18 Corporate Protection Solutions Put to the Test under Windows 10
There are ever more frequent media reports citing attacks on corporate networks. In Europe, the flurry of published incidents would also appear to be related to the new EU General Data Protection Regulation (EU GDPR), which involves a duty to report the loss of personal data. The use of an antivirus solution is also compulsory.
18 corporate solutions put to the test
The laboratory at AV-TEST examined 18 corporate solutions in three categories: in terms of protection, performance (operating speed) and their influence on the work PC's usability. For all test categories, the laboratory awards a maximum of 6 points each. The top score in the test is thus 18 points.
All the tests took place in the period from July to August 2018. In this timeframe, each product was required to undergo all the tests twice. Despite the high hurdles in the checks, the laboratory was able to award many products not only a certificate for their security but also the distinction of TOP PRODUCT. Only products achieving an overall score of 17.5 to 18 points earn this accolade. Both products from Bitdefender and both from Kaspersky Lab earned this distinction, as did the solutions from Microsoft, Avast, Check Point and Trend Micro, and both solutions from Symantec.
Security solutions for corporate users
Detection rates for corporate solutions
Outstanding performance in terms of protection
With the so-called real-world test and the test with a reference set, the laboratory evaluates a solution's protection capability. The object of this first test segment is to detect and fend off roughly 300 new malware samples – dangerous 0-day malware. Some of the malware samples are only a few hours old. In the second test segment, just under 20,000 already known malware samples then have to be identified and removed. These, however, are no more than 2 weeks old. The laboratory has very precise knowledge of the age and risk potential of the malware samples. After all, AV-TEST singlehandedly fishes them out of the Internet – each day, around the clock. Using its own tools, it tests and classifies the threats, stores them and enters them into a database. This is how AV-TEST has amassed its own collection of malware samples. The current status of the database at the end of September 2018: over 830 million malware samples!
The findings of this test in the area of protection are outstanding compared with previous tests: 17 of the 18 products tested achieved the maximum 6 points for protection. Looking strictly at the detection rate as a percentage, 14 products completed all 4 test segments with 100 percent detection. The remaining 3 products did make minor errors, which showed up only in the decimal places, but they still achieved the full point score.
Frequently low system load combined with good protection
As companies are not always running the most high-performance PC models, the testers also take a close look at the system load placed on the client by the protection software. In order to test this thoroughly, various operations are carried out on a standard and a high-end PC: copying data, calling up websites or launching software. The times required for this are then used as reference times. Afterwards, the individual products are installed on the test PCs, all the operations are repeated, and the times required are logged. In this area as well, protection solutions can earn up to 6 points. However, only 9 out of 18 attained this score. A full 6-point score was attained by each of the two security solutions from Bitdefender, Kaspersky Lab and Symantec. The products from Microsoft, Seqrite and Trend Micro also achieved 6 points.
The solutions from Avast, Carbon Black, Check Point, Palo Alto Networks and Sophos followed with what was still an excellent score of 5.5 points, placing a slight load on the client. All other products achieved 5.0 to 4.5 points. Coming in last is Comodo with quite a high load, reaching only 3.5 points.
Microsoft Windows Defender
False alarms make users uneasy
Under the heading of usability, AV-TEST examines the products for false positives when visiting websites, scanning software files, and installing and launching software. That sounds easy, but it is not: in the test, 500 websites are visited, nearly 1.4 million normal files are scanned, and dozens of programs are installed and launched. And all of this is done with each product!
Many solutions stumbled on this task. Only 8 out of 18 products achieved the full 6 points: two products each from Bitdefender and Kaspersky Lab, along with those from Avast, Check Point, McAfee and Microsoft. All other solutions achieved what was still a good score of 5.5 points. Only Seqrite committed more errors and received 5.0 points; Carbon Black received merely 4.0 points.
Very high-quality test field
A total of 10 out of the 18 products evaluated completed the test with a top score of 18 or 17.5 points, earning the distinction of TOP PRODUCT. This number is outstanding compared with older tests. The top finishers with 18 points are the two solutions each from Bitdefender and Kaspersky Lab, along with Microsoft. The protection solutions from Avast, Check Point, Symantec (both products) and Trend Micro follow with 17.5 points.
Also finishing with good scores of 17 points are the packages from McAfee, Seqrite and Sophos. The last 5 spots in the table range between 16.5 and 15 points. That is still a very high level.
The test demonstrates the high quality of the solutions tested. Even Windows Defender as a client for the server protection module was able to make an impressive showing for the first time in its test history.
Next Generation Endpoint Security
CTO AV-TEST GmbH
Since roughly 2012, new companies have made a forceful debut on the Endpoint Security market, generally referred to as "Next Generation Endpoint Security". The players include Cylance, CrowdStrike, SentinelOne, Ensilo, DeepInstinct, Carbon Black, Palo Alto, FireEye and others.
What they all have in common is the aim to make many improvements over traditional antivirus products:
- detection without reactive signatures, in particular without the regular signature updates
- detection of even the latest, unknown malware samples without previous analysis
- lower impact on the system performance of the client system
- partly offline detection as well
In order to achieve this, various techniques are deployed: artificial intelligence and machine learning, in order to classify files purely on the basis of their "appearance", even before they are launched and reveal themselves as malware.
Put simply, an algorithm learns on the basis of training sets, i.e. clearly confirmed malware and benign software, to distinguish between good and bad. The algorithm is continually fed with new training sets and is ultimately evaluated against files that are not part of the training set.
The advantages: once the algorithm has learned from each training set and computed a model of what certain malware looks like, it can easily detect all new variants, and without updates. By contrast, a signature can only detect one file or certain closely related variants of malicious software.
The disadvantages: In practice, this leads to an increase in the rate of false positives, which has been witnessed in the tests on a recurring basis.
The tests also demonstrate that detection by such an algorithm is only as good as its training set. Thus, there have already been products that very effectively detected malicious 32-bit Windows PE program files, but 64-bit versions not at all. This is because 99 percent of all Windows PE malware samples are 32-bit, and the algorithm had no opportunity at all to learn the behavior and appearance of 64-bit malware.
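The coverage gap described above is easy to audit before trusting a model: read the Machine field from each PE header, bucket the training and evaluation corpora by architecture, and flag any architecture the evaluation set contains that the training set barely covers. The following is an added example written for this article, not AV-TEST's own tooling; the PE headers it builds are constructed minimal stubs, and the 99:1 training ratio and the 5 percent threshold are assumptions used only for illustration.

```python
import struct
from collections import Counter

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "arm", 0xAA64: "arm64"}


def pe_machine(data: bytes) -> str:
    """Return the architecture of a PE image, or 'not-pe' if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The 4-byte NT signature plus the 20-byte COFF header must fit inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown-0x{machine:04x}")


def make_pe(machine: int) -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew at 0x3C, PE signature, COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


def coverage_report(train, test, min_share=0.05):
    """Share of each architecture in the training set, plus the architectures present in
    the evaluation set that fall below min_share (the model has effectively never seen them)."""
    if not train:
        raise ValueError("empty training set")
    train_arch = Counter(pe_machine(d) for d in train)
    test_arch = Counter(pe_machine(d) for d in test)
    share = {a: train_arch[a] / len(train) for a in set(train_arch) | set(test_arch)}
    gaps = sorted(a for a in test_arch if share.get(a, 0.0) < min_share)
    return share, gaps


def demo():
    """Constructed corpus mirroring the article's 99 percent 32-bit skew."""
    train = [make_pe(0x014C)] * 99 + [make_pe(0x8664)]
    test = [make_pe(0x014C), make_pe(0x8664), make_pe(0x01C0)]
    return coverage_report(train, test)


if __name__ == "__main__":
    share, gaps = demo()
    print("training share by architecture:", share)
    print("architectures the model cannot be trusted on:", gaps)
```

Run against a real corpus, the report tells you which file classes the aggregate detection rate is hiding; the same grouping can be extended to file types such as scripts.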
An additional weakness may be that next-gen products concentrate on certain file types, such as Windows PE files. Scripts, for example, are not covered by the machine-learning algorithm. This in turn requires additional modules that separately control the execution of scripts.
Tests at AV-TEST basically confirm that next-gen products are capable of offering protection equivalent to traditional antivirus software. In general, however, higher false alarm rates can be observed, along with what is a mostly minor impact on system performance.