Bake-Off: Desktop Security Suites
Despite all the attention being paid to unified threat management systems, secure gateways and mail security, desktop security remains one of the most critical applications for today's PCs. Despite the best efforts of the IT department, individual systems need to be protected from malware such as worms, Trojans, viruses, keyloggers, phish attacks, spam, pharming, zombies, spyware and adware (to name a few). While everyone knows the basics (installing and regularly updating a security suite and enabling a personal firewall), very few people stop to consider whether these tools are really effective in protecting against the many different types of threats.
The wide variety of channel-friendly vendors can make the selection process simple and difficult at the same time. For this month's Bake-Off on desktop security suites, the CRN Test Center looked at security suites from Symantec Corp., Cupertino, Calif.; Moscow-based Kaspersky Labs; CA, Islandia, N.Y.; McAfee, Santa Clara, Calif.; and Trend Micro, Cupertino, Calif.
McAfee Internet Security Center
The McAfee Internet Security Center has an easy-to-use interface. Split into frames, the left window houses a menu list of available sections, while the right displays information and option settings related to the selected action. Notable features include the capability to manage the network, with a diagram of how the network is mapped out. A lockdown feature blocks all traffic immediately with the click of a single button.
Besides doing virus scans and monitoring the Internet traffic, the Security Center has a QuickClean function that allows the user to delete any or all temporary files such as cookies and the cache. Although this can be done in almost every browser, McAfee's implementation is much more comprehensive. In addition, obsolete files can be shredded to make sure that they are permanently deleted.
During testing, McAfee did very well in protecting our system. It immediately detected and blocked all the rogue Web sites we attempted to visit except for one. Two of the sites were blocked with a pop-up above the system tray explaining which infection it was blocking. Another brought up a warning that the site was listed in McAfee's online SiteAdvisor database as a reported repository for viruses and scripts.
The Security Center was not perfect, however: it did allow us to browse to one site that runs a malicious script when visited. This was all the more disconcerting to reviewers when the same site was visited using Firefox 3, which immediately brought up a warning that the site was reported in Mozilla's database as being unsafe. When reviewers manually checked the site with McAfee's SiteAdvisor, the application reported back with a green check mark stating it was tested and no significant problems were found.
Overall, McAfee's security solution is fairly robust. For the most part, the installation is automatic and the default settings do a good job of protecting the system when it is on. It was able to catch and block unsafe Web sites that some of its competitors couldn't, but there's still room for improvement.
Norton Internet Security 2009 (Beta)
Symantec submitted the only beta product in this review, the Norton Internet Security 2009. The company said during a briefing that the product was more or less in its final state to fit within the parameters outlined for this roundup. Care was taken to ensure the security tests were conducted with the latest definitions database applied.
The new Norton is broken out in three areas: computer, Internet and identity. The computer panel shows the settings for antivirus, antispyware and advanced protection. The Internet panel has smart firewall, intrusion prevention and e-mail scanning. The identity panel has Identity Safe and antiphishing. A little widget on the left side of the screen shows total CPU usage and how much Norton is using. The application never exceeded 5 percent, even during the full system scan.
Installation was done in 40 seconds and was entirely painless. There was no need to reboot the system after installation, so reviewers began the scan of the clean system immediately. About 15 minutes in, the application returned an error and had to close. It made an attempt to connect with Norton's support Web site to explain what the error was. Reviewers just rebooted the system and restarted the scan; it completed successfully 45 minutes later.
The features are fairly standard and easy to configure. The language is simple to understand. Every time an application tried to access the network, the application logged it but did not display the pop-up boxes, which were limited to infections or things that actually required user intervention. During security testing, a virus tried to access the registry; Norton quietly blocked and removed it but didn't issue an alert. Although it was not very successful at preventing malware from entering the system, the application partially redeemed itself by cleaning up the system.
Kaspersky Internet Security 2009
The Kaspersky Internet Security 2009 features an updated antimalware engine that reportedly scans the system faster than previous versions. The software scans for malware in a variety of ways, including traditional blacklist and whitelist methods, to analyze unknown code to identify whether it can cause harm. The system pops up little messages in the corner of the screen with alerts, but for the most part works quietly without needing much user intervention.
The Kaspersky Security Analyzer, based on vulnerability intelligence technology from Denmark-based Secunia, scans for vulnerabilities, which can take the form of unpatched applications or commonly used configurations that are security risks. The analyzer points users to a Web site with detailed information on how to fix the vulnerability. Kaspersky 2009 also offers firewall rules, application monitoring, an antiphishing virtual keyboard to thwart keyloggers, and parental controls.
Kaspersky 2009 uses a color-coded banner at the top of the application to alert users when action must be taken. The first time, since the definition databases were out-of-date, the banner was red; once the update was performed, the banner went back to normal. Later on, when the analyzer found vulnerabilities, the banner turned yellow to indicate there were noncritical actions waiting to be performed. The initial full-system scan on a clean system took an hour and 12 minutes, but the two subsequent scans (that found malware) were much faster, clocking in at 12 minutes, 12 seconds and 45 minutes.
On the test, Kaspersky 2009 successfully prevented only one Trojan (JS Agent) from downloading by diverting the browser to its own page with a red banner, warning the user of the attempt, the name of the threat and the URL of the site. This is also logged by the system. It was unable to detect scripts running or other Trojans being downloaded. After scanning to try to remove the malware that had been downloaded, the suite did not find them at all, which was worrisome. The suite was disabled manually and the initially blocked Trojan was downloaded intentionally. The third scan detected and successfully removed that Trojan but did not find the others.
The reporting interface was comprehensive, with the ability to compare multiple scan reports at once with detailed descriptions of the location of the vulnerabilities, threats and adware. The reports sometimes seemed a little hard to read, and the ability to detect malware being downloaded from rogue Internet sites did not exactly inspire confidence.
Trend Micro Internet Security v.16.10.1079
Trend Micro's Internet Security version 16.10.1079 features a number of in-the-box controls like Prevent Unauthorized Changes, a personal firewall and a wireless home network monitor. The interface is intuitive and easy to navigate. The goal of this product is to provide a complete Internet security solution, so not only are the standard antimalware features in place, there are also additional controls like an antispam filter, parental controls and data theft controls.
The parental controls, combined with the ability to password-protect changes to Internet Security settings, are an effective way to keep a computer family-safe. That is, until the kids find another way around the controls.
The data theft protection control allows a user to protect passwords, login names and credit-card numbers. This feature prevents instant messaging software, outbound SMTP messages and Web pages from using any of the above specified data without a user's explicit permission.
Trend Micro's Internet Security application has some good features; the parental controls and the data theft preventions aid in adding security to a machine. The on-the-fly Internet malware detection, though, is lacking.
CA Internet Security Suite Plus 2008
After testing CA Internet Security Suite Plus 2008 with some of the latest Trojans in the wild, reviewers got mixed results when testing the critical antimalware tools.
CA's suite installation is straightforward. The suite uses CLucene and libspf2 (LGPL) open-source libraries for searching and sending e-mails, respectively. By default, the suite installs parental controls, antivirus, antispyware, antispam, Web Site Inspector, Desktop DNA Migrator and a personal firewall. While all of the tools are turned on, not all of the settings are enabled. In addition, the personal firewall detects the Ethernet NIC and asks whether to place it in the safe zone. The firewall also asks users to manage applications that are communicating over network ports. Security Center provides an overall control panel. By selecting a tool in the panel, users can quickly modify security features in each tool.
CA's Antivirus tool identified a Trojan code named JS/SillyDIScript.EB in the first Web site. The Trojan was quarantined and deleted. The second Web site had the same Trojan, according to the CA tool. The antivirus tool had a reboot option so that the Trojan could be eliminated immediately from the system. Apparently, if you travel to an infected site more than once, the antivirus tool asks the user to reboot the PC to make sure that the files are completely deleted. IE flagged a warning not to install and run a Remote Data Services program.
CA's suite did not identify any malware in the third Web site. By contrast, IE had the same RDS warning. Likewise, no malware was identified in the fourth Web site. The last Web site showed some characters on the Web page but that's all. The suite also failed to identify any malware on the Web site.
Bottom Line
IT administrators, solution providers and users have long wondered whether security suites really justified their high prices. Despite vendor claims of "thorough and comprehensive" protection, the CRN Test Center had very uneven and unsatisfactory results in testing. While McAfee managed to do better on the security test, it wasn't perfect. Symantec placed second because while on-the-spot detection was weak, it did manage to clean up after itself. Trend Micro and Kaspersky Labs were essentially a tie. They both have a strong channel presence, but Kaspersky had a bit more oomph in its reporting capabilities. CA, a relative newcomer to the security suite space, is about on par with all except McAfee.
Product testing and evaluation for this story were done by Mario Morejon, Fahmida Y. Rashid, Samara Lynn and Brian Sheinberg.
