This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
Symantec was close behind, missing 17.6 percent of specimens on the real-time scan, but performing on a par with Trend, CA and eEye in the on-demand scans.
McAfee was next, with 22.3 percent of our specimens eluding the real-time scan. The follow-up on-demand scan, however, produced some surprising results: Another 10.7 percent of specimens were detected, but none of those were deleted or quarantined. Likewise, in the pure-play on-demand scan, all of the 8,000-plus malware specimens survived, despite an avalanche of alerts. That's because this new McAfee product has a default action of alert-only for on-demand scans, in contrast to the competition and a departure from most earlier McAfee products.
With the help of McAfee support, we used the McAfee client to conduct an on-demand scan with a delete action, a process that requires several rather nonintuitive steps. After that scan, 11.6 percent of our initial specimens remained for both the on-demand scan following real-time scanning and the pure-play on-demand scan. Notably, McAfee blocks all .exe files from a network copy, even benign test files, due to another default setting. Such a feature is likely to cause problems in environments attempting to distribute programs via network file shares, and is certain to be disabled in some enterprises.
When we tested Sophos, every one of our specimens survived the initial copy because, by default, Sophos' real-time defenses only look at "read" actions, not "write" actions. Such an approach, possibly done to improve file system performance, prevents the malware from executing, but does not stop infiltration of malware into a file system. Sophos does offer an option for changing this default behavior.
In the end, both the real-time/on-demand combo test and the pure on-demand test left 36.7 percent of the specimens on the target machine.
Sophos' default behavior is to perform "in-place" quarantine, preventing future access of the file but leaving it in its current location. All the other products move malware to a separate quarantine directory or delete it. Sophos says its approach makes restoration of files misidentified as malware easier. If your antivirus tool makes false-positive matches on legitimate files, restoring access in their normal locations is a lot easier than scraping them out of a quarantine directory and finding their homes again. The Sophos tool can be configured to perform traditional quarantine or deletion.
This was first published in November 2007