Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Tuesday, 24 July 2018

Detected, blocked, quarantined, cleaned?

What happens when your choice of security software handles an attack?

Latest reports now online.

It should be simple. You've clicked on the wrong link, opened a malicious email or installed something inadvisable. A threat is now attacking your PC and it's up to your choice of anti-malware product to handle things.

But what does it actually do under the hood?

Detection is important. The product should recognise that a threat exists, even if it can't fully handle it. At least you can receive an alert and seek help (or an alternative anti-malware program!)
Blocking threats is also very important. Ideally the protection system will prevent the malware from running. Sometimes that doesn't happen and the malware runs. In that case one hopes that the security software would recognise that bad things are happening and stop them. This is what we call 'neutralisation'.

Following a neutralisation your computer might not be completely clean. There could be some rogue code still on your hard disk, possibly even on your Desktop. There might also be entries in the Registry and elsewhere that will try to run this code (or code that has been deleted or quarantined).
You probably want your system to be protected by having threats blocked and, in cases where they are not, that they be removed as fast as possible and all significant traces removed. We call this happy state 'complete remediation'.

In SE Labs tests we measure all of these outcomes, including the worst one: compromise.

If you want to know how the different products tested in this report handled threats in detail, check out the Protection Details table and graph on page 10 of our reports. We don't show details of which products completely remediated threats and which did not when neutralising but the Protection Ratings on page eight take these into account.

If you spot a detail in this report that you don't understand, or would like to discuss, please contact us via our Twitter or Facebook accounts.

SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define 'threat intelligence' and how we use it to improve our tests please visit our website and follow us on Twitter.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.