An attack rarely ends when the malware runs. That’s just the beginning…
Latest reports now online.
Testing security software is a challenging task and it’s tempting to take clever shortcuts. However, while doing so might save the tester time and other resources, it doesn’t always produce useful results. And if the results aren’t accurate then the test becomes less valuable to you when you’re choosing which product to use.
We are big supporters of the idea of full product testing. This means installing the security product the way it was intended to be used, on systems commonly used in the real world and ensuring that every component of that product has a chance to defend the system.
In practice this means that we installed the anti-malware products tested in this report on regular PCs that are connected to a simple network that has unfiltered internet access. We visit malicious websites directly, where possible, and use a special replay system when the bad guys start to interfere with our activities.
Since the beginning of this year we started including targeted attacks in our testing. These types of attacks try to compromise the target using infected documents and browser exploits. Once an exploit has succeeded we then continue ‘hacking’ the target. This step is crucial because in many cases it is these post-exploitation hacking activities that can trigger an alert.
Full product testing doesn’t just mean turning on (or leaving enabled) all of a product’s features. It also means running a full attack as realistically as possible. Testers should not make assumptions about how a product works. You need to act like a real bad guy to understand how these products protect the system.