Comments Off

By Admin, December 12, 2007 08:51

Hot:

I recently came across an article from ‘Information Security’ that reviewed several “Enterprise” class security suites. I have reviewed several here on this blog in the past year and have found very disappointing results. There have been a couple of new comer’s to the land of the personal desktop namely ‘Blink’ by eEye that I have been testing for several months. The tool isn’t ready for personal use, but it’s professional version has been commended for a while. This article compared Blink’s Enterprise tool (at time of writing I haven’t been able to confirm the differences between Pro and Enterprise).

For most readers of this blog, they may dismiss reviews of enterprise class applications but I decided to include it since for most of these vendors the Enterprise version represents the ‘best of the best’ of their offerings. As this review compares all the top providers including Symantec, CA, Trend Micro, ISS, eEye and a few others I decided it was worth while comparing them.

The article can be found here:

(I included the print-friendly version of the article as it is a 15 page review, and 15 pages is ridiculous since every page is barely a screenful on my PC, I prefer reading to clicking links and waiting for advertising to load so…)

A lot of these offerings are strictly for Windows machines, very few have linux offerings or Mac. Something to keep in mind if your network has blended OS’s you will have to seek other options for a network wide protection. However if your network is mostly Windows bases these products will meet your needs.

The offerings were presented and reviewed by many criteria, such as ‘ease of information gathering’ to usage, to malware detection capability.

The most interesting note to this is that NONE of the products had 100% detection. NONE! The best came in around 92% detection.

It’s also important to note that some were plainly incompetent at detecting malware that was present and moving around a machine. This too was a interesting consequence of the article.

Here is the features offered in the product.

The real nice extra feature that only two of the above offer is vulnerability scanning. This is a must to ensure your machines are patched and up to date. However the features can be very valuable in a work environment that can have strict policies, in a home environment its benefits will be less. My experience shows that they typically have inaccurate results so being able to use this as a guideline rather than a definitive state is important. Its still very valuable.

Since we like Blink, it’s also important to note that even the Personal version of their product offers all these features, most of the other vendors are not so accommodating for their lower end versions of the product.

So this review does in fact support our arguments regarding malware. There is NO 100% effective solution, so a multi-tiered approach to malware is wise.

It also proves our case about not relying on a traditional antivirus product alone. This type of product has pretty much no life in todays market. A blended product is what is required which most of these provide. It’s unfortunate that most of these companies cannot improve their offering to be more effective.

Additionally it’s important to note that ‘false positives’ are the #1 problem with most of these packages so it’s critical to compare ‘detection results’ with other products before making a decision to buy. As a lot of spyware vendors like to do with their product offerings is to have LARGE numbers of detection, regardless of it’s importance or even accuracy.

Comments Off

By Admin, January 1, 2007 21:01

Hot:

Well continuing my review of ‘integrated security solutions’ I have once again become dismayed by the terrible offerings by the various security vendors out there.

Today we don’t have massive virus outbreaks, nor do we even have a big problem with Trojans (except when it comes to malware) and worms are even starting to slow down. We can thank enterprise scale solutions and active monitoring of networks for this. Yes, even email/spam solutions are stopping many of these things right at the server at our ISP, so very little should be getting into our machines today, unlike just a couple years ago when ISP’s were leaving each of us to our own solutions.

Today, malware in the form of ADWARE and SPYWARE, as well as BOTNETS and ROOTKITS are our big challenge, and in many of these that we encounter tend to not be detected in many products until they are discovered. In my mind this does not provide a solution but a clean up.

So I don’t recommend people who are pro-active to buy these ‘Internet Security’ solutions that the vendors are pumping. They are just no good and a waste of CPU time.

F-Secure’s offering is probably the worst I’ve encountered to date. But like many of these packages, they taunt you with a free trial offering, which seems to work pretty good.

F-Secure offers the same as every other package, Anti-Virus, Anti-Spam, Firewall, as well as malware detection and a rudimentary rootkit check tool. Let’s start at the top.

The anti-virus solution is definitely the best of the inclusions with this product. When it updated that is. Our biggest challenge was getting this product to work through a proxy. Seems the F-Secure developers don’t comprehend proxies and the awesome solutions they provide, and many times our updates would never get downloaded. An Anti-Virus product is only as good as it’s updates, and we constantly had to fiddle with the settings to do a simple update. Pathetic. So we would just as soon use Avast for FREE which does not seem to have a problem with proxies.

The anti-spam solution was incredibly poor however causing several minutes of delays in processing email from nearly every ISP I tested this with. A normal POP session usually takes about 1 minute and about 10 seconds per email on the slow side. With F-Secure Anti-spam this increased ten fold. We were easily waiting about a minute per email, causing us to go for coffee every time we checked email. Since we use spam-assassin on our free servers and a very pricey solution for our Microsoft exchange server, we really don’t need anti-spam. It was no better at detecting the stuff that made it through these tools so it was simply wasting time.

The firewall was the worst of the bunch. First problem we encountered was one of our test boxes had NVideo Forceware Network Access Manager already installed. This is a firmware based firewall, and it works very well. The downside was that F-Secure Internet Security refused to install “anything” with this product installed. In this box we simply wanted to test the anti-virus and anti-spam solutions but we were forced to install the firewall product also. Trying to disable the firewall and reinstall NAM was ok, and thankfully NAM remembered are old settings saving us more time. Not F-Secure!

Once everyhting was installed in this box, we found out we could no longer access our network shares. Yes F-Secure firewall was blocking these accesses. Adding rules to allow this traffic made no difference. Isn’t a firewall made to configure what “I” want, not what some dork developer wants? I guess not. Nothing we could do (short of disabling the firewall) would allow us access to our network shares again.

The rootkit checker was bland. Featureless, did not detect 22 of our suspicious ADS streams and did not provide any output that could be used to track and discover where potential problems could be. The average person does not understand rootkits enough to be able to troubleshoot this without a lot of hand holding, and this tool has none of that available. Eeye’s BLINK was better for this yet even it was an ineffective tool at current rootkits. Old and very public rootkit technology was noted effectively, but most of the problems these days are botnet driven and none of these were detectable until infection occured and the OS was exploited. Then the anti-virus solution did it’s job.

The anti-malware portion of this software was very paranoid and kept advising us of tools that it didn’t think the average PC should have, like netcat or nmap, even PE builder tools were quarantined by F-Secure which annoyed me to no end. Sure one could build exceptions but shouldn’t the tool ask this during detection, not AFTERWARDS? Barts PE builder broke thanks to F-Secure’s gross paranoia. Perhaps they should devise a color coding like DHS has for terrorist alerts, ah never mind, they’d all be red…

The kicker was purchasing a license and getting technical support. I had to send two emails to get my license since they didn’t bother sending it automatically as part of the order. Very irritating to have to ask after a week of buying a license where it is.

The next kicker was contacting support about our two major issues. Updates and our firewall problems. Neither were addressed in a satisfactory manner. We were advised to disable proxies for updates. Ok, not a big deal but every week this needed to be changed since it seemed to forget the settings. As a consequence we were hardly up to date. This should be automatic and not require tweaking internet settings just to update so we fail this product on this point alone. The other components had very few updates (some never updated in the two months we used this product) so we wonder how effective a solution is if it is never updated. Snort rules for instance are updated almost every day, and they haven’t come close to detecting everything yet, so if I have a choice I’ll stick to a real IDS solution and not the ‘cleanup’ proposed by F-Secure.

Technical support was terrible also. Three phone calls to them and after explaining my problem to some fellow who speaks very poor English, he would offer to ‘email’ me a solution. I think he simply could not grasp the English alphabet over the phone when I tried to spell my email address since on all three occasions I never received an email from him. By phone call#4 I asked if he could simply walk me through this on the phone. He refused and insisted to email it. I then asked if he really was a technical support person? He said yes. I asked if he could REALLY help with my problem or if he didn’t have a clue how to fix my firewall/proxy solutions? He said he could. So I told him that I want him to help me now on the phone. He hesitates, but otherwise agreed..

F-Secure — you call that support? I call that very disappointing and disrespectful of your clients when you continually waste there time. Secondly, get people who can speak English. Make it a requirement of the job for those who prefer to get support in english.

After talking to this guy for about 20 minutes and following his instructions I was able to ‘one time’ update the package (I had to repeat his instructions every time I needed an update), but my firewall issue was not finding a solution. Even with rules in place (confirming I had indeed set them up correctly, but it still didn’t work) with the fellow from technical support still did not lead me to a working solution. I asked if there was a way to remove the firewall component completely. The tech stated I would have to download the Anti-virus program alone to accomplish this. I did not have a license for that product so I would have to buy another product to do this.

At this point I simply stated this product was ineffective and I requested a refund. This the tech support fellow was able to do very quickly, and in minutes I had a email in my inbox to confirm this.

This was the best performance I received from F-Secure.

My suggestion for you considering this ‘integrated solution’ Save your money and just buy the Anti-Virus product alone. IT’s the only thing worth any money, provided you don’t have any proxies to affect your updates.My suggestion was to stick with Avast anti-virus, which does most of this stuff for free and much more effectively.

My rating of this product is 1 out of 10. This should not even be out of beta, but getting a refund was no trouble.