Category Archives: Computer Security

Virus, malware in general and all evil programs, begone!

Test Drive – Lavasoft’s Ad-Aware Total Security Suite 2011

This week’s test drive is Ad-Aware Total Security Suite 2011. Like last week’s test drive subject, it also flaunts dual scan engines. The installer was a little intimidating at almost 400 Megabytes!

For the purpose of this test, I left all settings as they came when first installing, except the firewall, which I set to high security. And then the fun began. As usual, the test consists of trying to infect the test computer by visiting known malicious websites and observing the security product behavior when doing so.

Went to the first malicious website, containing a fake antivirus. Loading the website lagged momentarily (Ad-Aware was checking the content of the website before allowing access) and then denied access to the malicious website, announcing through a pop-up window there was malicious content and access had been denied. HOWEVER, I did get prompted to download a file (info.exe) and when, emulating a less than expert user, I clicked to download it and save it, it did so. And then when I tried to open it, there was no protest from Ad-Aware!

The only reason why the computer did not get infected when doing that was, well, an unrelated technical reason. Just to make sure the file was indeed malicious, I submitted it to a website that checks any given file against 36 different scan engines from different security companies. To be fair, only ONE scan engine labeled the file as malicious. So what we had here was a very new infection that had not yet made its way to the signature files of most scan engines. But regardless, it was a miss and the behavioral (heuristic) module should have detected it. Because of the technical reason that impeded its execution, we’ll give it the benefit of the doubt and not flunk it right away, but keep on testing.

Second try, malicious page on a youtube.com link (very popular these days). One of the scanning engines successfully spotted the maliciousness and denied access to the website altogether, both popping up a window and placing a message smack in the middle of the browser instead of the intended page, letting the user know the link was a malicious one. Pass on this one.

Third round: A Trojan hidden in a malicious website. Similar result to the first round. In fact, so similar, I took the malicious file and executed it in a controlled, yet uninhibited environment (a “sandbox”) and soon realized it was basically the same file with a different name. Moving along then.

Fourth round: A different, very malicious type of Trojan, hidden in a Russian website. Ad-Aware successfully identified the malicious code and denied access to the website altogether. Good.

Fifth, sixth, seventh rounds: Like the second round.


Conclusion:

The test drive is considered a pass, since no infection occurred and no malicious payload delivery occurred, and no breach of data or behind the scenes connection happened, no matter the attempts to do so.

A note on system resources usage: I counted 9 different processes running in the background to make Ad-Aware Total Security Suite work, with over 400 Megabytes of system memory being used altogether. So needless to say, old computers with relatively low memory should stay away. Newer computers, with plenty of system memory, won’t mind (My test computer, for example, has about 8,000 Megabytes of memory, so it’s undisturbed by a process using 400 MB).

So that being said, we can add Lavasoft’s Ad-Aware to the list of security suites that have survived my test drive unscathed. These are, in the order they have been tested:


1. Kaspersky Internet Security 2012.

2. VIPRE Antivirus Premium.

3. ZoneAlarm Extreme Security Suite 2012.

4. Avira Internet Security Suite 2012.

5. Emsisoft Internet Security Pack.

6. Lavasoft’s Ad-Aware Total Security Suite 2011.

Stay tuned for more test drives in the near future. Next one is probably going to be F-Secure, which releases its 2012 version next week.


Test Drive – Emsisoft Internet Security Pack

Following the series of test drives that I’ve been performing on the main brands’ security suites, this time I tested Emsisoft Internet Security Pack. As is usual with the top security product from a company, Emsisoft’s security pack includes anti-virus (2 separate scanning engines to be precise), a firewall, web filter and so forth.

After installing it, I put it to my classic acid test of visiting known malicious websites to observe how it behaves in a dangerous environment. I must say I tried multiple times to infect the computer, and all the attempts were thwarted by either the real-time protection module, or the web filter. Read on for what I found to be the problem with this product.

Although this product passed the test described above with flying colors, the problem I found with Emsisoft is its over-restricted and awkward approach to security. Every time ANY program tried to access the Internet, modify the registry, or otherwise perform any questionable action, a pop-up window came up alerting me to it and asking me to make a decision. And the worst part is, even though there was a checkbox to have Emsisoft remember my answer so I would not be prompted again when the same operation repeated, I kept being prompted again for a decision on things I had already decided on, AND had told Emsisoft to remember my answer. Glitchy and awkward.

Along that line, I have tried the firewall before, as a stand-alone installation, and besides the above nuisance, I found the firewall to be very resource-hogging, and a specific application installed in my computer, for no reason at all, decreased in performance about 2,000%. It was hard to track down too, as there was no evidence connecting the presence of the firewall to the degraded performance of the application, and only through a trial test was I able to ascertain that indeed the firewall was the culprit.

So although a pass on the test drive, I’d stay away from it in terms of the user experience.

Test Drive – Avira Internet Security 2012

Recently released, Avira Internet Security 2012 was taken for a ride. As usual, the test drive consisted of installing the tested program in my test computer, then accessing known malicious websites and their respective malicious files, and in general trying to infect the computer and see what the security program does to counter the effort.

When I first tested Avira (the 2011 version), it failed miserably. Not this time around. No sir. I installed it and left the firewall setting in its default setting, but did change the behavioral detection level to its highest sensitivity setting. And then the fun began.

First round: accessed malicious website, was prompted to download a file, did so. Successfully finished downloading the malicious file, proceeded to open it… And Avira’s real-time protection module jumped to alert me that the program I had just tried to open was a Trojan and should be quarantined. No infection got through. Pretty good.

Second round: similar scenario (but different website), this time WHILE downloading the file and before attempting to open it, the real-time protection module alerted to the maliciousness of the file. Wow, that was even better.

Third round: Somewhat similar, except this time when trying to ACCESS the malicious website, before being even able to start downloading the infection, I was denied access to it by Avira’s web filter module. This was getting better at every attempt!

Fourth to tenth rounds: same as 3rd round.

All different websites, not one infection got through. In fact, no malicious program was even allowed to open!

None of my attempts to infect the computer succeeded. Quite a change compared to the 2011 product!

Conclusion

A triumphant pass, making Avira Internet Security Suite 2012 join the ranks of those security programs that have passed my test. So the list now goes:

1. Kaspersky Internet Security 2012.

2. VIPRE Antivirus Premium.

3. ZoneAlarm Extreme Security Suite 2012.

4. Avira Internet Security Suite 2012.

All trustworthy and recommended.

Test Drive – ZoneAlarm Extreme Security Suite 2012

Continuing the recent series of tests for different security solutions available out there, ZoneAlarm’s top product, Extreme Security Suite 2012, was taken for a test drive. Here’s a rundown of the test:

First stop: a website infected with a Trojan. Once in it, I was prompted to download a malicious file, and emulating a not-very-savvy user, did so, then opened the downloaded file. Nothing seemed to happen. No warning from ZoneAlarm, no sign of infection either… so I resorted to the good ol’ process monitor to see what had just happened. Too many times these infections deliver their payload invisible to the human eye, so to speak.

But not this time. Very nice! ZoneAlarm did not allow the execution of the malicious file. Even though it did not alert of its maliciousness, ZA did not allow the malicious file to deliver its payload. An on-demand scan of the downloaded file was met by ZA with a correct labeling of “malicious” and deletion (I think the real-time protection module should have alerted without needing an on-demand scan, but won’t hold it against ZA. For all practical purposes that first run was a pass).

Second run: Another malicious Trojan. Similar story.

Third attempt… a fake antivirus, famous for being hard to detect. Mixed result: ZA did not allow the payload to be delivered, but this time not even an on-demand scan of the file resulted in the correct label of malicious.

Fourth run: the infamous Koobface worm. Not so new anymore so no surprise that ZA’s real-time module caught it this time, before I could even open it. But a pass is a pass.

Summary

As with the other security programs tested, no evaluation was done on computer resources usage or compatibility problems. Strictly from the viewpoint of protection against drive-by download infections, ZA’s Extreme Security Suite 2012 is a pass. It therefore joins the ranks of the other 2 suites that have passed this test, Kaspersky Security Suite 2012 and VIPRE Antivirus Premium 4.

Test Drive – AVG 2012 Internet Security Suite

AVG recently released their 2012 version of the Internet Security Suite. Given that the 2011 version failed the test a few weeks back when I did a number of tests on different security suites, I figured it’d only be fair to give this new version a chance.

So I installed a trial of it in my Windows 7 based test computer, and went on to visit my friends the malicious websites. Here’s a summary of the results:

One of the files downloaded by visiting a malicious website, “Root-kit zero access”, tried to and successfully connected to internet address 193.105.154.210:80. Tsk-tsk on AVG’s firewall, it should have stopped the outbound connection attempt.

I then went on to another malicious website infected with a fake antivirus program. Upon opening the malicious download, the firewall did alert me of an outgoing connection attempt, and asked me if I wanted to allow it. I blocked it, and then the real-time protection shield proudly announced it had found an infected file… but failed to stop the infection. A few seconds later, the fake antivirus took the computer over. Game over.

And here’s the kick: Even though the firewall did block the execution of the file created by the initial download (file name aH12402HlElD12402.exe), a post-mortem forensic analysis revealed that the originally downloaded file accessed a website in China (Internet address 122.224.4.134) without any protest or prompt from the firewall! What a joke.

Sorry, AVG fans. AVG 2012 Internet Security Suite = FAIL.

Hacking that Affects Google, More About and Clarification

After my latest article was published last week, I received feedback from some of my readers asking me for clarification of how the stolen certificates situation I talked about in it translated to the average Joe/Jane user. What would he/she run into and what can he/she do?

Let’s see how it would work in a real case scenario. Let’s say, for example, you want to sign in to your gmail email. You’d go to a secure (encrypted) webpage, like

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&ss=1&scc=1&ltmpl=default&ltmplcache=2&from=login

And from there provide your email address and password. But even before you do that, as soon as you click on the above link, your browser will check the certificate presented by the website, and thus corroborate that indeed, the website is legitimately what it purports itself to be. This all occurs behind the scenes, so to speak. The user does not see this process. However, if for some reason the certificate is expired, is different than expected or contains any other outpoints, the browser will alert you. In Firefox (for example), you might see something like:

You would then be able to avert the impersonation. And that’s how certs help you.

Now, if a cert is stolen and used in, let’s say, a phishing email, and you click on a link of what seems to be a gmail login, but it’s something else, AND it is using the stolen cert, you would not get the alert and thus not realize these are not the androids you’re looking for (Go see Star Wars Episode IV if you don’t get the reference 🙂 ). And so you sign in and thus give the malicious hackers your credentials.

That’s just one possible way of how stolen certs could be used for malicious purposes.

I mentioned in my last article Windows XP and Server 2003 users were the most likely to get affected. Microsoft has just released a Windows Update (KB2607712) that permanently blocks all certificates issued by DigiNotar. The update should be available to you if you have automatic updates enabled in your computer. If you don’t, but want to install it manually and know what you’re doing, here’s the link to it:

http://support.microsoft.com/kb/2607712
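As an added illustration (not code from the original post), the checks the browser performs silently, as described above, alongside the CA-distrust step that the vendor updates introduced. The certificates are constructed dicts in the shape Python’s ssl module returns for a peer certificate, the “Example Trusted CA” issuer name is invented, and no network connection is made. It shows why a fraudulently issued certificate for google.com passes every ordinary check and is only rejected once its issuing CA is distrusted.

```python
"""Browser-style certificate checks plus a CA distrust list.

Added example, not part of the original post. The certificates are
constructed dicts in the shape of ssl.SSLSocket.getpeercert(); nothing
here touches the network or a real certificate store.
"""
import ssl

# Constructed sample: a legitimately issued certificate for the Google login
# page. The issuer organisation is an invented placeholder.
GENUINE_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA (constructed)"),),),
    "notBefore": "Aug  1 00:00:00 2011 GMT",
    "notAfter": "Aug  1 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
}

# Constructed sample: a fraudulently issued certificate for the same names,
# chained to the CA named in the post. Its dates and names are perfectly
# valid, which is exactly why the browser shows no alert for it.
ROGUE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "DigiNotar"),),),
    "notBefore": "Jul 10 00:00:00 2011 GMT",
    "notAfter": "Jul 10 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "*.google.com"),),
}

# Constructed sample: an expired certificate, the case the browser does catch.
EXPIRED_CERT = dict(GENUINE_CERT, notAfter="Jan  1 00:00:00 2011 GMT")

# A moment inside the incident window discussed in the post (September 2011).
NOW = ssl.cert_time_to_seconds("Sep  3 12:00:00 2011 GMT")
# The distrust list the vendor updates effectively pushed out.
DISTRUSTED = {"DigiNotar"}


def _dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(cert, hostname):
    """Exact label match, or a single leading wildcard label (*.example.com)."""
    host = hostname.lower().split(".")
    for name in _dns_names(cert):
        labels = name.lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host[1:]:
            return True
        if labels == host:
            return True
    return False


def issuer_org(cert):
    for rdn in cert["issuer"]:
        for k, v in rdn:
            if k == "organizationName":
                return v
    return ""


def check_certificate(cert, hostname, now_epoch, distrusted_issuers=()):
    """Return (accepted, reason). Name and validity-period checks are what
    the browser does quietly; the issuer check is the post-breach distrust."""
    if not hostname_matches(cert, hostname):
        return False, "name mismatch"
    if now_epoch < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "not yet valid"
    if now_epoch > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "expired"
    if issuer_org(cert) in distrusted_issuers:
        return False, "issuer distrusted: " + issuer_org(cert)
    return True, "ok"


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("rogue", ROGUE_CERT), ("expired", EXPIRED_CERT)):
        before = check_certificate(cert, "www.google.com", NOW)
        after = check_certificate(cert, "www.google.com", NOW, DISTRUSTED)
        print(f"{label:8} before distrust update: {before}   after: {after}")
```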

If you have any questions, don’t hesitate to ask.


Hacking That Affects Google

You may or may not have read in the news about this, but in case you haven’t, here it is. First, a couple of definitions.

Digital certificate: A file generated to verify the authenticity of a website, and to enable the ability to connect to it through a secure, encrypted connection. These certificates are issued by a CA (Certification Authority).

Recently, unidentified hackers were said to have stolen digital certificates from a Dutch company (a CA) called DigiNotar. Several sources reported this, but Vasco, a Chicago based company that recently acquired DigiNotar, has acknowledged the fact today. Apparently the hacking took place last month.

At the time and pretty much up until now, one of the stolen certificates could be used to impersonate Google websites, as part of a phishing or “man-in-the-middle” attack.

Over the past 24 hours Google, Microsoft and Mozilla (maker of the Firefox web browser) have taken steps to block the exploitation of the rogue certificate.

All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. There is no action required for users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. Windows XP / Windows Server 2003 users however, beware.

What to do for Windows XP / Windows Server 2003 users

If Google Chrome is your browser of choice, update it to its latest version, which is 13.0.782.218.

Be on the alert for an update of Firefox and apply it when available, if that is the web browser of your choice. 9/3/11: Firefox 6.0.1 has now been released, fixing the vulnerability described in this article.

Be on the alert for a Windows update to help curb the threat.


Update on Updates

Here’s an update of the most critical programs to keep up to the latest version:

Windows:

A total of 12 bulletins are being released, as is usual, on the second Tuesday of this month – so Tuesday the 9th. The 12 bulletins handle a total of 22 vulnerabilities found in the Windows operating system, Internet Explorer, and Office. If you have your computer(s) set to automatically receive and install updates, no user intervention is necessary except for a probable restart of the computer at the end of the updates.

Adobe Flash:

Latest version released is 10.3.181.34, for Internet Explorer and Firefox. For the Google Chrome web browser, Flash latest version is 10.3.181.36, and since it’s built into the browser, make sure you have the latest version of Google Chrome installed, 13.0.782.107.

Adobe PDF Reader:

The latest version released is 10.1.0.534.

Java:

Latest version released is 6, update 26.


As mentioned before, you can check Flash, PDF reader, Java and some other programs’ versions using the checker by Qualys, https://browsercheck.qualys.com/

Keeping your computer up-to-date is one of the cornerstones of a strong security setup.


Test Drive – Some More Security Suites

Based on the feedback from the last two articles, here’s the review of some more security products. Remember, the test consists simply of accessing a known malicious website and observing how the security program deals with the attempts to infect the computer. Other tests such as conflicts with other programs, system performance taxing, ease of use, and so forth, were not performed. The whole focus of the test was, can it defend the average user against the main cause of malware infections, visiting a malicious website? Here are the results:

Avira Premium Security Suite:

Wow. I had so much hope for this one. First round: Malicious website accessed, Trojan-ransom downloaded, executed, computer infected, restarted by itself, when it came back on it was unresponsive to keyboard or mouse input, files were being encrypted in the background. In short, fail.


Bit Defender Total Security 2012:

In my last article Bit Defender 2011 was evaluated. The 2012 version just came out so I figured I’d give it another try and see how it did. The good news: It did better. The bad: Not by much. First, when installing it, it required that I uninstall an antimalware product I had installed (but it was just the free version of it, with no real-time protection features, firewall, or anything like that. Just a good on-demand scanner that I used to clean up after some of these products failed). Anyways, reluctantly I uninstalled it, at least for the test. At the first try with a malicious website, Bit Defender real-time protection missed the downloaded malicious program. An on-demand scan resulted in an adjudication of benign…

Bad start, I thought. But kept on testing it just to see if it would redeem itself. Surprisingly, all other attempts to infect the computer were blocked by a Bit Defender web filter feature.

It also has a nice sandbox feature that allows the user to run the web browser (Internet Explorer, Firefox, etc.) in an isolated environment so infections stemming from accessing a malicious or infected website can be better contained. The bad about it: the sandbox feature uses A LOT of space and processor power, so probably not good for any computer that is not powerful.

Oh and one more nice feature: One of the available scan modes is “Rescue mode”. In this mode, the computer will reboot and go into Bit Defender’s own little booting zone, separate from the Windows environment, and run an “offline” check (offline in that the computer has not loaded the Windows operating system). You might say, OK and so what is so great about that? Glad you asked. Booting outside the Windows environment allows those infections designed to hide themselves and block any attempts to eradicate them to be exposed and defenseless. So for the really really nasty infections, this is very useful. In fact, one malicious file that was missed by Bit Defender AND my favorite on-demand scanner was detected by using this “offline” scan mode. Very nice.


Avast Internet Security 2011:

I had tested this earlier, in fact it was the first one I tested once I put my test computer together. The first time around it failed the test by letting some malicious download execute and failing to detect it as malware. However, the initial procedure I was following to test drive these security suites changed afterwards, so I decided to test it a second time, using the same procedure I used with every other security suite.

This time around AIS 2011 performed well, in fact it almost passed the test. An on-demand scan after a malicious file had been downloaded and executed was missed. But otherwise the real-time protection, web filter and “Safe Zone” (where the web browser is brought up in a sandbox environment) features worked very well. The suite has some nice features such as voiced announcements for certain actions, a “scan at boot time” option that allows it to get to the deeper malware infections, and so on.

Microsoft Security Essentials:

This free antivirus program put out by Microsoft has impressed me from the moment it was released over 2 years ago. Although by no means a complete security suite, it performs surprisingly well as far as detection of recent malware in real time is concerned. MSE performed as well as the best security suites in this series of articles.

AppGuard:

The key ingredient in my favorite security model, AppGuard is not a security suite, not even an antivirus, at least not in the traditional way users think of one. AppGuard performs four simple tasks: 1) Prevents applications (programs) from launching (opening) outside of the application’s “legal” zone, thus thwarting most infected programs’ attempts to take over a computer, 2) Prevents programs already running in your computer from changing other programs running in it, thus thwarting one of the favorite infection vectors of malicious processes that might be already running, 3) Prevents programs from starting from a USB flash drive or any such USB storage device, thus thwarting the second most common infection vector (some malicious programs propagate by copying themselves to any existing USB storage device and then copying themselves to the next computer the USB device is plugged into), and 4) Prevents unauthorized programs from accessing your files and documents, thus thwarting hackers’ attempts to get a hold of your data. So in short, it does a lot of thwarting.

Just to show what AppGuard can do, I installed it on my test machine, without any other security program installed, and with the default, out-of-the-box Windows firewall provided in Windows 7 enabled. I then proceeded to infect my computer. I of course had to disable AppGuard’s protection first to be able to open the infected sample file I had chosen. So that would not have even happened had AppGuard been, well, en garde. With that accomplished, I opened the infected file, a trojan named Zeus, which being the case would make AppGuard’s name Cronus 🙂 . Anyways, the program immediately got busy downloading a second file, creating a third, and that third file was the main executor of the whole operation. I was laughing at how something called Zeus looked so powerless as it kept going in circles trying to inject code into other processes, create other files, establish an internet connection with a remote website, etc.

Now, AppGuard is not meant to run alone as a full defense, it’s just an additional layer on top of the traditional antivirus that helps prevent infections when the traditional antivirus misses the mark. For detection, eradication steps, an antivirus is needed. For closing the door to most attack vectors, AppGuard is ideal.

Summary

Although the reigning champs in these tests are still Kaspersky Internet Security 2012 and VIPRE Premium, some close competition came from other security companies. But remember, none of the security suites by themselves will provide complete protection unless the 4 elements of protection are implemented in your computer.

Test Drive – Major Brands’ Security Suites

As mentioned in my most recent article, I recently put together a computer with the exclusive purpose of being a test machine, a guinea pig to evaluate software and so forth. Well, I’m glad to report that I’ve been busy testing away. In fact I tested all the major brands’ top security suites, the test consisting of installing each on my test machine, visiting known malicious websites that host malware and will try to infect the computer that visits them, and observing the detection and handling effectiveness of the security program in such an environment. Here’s a summary of my test results, in no particular order:

Panda Global Protection 2012:

What a disappointment. It was doing so well in the beginning when visiting malicious websites… and then it let one through. And then tried to contain the infection… and failed.

Simple operations like decompressing some files became 5 times slower than with other protection suites.

Norton Internet Security 2011:

It was doing so well… on downloading any files it automatically scans them and labels them as safe or a risk and handles accordingly. But while doing my standard test, at about the 5th round, it let a malicious one right through… some ransomware, no less. It was game over. So 1 out of 10 or so is not too bad. I wouldn’t say crap, but can’t give a thumbs up either. Best to stay away probably.

AVG Internet Security 2011:

What a disappointment. Or not really. I didn’t have a good impression of AVG despite its popularity, based on the amount of computers I’ve had to disinfect that were being “protected” by it. Like Norton, it used to be good years ago but not anymore. At the first TWO attempts to visit malicious websites, it succumbed. Crap, like I thought. Stay away from it, or walk away if you have it.

BitDefender Total Security 2011:

Fail. At the first attempt to download a malicious file and run it, it allowed it. Then the firewall, which I had set to explicitly alert of any outbound connection attempts (such as the ones that infected programs will attempt to establish in order to “phone home”) alerted me that the program in question was trying to access the internet, but the scan engine had adjudicated that it was not malicious and therefore legit! This is what happens when you depend on a signature-based scan engine. Anyways, fail.

ESET Smart Security 4:

Another failure. Detected some, missed others, had to be bailed out with a good on-demand scanner that found what ESET had missed. Firewall also feels a little quirky if put in interactive mode.

Zone Alarm Internet Security Suite:

Well, we seem to be having a bad day in the cyber-security world, aren’t we? I had a lot of hope in Zone Alarm, but nooooo. To its credit, it started pretty well. The first attempt to infect the computer was not caught when downloading a malicious file, or even trying to open it (although it did prevent a malicious change to the system by alerting and giving the option to allow or deny it) but an on-demand scan of the downloaded malicious file was met with a labeling of malicious. However a couple of samples later, it simply failed to detect or stop a trojan infection aptly named “Zeus”. An on-demand scan yielded no results. Some people swear by Zone Alarm. I can’t say I recommend it.

VIPRE Antivirus Premium:

A small letdown. Not because VIPRE didn’t perform well compared to others – in fact it was the best among the ones tested in this article – but because I had the highest hopes for it. It is in fact my current choice of antivirus for my own computer. But alas… when testing it, on the very first malicious link, let’s be honest, it did detect that the website itself was malicious, thanks to its web filter module. But when I disabled it to see what the scan engine and real-time protection modules could do, they both failed. A malicious file was downloaded to my computer, and neither downloading it nor opening it was met with any protest from the real-time protection module. Then I did an on-demand scan of the file and again, nothing malicious found. But truth be told, that malicious file would not have been accessed if the web filter was on. So I continued testing. Second round, same exact thing. Oh well, at least without crippling any active modules, VIPRE did come out on top. More than can be said of the rest of the programs tested in this article.

Trend Micro Titanium 2011:

It was a joke 4 years ago when I first used it, and it still is. First attempt at a malicious website, Trend Micro got caught flat-footed. Didn’t do anything. The Windows 7 firewall blocked an outgoing connection attempt and Trend Micro’s suite didn’t even know what was going on. Fail.

McAfee Total Protection 2011:

McAfee’s detection rate and general effectiveness has been such a joke in recent years, I wasn’t even going to test the 2011 Total Protection suite. But then I thought, let’s be impartial and have no preconceived ideas, maybe they finally got it right… I was wrong. Or right, depending how you look at it. Let’s just say when I first installed it and attempted to visit the first few malicious links, McAfee actually detected, neutralized and destroyed them. But by the 4th and 5th, it was the same ol’ McAfee, oblivious to the infections affecting the computer. So scratch that one as well.


Conclusion:

In these recent tests, only Kaspersky Internet Security 2012 and VIPRE Antivirus Premium survived unscathed. Kudos to the respective software makers.

Something better than just all the Security Suites tested is what it would take to be reasonably safe in today’s computer world. As I said in my pivotal article of 2 years ago, most of these security suites would have withstood the test attack if used in conjunction with AppGuard by Blue Ridge Networks in the 4-prong model described in the article. The fact that the model is still valid 2 years later, in such a dynamic subject like computer security, speaks for itself.