Testing Guide 1 – General

Getting Information

Test: How Easy is it to get hold of an evaluation copy and pricing?

Value: 0/10

This might sound like an important thing, or at least a potentially frustrating one if you can’t get what you’re looking for, but the reality is that many enterprise-focused AV products are not available as a simple download-and-evaluate trial with published pricing. Here are a few reasons why vendors do this:

  1. Fears over software being reverse engineered
  2. Advanced features may require some hand holding in a formal Proof of Concept
  3. Cloud management portal requires manual creation by the vendor
  4. Pricing varies by country, reseller and volume. Discounts vary.

The reality is that if you speak to a vendor (or more likely one of their resellers) then you’ll be able to get access to the product and pricing within 24 hours. Any longer than that and you need to talk to a better contact at the reseller. (N.B. Most enterprise security products are sold through resellers. This might not sound desirable, but they can usually get pricing cheaper, quicker and with more complete knowledge than going direct to the vendor. Plus, many vendors have a 100% reseller sales model, so you’ll always end up buying from a reseller anyway.)

However easy or hard it is to get your hands on an evaluation copy of AV software, or to get pricing, this shouldn’t count for or against the product in your assessment. (You should never have to do this step again.)

Software Supportability

Test: Is the software supported on my machines?

Value: 10/10

If your machines don’t match up to the required spec of the AV product, then it’s game over. Check what versions of operating system and hardware are in operation in your organisation and ensure that the AV product either supports them now or at least in time for the full roll out.

Installation

Test: How Easy is it to install the product onto one machine and many machines?

Value: 9/10

Installation should be an incredibly painless process. It should be quick, simple and configurable. For just one machine, the installer shouldn’t impact the user at all. So we don’t want to see any reboots or huge downloads of updates that’ll slow anything down. Ideally, a few clicks of Next, insert a license key and that’s it. Anything else should be transparent, silent and unnoticeable in the background. For deployment to many machines you’ll be looking at an automated install, driven by a script, deployment software or the operating system’s own tooling. Microsoft SCCM and Group Policy for Windows are common routes here. For the AV product, make sure an MSI installer is available that supports your machines, and that installation switches/parameters are supported to deliver a custom configuration on first install. E.g. “AVinstaller.msi /desktopnotify /usemgr-192.168.0.1”

Most enterprise class products will excel in the installation/deployment area. When you’re doing your own testing with one installation, just locate the vendor’s knowledge base article detailing the various deployment switches as a test of what features are available. N.B. Watch out for products that require deployment using their own software rather than your own deployment tool/installer. This is usually a major headache for initial roll out and ongoing management. It’s rare to see this anymore, but if you do then it’s a big negative.
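As an added example (not from this guide or any vendor), here is the kind of wrapper you would use to push such an MSI silently and check the things this section asks for: no UI, no reboot, and a running, auto-starting service afterwards. The MSI file name, the DESKTOPNOTIFY/MANAGEMENTSERVER properties and the service name are placeholders standing in for the page’s hypothetical switches, not real product parameters.

```powershell
# Added example, not the guide's or any vendor's code. Placeholders: the MSI
# file name, the public properties and the service name must come from the
# vendor's deployment KB article for the product you are testing.
param(
    [string]$MsiPath     = 'C:\Deploy\AVinstaller.msi',    # placeholder
    [string]$ServiceName = 'AVProductService',              # placeholder
    [string]$LogPath     = "$env:TEMP\AVinstall.log"
)

# Hypothetical property names standing in for the page's "/desktopnotify /usemgr-192.168.0.1".
$props = 'DESKTOPNOTIFY=1 MANAGEMENTSERVER=192.168.0.1'

# /qn = fully silent (no UI), /norestart = never reboot mid roll-out, /l*v = verbose log.
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogPath`" $props"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard MSI exit codes: 0 = success, 3010 = success but a reboot is pending,
# which is a mark against the product if you want a transparent install.
switch ($proc.ExitCode) {
    0    { Write-Output 'Installed silently, no reboot required.' }
    3010 { Write-Warning 'Installed, but the installer wants a reboot (3010). Note this against the product.' }
    default {
        Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
        exit $proc.ExitCode
    }
}

# After a silent install the product should already be running and set to auto-start.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Error "Service '$ServiceName' not present after install"
    exit 1
}
Write-Output ("{0}: State={1} StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode)
if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') { exit 1 }
```

Run it once on a single test machine before handing the same command line to SCCM or Group Policy; the verbose log is what you will need if the vendor’s switches don’t behave as documented.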

Compatibility

Test: Can I install the product alongside other endpoint products?

Value: 9/10

The endpoint security product landscape is increasingly being eroded by high quality products integrated into the operating system, such as firewalls, device control and file encryption. You’ll also see very high quality specialist products for one particular feature that you may be using. In turn, it’s very common to be running multiple products from multiple vendors on the endpoint. Since you’re looking at the very best AV, make sure that the AV you’re testing doesn’t clash with existing security products and that exclusions/configurations can be made to ensure it all works neatly alongside each other. First, check the AV vendor’s knowledge base for any known issues with specific products, and then try it for yourself to see. If you introduce some malware and two products start fighting over it, causing the CPU to max out, then you know there is an issue to look into. The main clash you’ll see is in the memory scanning / HIPS arena, where two products may both inject components into the same processes and trip over each other.

Client Configuration

Test: Can I configure the product on the endpoint only?

Value: 2/10

All high end AV products are manageable from a central management server or cloud portal. Managing policies locally might sound convenient but can very quickly run into issues of rule overlap/conflict and become a management nightmare. Sometimes you do need to have exceptions, such as when you have a server that is in an isolated network. In these cases you need to be able to download a policy once, isolate the machine and then rely on manual updates in the future. This scenario might be alien to your organisation but it does come up occasionally for some sensitive environments. During the product evaluation, if you feel this is relevant, ask your vendor for information on offline configuration and engine/policy updates and how that all works.

Tamper Protection

Test: Can the AV product be maliciously or accidentally removed or broken?

Value: 10/10

Malicious software and people will try to remove your AV product, or potentially just disable it whilst they do something bad. Something as basic as changing a client’s network settings would prevent updates and cripple some AV products. So the AV product must contain strong tamper protection to maintain its protection and control by the management station/portal.

N.B. If your users are local administrators on their device, all bets are off. You can have all the controls you like but at the end of the day, an administrator is all powerful and can stop your AV working. For example, in Windows, an admin could amend the hosts file to break AV updates, or they could reboot into Safe Mode and amend critical system files or dependencies. Your AV product’s controls will not stop a determined local administrator. This is why local admin rights should be very rarely granted to users.

For Tamper Protection you want to see these features:

  • Prevent the user from stopping the service
  • Prevent the user from blocking/stopping engine/feature/policy updates
  • Prevent the user from uninstalling the software
  • Prevent the user from modifying/deleting AV product files
  • Simple checkbox configuration of Tamper Protection and/or a one-time installation switch that enables it automatically at install
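As an added example (not from this guide or any vendor), a small script for the test machine that exercises the first and fourth points above and reports whether the product held. Run it as the account type your users actually get; the service name and install folder are placeholders for the product under test.

```powershell
# Added example, not the guide's or any vendor's code. Run on a test machine as
# the account type your users actually get (standard user, or local admin if
# that is your reality). Every attempt below is EXPECTED to be blocked; any
# "Pass=False" row is a finding against the product's tamper protection.
param(
    [string]$ServiceName = 'AVProductService',            # placeholder
    [string]$InstallDir  = 'C:\Program Files\AVProduct'    # placeholder
)
$results = @()

# 1. Stopping the engine service should be refused.
try {
    Stop-Service -Name $ServiceName -ErrorAction Stop
    $results += [pscustomobject]@{ Check = 'Stop service refused'; Pass = $false }
} catch {
    $results += [pscustomobject]@{ Check = 'Stop service refused'; Pass = $true }
}

# 2. Dropping a file into the product folder (modifying product files) should be refused.
#    Caveat: for a standard user the default Program Files ACLs already deny this, so a
#    pass here proves little; the result matters most when run as a local admin.
try {
    $probe = Join-Path $InstallDir 'tamper-probe.txt'
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'Write to install dir refused'; Pass = $false }
} catch {
    $results += [pscustomobject]@{ Check = 'Write to install dir refused'; Pass = $true }
}

# 3. Well-protected services do not even advertise that they accept stop requests
#    (Win32_Service.AcceptStop is $false), and the engine must still be up afterwards.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$results += [pscustomobject]@{ Check = 'Service rejects stop control'; Pass = [bool]($svc -and -not $svc.AcceptStop) }
$results += [pscustomobject]@{ Check = 'Service still running';       Pass = [bool]($svc -and $svc.State -eq 'Running') }

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # any gap fails the test
```

Pair this with the product’s management console: a good product will also raise a tamper-attempt alert for each of these actions, which is worth checking at the same time.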
Carl Gottlieb

Data Protection Consultant, specialist in anti-malware security solutions and Consulting Director of Cognition Secure. Helping organisations test products for themselves and get the best protection.