Corporate anti-virus software
[PC Pro]
The most common method of testing anti-virus software is to use detection rates as a benchmark. However, the test viruses used often call into question the validity of the results. It's debatable whether using simulated viruses is a suitable test, as most products should be able to recognise these as bogus and not flag them for attention. Rosenthal Utilities (slonet.org/~doren) offers a tool for creating a collection of fake viruses, but even the author points out that these are designed for testing and validating security measures and aren't a replacement for the real thing.
Rather than test detection rates, we feel it's more important to see each product's defences in action. In the home, a single PC is at risk. In a network environment, the danger increases exponentially, so the software must offer the tools to stop a potential infection in its tracks efficiently and effectively. To this end, we look at how each product responds to an infection attempt and what features it offers for clean-up operations. Alerting is also important, as administrators need to know the moment their network is exposed to a threat and what the software is doing about it.
All but one of the products rely on a signature or definition list to recognise viruses. This must be updated swiftly if the product is to be effective against the next identified threat, so we want to see how easy it is to download the latest updates and what automation is provided for deploying them speedily across the network.
The testing environment is made up of five systems, with one running Windows 2000 Server and the others installed with Windows 2000 Professional, XP Professional, 98 SE and ME - all with the latest security patches and Service Packs. Each anti-virus product is initially installed on the server and then deployed to each system using the tools provided. All product updates and the latest definition files are downloaded, installed and deployed via a proxy server. External access is severed during testing. We introduce genuine viruses on the closed network, comprising Bugbear, Nimda, Badtrans, Loveletter and Magistr-B, plus a couple of floppy disks infected with the old-timer boot sector baddies Form and V-Sign, and watch how each product responds to their presence.
When choosing the best products, we take into account a number of areas. The software must be manageable and offer plenty of information about its current status, such as which systems are protected, the nature of attacks and what the software is doing about them. Updates are also a key component of the software's effectiveness, so these must be easily accessible, simple to download and swiftly passed on to all systems.