How to fight malware

5 products that deliver effective protection against Web-based attacks

Tests of five Web security gateways reveal that performing inline inspection of network traffic is a must, as is querying cloud-based databases of the latest malware. The current crop of anti-malware tools offers strong protection against spam, spyware, phishing, botnets, rootkits, viruses and other Internet-borne attacks.

Two distinct and important new security trends emerged in our testing of antimalware gateways.

First, the current crop of antimalware gateway products are migrating from the classic approach of referencing a local (customer premises) database of malware signatures and instead using a "just-in-time" approach of querying a central (vendor site) malware database in order to deal with brand new malware instances.

Also, vendors strongly recommend inserting a gateway device inline, between the Internet and the local network, rather than connecting it to a span/tap port.

The need for greater security is behind both these trends. Vendors told us even frequent updates of a local customer-site database of malware signatures, URLs and IP addresses can't always keep up with the rapid spread of new malware instances. (In the future, companies may need to plan for a little extra speed in their Internet links in order to accommodate what will likely be a growing number of cloud-based queries of vendor malware databases.)

Charts of malware blocking success,

Next, deep and thorough inspection of network traffic has become the only effective way to keep malware off the network. An approach that simply monitors for malware and reports the results to administrators, who then manually clean up the mess, is cumbersome and nearly unworkable.

Similarly, an approach that uses zero-latency "TCP RESET" commands to cancel malware traffic leaves open a small window of risk (see related story).

Today, malware takes many different forms – malicious Web sites, hijacked advertising banners on otherwise innocent-looking but insidious sites, phishing attempts, spyware, spam, viruses, Trojans, botnets, rootkits, Instant Messaging (both public IM and that offered by Microsoft Office Communications Server and IBM Lotus Sametime) malware, peer-to-peer (P2P) file sharing malware, Skype malware, social networking malware, hijacked Facebook applications, gaming malware and Web 2.0 application malware.

The list is long, and these Internet-borne threats cannot be ignored.

Web attacks are now one of the most dangerous and sophisticated vectors used by cyber criminals. Attacks can come from malicious Web pages, redirects, hijacked legitimate sites, phishing e-mails and social networks.

For example, you may think you're safe because your users visit only "good" Web sites. Unfortunately, because cyber criminals quite often hijack advertising banners, even this reason for avoiding putting an effective security barrier between you and the Internet is no longer valid.

If you don't protect yourself now, you could find that criminals have sucked corporate and personal information quickly and silently out of your computers. Moreover, the advent of extremely sophisticated rootkits has made spyware a stubborn, intractable problem. Removing the latest spyware threats "by hand" is, to say the least, problematic.

The quest for perfection

The ideal antimalware gateway identifies and thwarts virtually all malware. It performs with alacrity (such as low latency), thus giving users a responsive Internet experience – as if the device weren't even present.

It prevents malware from "phoning home" (sending credit card or other sensitive data back to the cyber attacker). The perfect product helps remove malware from infected endpoint computers. It produces useful reports and timely alerts. It's robust and reliable, it scales well and it's easy to use and deploy.

Five vendors answered our call to submit products to our lab for evaluation. We received antimalware gateway devices from McAfee (WW 1900E Web Gateway V6.8.6 appliance), Facetime (Unified Security Gateway V3.0 appliance), Symantec (8450 Web Gateway 4.5 appliance and 8300 Mail Security V7.5 appliance) and Websense (Web Security Gateway V10000 appliance).

Trend Micro sent software that runs on servers that you provide – Interscan Web Security Virtual Appliance 5.0 and Interscan Messaging Security Virtual Appliance 7.0, plus a central console reporting module (Advanced Reporting and Management 1.0).

McAfee's Web Gateway appliance wins the Clear Choice award, but the race was a tight one. McAfee's appliance thwarted more malware – with lower latency – than the other gateways. The other products, however, also did a credible job of keeping malware off our network.

Blocking malware

It's clear that the most important criterion for an antimalware gateway is its success rate at blocking malware. McAfee Web Gateway fared best in our tests, turning aside 99% of the malware instances we threw at it.

We attacked each vendor's product with 100 spyware, adware, Trojan and rootkit downloads. These malware instances included older classics such as CashBackBuddy, Casino Dialer, SearchEssistant [sic], Searchforit, SearchMiracle.EliteBar and SearchSquire, as well as freshly-minted malware such as Generic Downloader.x!brz, Generic Rootkit.dt.dr, W32/Akbot.gen.a, Bredolab.gen.h, FakeAlert-MaCatte, Whitewell, Opachki.a, Ransom-N and PWS-CuteMoon.

Coming in tied for second with a 96% success rate were the The Facetime Unified Security Gateway and the two Trend Micro products. Symantec Web Gateway and Mail Security and the Websense Web Security Gateway V10000 managed to block 94%.

Phish phase

When we tested how well the products thwarted phishing attempts, McAfee's Web Gateway fared best, recognizing and foiling 90% of the scams. We fed each gateway a diet of 500 selected phish accompanied by another 500 non-phish messages.

We composed several of the phishing messages ourselves, embellishing the text and obfuscating both the syntax and spelling in order to sneak our phish around the net. Accurate recognition of good vs. bad was our criterion.

The Trend Micro Interscan Web Security Virtual Appliance and Interscan Messaging Security Virtual Appliance recognized 84% of the phishing attempts, the Symantec Web Gateway and Mail Security identified 76% and the Websense Web Security Gateway V10000 achieved 73%.

The Facetime appliance we tested was not able to scan for phishes. However, the vendor announced recently that the latest version of its Unified Security Gateway will be able to scan for phishing attempts when the product is used in conjunction with a Bluecoat proxy device, and, eventually, ISA and Squid proxies, as well.

Low latency leaders

The McAfee Web Gateway exhibited the lowest latency – 28 ms – when we downloaded executable files through these antimalware gateways. The Facetime Unified Security Gateway gave us 34 ms latency, the Websense Web Security Gateway V10000's latency was 36 ms and the Trend Micro Interscan Web Security Virtual Appliance and Interscan Messaging Security Virtual Appliance achieved 48 ms latency. The Symantec Web Gateway and Mail Security devices trailed the other gateways with a latency of 62 ms.

Moving into the cloud

We looked at the extent to which these products access a central vendor Internet site with malware queries (or plan to in the future)?

 Symantec's Mail Security appliance uses both a local (onboard) malware database and queries to a "cloud" database maintained at Symantec. Its Web Gateway uses a local malware database.

 Trend Micro's approach is a hybrid of local (onboard) scanning and, for executables not found in the local database, queries to a "cloud" database at Trend Micro's central site.

 McAfee proactively uses "spider" programs that traverse the Web to examine Web pages' active (such as executable) content for bad behavior, and McAfee additionally relies on TrustedSource's Web reputation technologies to distribute malware database updates to its customers.

 Websense uses a multi-phased approach that consists of a local (onboard) database and, if a downloaded executable program isn't in the local database, a Real Time Security Scanning engine that goes beyond signatures to statistically profile executables for malicious intent.

 Facetime's appliance contains a malware database updated by both Facetime and Sophos, from which Facetime licenses its database. Facetime indicated that it is migrating toward a hybrid approach combining queries of a local malware database and a "cloud" database.

These vendors update their products' local (onboard) malware databases hourly or, when a significant threat surfaces, on demand.

Coincidentally, the McAfee, Facetime and Websense appliances we tested were all Dell PowerEdge 1950 computers (Dell EMU01s). The Symantec Mail Security 8300 device was also a Dell PowerEdge 1950, while the Symantec Web Gateway 8450 was a Dell R200 computer. All were 1-U rack-mountable.

For parity's sake, we installed Trend Micro's software (Interscan Web Security Virtual Appliance, Interscan Messaging Security Virtual Appliance and Advanced Reporting and Management) also on Dell PowerEdge 1950s.

For performance-measuring purposes, then, all the products except for the Symantec Web Gateway 8450 ran on essentially the same hardware.

Ease of use

McAfee's Web Gateway (formerly Secure Computing's Webwasher) sports an easy-to-use, intuitive browser-based interface that's especially responsive. Reports are quick and informative, and the Web Gateway dashboard is completely customizable.

The McAfee Web Gateway installation was the slickest. A USB memory stick containing a configuration program accompanies the device. Insert the memory stick in a Windows machine, run the program, save your configuration, move the memory stick to the Web Gateway before boot time and – voila! – the Web Gateway uses the IP address and other configuration data you've specified.

Websense's Web Security Gateway V10000 has a browser-based interface that provides administrators with fingertip control over how more than 130 protocols (such as IM and P2P) affect applications on the network. It comes with more than 55 useful reports, and the user interface displays a thoughtfully-designed dashboard.

Trend Micro's Interscan Web Security Virtual Appliance, Interscan Messaging Security Virtual Appliance and Advanced Reporting and Management gave us consolidated threat reporting and corporate policy management across our network. We easily varied security policies by network segment, company division and company department, at our option. We particularly liked Trend Micro's unified view of network security across an entire enterprise.

You install the Interscan Web Security Virtual Appliance, Interscan Messaging Security Virtual Appliance and Advanced Reporting and Management software on your computers, thus giving you fine control over the speed and capacity of your gateway. Installation is a snap.

The Symantec Web Gateway (acquired from MI5) and Mail Security (from BrightMail) devices have somewhat disparate user interfaces. Both are browser-based. Web Gateway has a useful Executive Summary report screen that tells, at a glance, the security threats and activity levels the Web Gateway is experiencing. Symantec Web Gateway additionally produces about a dozen reports on malware activity. These show, for example, infections classified by spyware name, potential attacks, client application usage and sorted lists of your network's Web destinations.

Symantec Mail Security's browser-based interface features an intuitive dashboard, an Executive Summary (quite different from the Web Gateway's Summary), reports for monitoring e-mail activity and spam levels and even a compliance summary that highlights potential violations of corporate policies regarding message content.

The Symantec Web Gateway installs via a browser-based wizard, but the Symantec Mail Security appliance installation needs to have a one-time monitor and keyboard connected for initial setup.

The Facetime Unified Security Gateway appliance has a Web-based user interface for setting configuration options, seeing real-time status and viewing reports. The Unified Security Gateway appliance interface is intuitive to use and easy to navigate. The USG status screens and reports are comprehensive and highly informative.

Installing the Websense Web Security Gateway V10000 or the Facetime Unified Security Gateway consists of cabling the box to your network, powering up and assigning an IP address via a one-time monitor and keyboard connection.

All these products' manuals were clear, comprehensive and easy to follow. All were online, with Symantec also providing hardcopy booklets and manuals.


McAfee's Web Gateway appliance is our Clear Choice winner. It does an excellent job of keeping malware (both Web site-based and e-mail-borne) at bay, is responsive, has an intuitive, customizable user interface and scales well. The other four products weren't far behind and all offer effective protection against Web-based attacks.

Nance runs Network Testing Labs and is the author of Introduction to Networking, 4th Edition and Network Programming in C. His e-mail address is

NW Lab Alliance

Nance is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to

Copyright © 2009 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022