Battle Planned: Real-world Test of Trend Micro, ZoneAlarm, Eset and Webroot

How to test?

  • Defaults

  • Tweaked


Compare list
ZoneAlarm, Eset, Webroot, Trend Micro
Platform(s)
  1. Microsoft Windows

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Recent claims have led me to plan and execute a video-recorded real-world test that will test the solutions below:
  • Webroot - highly advocated product. User claims that the product includes "sandbox"/"isolation"
  • Trend Micro - claims include that me and Shadowra have tested it in unrealistic conditions
  • ZoneAlarm - product was criticised and its users were deemed to have "insufficient evaluation skills"
  • Eset - this will be included just to regulate the test -- it is a highly reputable and regarded product.
So the framework:
On the first stage, the products will be tested with several malicious and phishing links. I will put all links in an HTML page so I can just drag and drop on top of the browser and start clicking, instead of copy/pasting from a document. I will take extra care to remove PUPs and will pre-analyse everything on various sandboxes, to ensure it is malicious.

On the second stage, products will be tested against malware that I am actively hunting on my Mac. This malware will be uploaded to a sharing portal and downloaded. I consider this to be a valid real-world scenario -- attackers can, for example, take over an Instagram account (happens very frequently) and share a malicious link there. You believe it is a trusted document coming from an acquaintance, so you rush to open it.
This malware as well will be in an HTML table so I can just click.

On the third stage, products will be tested against phishing and malicious documents that I am creating myself. These will be downloaded too. They will be as well on an HTML table, so I can just easily click.

No malware will be introduced through unrealistic means, such as malware packs.
If malware has been allowed to execute (not deleted right away), the system will be monitored with Process Explorer, potentially Wireshark, and will be scanned with Norton Power Eraser.

The framework predicts 2 verdicts only: pass and fail. Every product will be allowed to miss 1 phishing website and 0 malware samples to pass. (feedback?)

In terms of settings, I need your opinion.
ZoneAlarm (the criticised product) is a fully automated solution with no tweaks. It only allows components to be turned on and off but does not offer settings such as heuristics aggressiveness, anti-phishing aggressiveness, etc. My question is, should I, in this case, tweak other products? How many users tweak their products really? I need feedback before I kickstart.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Oh it was ferociously advocated for yesterday, you may have missed and the topic was cleaned.
Personally I have not tested Webroot against any kind of malware, but I can say that their browser extension is very effective. Regarding its performance, though it is said to be very light, it considerably slowed down app launch which made me uninstall it.
 

Trident

Personally I have not tested Webroot against any kind of malware, but I can say that their browser extension is very effective. Regarding its performance, though it is said to be very light, it considerably slowed down app launch which made me uninstall it.
Don't worry, tonight we'll see how effective this solution is.
 

lyldz

Level 3
Verified
Well-known
Jun 4, 2016
133
In my personal opinion, many users just install, activate, and use these applications without making any changes. Very few of us want to modify the basic settings and have control over the security level. To be fair, it seems more appropriate to test based on the default settings.
 

Divine_Barakah

Don't worry, tonight we'll see how effective this solution is. It was advocated by a user who is very protective of their "American Jewels" - Trend Micro, Norton, Webroot. Their comments on everything non-American are not flattering (don't wanna pull the comments from the Kaspersky ban thread).
Well, I am not a tester. I am just a casual user and performance is the most important factor for me. I have watched many tests that showed Trend Micro's Hypersensitive Mode protect the system successfully. I remember in a test, HSM failed to protect the system against script malware. I hope you do test TM with both HSM turned on and off and see how it goes. Thank you in advance.
 

Trident

Well, I am not a tester. I am just a casual user and performance is the most important factor for me. I have watched many tests that showed Trend Micro's Hypersensitive Mode protect the system successfully. I remember in a test, HSM failed to protect the system against script malware. I hope you do test TM with both HSM turned on and off and see how it goes. Thank you in advance.
I may display Trend in hypersensitive mode, but just on the side, like behind the scene sort of thing. For the framework and verdict to be accurate, maybe I will keep all of them on default? What do others think? Because ZoneAlarm does not have modes.
 

Divine_Barakah

I may display Trend in hypersensitive mode, but just on the side, like behind the scene sort of thing. For the framework and verdict to be accurate, maybe I will keep all of them on default? What do others think? Because ZoneAlarm does not have modes.
Yes I believe it is better to test the three products on default settings. Maybe you can do a bonus test with custom settings.
 

Faxx

Level 1
Sep 7, 2017
16
If you are going to touch any default for the other products then for ZA I would only tick on the "malicious websites" under the content filtering settings. Although, based on your methodology, it may not make any difference.
 

Trident

BTW, in the case of TM, if you run many malware samples, it will automatically enable Hypersensitive Mode to protect the system.
Yes, over 10 I believe. In addition, over 10 malware samples, it will automatically restart the scan and activate something that in business products is called aggressive scan. But I am not sure at this point that we will reach 10 malware samples, as it will not be needed. My expectations are that some products will fail from the first 2-3. We'll see.
 

Divine_Barakah

Yes, over 10 I believe. In addition, over 10 malware samples, it will automatically restart the scan and activate something that in business products is called aggressive scan. But I am not sure at this point that we will reach 10 malware samples, as it will not be needed. My expectations are that some products will fail from the first 2-3. We'll see.
Have you prepared the samples? Would you share more information about what those samples do?
Upon failure with one sample (malware missed and establishes C&C communication), product is disqualified and no other samples are tested.
Hahahaha what a brutal test. I am very curious now.
 

Jonny Quest

Level 21
Verified
Top Poster
Well-known
Mar 2, 2023
1,081
Upon failure with one sample (malware missed and establishes C&C communication), product is disqualified and no other samples are tested.

Maybe keep going through all samples, so we can see what an utter failure the tested version can be? Otherwise, the die-hard fans may say, "well, what about....", if you just stop at one, or especially if it's the 1st or 2nd sample tested?
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,739
My personal opinion is the vast majority of users will install a product and never look at the settings beyond adding their license key when needed. For a real-world test, the default settings should be used.

A separate test could be done with maximized settings, and HIPS rules for ESET, but that would be a real-world test only for those users who have any idea of what they are doing.
 


ForgottenSeer 114834

Testing should align with the product's design. For advanced user products, configure settings accordingly. Automated products should be tested as designed.

Deviating from this approach would not provide a comprehensive evaluation of the product's features and functionality as specified in the design.
 
