<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures -  A Security Blog » testing</title>
	<atom:link href="http://countermeasures.trendmicro.eu/tag/testing/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Wed, 28 Jul 2010 17:12:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Traditional AV Testing: File under ‘Irrelevant’</title>
		<link>http://countermeasures.trendmicro.eu/traditional-av-testing-file-under-%e2%80%98irrelevant%e2%80%99/</link>
		<comments>http://countermeasures.trendmicro.eu/traditional-av-testing-file-under-%e2%80%98irrelevant%e2%80%99/#comments</comments>
		<pubDate>Fri, 23 Apr 2010 14:25:46 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Interview]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[VB100]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1989</guid>
		<description><![CDATA[ZDNet recently posted a video interview with me about the current state of the threat environment and the way forward for security. &#160; I explained that Trend Micro had previously declined to participate in some high-profile AV tests. We felt that these tests didn&#8217;t match the reality of how threats infiltrate organisations and arguably give [...]]]></description>
			<content:encoded><![CDATA[<p>ZDNet recently posted a video interview with me about the current state of the threat environment and the way forward for security.</p>
<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/xuXr2PFSPWU&#038;hl=en_US&#038;fs=1&#038;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/xuXr2PFSPWU&#038;hl=en_US&#038;fs=1&#038;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="450" height="271"></embed></object><br />
&nbsp;<br />
I explained that Trend Micro had previously <a href="http://www.channelregister.co.uk/2008/06/09/trend_vb_test_criticism/">declined to participate </a>in some high-profile AV tests. We felt that these tests didn&#8217;t match the reality of how threats infiltrate organisations and arguably give a false sense of security.<br />
&nbsp;<br />
Typically, what happens in these traditional tests is that a file repository is loaded up with a collection of different viruses, Trojans and other malware. The security software is then installed and updated, disconnected from the Internet and set to work trying to detect malware. The headline scores are then generated according to the percentage of those malicious files that are successfully identified.<br />
&nbsp;<br />
Testers would argue, I suppose, that this creates a level playing field in which to compare different software solutions. I can understand that, but it really doesn’t reflect the threat environment in real organisations, or for consumers. The most common threat vector now is the Internet; the second most common is malware downloading other malware via the Internet. <a href="http://billmullins.wordpress.com/2010/04/20/how-safe-are-trusted-web-sites-not-very/" target="_blank">Infected web pages</a>, <a href="http://blog.trendmicro.com/pdf-launch-feature-abused-to-carry-zeuszbot/" target="_blank">PDFs</a>, <a href="http://countermeasures.trendmicro.eu/whos-checking-your-facebook-profile-scammers/" target="_blank">social networking sites</a> and <a href="http://blog.trendmicro.com/cybercriminals-go-to-the-cloud/" target="_blank">cloud-based services</a> represent just some of the significant real or potential threats that aren’t replicated in the traditional lab-based test environment. Traditional tests focus on the file – can this security software correctly identify this file?<br />
&nbsp;<br />
A more holistic approach is necessary. Malware and other threats arrive through various channels and, to be honest, once they have arrived then some part of your security solution has already failed. And it’s not necessarily through people breaking the rules. An email arrives from your CEO asking you to check out a web site. I’d suggest that most people will click on that link. What a good security solution should be doing is asking a series of questions on your behalf, questions that aren’t just about viruses but your security as a whole:<br />
&nbsp;</p>
<ul>
<li>Is this email really from your CEO?</li>
<li>Is the link it contains hosted in a bad neighbourhood or does it contain suspicious elements?</li>
<li>Have we seen other examples of this same mail elsewhere recently?</li>
<li>Is it trying to deliver files or prompting to change settings?</li>
<li>Are those files bad?</li>
</ul>
<p>&nbsp;<br />
The list can be almost endless, but traditional testing looks at what happens at the last line of defence. It asks one question: a bit like leaving your doors and windows open and unwatched but attaching a burglar alarm to the jewelry in your sock drawer. We believe that a security system should kick-in at the first link in this chain of events, not the last. No solution is 100% reliable at any level, but if you have multiple levels of control, each of which informs the others, then so much the better your chances of avoiding any compromise. Prevention is <a href="http://www.pcpro.co.uk/realworld/250378/you-ve-been-conficked" target="_blank">significantly better than a cure</a> in such situations.<br />
&nbsp;<br />
Going forward, a move to holistic protection networks and the centralisation of threat signatures is inevitable – new threats are detected every one-and-a-half seconds and as this trend continues, a solution based on signatures downloaded to client machines could neither keep pace, nor allow your machine to continue operating at the performance level you would expect while it’s attempting to do so.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/traditional-av-testing-file-under-%e2%80%98irrelevant%e2%80%99/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>In Security, Reputation Is Key</title>
		<link>http://countermeasures.trendmicro.eu/in-security-reputation-is-key/</link>
		<comments>http://countermeasures.trendmicro.eu/in-security-reputation-is-key/#comments</comments>
		<pubDate>Mon, 28 Sep 2009 10:37:19 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Shameless plug]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[NSS Labs]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[testing]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1382</guid>
		<description><![CDATA[That appears to be the conclusion of a pair of independent tests recently released by NSS Labs. Back in June of 2008 you may remember there was some noise in the IT press, as Trend Micro was declining to participate in some of the well known anti-malware tests, such as VB100. Our argument at the [...]]]></description>
			<content:encoded><![CDATA[<p>That appears to be the conclusion of a pair of independent tests recently released by NSS Labs.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="295" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/1j17l1kvHio&amp;hl=en&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="295" src="http://www.youtube.com/v/1j17l1kvHio&amp;hl=en&amp;fs=1&amp;rel=0" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>Back in June of 2008 you may remember there was some <a title="Trend withdraws from 'irrelevant' VB100 anti-virus test" href="http://www.channelregister.co.uk/2008/06/09/trend_vb_test_criticism/" target="_blank">noise in the IT press</a>, as Trend Micro was declining to participate in some of the well known anti-malware tests, such as VB100. Our argument at the time, and this still stands today, was that those tests simply do not accurately reflect the threat as our customers encounter it, and as such the results may offer a false sense of security.</p>
<p>The internet has emerged as the <a title="Most Abused Attack Vector - TrendLabs" href="http://blog.trendmicro.com/most-abused-infection-vector/" target="_blank">most abused attack vector</a>, attacks are multi-variant, multi-protocol, distributed in source (botnets), often targeted in nature and can no longer be defeated by the pattern-matching techniques that have been at the core of security software for so long.</p>
<p>Traditional security product testing has mostly been conducted in an isolated lab environment with a selected list of malware and this does not allow modern security software to perform to the best of its abilities. Trend Micro uses the internet based capabilities of the <a title="Trend Micro Smart Protection Network" href="http://uk.trendmicro.com/uk/technology/smart-protection-network/" target="_blank">Smart Protection Network</a> to provide real-time dynamic protection, focusing not just on the malicious file, but the malicious email and web site as well, creating smart correlated rule-sets designed to thwart malicious activity.</p>
<p>This is a threat-centric philosophy not a file-centric one. The aim is to break the chain of infection, or block the threat, as early as possible; looking first at the &#8220;exposure layer&#8221; or where threats come from and subsequently at the infection layer, or &#8220;what the threat does when it arrives&#8221;.</p>
<p><strong>Independent</strong> and importantly <strong>unsponsored</strong> testing, from <a title="NSS Labs | Independent security product testing and certification" href="http://nsslabs.com/" target="_blank">NSS Labs</a>, has just been released that underlines the importance of this new approach. In July and August of this year NSS Labs performed 17 days of 24&#215;7 testing on 9 consumer and 10 enterprise products.</p>
<p>Is Trend Micro&#8217;s cloud-client Smart Protection Network ready for prime time? I think the results speak for themselves&#8230;</p>
<div id="attachment_1383" class="wp-caption alignleft" style="width: 518px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/catch-rate.png"><img class="size-full wp-image-1383  " title="NSS Labs Consumer Report, September 2009" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/catch-rate.png" alt="NSS Labs Consumer Report, September 2009" width="508" height="227" /></a><p class="wp-caption-text">&quot;Trend Micro achieved the best download and execution protection with 96.4% overall&quot; - Source: NSS Labs Consumer Report, September 2009</p></div>
<div id="attachment_1384" class="wp-caption alignleft" style="width: 571px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/over-time.png"><img class="size-full wp-image-1384" title="NSS Labs Consumer Report, September 2009" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/over-time.png" alt="NSS Labs Consumer Report, September 2009" width="510" height="279" /></a><p class="wp-caption-text">NSS Labs Consumer Report, September 2009</p></div>
<div id="attachment_1385" class="wp-caption alignleft" style="width: 585px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/time-to-block.png"><img class="size-full wp-image-1385" title="NSS Labs Consumer Report, September 2009" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/time-to-block.png" alt="NSS Labs Consumer Report, September 2009" width="510" height="235" /></a><p class="wp-caption-text">NSS Labs Consumer Report, September 2009</p></div>
<p>Download the full reports from NSS Labs <a title="Anti-malware Test Report of endpoint products" href="http://nsslabs.com/reprints/9b/EndpointProtection-3Q2009" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/in-security-reputation-is-key/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
