Signaling IT Ziff Davis Enterprise

Security

Thursday, May 15, 2008 8:14 PM/EST

The Port of Richmond Is Watching

This week, I took a tour of the port of Richmond, Calif., where ADT Security Services was showing off the brand-new video surveillance system it put together to monitor the port against intruders, theft or possible terrorist action -- utilizing an all-wireless network to move data from all the cameras back to the centralized video analytic equipment.

Monday, May 05, 2008 9:00 PM/EST

Expanding the Reach of Least User Privilege

For several years, I've been a big proponent of operating Windows-based desktop computers in a Least User Privilege mode, removing Administrator (or Power User) rights from end users so they cannot install unapproved applications (or unwanted malware). However, instituting such a policy throughout an enterprise is not the easiest thing in the world because many applications still require administrative rights to run correctly and some power users need to do more (unpredictable) things to their computers than the average user.

BeyondTrust addressed the first problem a few years ago with its Privilege Manager application (formerly known as DesktopStandard's PolicyMaker Application Security), which helps administrators change the privileges token of a process or application via centralized policy-based controls. This allows, in a nutshell, a limited rights user to run certain preapproved applications with administrative rights on those applications only.

In the years since the product first came to market, BeyondTrust has heard about the second problem many times. According to a survey the company conducted among its customers, two-thirds of those asked had been able to remove administrator privileges from 90 to 100 percent of the users in their organization. Of the remaining third of its customers, however, BeyondTrust found that special use cases -- users such as system administrators or developers, or laptop computer users -- were generating too many support calls to be effectively pulled into the Least User Privilege initiative.

As a response, the latest iteration of Privilege Manager looks to squarely address those special use cases, as Version 4.0 adds a series of new features aimed at easing administration amid the unpredictability generated by these users.

First of all, Privilege Manager adds another way for administrators to batch-approve software from a particular vendor. Administrators can approve rights escalation for applications or installation packages based on the digital certificate used to sign the code. An administrator can simply allow the system to escalate rights for any Microsoft signed application, for instance.

With Privilege Manager 4.0, administrators can also approve privilege escalation for software that comes from a particular CD or DVD, as administrators can approve the serial number of a particular piece of media. This allows administrators to control the flow of new software installations in remote instances, sending out a preapproved disk full of new applications or updated versions of existing ones.

The best news for users, however, is that Privilege Manager 4.0 allows approved users to perform on-the-fly exemptions at their discretion. Users can right-click an application or installation package, and see a new context menu item that allows a temporary privilege escalation. Administrators can audit the use of this exemption by asking the user to type in a reason for the request and by requiring the user to enter a password before the escalation can take place.

Privilege Manager 4.0 also looks to extend some of the native features of Windows Vista. BeyondTrust already did some work in Version 3.5 to tone down the chattiness of Vista's User Account Control feature, and now in Version 4.0, BeyondTrust has extended the security afforded by Vista Integrity Levels to applications other than Internet Explorer. In essence, with Vista Integrity Levels, a process with Low Integrity cannot interact with processes rated Medium or High Integrity (but a High Integrity process can interact with anything with a lower rating). According to BeyondTrust representatives, a standard Vista user will normally run all applications with a Medium Integrity level -- except for Internet Explorer, which operates with a Low Integrity level (enabling IE Protected Mode).

In a WebEx demonstration, BeyondTrust engineers showed me that the Integrity Level protection could be extended via policy to any other Internet-facing application, so administrators could lock down the behavior of Mozilla's Firefox browser in the same way that IE is protected.

Monday, March 17, 2008 6:34 PM/EST

BeyondTrust Roots Out Bad Apps

BeyondTrust is all about solving problems that perplexed me six years ago. And I mean that as a compliment, since no one else has really addressed those problems in all this time.

Before I came to eWEEK in 2003, I worked at an IT consulting firm serving small businesses in and around San Francisco. One of our hallmarks was an early encouragement of the practice that later became known as "Least Privileged User." Basically, we persuaded a lot of clients to have their users run only with local User permissions, rather than with Administrator rights.

As a result, our customers had a lot less trouble with viruses, spyware or unwanted applications. Of course, we also had to make work all the applications they needed to use on a day-to-day basis -- and we ran into hundreds of applications that wanted Administrator rights, often for pretty banal reasons ("We write our preferences file in the c:\Windows directory!").

Identifying those applications that would have a permissions problem was kind of a crap shoot and I spent hundreds of (non-billable) hours poking around various apps and watching other people over their shoulders. It was hardly an effective way to identify troublesome apps, but there wasn't a tool to do it and it was bad PR for a customer to find them before we did.

And I don't even want to talk about the various things we did to actually fix the permissions problems once we discovered them. Kludgey does not even begin to describe that process.

Of course, BeyondTrust (along with a couple other companies that don't really exist anymore) helped solve the "fix" problem a couple years ago with its Privilege Manager product (formerly known as Desktop Standard's PolicyMaker Application Security). And now, finally, it is trying to solve the identification and location problem with a new product called BeyondTrust Application Rights Auditor.

Of course, Microsoft has offered a tool kit for a while that allows individual scanning of applications for permissions issues, but that solution didn't really scale well for companies with a large application base, particularly one already deployed and in use.

With Application Rights Auditor, BeyondTrust is looking to fill that gap. And it's free (as in beer).

The product gets deployed to a representative sample of desktops throughout an enterprise, for a two-pronged search for applications needing administrative rights. The client software first performs an inventory to identify all executable applications on each machine. The findings are then transmitted to BeyondTrust's repository, where the found applications are compared against a database of known applications and versions.

For applications that are not already in BeyondTrust's database, the client software continuously monitors each unknown application as it is being used, recording and flagging specifically when (and what) Administrator privilege is required.

Administrators can then look at the inventory results of the two types of scans and run reports for individual clients or the collective to see what applications will need permissions help in a move to Least Privilege. Because all the data is stored on BeyondTrust's network, there is no need to install a local database or application server, so it should be pretty easy to get started quickly.

The hosted model scared me a little bit, for security and privacy reasons, but the folks at BeyondTrust assured me that each customer has its own unique certificate that gets generated when the customer first acquires the code. All of the agents deployed within a company transmit their data with the certificate, so all the information should be isolated from other companies' data.

Unfortunately, BeyondTrust has not yet decided to take the additional steps to make Application Rights Auditor even more valuable. Since it is collecting information specific to applications that are already in use, it makes sense that one should be able to automatically create policies based on the information provided by Auditor in order to get going quickly with Privilege Manager. But of course, you can't yet do that.

Wednesday, January 23, 2008 3:44 PM/EST

Fortify's 'New Face of CyberCrime'

Last week, I attended the San Francisco premiere of a new short documentary, "The New Face of CyberCrime." Directed by Frederic Golding and brought to fruition by the folks at Fortify Software, the film was screened for select members of the media as well as IT executives from around the Bay Area and was followed by a panel discussion moderated by Fortify founder and Chief Technology Officer Roger Thornton.

The panel featured:

Howard Schmidt, president and CEO of R&H Security Consulting and former White House cyber-security advisor

Ted Schlein, managing partner of Kleiner, Perkins, Caufield and Byers

Grant Bourzikas, director of Information Security for Scottrade

Frederic Golding - director of the film

The 20-or-so-minute film talked at a high level about the cyber-crime landscape, focusing on the role organized crime now plays because there is money to be made out there. Discussions with a few grey-hat hacker types, some IT folks and analysts around the industry, and Schmidt himself hammered home the point that this is a dangerous time on the Internet, and people need to be aware of how they and their information can be tricked, captured and compromised online. However, there really wasn't any prescriptive advice to be gleaned from the movie, which left me (and, I felt, many in the audience as well) wanting more.

Given Fortify's niche in the industry (code scanners), it is unsurprising that the film concentrated on how poor development practices and shoddy code open doors for thieves in the current threat landscape. As far as I can recall, cross-site scripting was really the only type of vulnerability that was discussed at length, as we got to see a grey-hat hacker type sit in an outdoor cafe, talking about the things that he could do from there over the Wi-Fi network. Hardly compelling visually, and probably hard to grasp for those unfamiliar with the ins and outs of coding best practices.

In fact, the whole film seemed to suffer from a bit of a lack of focus. In the panel discussion, an audience member asked what I was thinking, "Who is this film aimed at?" The quick-cutting visual style, featuring a lot of talking heads interspersed with jerky shots of racks of servers and network cables, and the high-level gloss-over of the problem with no real prescriptions, kind of indicated that the film was directed towards a very mainstream audience. Like something you might catch on Nova on Saturday afternoon.

Yet cross-site scripting seems like a poor choice of angle for a mainstream audience, which would probably benefit more from a more endpoint-focused perspective, or better yet a look at how to actually protect and monitor your digital assets.

Golding made very clear that he did not intend the film to be a call to action, but rather an opportunity to initiate a dialog and help people in the industry build awareness of cyber-security. Something with recommendations or deeper discussion of the issues would be more of a corporate film rather than a documentary.

Thornton indicated that the filmmakers and producers needed to weigh the balance, keeping the audience engaged while still providing some meat. Apparently, they had initially planned to reach out to more criminal elements to show that side of the equation, but were warned off that course by law-enforcement advisors who told them they could get killed if they weren't careful with what was shown or who they talked to.

Golding consistently expressed surprise at the things he learned during the filmmaking process, and clearly showed his unfamiliarity with the technical matters at the heart of his film (honestly, why would any Joe User know about coding best practices and PCI compliance?) And I fear his unfamiliarity with the subject matter gave Fortify's folks a chance to steer the subject matter toward their own bread and butter -- a rather unfortunate, but unsurprising development.

Ultimately, the question of target audience was never answered during the panel, so I posed the question to the PR representative who invited me to the screening in the first place. His answer surprised me:

"The documentary will not be made publicly available, but I can send you a copy of the DVD if you like. I just need you to agree that the DVD will be for your own personal use and will not be made public."

So really, this film is only going to be shown to prospective Fortify customers. It's a marketing film. Super (I feel used). Some full disclosure up front would have been great, as it turns out that the panel itself was peppered with Fortify board members as well. Five minutes of research turned up the fact that both Schmidt and Schlein are on Fortify's board of directors.

Nonetheless, the panel discussion was a little more interesting, as the audience let loose some of its unrest regarding the film. Since the director intended the film to provoke a dialogue, in this one sense, it was successful.

An impromptu poll taken of the audience indicated that the majority of those in attendance thought of themselves as information security workers, while a handful of people were in software development, and almost no one considered themselves to be both. And if I may generalize a bit, the security-oriented audience had the reaction of, "We know all this. Now what are we supposed to do about it?"

Of course, Fortify's answer was an unspoken but quite evident, "Buy our products."

Scottrade's Bourzikas ultimately was the most interesting speaker as he weighed in on subjects like biometrics and the efficacy of PCI compliance mandates.

Bourzikas called PCI compliance "Uh, interesting." He intimated that that kind of security doesn't really make you more secure. In the end, authorized users query a database and get a response. How do you ensure that that user is who he purports to be? Ultimately, these are business decisions and at some point security becomes a hindrance. The company first of all needs to make money, and can't tell users how to behave.

When two-factor authentication was mentioned as a solution, Bourzikas made it clear that his customers did not want it, and weren't willing to bear the additional expense to institute it.

TJ Maxx was used frequently as a case in point during the film and the panel discussion -- highlighting the real financial consequences for a business cleaning up a data theft mess, while hinting at what it means for end users as well -- the latter described basically with two words, "identity theft." But counter to the PCI discussion above, it seems the TJ Maxx example actually could have been prevented by conforming to PCI regulations, as evidence has pointed to wardrivers cracking WEP (Wired Equivalent Privacy) encryption on TJ Maxx's wireless network and culling customer information that way -- a situation clearly addressed in PCI.

The film is scheduled to be shown again on Jan. 24 in New York and Jan. 29 in London. For those who can't wrangle an invite, you'll have to make do with the preview.

Tuesday, January 15, 2008 4:38 PM/EST

Skyhook's iPhone Possibilities

The news that most caught my attention during Steve Jobs' Apple keynote today was not the MacBook Air, but rather the announcement that the new iPhone firmware—Version 1.1.3—includes location-based tracking for Google Maps that uses not only cell phone triangulation, but Wi-Fi-based locationing services as well.

The Wi-Fi location tracking is apparently being provided by Skyhook Wireless, a company that has spent the last few years building and (constantly) updating a massive database of Wi-Fi access point positions in major cities across the United States. Unlike traditional GPS services, Skyhook's technology could and should work indoors—depending on whether a Skyhook-enhanced Wi-Fi client can see access points that are already in their database.

According to Skyhook's Web site:

"To pinpoint location, WPS (Wi-Fi Positioning System) uses a massive reference network comprised of the known locations of over 18 million Wi-Fi access points. To develop this database, Skyhook has deployed specialized vehicles to survey every single street, highway and alley in 2500 U.S. cities, scanning for Wi-Fi access points and plotting their precise geographic locations."

and

"Skyhook's Wi-Fi Positioning System's subsecond time-to-fix, +99% indoor availability and 10-20m accuracy in urban areas is the perfect compliment to GPS' known limitations."

The service is reliable enough that one laptop recovery service, CyberAngel Security Solutions, last year added a Wi-Fi-based tracking service to their portfolio based on Skyhook technology. CyberAngel's product provides an authentication and encryption layer to standard laptops. Users (or administrators) define a secured partition, where confidential data and applications are stored encrypted. When a user authenticates, the store is decrypted automatically for use. Conversely, a bad log-in attempt triggers an alert to CyberAngel's servers (via LAN, WAN or modem connection) that the computer could be in a compromised state. Obviously, there needs to be an escalation process to avoid false positives for every failed log-in.

With the WiTrac service layered on, the alerting laptop can also report home any Wi-Fi access points it can see, sending to the service the MAC addresses of the access points detected, as well as the relative signal strengths of each detected device. This information can then be compared with Skyhook's database to return longitude and latitude coordinates of where the laptop is located. CyberAngel claims the service is accurate to around 10 meters.
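The lookup described above (visible access points plus their signal strengths, matched against a database of surveyed AP positions, yielding a latitude and longitude) as an added illustration. This is not Skyhook's or CyberAngel's code; the AP database, the scan and the signal-strength weighting rule are constructed assumptions.

```python
"""Wi-Fi positioning by matching seen access points to a reference database.

Added example, not Skyhook's or CyberAngel's implementation. The database,
the scan and the RSSI weighting are constructed for illustration.
"""
from dataclasses import dataclass
from math import cos, radians, sqrt

# Constructed reference database: MAC address -> (latitude, longitude).
# Coordinates are sample values around downtown San Francisco.
AP_DATABASE = {
    "00:11:22:33:44:01": (37.78920, -122.40120),
    "00:11:22:33:44:02": (37.78935, -122.40085),
    "00:11:22:33:44:03": (37.78905, -122.40090),
    "00:11:22:33:44:04": (37.78950, -122.40150),
}


@dataclass(frozen=True)
class Sighting:
    """One access point as seen by the reporting laptop."""
    mac: str
    rssi_dbm: int  # received signal strength, e.g. -45 (strong) .. -90 (weak)


# Constructed scan: three APs that are in the database plus one that is not.
SCAN = [
    Sighting("00:11:22:33:44:01", -48),
    Sighting("00:11:22:33:44:02", -61),
    Sighting("00:11:22:33:44:03", -70),
    Sighting("aa:bb:cc:dd:ee:ff", -40),  # unknown AP, must be ignored
]


def rssi_weight(rssi_dbm: int, path_loss_exponent: float = 3.0) -> float:
    """Turn RSSI into a weight that grows with proximity.

    Under the log-distance path-loss model received power is ~ 1/d**n, so
    10**(rssi/10) is ~ 1/d**n and raising it to 1/n gives ~ 1/d.  Constant
    factors cancel in the centroid, so no calibration is needed here.
    """
    return 10 ** (rssi_dbm / (10.0 * path_loss_exponent))


def locate(scan, db=AP_DATABASE, min_known=2):
    """Weighted centroid of the known APs in the scan.

    Returns (lat, lon, number_of_known_aps), or None when fewer than
    min_known of the seen APs are in the database (no fix possible).
    """
    lat_acc = lon_acc = total = 0.0
    known = 0
    for s in scan:
        pos = db.get(s.mac.lower())
        if pos is None:
            continue  # AP not surveyed: contributes nothing
        w = rssi_weight(s.rssi_dbm)
        lat_acc += w * pos[0]
        lon_acc += w * pos[1]
        total += w
        known += 1
    if known < min_known or total == 0.0:
        return None
    return (lat_acc / total, lon_acc / total, known)


def distance_m(a, b):
    """Approximate ground distance in metres (equirectangular projection)."""
    lat1, lon1 = a
    lat2, lon2 = b
    mean_lat = radians((lat1 + lat2) / 2)
    dx = radians(lon2 - lon1) * cos(mean_lat) * 6_371_000
    dy = radians(lat2 - lat1) * 6_371_000
    return sqrt(dx * dx + dy * dy)


if __name__ == "__main__":
    fix = locate(SCAN)
    print("fix:", fix)
```

The accuracy figure the vendors quote (around 10 metres) depends on how densely the area was surveyed; with only the constructed APs above the estimate simply falls inside the cluster of known APs.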

When we spoke with CyberAngel's CEO Bradley Lide over the summer, the service cost $69.95 per laptop for a 1-year license, $129.90 for 3-year license, with volume discounts available as well. The Skyhook service was included in that price.

What will be interesting is, with the new iPhone SDK on target for delivery in late February, whether we may see CyberAngel (or someone else using Skyhook) provide recovery services for the iPhone as well—and perhaps authentication and encryption capabilities. These capabilities would suddenly make the iPhone—and its industry-leading mobile browser—a much more compelling solution for businesses exploring a Web application-oriented mobile solution.

For end users, it may not make fiscal sense at the prices listed above, but if such a service were offered as part of an extended AppleCare warranty service for the iPhone with a small premium (depending on the levels of functionality available from the service), many of us may actually consider it for a device that has fast become a centerpiece in our lives for both work and play.

Wednesday, January 09, 2008 3:57 PM/EST

Time, Money and the Lies Others Tell You

Securitywatch's Ryan Naraine notes that new Secunia users are finding their computers insecure, as applications have fallen out of date. As a Secunia user, I can say there are a lot of causes for my inability to keep my primary system up to date (by Secunia's standards).

For instance, on my work PC at this moment, Secunia's PSI is telling me that I currently have 4 insecure applications, 1 End-of-life application, with 76 up-to-date apps. Better than most, but hardly perfect. 5 of 81 are not secure - a 6.2% failure rate.

Basically, I can be hacked via known vulnerabilities.

Of the four vulnerable applications, 2 are Adobe Flash. I've tried upgrading to the latest version. I've tried uninstalling, then reinstalling. I've tried uninstalling completely. None of these steps have gotten PSI to recognize any difference. I guess I can figure out how to manually remove Flash for good - but it may be a lot of work.

One is my anti-virus program. Work provides and manages this software, so there's not much I can do (other than badgering IT, and I am sure they are sick of my badgering), unless I decide to fully manage my own AV solution. Looking through the release notes of the current and recent iterations of the software, no mentions of patched vulnerabilities jump out at me. Lots of bug fixes and improvements, but maybe not any plugged security holes. But the free version of PSI does not make that distinction.

The other vulnerable application is QuickTime. I've got Quicktime Player installed because I need iTunes to sync my iPhone to my Outlook calendar. I've covered my dismay with this setup plenty in the past, but it is the only reliable way I've been able to sync the data I need.

When I upgraded to iTunes 7.5, the install package included Quicktime 7.3. Since then, Quicktime moved to 7.3.1, but iTunes stayed at 7.5. So the Apple Software Update application tells me I am up to date, but a check of the Quicktime website tells me I am ever so slightly behind.

Essentially, one of the many tools I am forced to rely on to keep my system up to date is lying to me.

The end-of-life program is a prior version of Winzip. I guess my company actually paid for the Winzip license (I never see that annoying Expiration notice on this PC). I can see why the company may not want to pay for the new version, since the old one does everything that our users want it to do, presumably. But to get security updates, we're beholden to pay for licensing upgrades to get the new version, chock full of features we don't need?

Yes, of course. This is one of the costs of security that everyone must face. But personally, this case is out of my hands. Or I suppose I could install the latest WinRAR.

Secunia's PSI is a means to an end. People downloading these kinds of tools are presumably wanting to check their status, likely knowing something is out of date. So they can fix it - if they are allowed to and it is relatively easy.

Given the Apple and Winzip anecdotes above, I'd say perhaps the numbers Ryan notes are really a larger indictment of the software makers - their crappy update applications and their upsell tactics used in the name of security.

Tuesday, January 08, 2008 4:19 AM/EST

CES: The 10 O'Clock Flat Tire

The first day of CES saw some cool wireless developments (new chip sets, more 802.11n), and a major reawakening of the personal NAS space (everyone under the sun seems to have an appliance coming soon). The day was also marred by bad shoes and some unfortunate static discharge.

Of the non-visual accounts, SanDisk showed me its technology preview of a 12GB MicroSD card. Yes, it works. However, SanDisk isn't going to sell it. The company is just proving it can, and will wait until the next step up (16GB) to release a product.

And now for some pictures:


I've got a review of the Syspine version of Microsoft's Response Point coming online any day now. Here's the D-Link iteration: DVX-2000MS Appliance (top), DPH-124MS (middle) and DVG-3104MS Analog Trunk Gateway (bottom).


Mio was showing its concept design of integrated GPS and Tri-band phone. Big deal, you say? This one is two-faced, hence the name Dual-Sided NAV Phone.


Netgear announced 18 new products at CES this year. I'm going to talk about the wireless stuff in a separate post later, but Netgear also had some new NAS appliances. Lots of protocol support (Samba, NFS, Bonjour), and xRaid technology to autoconfigure the RAID, allowing online volume expansion. At top, the four-bay RND4000 ReadyNAS NV+. At bottom, the two-bay RND2150 ReadyNAS Duo.


The Nokia booth was bustling with activity every time I passed, as the booth had many display units available for hands-on play (very Apple Store). However, all that traffic was really messing with the carpet in Nokia's booth, which was shedding like a long-haired cat. After scooting across the carpet to try out a phone, I got a huge static shock as I picked up the device -- causing me to scurry away before I could find out whether I had killed it.


During a chat with folks from the Wi-Fi Alliance, I was shown this sample of a new 802.11n chip set meant for mobile phones. Atheros and Broadcom aren't showing any mobile-N chips (I talked with them), but RedPine is.


Otterbox has some new ruggedized cases for the iPhone. This one, which has a hardened shell under a separate rubber skin, took me almost 10 minutes to crack open. There's also a waterproof one.

Zyxel was showing the new version of its WiMax base station for Sprint (top, middle). The booth people didn't seem wild about the fact that I kept calling it "the coffee maker." Zyxel also has a new version of its SIP phone (bottom).


At Showstoppers, I ran into Yoggie -- whose original device I quite liked last year. Now Yoggie has announced a slimmed-down, firewall-only device called the FireStick Pico.


Before my day really got started, my shoe completely fell apart even though I've only worn that pair four or five times so far. Thankfully, the good folks at Broadcom were handy with the duct tape.

Friday, September 21, 2007 3:38 PM/EST

With the Right Tools and Perspective, Whitelisting Can Work

Unlike some of my counterparts here at eWEEK, I am among those who think application whitelisting is definitely an interesting idea whose time has come for greater exploration in the enterprise. But administrators don't need to buy into the concept over the whole enterprise, as there are places where it makes more sense - particularly from an ease-of-administration perspective. But with the right tools and the right plan, whitelisting is feasible.

A few vendors are already doing application whitelisting for enterprise customers with some interesting results. For instance, I reviewed Bit9's Parity earlier this year and found it to be a pretty compelling product that just needed a little more polish. What I liked most about the product, however, were the tools Bit9 had created to identify and vet applications on the web. Its ParityCenter and FileAdvisor services actively acquire software from the web, determining who signed the file and scanning it for malware - then placing the code found into buckets of unsafe vs. safe applications, thereby giving administrators a frame of reference to base policy decisions upon.

Also, Lumension (formerly Patchlink, which bought SecureWave) has been mining the whitelist area for a while, teaming it with excellent port blocking controls, something Bit9 has also improved upon in its latest version.

If other vendors with more clout and more resources (like Symantec) want to get into the practice of vetting and giving a seal of approval (for whitelisting purposes) to applications - rather than just finding and IDing malware - then I see that as a good thing for the security industry. Since their automated tools are undoubtedly already culling and examining "good" code anyway in their sweep for bad code, an actionable list of that "good" code would be easy to produce, and could lead to much more secure computing environments for those willing to take the leap to whitelisting.

With some tools and technology already out there to do whitelisting, it is up to the administrator to decide if and where such a technology would be best utilized. For instance, application whitelisting is absolutely intriguing when we are talking about servers. If you have a virtual server farm, with each instance performing a limited, core set of functions, why not whitelist? You already know what should be on there and you want to prevent anything else from running.

On the desktop, obviously the argument for application whitelisting is more complicated, as various deployments will stray mightily from the golden image when you account for all the different task-specific permutations of applications that are necessary to do this job or that. In our Bit9 test, I found it easier to deploy whitelisting with fresh systems rather than on an in-place desktop or laptop fleet, due to the large disparity of configurations.

But when beginning the project from a known starting place, whitelisting can be a fine complement to a Least Privileged User configuration. Administrators can then adjust whitelist policy, by knowledge-group, to adjust for the different approved applications needed for workers to do their jobs - whether these applications are bought, open-sourced, or home-grown.

The big question with application whitelisting should instead rest on who ultimately has control over the list. If an AV vendor like Symantec - or a security software company like Bit9 or Lumension - rules the whitelist with absolute authority, then no, whitelisting will not work. But if the IT administrator has the flexibility to adjust the whitelist, along with the tools to identify differing applications and adjust policy accordingly, then I think whitelisting is a feasible approach.

Thursday, September 13, 2007 12:34 AM/EST

The Automatic 'Automatic Updates' Update

I've always been one to put a leash on Automatic Updates. Sure, you can download the patches to my machine, but please notify me before they get installed. I always look through the knowledgebase articles before installing anything. Inevitably, I accept everything the agent offers me, but I still want that control over what goes onto my system.

When Microsoft Watch's Joe Wilcox asked for the eWeek Labs to confirm whether Automatic Updates was doing unauthorized updates of itself, of course I was intrigued. I wouldn't put it past Microsoft to do it, but without notifying the user or asking permission? Seemed an unwise practice to get into.

Tuesday, May 22, 2007 5:38 PM/EST

Testing Anti-virus Products

Whenever I've done anti-virus or anti-spyware testing in the past, getting live samples has always been something of a challenge. I've made several attempts to archive malware for testing purposes, but often found the samples to be antiquated when the time comes to do a test. This makes it difficult to extrapolate differences between products being tested, as signatures were created long ago for my malware.

Similarly, Web sites that I have counted on in the past as a guaranteed source of malware have come and gone, making it a drag to find new, active strains on the Web on short notice. And Google's newfound commitment to vetting links can also get in the way. Even some of the most traditionally pernicious adware vendors have made strides to clean up their acts.

This time, I tried a more cutting-edge approach to collecting malware for use in eWEEK Labs' tests. Cameron Sturdevant recently met with a company called Robot Genius, which operates a specialized malware-seeking Web crawler called RGcrawler. RGcrawler seeks out every Windows executable file, ActiveX control and .zip file on the Web, then downloads the code to Robot Genius' network for automated installation and testing. From these tests, Robot Genius can identify known malware or suspicious behavior to positively ID real threats available on the Web.

Robot Genius gave us a list of links to almost 300 malware-infected executables. Looking for a wide diversity of malware, I culled that list down to 35 samples by eliminating many similar entries that originated at the same Web site. I looked for a combination of known threats that Robot Genius could classify plus unknown threats identified as malware by their behavior.

Trying to ensure that we had legitimate malware, I took those 35 samples and ran them through the scanners at VirusTotal, which checks user-submitted malware against 31 different signature engines to identify possible threats. Of the 35 samples, six came back with a clean bill of health from VirusTotal. While this is not conclusive proof that these six samples were benign, I nonetheless eliminated those six from consideration in our tests to avoid the chance of holding a false positive from Robot Genius against the products tested.

This left me with a total of 29 vetted malware samples. These files represented a mixture of adware, spyware, worms and Trojans with file sizes ranging from only 27KB to over 9.5MB.
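The two culling steps described above (keep one similar entry per originating site, then drop anything no signature engine flags so a crawler false positive cannot be held against the products under test) as an added example. This is not Robot Genius', VirusTotal's or eWEEK Labs' code; the sample records, detection counts and sizes are constructed.

```python
"""Culling a crawled malware feed into a vetted test set.

Added example (not Robot Genius', VirusTotal's or eWEEK Labs' code).  The
records below are constructed; ENGINE_COUNT is the 31 engines the post says
VirusTotal checked each upload against.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

ENGINE_COUNT = 31


@dataclass(frozen=True)
class Sample:
    url: str
    family: str       # crawler classification; "unknown" = flagged by behaviour only
    detections: int   # how many of the ENGINE_COUNT engines flagged the file
    size_kb: int


# Constructed feed: several files from the same sites, some with 0 detections.
SAMPLES = [
    Sample("http://a.example/dl/one.exe", "adware", 3, 27),
    Sample("http://a.example/dl/two.exe", "adware", 5, 40),      # same site, same kind
    Sample("http://a.example/bundle.zip", "unknown", 0, 120),    # no engine flags it
    Sample("http://b.example/p.exe", "unknown", 2, 9728),
    Sample("http://c.example/q.exe", "worm", 20, 300),
    Sample("http://c.example/r.exe", "unknown", 0, 50),          # no engine flags it
    Sample("http://d.example/s.exe", "trojan", 0, 80),           # no engine flags it
    Sample("http://b.example/t.exe", "unknown", 4, 64),          # same site, same kind
]


def one_per_site(samples):
    """Step 1: keep at most one classified and one behaviour-only sample per host.

    Many entries from one site tend to be repackagings of the same bundle, so
    this trades volume for diversity while still mixing known and unknown threats.
    """
    seen = set()
    kept = []
    for s in samples:
        host = (urlparse(s.url).hostname or "").lower()
        key = (host, s.family == "unknown")
        if key in seen:
            continue
        seen.add(key)
        kept.append(s)
    return kept


def drop_undetected(samples, min_detections=1):
    """Step 2: remove samples that no engine flags.

    Zero detections is not proof a file is benign; it only means the sample
    cannot fairly be counted against a product that misses it.
    """
    return [s for s in samples if s.detections >= min_detections]


def curate(samples):
    """Run both steps and summarise what is left for the test plan."""
    vetted = drop_undetected(one_per_site(samples))
    sizes = [s.size_kb for s in vetted]
    return {
        "count": len(vetted),
        "known": sum(1 for s in vetted if s.family != "unknown"),
        "unknown": sum(1 for s in vetted if s.family == "unknown"),
        "size_range_kb": (min(sizes), max(sizes)) if sizes else None,
        "urls": [s.url for s in vetted],
    }


if __name__ == "__main__":
    print(curate(SAMPLES))
```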

To put the anti-malware solutions through their paces, I focused my testing on detection of new threats, rather than elimination of existing ones. To test the real-time detection, I copied the samples to the local hard drive through a variety of means -- from a Windows file share, from a USB drive and via VMware's drag-and-drop copy between virtual host and client.

For the samples that survived the real-time scan, I conducted a full disk scan to attempt to find inert but present-on-the-disk malware, like when a bundle stays resident in the browser cache even if the original file is long gone.

For samples that made it through rounds 1 and 2, I then attempted to install each of the remaining samples onto the protected system, to see whether the anti-malware solution would catch on as the bundle was exploded out or as new content was downloaded from the Web during installation, and to see whether malicious behavior (like a process injection or write to the local host file) triggered an alert. I installed each threat individually on a fresh virtual instance, trying to ensure that any detections were specifically related to the particular sample being tested.

Note: I had some problems with Microsoft Forefront Client Security and VMware Workstation 5.5 right from the start. As I reported in the review, Forefront's real-time detection did not work correctly on a virtualized Windows XP SP2 client instance. I found that I could copy malware to the Forefront-protected instance willy-nilly - from a file share, over the Web or from a thumb drive - and Forefront acted like nothing was wrong until I ran a full disk scan.

To counter this, I performed tests 1 and 2 on a Forefront-protected laptop computer. However, I still performed test 3 on the VMware-based instance to ease the process of resetting the system after each infection attempt. Spot checks of the installation of a couple strains on the laptop revealed identical behavior in both instances.
