Beyond Testing: What Really Matters. Andreas Marx CEO, AV-TEST GmbH

Beyond Testing: What Really Matters
Andreas Marx, CEO, AV-TEST GmbH
Microsoft Security Response Alliance Summit 2013 - July 10th, 2013

AGENDA
- About AV-TEST GmbH
- Innovations and Presentations
- The AV-TEST Approach, Part 1: Protection, Performance, Usability and Repair
- Microsoft as Baseline
- The AV-TEST Approach, Part 2
- Summary
- Q&A

ABOUT AV-TEST GMBH
Decades of experience in the field of virus research and analysing antivirus software
- We are a globally acting and independent service provider in the field of IT security and antivirus research.
- We have almost 20 years of experience in the field of malware and antivirus software.
- We process more than 700 Terabytes of testing data, including 120 million clean files and 150 million malware samples.
- We feature more than 1 Petabyte of storage space, with over 300 client and server systems.
- We offer 30 employees and several students a secure, varied and interesting position.

ABOUT AV-TEST GMBH
The AV-TEST Institute in Magdeburg/Germany: high-tech in historical ambience (photo)

WHERE IS MAGDEBURG?
Our region is the cultural heart of Germany (map: IMG Investment and Marketing Corporation Saxony-Anhalt)

INNOVATIONS AND PRESENTATIONS
Find our research papers and conference presentations on www.av-test.org/en/publications

INNOVATIONS AND PRESENTATIONS
The story so far (timeline figure; labels as extracted, years marked on the timeline: 2003, 2004, 2005, 2012, 2013): AV-TEST was founded; Porn Dialers; Disinfection Disasters; Insecurity in Security Software; 'Dynamic Detection'; Exploit Prevention; Retrospective Testing; Outbreak Response Times; The WildList is Dead; 'In-the-cloud' Scanning; Android Security Product Testing

INNOVATIONS AND PRESENTATIONS
Retrospective Testing - How Good Heuristics Really Work (VB Conference)
- At the time of writing, this was a state-of-the-art single-feature test, but such tests are now obsolete: on-demand tests are outdated, you cannot freeze AV updates anymore, cloud access should not be limited, and single features should no longer be tested in isolation.

INNOVATIONS AND PRESENTATIONS
(Porn) Dialers - Another Class of Malware? (VB Magazine 12/ )
- At that time, dialers were a heavy problem in the Windows world; now the problem has shifted to mobile phones (especially in the Android space), calling expensive numbers or sending out text messages.

INNOVATIONS AND PRESENTATIONS
The Sober Effect: Disinfection Disasters (VB Magazine 12/2003)
- Products had problems effectively cleaning up infected systems, e.g. due to the self-protection of malware (tasks cannot easily be killed)
- Fact: repair is still one of the most challenging things these days
- Many more papers and presentations by us followed; still, disinfection is often not tested at all or not tested properly

INNOVATIONS AND PRESENTATIONS
Antivirus Outbreak Response Testing and Impact (VB Conference 2004)
- How long does it take until signature updates are publicly available in cases of major worm outbreaks?
- Still a valid question, but replace the word "outbreaks" with "background noise malware": something around 200,000 unique samples per day
- Ideal protection is when the malware is blocked at the time it arrives at the system (it doesn't matter if this is an hour or just a minute before, as long as the system is not compromised)

INNOVATIONS AND PRESENTATIONS
Insecurity in Security Software (VB Conference 2005)
- The paradox: security software is meant to secure the system, but nowadays it introduces new security holes.
- Every error could be security relevant when it happens in security software!
- Trustworthy Computing development lifecycle: Secure by Design, Secure by Default, Secure in Deployment, Communications

INNOVATIONS AND PRESENTATIONS
The WildList is Dead, Long Live the WildList! (VB Conference)
- Problems at this time: the changing threat landscape, the number of malware samples, nobody wants to report, outdated WildList
- Problems today: the changing threat landscape, the number of malware samples, nobody wants to report, outdated WildList
- Quite a lot of suggestions have been made to make it better
- Main issue: WildList tests are easy to pass (you know the test set in advance); they are good for marketing purposes, but don't tell you anything about the real capabilities of AV programs

INNOVATIONS AND PRESENTATIONS
Testing of 'Dynamic Detection' (AVAR Conference)
- Historic: static detection as part of the traditional way of AV testing
- Newly introduced: dynamic detection -- and we demonstrated how to test it
- First full-feature Real World test description presented more than 6 years ago (the first Real World tests have started earlier in the year )
- Ideal setup: real (not virtualized) hardware; base system with recent operating system and patch level; default settings of products under test; high volume and many different malware types; use the appropriate introduction vector (e.g. e-mail, web, download, P2P, USB key, network port); record the impact of the security software and compare the result to the actions of the malware on the clean base system; check for detection, reporting and blocking
- With some minor changes, most parts of the setup are still valid

INNOVATIONS AND PRESENTATIONS
Why In-the-cloud Scanning is not a Solution (VB Conference)
- In-the-cloud scanning is helping the vendors to get their static detection rates up
- With reputation systems and further statistical analysis, those approaches can help even further in detecting malware
- But: in-the-cloud scanning is still only a part of a whole security infrastructure (and not every product can access the cloud, e.g. in critical infrastructures)
- New (much better!) developments these days: reputation services instead of pure blacklisting and whitelisting

INNOVATIONS AND PRESENTATIONS
Testing Exploit-Prevention Mechanisms in Anti-Malware Products (CARO Workshop)
- Extension to the Real World testing methodology from to cover drive-by attacks etc.
- Testing needs to reflect these additional protection mechanisms: whole-product evaluation instead of only testing (possibly misleading) on-demand scanning capabilities

INNOVATIONS AND PRESENTATIONS
Android Security Product Testing (AVAR Conference 2012)
- Wrong focus in the past: are malware detection and all the other technical features really the most important items?
- Problem: results don't help the user to choose the right product according to his or her needs
- What really matters:
  - What happens when I lose my phone? Can I get it back? -> Anti-Theft (Locate Device)
  - Is my data safe? -> Remote Wipe, Remote Lock, Encryption
  - Can I get my data back? -> Online Backup
  - Is my privacy ensured? Which apps spy on me, and can security software tell me and protect me?
  - Is malware or adware a problem for me? -> Malware and PUA detection rates
  - I want to protect my child from inappropriate content on the phone. -> Parental Control

INNOVATIONS AND PRESENTATIONS
A wide range of other security-related areas are covered, too, e.g.:
- Spam More Dangerous than Ever Before
- Google vs. Bing: Search Engines Deliver Infected Websites as Their Top Results

THE AV-TEST APPROACH PART 1
More than 3,000 individual and comparative tests per year, in three categories: Mobile Devices, Home User, Corporate User

THE AV-TEST APPROACH PART 1
- PROTECTION: tested monthly
- PERFORMANCE: tested every second month
- USABILITY: tested every second month
- REPAIR: tested bimonthly during the last years, now 1 to 2 times a year

THE AV-TEST APPROACH PART 1
Baseline: all results are presented together and are comparable against the industry average and Microsoft as baseline.

THE AV-TEST APPROACH PART 1
Products are tested having these items in mind:
- Home user products: use default settings only
- Corporate products: test with settings as provided (suggested) by the vendor
- Always the most current publicly available version of all products
- Products can update themselves at any time and query their in-the-cloud services
- Products have to demonstrate their capabilities using all components and protection layers (nothing is deactivated)
- Vendor review (feedback) phase after the end of the testing phase (usually around two weeks)

THE AV-TEST APPROACH PART 1: PROTECTION
Protection against malware infections (such as viruses, worms or Trojan horses)
- Protection against 0-day malware attacks, inclusive of web and e-mail threats ("Real World Testing")
- More than 100 samples per test run and product
- Manual work, with automation in place for preparation and for tracking system changes on the file system, registry, processes, threads and network; no replay tests
- All items are reviewed (with different IP addresses) at (almost) the same time for all products, using the real internet (in a safe way for other internet users)
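The Real World setup described on the 'Dynamic Detection' slide (record what the sample does on the clean base system, compare it with the product run, check detection, reporting and blocking) and the system-change tracking above, as an added Python example that is not AV-TEST's own tooling; the snapshot layout, paths and addresses are constructed assumptions:

```python
# Constructed example (not AV-TEST's tooling): a snapshot/diff check for a
# Real World test run. Names, paths and addresses are assumptions.
from dataclasses import dataclass

CATEGORIES = ("files", "registry", "processes", "network")


@dataclass(frozen=True)
class Snapshot:
    """System state captured before and after a sample is introduced."""
    files: frozenset
    registry: frozenset
    processes: frozenset
    network: frozenset


def changes(before: Snapshot, after: Snapshot) -> dict:
    """Items that appeared between two snapshots, per category."""
    return {c: getattr(after, c) - getattr(before, c) for c in CATEGORIES}


def assess(reference: dict, with_product: dict, alerted: bool) -> dict:
    """Compare what the sample did on the clean base system (reference)
    with what was observed while the product under test was installed.

    The product's own activity (log files, cloud queries, its own
    processes) also changes the system, so only artifacts the sample
    produced on the clean baseline count against the product.
    """
    if not any(reference.values()):
        raise ValueError("sample did nothing on the clean base system")
    remaining = {c: with_product[c] & reference[c] for c in CATEGORIES}
    blocked = not any(remaining.values())
    if blocked:
        verdict = "blocked" if alerted else "blocked-without-report"
    elif alerted:
        verdict = "alerted-but-compromised"  # reported, yet artifacts remain
    else:
        verdict = "missed"
    return {"verdict": verdict, "detected": alerted, "blocked": blocked,
            "remaining": {c: sorted(v) for c, v in remaining.items() if v}}


# Constructed data: the clean base system before and after the sample ran.
CLEAN_BEFORE = Snapshot(
    files=frozenset({r"C:\Windows\explorer.exe"}), registry=frozenset(),
    processes=frozenset({"explorer.exe"}), network=frozenset())
CLEAN_AFTER = Snapshot(
    files=frozenset({r"C:\Windows\explorer.exe",
                     r"C:\Users\test\AppData\Roaming\upd.exe"}),
    registry=frozenset({r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"}),
    processes=frozenset({"explorer.exe", "upd.exe"}),
    network=frozenset({"tcp:198.51.100.7:443"}))
REFERENCE = changes(CLEAN_BEFORE, CLEAN_AFTER)

# Same sample with a product installed: the product wrote its own log and
# made a cloud query, the dropper and its process never appeared, but the
# Run key was still written, so the system is not fully clean.
PRODUCT_BEFORE = Snapshot(
    files=frozenset({r"C:\Windows\explorer.exe", r"C:\Program Files\AV\av.exe"}),
    registry=frozenset(), processes=frozenset({"explorer.exe", "av.exe"}),
    network=frozenset())
PRODUCT_AFTER = Snapshot(
    files=frozenset({r"C:\Windows\explorer.exe", r"C:\Program Files\AV\av.exe",
                     r"C:\Program Files\AV\scan.log"}),
    registry=frozenset({r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"}),
    processes=frozenset({"explorer.exe", "av.exe"}),
    network=frozenset({"tcp:203.0.113.5:443"}))


def run_example() -> dict:
    """Assess the constructed product run (the product raised an alert)."""
    return assess(REFERENCE, changes(PRODUCT_BEFORE, PRODUCT_AFTER), alerted=True)
```

run_example() returns the verdict "alerted-but-compromised" with the leftover Run key listed under "remaining", the case a pure on-demand scan result would never reveal.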

THE AV-TEST APPROACH PART 1: PROTECTION
Detection of widespread and prevalent malware discovered in the last 4 weeks (the AV-TEST reference set)
- Also using a full Real World approach: all 10,000 to 15,000 samples are not only scanned, but all misses are executed, too!
- Only prevalent samples are used (based on telemetry data received from many sources, incl. Microsoft)
- Products without an on-demand scanner are testable using the same criteria, e.g. whitelisting solutions can be tested in the same test as traditional AV products

THE AV-TEST APPROACH PART 1: PERFORMANCE
Average influence of the product on computer speed in daily usage
- Use cases: visiting websites, downloading software, installing and running programs, and copying data
- What a normal user does; some items are not covered, e.g. system start-up time, as many products are cheating here and it's not clear when the system is really up and the guard is fully working
- A low performance impact is important (as this is what users are experiencing every day)

THE AV-TEST APPROACH PART 1: USABILITY
Impact of the security software on the usability of the whole computer
- False warnings or blockages when visiting websites
- False detections of legitimate software as malware during a system scan
- False warnings concerning certain actions carried out whilst installing and using legitimate software
- False blockages of certain actions carried out whilst installing and using legitimate software
- This includes the impact of the suite on the usability of the whole system: all kinds of noise messages only a human tester will see, and details which might be missed if a fully automated testing system is in place
- All tests are static and dynamic, simulating the whole user experience, using a Real World test approach

THE AV-TEST APPROACH PART 1: REPAIR
Cleaning and repair of a malware-infected computer
- Detection of actively running widespread malware (including rootkits and stealth malware)
- Removal of all active components of widespread malware (including rootkits and stealth malware)
- Removal of further malicious components and remediation of critical system modifications
In case of an infection, repair gets important. We test it less frequently now, but with more samples and covering more test criteria, including:
- Malware is activated before the security product is installed (and not only after the AV/ISS software is running)
- All kinds of offered rescue options are used, including the product itself, stand-alone cleaning utilities and rescue CDs
- Not all products and OS can be tested equally (e.g. Microsoft Windows 8 comes with Defender out-of-box)

WHY MICROSOFT AS BASELINE?
Microsoft baseline: the out-of-box protection
- Windows 8 includes Windows Defender as a full-feature anti-virus program
- For older OS, Microsoft Security Essentials is available free of charge from the OS vendor
Question: why should I install a different AV when a baseline protection is available for free?
- Free AV: might want user data, display ads
- Paid AV: why pay, what extras can I get?
What can 3rd-party tools do better than the baseline? Let's focus on this!

WHY MICROSOFT AS BASELINE?
How good is the Microsoft baseline in the Windows world?
- Protection: scores usually in the area of 85-95% in our tests; not very good, leaves room for improvements
- Performance: good to very good; many 3rd-party products are slower
- Usability: excellent; we can rarely see any false positive or misleading warning message
- Repair: overall good results, much better than the industry average

WHY MICROSOFT AS BASELINE?
How good is the Microsoft baseline (85-95% protection) compared with other OS out-of-box protections? As tested by AV-TEST in 2013:
- Google Android (App Verification): cloud service, only available for Android 4.2 and up, not enabled by default, hard to test (only a few valid responses until the system switches to a random mode), but protection against Android malware is less than 50% (more than 900,000 Android malware samples exist)
- Apple (OS X Gatekeeper): blocks less than 50% of OS X malware threats (we know about 2,000 different samples for the Apple platform), but the protection can be configured in a more secure way, e.g. to deny all apps without a valid developer ID from Apple
- Linux (ClamAV?): blocks about 60% of Linux-related malware (about 5,000 samples are known to us); good response times to new threats, acceptable scan speed, extremely high number of false positives for certain file types (e.g. Windows EXE files)

THE AV-TEST APPROACH PART 2
What is AV-TEST doing?
- Test as many products as possible
- Test as many aspects of the products as possible
- Test as many scenarios/samples as possible
- Perform the tests as often as possible
- Use all common OS platforms (32 and 64 bit)
- High quality in methodology and sample selection

THE AV-TEST APPROACH PART 2
That is only half of the story
- Generating all the data is necessary but not enough
- No user could dig through all the raw data
- Interpretation of the data, according to certain real scenarios, has to be done
- From the different testing criteria it will be possible to derive answers to users' questions
- Different user groups and their different demands can be considered

THE AV-TEST APPROACH PART 2
Ultimately providing three different answers:
- AV-TEST certifies products that perform well overall and are a good choice for most of the scenarios
- Using AV-TEST data you can find the best-fitting products for certain demands
- Yearly AV-TEST AWARDs for the best-performing products in each tested category

THE AV-TEST APPROACH PART 2
Advantages for vendors: quality assurance through reliable and independent tests; certification as a proof of high quality and as a marketing tool.
Advantages for home users: test results as a decision aid; find solutions for PC and mobile devices.
Advantages for corporate users: decision guidance for the right anti-virus software solution; costs and time can be saved.

SUMMARY
- AV products have developed significantly over time (additional layers of protection).
- Our testing methodologies have been implemented and adjusted to cover these changes.
- Many testers haven't evolved over time and are still too focused on old ideas.
- We presented our approach and, of course, we're highly interested in all kinds of feedback.

WWW.AV-TEST.ORG
Thank you for your kind attention! Are there any questions?