree of familiarity with Linux is required, even junior network administrators with a basic understanding of Linux should be comfortable with the process. Managed via a web-based GUI running on a non-standard port, Kaspersky Anti-Virus 8.0 is configured from the GUI. No secondary interfaces or files need to be changed and updates are either scheduled or run on-demand. For security admin staff who may be familiar with a file-server anti-malware product, the make-up of the interface is very familiar – it is both clear and intuitive.

On-Access and On-demand protection are available as standard. Administrators can browse the Quarantine folder from within the product interface to review any malware logged and thus decide what actions to take.

Given the complexities involved with porting anti-malware solutions to Linux, it is not always possible to ensure consistency of performance. However, Kaspersky Anti-Virus 8.0 sets itself apart in this regard. It is well implemented, as demonstrated in the comparative performance tests where it led with a 99.95% detection rate on the 25640 malware samples tested, compared to an average performance rate of 99.52% for 5 other leading corporate solutions.

Figure: KAV 8.0 for Linux File Server interface

Kaspersky Anti-Virus 8.0 for Lotus Domino

Anyone familiar with Lotus Domino will find the installation straightforward. It is performed using a Lotus .nsf database file which is opened through Lotus Notes to run. Administrators can set various actions to be performed when malware is detected; however, they will need to be familiar with Lotus in order to get the best out of the solution when rolling Kaspersky Anti-Virus 8.0 out to a Domino server. Delete or quarantine actions are easily defined for detected malware and for deleting infected attachments.

Figure: Licensing process on Kaspersky Anti-Virus for Lotus

Unlike some of the other vendor products included in the comparative performance review, Kaspersky Anti-Virus 8.0 does not need the installation of a desktop anti-malware product to be able to use the desktop product’s scanning engine signature files.

In the comparative testing against 5 other leading corporate solutions, the test methodology employed sender machines running a Linux distribution. Scripts developed by WCL were used to send the emails that contained infected attachments over a live Internet connection. Emails were sent to servers running Lotus Domino 8.5 on Windows 2003 that each picked up emails for a FQDN owned and controlled by WCL. Client machines running Lotus Notes 8.5 were used to pick up the messages from the Domino servers and analysed the attachments to aid calculation of the overall detection rate which

Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition

Kaspersky Anti-Virus 8.0 for WSEE uses the standard Windows Installer interface. Two installations are required, one for the Administration tools and one for the solution itself. However, importing an existing configuration file to keep existing settings is possible when upgrading a previous version. Installation is quick and trouble-free.

Managed through an MMC snap-in, the product allows product updates to be rolled back if needed. It provides a quarantine area and a backup facility just in case the Administrator deletes a file that needs to be restored.

Figure: Update Process on Kaspersky Anti-Virus WSEE

required setting. On Demand scans can be set to a pre-defined security level or customized to meet the demands of the organisation. Similarly, On Access protection can be set with a preference for either high speed scans or high protection levels.

Throughout the comparative test
The interface, as a programme, WCL found the scans for Kaspersky Anti-Virus 8.0 was whole, provides a rapid means of ran quickly with an overall detection of a particularly high standard implementing malware security poli- rate for Kaspersky Anti-Virus 8.0 of which mirrored that of the competi- cies on the solution. 99.68% compared to an average tor products included in the test All of the available features are performance of 99.51% for the programme. easy to locate without the need other 5 security solutions included. All solutions attained a 100% de- for drilling down through multiple tection rate during the test period. options screens or hunting for a WEST COAST LABS VERDICT Combining ease of use with high levels of performance, the Kaspersky Lab solutions under test have delivered comparable and at times, better detection rates to equivalent products. With a consistent level of anti-malware protection across the network topology, users of the Kaspersky Lab products featured in this report can be confident that they are all rigorously tested through the Checkmark Certification and the Real Time testing programme to provide ongoing independent validation on performance. 13 of 24 www.westcoastlabs.com
Checkmark Certifications for Kaspersky

The Checkmark Certification System is recognised globally as probably the most comprehensive independent functionality and performance validation program of its kind.

With three tiers of certification – Baseline, Dynamic and Real Time testing – vendors have the opportunity to commit to the System at a level that suits the performance of their products and services in the real world.

The Baseline certifications comprise a series of static benchmarking tests that measure detection capability against a finite suite of known malware threats, whereas the addition of Dynamic and Real Time testing transforms this certification program into a threefold process that results in the most complete evaluation of an Anti-Malware vendor’s products available.

• Static Testing – baseline tests that measure detection capabilities against known threats.
• Dynamic Testing – measures product performance in relation to malware executing as end users and corporations experience them in the real world.
• Real Time Testing – measures critical performance characteristics in a network environment 24x7x365. The testing provides results in metrics including performance in relation to time, attack vectors, heuristic behavior analysis, signature update and vendor research effectiveness.

The combination of these three distinct test programs provides the highest level certification of product performance available.

All the Kaspersky Lab products that form part of this test program are registered in the Checkmark System for all three levels of testing – Baseline, Dynamic (where appropriate) and Real Time.

In Real Time, the products are tested 24x7x365 against live malware in a range of attack vectors that are relevant to each product. These include FTP, HTTP, P2P, SMTP and Malicious Web Sites. Given the nature of the Real Time testing program and the fact that it is probably the most rigorous product performance validation of its kind, the products registered for Real Time testing are eligible for the Checkmark Platinum Product Award.

Far more than just a measure of product performance, it also acts as recognition of the vendor’s commitment to the highest level of independent product validation and a measure of the vendor’s responsiveness to emerging threats.

The Kaspersky Lab products holding the Checkmark Platinum Product Awards are:

• Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition
• Kaspersky Anti-Virus 8.0 for Linux File Server
• Kaspersky Anti-Virus 8.0 for Lotus Domino
• Kaspersky Anti-Virus 6.0 for Windows Workstations
• Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition
• Kaspersky Security 8.0 for Microsoft Exchange Server
• Kaspersky Endpoint Security 8 for Linux
Checkmark Certification Profile

Checkmark Certifications (columns): Anti Virus Detection, Anti Virus Disinfection, Trojan, Spyware, Anti Malware, Anti Spam, Anti Malware Dynamic. Each mark (●) below denotes enrolment in one of these certifications; column positions are not preserved in this transcription.

Kaspersky Lab Applications:
Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition: ● ● ● ●
Kaspersky Anti-Virus 8.0 for Linux File Server: ● ● ● ●
Kaspersky Anti-Virus 8.0 for Lotus Domino: ● ● ● ●
Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition: ● ● ● ●
Kaspersky Security 8.0 for Microsoft Exchange Servers: ● ● ● ● ●
Kaspersky Anti-Virus 6.0 for Windows Workstations – Windows XP: ● ● ● ● ● ●
Kaspersky Anti-Virus 6.0 for Windows Workstations – Windows Vista: ● ● ● ● ● ●
Kaspersky Anti-Virus 6.0 for Windows Workstations – Windows 7: ● ● ● ● ● ●
Kaspersky Endpoint Security 8 for Mac: ●
Kaspersky Endpoint Security 8 for Linux: ● ● ● ● ●
Kaspersky Anti Spam: ●

Checkmark Real Time Certifications (columns): Real Time FTP, Real Time HTTP, Real Time SMTP, Real Time P2P, Real Time Mal URL, Real Time Spam.

Kaspersky Lab Applications:
Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition: ● ●
Kaspersky Anti-Virus 8.0 for Linux File Server: ● ●
Kaspersky Anti-Virus 8.0 for Lotus Domino: ●
Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition: ● ● ● ● ●
Kaspersky Security 8.0 for Microsoft Exchange Servers: ● ●
Kaspersky Anti-Virus 6.0 for Windows Workstations – Windows XP: ● ● ●
Kaspersky Anti-Virus 6.0 for Windows Workstations – Windows Vista: ● ● ●
Kaspersky Anti-Virus 6.0 for Windows Workstations – Windows 7: ● ● ●
Kaspersky Endpoint Security 8 for Linux: ● ●

The above chart denotes those certifications in which the respective Kaspersky solutions are currently enrolled. It is not reflective of each solution’s test results or full protection capabilities.
Conclusion

In this test programme, Kaspersky Lab products have undergone probably the most extensive testing carried out by West Coast Labs against a single corporate solution.

These tests range from West Coast Labs’ established Checkmark Certification to ongoing performance validation through the Real Time system and the custom malware comparative testing. This programme also includes the first ever product to be awarded the Checkmark Anti-Malware Macintosh certification.

Upon completion of the tests covered in this report it can clearly be seen that Kaspersky are offering an extremely competitive and thorough security package to businesses and corporate organisations.

For mail-based systems, Kaspersky recorded a 100% detection rate on both Exchange and Lotus against samples which propagate over the SMTP protocol. While this is an impressive detection rate, it should be noted that the other vendors also recorded the same detection levels. This should be an indicator of the level of importance of email coverage and the perceived threat to business communications that is held by the security industry as a whole.

On file server-type systems, in this case Windows 2008 and Red Hat Enterprise 5, there is a differential in detection levels. On the Linux OS, Kaspersky recorded the highest detection rate amongst the solutions on test, whilst on the Windows OS Kaspersky recorded the second-highest detection rate. It should be noted that the difference between first and second in the Windows OS test was just 1/100th of a percent, thus putting Kaspersky above the Industry Average as defined in the test results.

From the results of the test programme it can be concluded that not only do the Kaspersky solutions offer comparative detection rates to offerings from other vendors, it is clear that the level of protection afforded by Kaspersky Lab solutions is consistently high across the range of platforms.

Whether corporate organisations require protection for the desktop environment, a file server, Microsoft Exchange email server, an Apple Mac client, or a server running Lotus Domino, the Kaspersky Lab performance is consistent throughout.

Prospective users of Kaspersky Lab products, and specifically those featured in this report, can take confidence from the fact that the solutions are rigorously tested on an ongoing basis through the Checkmark certification system and the Real Time testing programme to ensure independent validation of a consistently high standard of product performance.

The full West Coast Labs Test Report for this project is available online at www.westcoastlabs.com/productTestReports/
Product Feature Set Comparisons

West Coast Labs was asked to compile a comparative feature list for each of the products included in this test. This information has been gathered from freely available marketing literature of those companies included in this test. Research was carried out during September and October 2010 using the reference points detailed on the following pages.

As this information is gathered from marketing and other such materials, the information contained within the following tables should be taken as a high level overview and does not constitute a comparison of those features that were examined as part of the extended malware testing.
Kaspersky Product Comparison: Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition

Feature | KAV 8.0 for Microsoft ISA/TMG SE | Microsoft Forefront Threat Management Gateway 2010

1. System Requirements
Minimum Processor Spec | 1 GHz processor for ISA Server 2006 Standard Edition and 64-bit dual-core processor for Forefront TMG Standard Edition | Not specified
Minimum RAM Spec | 1 GB RAM for ISA Server 2006 Standard Edition and 2 GB RAM for Forefront TMG Standard Edition | 2 GB
Minimum available Hard Disk Space | 2.5 GB | 2.5 GB

2. Operating Systems Supported
Windows 2008 R2 | Yes | Yes
Windows 2008 SP2 | Yes | Yes
Microsoft Windows Server 2003 SP2 | Yes | Yes
Microsoft Windows Server 2003 R2 | Yes | Yes

3. 3rd party platforms/software supported
Supports Microsoft Forefront TMG | Yes | Yes
Compatibility with VMware (VMware Ready) | Yes |

4. Security Technology components
Anti-Virus detection | Yes | Yes

5. Key Product Features
Anti-Virus engine
Detected objects: viruses, mass-mailer worms, Trojan horses, spam, spyware | Yes | Yes
Real-time antivirus protection | Yes | Yes
Update rate anti-virus | every 1-2 hours | not specified
Creation of backup copies | Yes | Yes*
Scanning traffic
Scanning of HTTP and FTP traffic | Yes | Yes
Scanning of HTTPS traffic (Forefront TMG only) | Yes | Yes
Scanning of POP3 and SMTP traffic | Yes | Provides management, but needs separate product for Exchange
Scanning of HTTP and FTP traffic from published servers | Yes | Yes
Scanning of VPN connections | Yes | Yes
Anti-Virus Settings
Exclusions from scanning | Yes | Yes
Flexible policy settings | Yes | Yes
Administration
Management via MMC | Yes | Yes
Monitoring of application status through the administration console | Yes | Yes
Flexible policy management | Yes | Yes
Support for non-standard FTP commands | Yes | Yes
Export and import of settings details | Yes | Yes
Notification system | Yes | Yes
Logging system | Yes | Yes
Detailed reports | Yes | Yes
Control over performance through the Windows Performance Monitor | Yes | Yes
Performance
Automatic scalability | Yes | Yes
Server load balancing | Yes | not specified
Optimal use of system resources | Yes | Yes

*This solution offers a comparable technology but is not referred to specifically by this name, or this technology is not specifically documented in the publicly available literature.
Kaspersky Product Comparison: Kaspersky Security 8.0 for Microsoft Exchange Servers

Feature | Kaspersky Security | Symantec Mail Security | Trend Micro ScanMail | McAfee GroupShield | Sophos PureMessage | ESET Mail Security 4

1. System Requirements
RAM | 256 MB recommended (5MB of RAM per mailbox) | 1 GB | 1GB RAM, 2GB RAM recommended | 512 MB minimum, 1 GB recommended | 256 MB to 2 GB (services) | 2 GB
Available disk space required | 512 MB | 352 MB | 1GB | 740 MB minimum | Console: 150 MB, Services: up to 2 GB | 1.9 GB

2. Operating Systems Supported
Microsoft Exchange Server 2010 | Yes | Yes | Yes | Yes | Yes | Yes
Microsoft Exchange Server 2007 | Yes | Yes | Yes | Yes | Yes | Yes
Microsoft Windows Server 2008 R2 | Yes Yes Yes Yes
Other Software Information | Microsoft Exchange 2003 is supported by another version – Kaspersky Security for Microsoft Exchange 2003 | Exchange 2010, 64 bit Windows, VMware and Hyper-V Virtualized environments | Native 64-bit support for Exchange 2010 and 2007; 32-bit support for Exchange 2003/2000 | Windows 2000-2003 | Windows 2000-2003 | Windows 2000-2003

3. Security Technology components
Anti-Virus detection | Yes | Yes | Yes | Yes | Yes | Yes
Anti-Spam detection | Yes | Yes | Yes | Yes | Yes | Yes
Heuristic analyzer | Yes | Yes | Yes | Yes | Yes | Yes
Linguistic analyzer | Yes | not specified | Yes* | not specified | Yes | No
Real-time UDS requests | Yes | not specified | not specified | Yes* | not specified | No
Graphical signature analyzer | Yes | not specified | Yes | No | Yes | No
SPF and SURBL technologies | Yes | No | No | No | No | No

4. Key Product Features
Anti-Virus engine
Detected objects: viruses, mass-mailer worms, Trojan horses, spam, spyware | Yes | Yes | Yes | Yes | Yes | Yes
Real-time antivirus protection | Yes | Yes | Yes | Yes | Yes | Yes
Background on-demand scanning | Yes | Yes | Yes | Yes | Yes | Yes
Update rate anti-virus | every 1-2 hours | “rapid release definitions” | “immediate protection” | “AutoUpdate” | “Updates automatically” | No
Anti-Spam engine
Classification of incoming messages | Yes | Yes | Yes | Yes | Yes | Yes
Spam detection for different languages | Yes | No* | No* | No | Yes | No
Update rate antispam | every 5 min | not specified | not specified | not specified | “constantly” | No
Anti-Spam settings
Intensity level | Yes | Yes | Yes | Yes | Yes | Yes
Black and white listing | Yes | Yes | Yes | Yes | Yes | Yes
Configurable scanning exceptions | Yes | Yes* | Yes | Yes | Yes* | Yes
Anti-Virus Settings
Configurable scanning exceptions | Yes | Yes | Yes | Yes | Yes | Yes
Whitelisting | Yes | No | Yes | Yes | No | No
Creation of backup copies | Yes No
In-memory scanning | Yes | No | No | Yes | No* | No*
Administration and notifications via MMC | Yes | No | No | No | No | No
Notification system | Yes | Yes | Yes | Yes | Yes | Yes
Logging system | Yes | Yes | Yes | Yes | Yes | Yes
Detailed reports | Yes | Yes | Yes | Yes | Yes | No*
Performance
Automatic scalability | Yes | No | No | No | No | No
Optimal use of system resources | Yes | Yes | Yes | Yes | Yes | Yes
Server Architecture
Clusters support | Yes | Yes | Yes | Yes | No | No
Compatibility with DAG in Microsoft Exchange 2010 | Yes | Yes | Yes* | Yes | Yes | No
VMware ready | Yes | Yes | No | No | No | No

*This solution offers a comparable technology but is not referred to specifically by this name, or this technology is not specifically documented in the publicly available literature.
Kaspersky Product Comparison: Kaspersky Anti-Virus 8.0 for Linux File Server

Feature | KAV 8.0 for Linux FS | Symantec Endpoint Protection | Trend Micro ServerProtect for Linux † | McAfee VirusScan Enterprise | Sophos Anti-Virus for Linux † | ESET File Security for Linux/BSD/Solaris

1. System Requirements
Processor | Intel Pentium II processor 400 MHz or higher | Intel Pentium processor (or compatible) | Intel Pentium II 266 MHz or higher | Intel x86 or x64; AMD x64 | no information | i386 (Intel 80386), AMD64 (x86_64) architecture (32-bit and 64-bit)
RAM | 512 MB RAM | 1 GB RAM | 256 MB min | 256 MB min | 256 MB | 32 MB
Disk space | Cache size 1GB or higher | 2 GB hard disk space for installation and 4 GB temporary files | 50 MB for /opt + 50 MB for /tmp | 500 MB | 100 MB min | 32 MB

2. Operating Systems Supported
KAV 8.0 for Linux FS: Red Hat Enterprise Linux 5.5 Server; Fedora 13; CentOS-5.5; SUSE Linux Enterprise Server 10 SP3, 11 SP1; Novell OES 2 SP2; openSUSE Linux 11.3; Mandriva Enterprise Server 5.1 (32 bit only); Ubuntu 9.10 Server Edition; Ubuntu 10.04 LTS Server Edition; Debian GNU/Linux 5.0.5; FreeBSD 7.3, 8.1
Symantec Endpoint Protection: Red Hat Enterprise Linux 3.x, 4.x, 5.x; Fedora Core 10, 11, and 12; CentOS 4.x, 5.x; SuSE Linux Enterprise (server/desktop) 9.x, 10.x; Novell Open Enterprise Server (OES/OES2); openSUSE Linux 10/10.1; Ubuntu 7.x, 8.x; Debian 4.x
Trend Micro ServerProtect for Linux: Red Hat Enterprise Linux (AS, ES, WS) 4.0; SuSE Linux Enterprise Server 9; Novell Linux Desktop 9; Debian 3.1; Miracle Linux 4.0; Asianux 2.0/3.0
McAfee VirusScan Enterprise: Red Hat Enterprise 4.x, 5.x; SuSE Linux Enterprise Server/Desktop 9.x, 10x, 11; TurboLinux 10/11 Server; Ubuntu 8.04, 9.04, 9.10
Sophos Anti-Virus for Linux: Red Hat Enterprise 3, 4, 5; SuSE Linux Enterprise Server 8, 9, 10, 11; Desktop 10; Ubuntu LTS Server Edition 6.06/8.04
ESET File Security for Linux/BSD/Solaris: Linux Kernel version 2.2.x, 2.4.x or 2.6.x; glibc 2.2.5 or higher; Sun Solaris 10; FreeBSD: Version 5.x, 6.x, 7.x; NetBSD 4.x; Dazuko kernel module 2.0.0 or higher (optional)

3. Security Technology components
Anti-Virus detection | Yes | Yes | Yes | Yes | Yes | Yes
Backup/Quarantine | Yes | Yes | Yes | Yes | Yes | Yes

4. Key Product Features
Anti-Virus engine
Detected objects: viruses, Trojan horses, spyware | Yes | Yes | Yes | Yes | Yes | Yes
Real-time antivirus protection | Yes | Yes | Yes | Yes | Yes | Yes
Background on-request or on-demand scanning | Yes | Yes* | Yes | Yes* | Yes | Yes
Update rate anti-virus | every 1-2 hours | daily | every 1 hour | every 1 hour | “as often as every 10 minutes” | daily
Creation of backup copies | Yes | No* | No* | No* | No* | No*
Scanning of critical system areas | Yes | Yes | Yes | Yes | Yes | Yes*
Scans and treats archived files | Yes | Yes | Yes | Yes | Yes | Yes
Anti-Virus Settings
Assigning trusted zones/users | Yes | Yes | No* | No* | Yes | No*
Flexible setting of scan times | Yes | No* | Yes | No* | Yes | No*
Additional settings for Samba servers | Yes | No* | No* | No* | Yes | No*
Administration
Centralized administration | Yes | Yes | Yes | Yes | Yes | Yes
Administration via Kaspersky Web Management Console | Yes | n/a | n/a | n/a | n/a | n/a
Command line administration | Yes | Yes | No* | No* | Yes | Yes
Notification system | Yes | Yes | Yes | Yes | Yes | Yes
Logging system | Yes | Yes | Yes | Yes | Yes | Yes
Detailed reports (PDF, XLS, CSV, etc.) | Yes | Yes | Yes | Yes | Yes | Yes
Performance
Automatic scalability | Yes | Yes | Yes* | Yes* | Yes* | Yes*
Optimal use of system resources | Yes | Yes* | Yes* | Yes* | Yes* | Yes*
Server load balancing | Yes | Yes* | Yes* | Yes* | Yes* | Yes*
Continuous server operation | Yes | Yes | Yes | Yes | Yes | Yes

† The McAfee and Sophos products support other Linux implementations but only for on-demand scanning, not on-access scanning.
*This solution offers a comparable technology but is not referred to specifically by this name, or this technology is not specifically documented in the publicly available literature.
Kaspersky Product Comparison: Kaspersky Anti-Virus 8.0 for Lotus Domino

Feature | KAV 8.0 for Lotus Domino | Symantec Mail Security for Domino Multi-platform Edition | Trend Micro ScanMail | McAfee GroupShield | Sophos PureMessage for Lotus Domino | ESET Mail Security for Lotus Domino Server

1. System Requirements
Processor | Intel Pentium 32 bit / 64 bit (or equivalent) or higher | 1 GHz Pentium or Higher | Intel Pentium P4 or higher | Intel or compatible 133 MHz processor | Not specified | Not specified
Memory | 512 MB of RAM (1GB or more recommended) | 512 MB of RAM (1GB or more recommended) | 256 MB - 1 GB (depends on platform) | 256 MB or higher | 256 MB | Not specified
Disk space to install | 1 GB of free space on the hard drive (3 GB or more recommended); recommended size of swap file: 2 times larger than the physical memory | 300 MB minimum | 300 - 800 MB | 1 GB | 500 MB | Not specified

2. Operating Systems Supported
Microsoft Windows 2000 | Yes | Yes | Yes | Yes | Yes | Yes
Microsoft Windows Server 2003 x32/x64 | Yes | Yes | Yes | Yes | Yes | Yes (32 bit only)
Novell SuSE Linux Enterprise Server 9, 10, 11 x32/x64 | Yes | Yes | 9, 10 | 10 | No | No
Red Hat Enterprise Linux 4, 5 x32/x64 | Yes | Yes | Yes | 5.x | No | No
Supported Lotus Notes/Domino servers: Lotus Notes/Domino version 6.5, 7.0, 8.0, 8.5 | Yes | 7.x or later | Yes | 6.x or later | 7, 8.x | Yes

3. 3rd party platforms/software supported
Supports Linux | Yes | Yes | Yes | Yes | No | No
Compatibility with VMware (VMware Ready) | Yes | No | No | No | No | No

4. Security Technology components
Anti-Virus detection | Yes | Yes | Yes | Yes | Yes | Yes

5. Key Product Features
Anti-Virus engine
Detected objects: viruses, mass-mailer worms, Trojan horses, spam, spyware | Yes | Yes | Yes | Yes | Yes | Yes
Real-time antivirus protection | Yes | Yes | Yes | Yes | Yes | Yes
Background on-request or on-demand scanning | Yes | Yes | Yes | Yes | No | No
Update rate anti-virus | every 1-2 hours | not specified | “immediate protection” | “Always up to date” | “Latest protection” | not specified
Creation of backup copies/Quarantine | Yes | Yes | Yes | Yes | Yes | Yes
Protection against malware outbreaks | Yes Yes Yes Yes Yes
Scans and treats attachments, including archived files | Yes | Yes | Yes | Yes* | Yes* | Yes*
Lotus Domino specific features
Scanning of databases, documents and other objects | Yes | Yes* | Yes* | Yes | Yes | Yes
Anti-Virus Settings
Exclusions from scanning | Yes | Yes | Yes | Yes | Yes | Yes
Administration
Centralized management of server groups | Yes Yes* Yes Yes Yes
Distributed management of protection parameters | Yes | Yes | No | No | No | No
Replication of application statistics | Yes | No | No | No | No | No
Control of inserted parameters | Yes | No | No | No | No | No
Role-based administration and management of access rights | Yes | Yes | No | Yes | Yes | No
Installation and management via a web interface | Yes | No* | No* | Yes | Yes | No
Installation and management via the Lotus Notes Client | Yes | No* | No* | Yes | Yes | Yes
Notification system | Yes | Yes | Yes | Yes | Yes | Yes
Logging system | Yes | Yes | Yes | Yes | Yes | Yes
Detailed reports | Yes Yes Yes Yes Yes
Performance
Automatic scalability | Yes | No* | No* | No* | Yes | No
Scalable configuration | Yes | Yes | Yes | Yes | Yes | No
Optimal use of system resources | Yes | “Optimized for high performance” | “Optimized for high performance” | “reduced server load” | No* | No
Server load balancing | Yes | No | No | No | No | No
Flexible adjustment of server load | Yes | No | No | No | No | No
Server Architecture
Supports operation in server clusters | Yes | Yes | Yes | Yes* | Yes* | No

*This solution offers a comparable technology but is not referred to specifically by this name, or this technology is not specifically documented in the publicly available literature.