PROTECT

PROTECTsTAR medium, high) were tested in the area of could be improved for some products, or happens if a computer system is attackedDoS attacks, for example in the “Microsoft the attacks could be sorted according to directly from within the “trusted zone” – theSMS Client”, “ping of death”, “RPC DCOM their priority. A port scan, for example, is LAN?Interface DoS”, “MS RPC Services null really not an attack and the user shouldpointer reference DoS” and “WinLogon. only be informed about a port scan if, for To find this out, the security experts fromexe DoS”. In the area of Microsoft example, it originates from the trusted the ProtectStar Test Lab analysed theBulletin and Windows attacks, examples zone.of what was tested include “Buffer Overrunfirewalls at their default settings with regard(Q326886)” etc.applications, brute force, CGI abuses,to the protective effect in the LAN within Messenger Service (828035)”, “Buffer BitDefender,BullGuard,F-Secure, different attack and security tests. TheOverflow in Windows Troubleshooter Kaspersky and Symantec performed in tests included the currently known types ofActiveX Control (826232)”, “Windows an exemplary manner at default settings denial-of-service (DoS) attacks as well asNetwork Manager Privilege Elevation with regard to warning messages and the weak points of the operation systems,alerts.useless services, backdoors and otherIn the default setting, standardised port The firewalls BitDefender and BullGuard security checks.scans checked for open TCP and UDP are particularly praiseworthy with regardports. All ports (0 – 65535) were scanned. to their configurability. Both products allow Most of the products showed someAs a second step, the firewall was the user to configure even the smallest weaknesses – very much in contrast to thesubjected to a SYN port scan (half-open), detail. However, the user should have otherwise excellent external protection.the so-called stealth scan.sufficientexperienceandknowledge In order to satisfy the increasing demandsregarding IT security before he manually for more user friendliness, some publishersIn addition, the personal firewalls were modifies rules or defines new ones.subjected to 33 special types of attacksconfigure their firewalls as “user friendly”by default for the trusted zone. This, foragainst firewalls. All personal firewalls It would be ideal if in the future the security example, enables computers to exchangeblocked the attacks successfully. suites were able to recognize the specific data over a network, to use a commonThe port scans (tcp-connect and syn/ nature of attacks in more cases and to printer and to access shared folders,half-open) did not find any open ports or notify the user of the attacks. As already without requiring the user to configure theunnecessary services which commonly mentioned, the majority of the security firewall manually.create security problems. Both the suites we analysed only notified the userautomatic test sequence of the hardware- of port scans and simple forms of attack. Because of this, the firewalls of somebased in-house ProtectStar Security Special brute-force attacks and denial-of- manufacturers protect the ports (tcp)Scanner, which carried out an additional service attacks were blocked, but the user 135 (msrpc), 139 (netbios-ssn) und 44511,226 (as of November 2008) safety was not notified of these kinds of attacks, (microsoft-ds) only insufficiently.checks and attacks, as well as the manual even if they continued indefinitely. Onlytests were not able to find any weak points the firewalls of the suites BitDefender, The firewalls of AVG, F-Secure, G DATA,or security risks.Kaspersky and Symantec showed some McAfee, Microsoft, Norman, Steganos,improvements in comparison with their Symantec und ZoneLabs have theseThe firewalls also successfully passed the earlier versions.weaknesses at their default settings.penetration test which lasted for severalhours, without any significant decreaseinperformance.NofirewallshowedTHE FIREWALL - internalprotectionThe security suites of Avira, BitDefender,ESET, Microsoft und ZoneLabs solve thisany weakness in the area of externalproblem differently: after the installationprotection. Only the warning messages, The preceding test showed that all process, these products enable the userlog files and warnings via pop-up, which firewalls offered sufficient protection to choose whether or not the computerare displayed to the user during an attack, against attacks from the internet. But what is supposed to communicate with other5

PROTECTsTAR computers over LAN. The mentioned tcp directly via LAN”). It should be noted that risks mentioned above - TCP Sequenceports are then either protected by the “port forwarding in the LAN” or open ports Prediction und IP ID Field Predictionfirewall or left open. Avira, for example, in the trusted zone are not security risks in Vulnerability at their default settings, insofarasks the user during the installation whether the conventional sense of the word. Only as the user chooses the respective networkor not he wants to allow external access experienced internet security specialists option after the installation. The productsto shared resources such as directories or are able to gain information through open from BitDefender, BullGuard, Kasperkyprinters, bypassing the Avira firewall.ports which may serve as a basis for and Symantec get a bonus point in thefurther attacks. For example, threats such category “internal protection offered by theThe products from Avira, BitDefender, as TCP Sequence Prediction and IP ID firewall” because of their good warningESET, Microsoft and ZoneLabs are thus Field Prediction Vulnerability may result. messages and log files.exemplary in this regard. Other publishers This means that the TCP/IP stack is notshould consider this option. If a firewall has fully protected. The consequence could be As already criticized in the test “Internetthis function, inexperienced users do not that an attacker is able to predict or guess SecuritySuites2008”(http://www.have to block ports manually after installing the sequence number and thus manipulate protectstar-testlab.org/award/protectstarthe product.existing connections.iss2008test eng web.pdf),weagainnoticed that some products notify the userThis option is somewhat difficult to find In addition, an attacker might gain of an attack from the internet, but not if thein the Norton Internet Security 2009 information such as the domain name, the attacks originate from the LAN.by Symantec. Here the user has to click MAC-address, the name of the workstation,“Show home network”, then “Change etc., enabling him to launch further specific Positive exceptions are the suites ofnetwork details” and finally he has to attacks. This however requires the attacker BitDefender, BullGuard, F-Secure, Gchange the security setting to “Restricted”. to be within the trusted zone (LAN) and have Data, Kaspersky and Symantec. TheThe protective effect of the different security the necessary know-how. The products of following table presents an overview of thelevels in the Symantec product are shown Avira, BitDefender, BullGuard, Eset, risks found in the security suites (internalin the following test (see table: “Attacks Kaspersky and Microsoft do not have the and external protection).Attacks directly via internet(ranked by level of risk and number of risksfound)PublisherAVGAttacks directly via LAN(ranked by level of risk and number of risksfound)High / Medium / ure0-011G /07/1/0ADEFZoneLabs0-00/42/8GDate : November 2008Number of attacks (internet):15.632 11.226 26.858Number of attacks (LAN):11.226Product analysed in:Default settingsCaption:AFirewall blocked the attacksB1x “low level” security risk because of “remote system answers to PING command”CShows the difference between the options “strict control” and “allow sharing” which can be chosen after the installation of the product.DPorts 912 (tcp) and 49152 (tcp) [VMware] were recognized as unprotected on the test computerEShows the difference between the levels SHARED/PROTECTED/RESTRICTEDFHelpful log files and warning pop-ups during the attack phasesGShows the comparison between “block zone” and “allow zone”6

PROTECTsTAR MALWARE DETECTION(on-demand/on-access) provided by the functionsbutonlytheretrospectivemalware scanners (as of August 2008). detection rates on the basis of heuristic andThe malware detection rates of the suites Some products offer further additional generic detection.The malware test set forwere determined in cooperation with the protection mechanisms which are, for the on-demand detection consisted of 2.3independent and renowned test centre example, able to detect a virus on the million and the test set for the retrospectivebasis of its behaviour (proactive protection) detection consisted of about r it has been executed by the user. malware programs. This is respectivelyThebehaviour-baseddetectionand divided into Windows viruses, macroIn order to determine the exact detection protection mechanisms (e.g. behaviour viruses, script viruses, worms, backdoors,rate, all products were updated on a blockers, HIPS, etc.) are not evaluated bots, trojans and other malware.certain date and then “frozen”, thus in the retrospective test, because suchmaking an automatic update of the mechanisms only take effect when malware It should be noted that BullGuard is basedproducts impossible. The products were is executed.on a malware engine from BitDefender,also configured to an optimal setting inSteganosononefromAVGandorder to find as many malware programs The retrospective test in Table 2 ZoneLabs on an older anti-virus engineas possible. Table 1 shows only the “Retrospective” [as of November 2008] from Kaspersky. These are the results andsignature-based and heuristic protection therefore does not show the proactive detection rates:Table 1: “On-Demand isherAviraG DATASymantecKasperskyAVG SteganosESETBitDefender e positivesmanymanyfewmanymanyfewmanyfewfewmanyvery fewvery fewOptimal detection rate99,6 %99,5 %99,0 %97,6 %97,3 %96,6 %96,4 %95,8 %95,7 %94,5 %92,6 %92,5 %Captionvery few0 –4 false positivesfew5–14 false positivesmany15 – 100 false positivesNote: status August 2008: wetherefore tested the currentprogram versions of themanufacturers at that time.Table 2: “Retrospective Test”:Pos.manymanymanyfewDetection rate(over one week)71,0 %71,0 %66,0 %54,0 %Detection rate(over four weeks)67,0 %60,0 %59,0 %51,0 %many51,0 %46,0 %very fewfewmanyvery fewmanyfewfew47,0 %44,0 %43,0 %37,0 %25,0 %20,0 %18,0 %44,0 %44,0 %40,0 %29,0 %25,0 %9,0 %8,0 %PublisherFalse positives1.2.3.4.AviraKasperskyG DATAESET5.BitDefender BullGuard6.7.8.9.10.11.12.MicrosoftSymantecAVG SteganosMcAfeeNormanF-SecureZoneLabs7

PROTECTsTAR PROTECTSTAR RECOMMENDATIONOn the basis of the tests we performed on password protection should be activated and does not wish to share folders, files,the security suites, ProtectStar makes by the user. The password should have at printer, etc. with other computers in thethe following general recommendations:least eight characters, comprised of letters, network, he should protect the netbiosnumbers and special characters.In order to improve the security of a securityservices (e.g. port 139, 443, etc.) with thefirewall.suite, every solution should be password This prevents attackers from deactivatingprotected. All of the reviewed products or even deinstalling the complete suite orhave such a feature, which, however, is parts of it such as the virus scanner or thedeactivated in the default settings. The firewall. If a user has a (home) network,E.)Test: USER FRIENDLINESS & PERFORMANCEIn the tests carried out by the ProtectStar test lab, the results for user friendliness andthe performance of the security suites were as follows:AVG Internet Security 8.0 Steganos Internet Security 2009:USER FRIENDLINESS:( ) good and reliable control of the product(-) no boot medium(-) extremely convoluted settings menu(-) updates only downloaded every four hours at the default settingPERFORMANCE:( ) good overall performance(-) slower on-demand scan8

PROTECTsTAR Avira Premium Security Suite 2009:USER FRIENDLINESS:( ) user-friendly configuration already during installation( ) clear user interface( ) well thought-out default settings both for home users and professionals( ) “expert mode” allows user to adjust a multitude of settings( ) easy creation of a boot medium( ) good manual( ) game modus adjustable(-) update only 3-5 minutes after system startup(-) no HIPSPERFORMANCE:( ) very good performanceBitDefender Internet Security 2009:USER FRIENDLINESS:( ) clearly structured user interface with useful activity display( ) great number of setting options for experienced users( ) good integration of the spam module( ) fingerprint technology( ) good reports( ) comes with emergency boot medium( ) features game mode(-) http scan deactivated by defaultPERFORMANCE:( ) performance increased compared to the previous version(-) under Vista, system is booted with great delay9

PROTECTsTAR BullGuard 8.5:USER FRIENDLINESS:( ) good and reliable firewall program control( ) excellent live support chat( ) good factory settings( ) good integration of the spam module(-) confusing user interface and total overview(-) Windows firewall is not automatically deactivated,therefore unwanted dual operation of the two firewalls(-) poor help texts(-) no emergency boot mediumPERFORMANCE:(-) slow virus scanEset Smart Security 3.0:USER FRIENDLINESS:( ) very good update performance( ) clearly structured user interface( ) very good retrospective detection (advanced heuristics“)( ) suited for beginners and experienced users (via Advanced mode)(-) no feedback t o suspicious files that are sent in(-) few additional features(-) few warning messages when firewall fends off attacks(-) no bootable emergency CD available, neither any option tomanually create itPERFORMANCE:( ) test winner in the area of overall performance( ) excellent and fast anti-virus scanner10

PROTECTsTAR F-Secure Internet Security 2009:USER FRIENDLINESS:( ) detailed and good log files and warning pop-ups in case of attacks( ) clearly structured user-interface( ) good help windows( ) helpful live security information( ) elaborate setting options for home-users and professionals( ) via Advanced, a great number of configuration options are available( ) good boot medium( ) simple installation( ) very good http scanner(-) up-date frequency not selectable(-) no history of the scan reports(-) http scan activated by default(-) spam filters difficult to configurePERFORMANCE:( ) increased performance compared to the previous version(-) still resource-hungry compared to competing productsG DATA Internet Security 2009USER FRIENDLINESS:( ) clearly structured and modern user interface( ) excellent and secure default settings in the AV scanner area( ) user-defined installation( ) very good help texts and manual( ) good reports with history( ) simple creation of rescue media( ) IMAP accounts are supervised( ) features game mode(-) rescue media available with only one scan engine (no double scan)(-) excellent protection in trustworthy zones only via manual modificationof the firewall rules(-) insufficient information regarding the firewall in case of attacks(-) integration of the anti-spam module in Outlook onlyPERFORMANCE:( )increased performance compared to the previous version(-) deinstallation takes unusually long(-) http scanner slows down on pages with extensive graphics11

PROTECTsTAR Kaspersky Internet Security 2009:USER FRIENDLINESS:( ) excellent overall impression( ) good and user-defined installation( ) very good elaborate factory settings for home users aswell as professionals( ) detailed warning messages via pop-ups in all security areas( ) very good anti-spam filter and „content filtering“( ) very good update performance( ) excellent and user friendly anti-spam filter( ) scan on weak points in the system( )IMAP accounts are supervised( )Gamer modus (full screen image)( ) good mail protection module with integrated preview of themails on the serverPERFORMANCE:( ) effective „fingerprint“ technology (see F. scan times)( ) little influence on system performanceMcAfee Internet Security 2009:USER FRIENDLINESS:( ) simple and user-defined installation(-) old-fashioned user-interface (GUI), which has remainedunchanged for years(-) insufficient log entries(-) excellent protection in trustworthy zones only via manualmodification of the firewall rulesPERFORMANCE:( ) good overall performance12

PROTECTsTAR Microsoft Live OneCare 2.5USER FRIENDLINESS:( ) clearly-structured configuration options for the firewall( ) comfortable access to Windows functions and system optimizations(-) few setting options for the anti-virus scanner(-) user takes some time to get used to(-) insufficient log entries(-) no warning pop-ups in case of attacks from the trustworthy zonePERFORMANCE:( ) good overall performance(-) slow on-demand malware scannerNorman Security Suite:USER FRIENDLINESS:( ) good introductory wizard including detailed explanations( ) clearly structured and neat user interface( ) good and reliable firewall program control( ) intelligent screensaver scanner( ) powerful sandbox technology( ) „de-installation protection“ via code entry.(-) OutBreak Mode deactivated by default(-) few configuration options for advanced users(-) advanced setting options for the firewall are too hard to find(-) 24 hours as update interval, smallest possible setting 6 hours(-) no boot medium(-) no spam filterPERFORMANCE:( ) good overall performance( ) good performance of the real-time performance(-) slow on-demand scan13

PROTECTsTAR Norton Internet Security 2009:USER FRIENDLINESS:( ) great number of improvements compared to the previous version( ) excellent and user friendly anti-spam filter( ) very well suited for technically unversed users( ) excellent update performance( ) features game and silent mode( ) good detection of attack types( ) excellent online help and support options( ) user friendly program control( ) simple installation and product activation( ) clearly structured and modern user interface( ) bootable rescue medium(-) sufficient configuration options only in the heuristics and quarantine areas(-) log files cannot be deletedPERFORMANCE:( ) quick installation( ) quick anti-virus scanners (on-demand)( ) excellent performance properties( ) effective „fingerprint“ technologyZoneAlarm Internet Security 2009:USER FRIENDLINESS:( ) home-user friendly configuration options( ) good log files and warning messages( )good detection of attack types(-) no setting option, e.g., to download updates every hour(-) few configuration options for the anti-virus scannersPERFORMANCE:(-) slow on-demand malware scanner14

PROTECTsTAR F.) Test: SCAN TIMES(short test)In this brief test, we analyzed the scan this case consisted of the scan times on documents, MP3 files and pictures andtimes or scan speeds of the malware a computer system (Core2Duo E 6300, an additional 155 GB of SystemImages).scanner integrated into the respective 2048MB Ram, WD-Sata hard drive) The entire test files were checked by eachsecurity suite. In the process, each product whose hard drive was occupied by 265 malware scanner three times in a row inwas manually configured with the highest GB altogether (of these, 16GB consisted each case. The table below displays thesecurity settings. The test criterion in of system files, 94GB of user files such as scan times for scans 1-3:Pos.Publisher1st scan2nd scan3rd cAfee00:46:42uvuv7.BullGuard00:52:37uvuv8.G DATA01:17:4301:17:0100:52:019.AVG 7:05uvUvuc unchanged or identical with 1st scanRegarding this brief test of scan times, it modifications are performed on a product’sshould be borne in mind that these times configuration settings or if many differentmerely represent a snapshot and are files and, above all, file formats are totherefore included in the overall result be scanned, scan times are accordinglywithout being rated. If, for example, manual shorter or longer.15

PROTECTsTAR G.) Test: VALUE AND FEATURESPrice(Box)PriceAmazon(Download) priceLicensesContents(Software)POINTSmax. 20AVG-------69,99--53,993x1xAV, FW, AS, WF11sufficientAvira-----59,9539,9544,95---3x1xAV, FW,AS, KS, BP17goodBitDefender-----49,9539,9540,95---3x1xAV, FW, AS, KS,ID, DS18very goodBullGuard-----69,95--------3x1xAV, FW, AS, BP15satisfactoryEset--49,9579,9549,95-----3x1xAV, FW, 0,503x1xAV, FW, AS, KS16goodG Data59,9539,9553,9535,9549,9529,953x1xAV, FW, AS, WF,DS18very goodKaspersky59,9539,9559,9539,9544,9528,453x1xAV, FW, AS, WF,KS, ID18very goodMcAfee54,9534,9554,9534,9530,9523,993x1xAV, FW, AS, KS,DS, BP19very goodMicrosoft-----49,95---31,40---3x1xAV, FW, ID, ST,BP17goodNorman-----49,00--------3xxAV, FW, , FW, AS, 7,953x1xAV, FW, AS, KS,ID, WiFi18very goodZoneLabs-----49,9529,953x1xAV, FW, AS, KS,ID,17goodRatingPrices in eurosLegend: AV antivirus scanner / FW firewall / PC parental control / BP backup / ID identity protection / WF Web filter / DS data shredder / ON onlinescanner / ST system tuner / WiFi WLAN protectionAs far as the relation of value and features Therefore, it always pays to compare to check whether an online mail-orderis concerned, it is striking that there ar

AVG Internet Security 8.0 8.0.169 Avira Premium Security Suite 2009 8.2.0.247 BitDefender Internet Security 2009 12.0.10.3 BullGuard BullGuard 8.5 n/a ESET Smart Security 3.0 3.0.672 F-Secure Internet Security 2009 9.00 build 148 G DATA Internet Security 2009 19.0.0.49 Kaspersky Internet Security 2009 8.0.0.