Posted by: kurtsh | June 1, 2009

NEWS: Microsoft tops latest AV-Comparatives’ testing (05/2009)

Microsoft owns the ‘smartest antivirus’ product on the market with Forefront Security for Clients/Servers.

LEADER IN ENTERPRISE MALWARE DETECTION
This is REALLY COOL.  Basically, my understanding has been that Microsoft’s approach to anti-malware has historically been to protect against active “in the wild” and off-radar “zero-day” malware first and foremost, to ensure that users are protected from the most recent, frequent and popular viruses, spyware and trojans in use today.

We also de-emphasize old viruses like Code Red, Nimda, SQL Slammer, etc. because frankly, while they’re still technically viruses, they are not threats: they can’t infect today’s modern or patched systems and software.  Nimda, for example, has no relevance in a modern IT environment since the vulnerabilities through which it infected its hosts are no longer available.

The bottom line is that there are hundreds of thousands of viruses that are no longer in circulation because they simply don’t work against today’s software, so there’s no point in testing for them and otherwise slowing down the protection process, consuming monstrous amounts of memory and creating larger, longer-to-download malware definition libraries. (And I think you know what 3rd-party product I’m talking about… <ahem>)

BEST IN DETECTING NEW THREATS & FALSE POSITIVES
Apparently, the latest 3rd-party tests bear out our strengths in this area.

Microsoft’s anti-virus technology came out on top in the vaunted “AV-Comparatives” Proactive/Retrospective test, which this month tested 22,685 malware threats, beating such heavyweights as Symantec, McAfee, F-Secure, Trend Micro, Sophos, Kaspersky, etc., particularly in the area of proactive detection, which is arguably the most important area of testing.

The important thing to know is that THIS TEST IS NOT BASED ON SIGNATURE DETECTION.  Proactive detection is essentially the science of stopping malware that isn’t in a signature library and ‘isn’t on anyone’s radar’.  To quote the test’s parameters:

In this retrospective test, any “in the cloud” technologies that were implemented in the products under test were, of course, disabled.  The retrospective test is performed using passive scanning and demonstrates the ability of the products under test to detect new malware proactively without being executed.  Even if “in the cloud” technologies provide very fast updates, they are still using an essentially reactive detection method based on signature detection.

If a malicious program is already detected “in the cloud” (that is, it’s already in the database) it isn’t unknown/”new malware”.  To leave “in the cloud” signature detection enabled would be unfair to other products under test that are being prevented from receiving signature updates.

Nowadays, hardly any anti-virus products rely purely on “simple” signatures anymore.  They all use complex generic signatures and heuristics, etc. in order to catch new malware, without needing to download signatures or initiate manual analysis of new threats.

As can be seen above, most products are already able to detect much completely new/unknown malware proactively.  Such products can do this even without executing the malware, using passive heuristics, while other protective mechanisms like HIPS, behavior analysis, and behavior blockers, etc. add an extra layer of protection.

Additionally, from an accuracy perspective, Microsoft’s Forefront technologies also came out as the #1 product, creating the fewest false alarms of any of the tested anti-malware products.


<taken from the Forefront blog>

AV-Comparatives.org published the May edition of its proactive/retrospective testing to measure 16 anti-virus vendors’ capability in detecting new threats.  Microsoft anti-virus received one of only 3 Advanced+ ratings. Our detection rate was 60%, the second best among the participants, and we had the fewest false positive samples. 

This result is consistent with some recent proactive tests conducted by other industry test organizations.  In the VB100 April edition, VB introduced a new metric, Reactive and Proactive (RAP), in their test criteria.  Vendors scored from 8.0% to 94.7%.  Both Forefront Client Security and OneCare scored 80% in the RAP test cases.  In addition, in the WildList response time testing by AV-test.org in 2008, Microsoft was in the clear leading position on proactive detection.

For details, see AV-comparatives May edition, published here.

DOWNLOAD:   Proactive/Retrospective May Edition Report from AV-Comparatives
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
