Emsisoft participated in the Virus Bulletin VB100 Comparative Review on Microsoft Windows Server 2008 R2 SP1 with Emsisoft Anti-Malware for Server. The test is designed to measure how well a scanner detects malware and how taxing it is for the server. Emsisoft Anti-Malware for Server detected all malware and received the highest award that Virus Bulletin offers.
After the baseline installation was complete, the standard VB100 test sets were deployed based on the v4.008 certification edition on the WildList release list. This means that Virus Bulletin used a set of malware samples as a baseline for testing. Every vendor receives the same baseline so the examination is standardized and fair.
The WildList is a list of malware reported by a variety of organizations once confirmed positive. It is not considered a ‘most common’ list, but rather a picture of what is currently out in cyberspace, or ‘In the Wild’ (ItW). Anti-malware is not meant to look for just the most common malware, because that would leave other malware undetected. You want an anti-malware product that is flexible and can pick up malware that would otherwise go undetected. In real life, or ‘in production’ as it is known in the world of IT, you always want to defend against the worst-case scenario – not the best. The goal of the examination is to simulate a ‘real world’ approach to detecting and defending against malware. Participants who contribute to ItW lists include Microsoft, AVG Technologies, NANO Security and Dell SonicWALL, to name a few.
Scanning with In the Wild Access and Demand scenarios
The first part of the test consisted of ItW on Demand, which means that scanning covers main memory, the boot sector (the part of the disk where the computer boots from) and disk memory, and is started when the user requests a manual scan of the server. In this case, Emsisoft Anti-Malware for Server detected 100.00% of the malware.
Another great achievement was that Emsisoft Anti-Malware for Server scored 100.00% on the ItW on Access test, where the scan engine scans only files that are being loaded into main memory before execution. The purpose is to detect malware before it runs in main memory. If the malware does happen to run in main memory, it will be able to infect the server and cause all sorts of damage, such as corrupted files, rootkits being installed and back doors being opened (back doors can give attackers access to and control of your server).
Emsisoft Anti-Malware for Server was given a Stability Score of 0 (zero) and a Stability Rating of Solid, which is the highest marking that a product can receive from Virus Bulletin VB100’s certification exam. According to Virus Bulletin, “the interface is attractive and clear, with nice large icons indicating status and leading to a strong set of controls. Stability was great, with no issues noted.”
Before the updates were applied – up until the zero-day
The scanning is conducted in terms of time windows – before updates are applied and then after. This part of the exam covers the period ‘before’ the testing date, where no updates are used. It’s a fresh installation of Emsisoft Anti-Malware for Server. The ‘before’ windows are called Set -1 and Set -2. Set -1 is 1 to 5 days before the test begins. Set -2 is 6 to 10 days before testing. Think of it as integers: -5 -4 -3 -2 -1 0 +1 +2 +3 +4 +5. Zero Day is the day of the test; basically, you have 10 days to find all the malware before the day of the test.
Just like any other test that you study for, you would also make your own cheat-sheets. It is the same concept here. So Set -1 is from 1 to 5 days before testing and Set -2 is 6 to 10 days before the testing day. With a fresh installation and no software updates, Emsisoft Anti-Malware for Server detected 94.84% of sampled ItW malware. Look at it this way: one of the competitors detected 54.94%, leaving the server extremely vulnerable to malware infection because the scanner is unable to detect malware efficiently. Also, the longer the server administrator takes to apply the updates, the more time the malware has to infect the server. At a 94.84% detection rate, you have a proven product in Emsisoft Anti-Malware for Server for protection.
After the updates were applied – and what all these updates mean
The last part of the exam was ‘after’ the testing date, which means the updates have been applied to the anti-malware scanner. This is where Emsisoft Anti-Malware for Server receives its updates and then starts to scan for malware. In this case, they use Set +1 and Set +2. Set +1 is where updates are applied 1 to 5 days after the exam date. Set +2 is 6 to 10 days after the exam date, and updates are applied as well. The updates that are applied to the scanner update its library of what malware to look out for. Just as Webster’s Dictionary adds new English words every year, the updates add new entries to the anti-malware’s library, but much more frequently.
Anti-malware programs require updates because new malware is being introduced into the wild every day – thousands of them. Emsisoft Anti-Malware detected 93.82% of the malware after the updates were applied. A competing vendor received an overall detection rate of 84.32%, which means that 15.68% of malware was not detected. Compare that to Emsisoft Anti-Malware, which received an overall detection rate of 94.50%, with only 5.50% of malware not detected – very impressive!
Virus Bulletin concluded that Emsisoft Anti-Malware’s “detection was strong, barely wavering through the RAP sets, and the certification sets were handled with no unwanted misclassifications. Emsisoft’s good work earns it a VB100 award.”
Emsisoft Anti-Malware for Server contains the same functionality as Emsisoft Anti-Malware, but is optimized for use on server operating systems.