How to
Ryan Harnedy
Aug 2016

Testing Antivirus vs. Anti-malware vs. Behavior-Based Endpoint Security


Figuring out the best way to test our endpoint security software is something we get asked about regularly.

Like most vendors, we don’t encourage testing live malware due to the obvious risks (though if you’re so inclined to live on the wild side, you should at the very least consult tips for using an isolated virtual environment here).

Instead, what we do is provide prospective customers with a sample piece of "malware" that mimics the behaviors you would see during an attack without actually doing damage to the machine or your network.

It’s a safe way of a) confirming the protection is installed and working; and b) seeing what the protection looks like when it’s triggered into action.

In addition to safety, however, another reason we provide our own testing sample is that our protection works differently than antivirus does, and it won’t necessarily respond to other testing files that have been disarmed or otherwise rendered safe.

The reason is that Barkly responds to malicious behavior, not file signatures. Whereas AV products can be programmed to flag harmless test files (the most common example being the industry standard EICAR test file), if the file never actually tries to do anything malicious, Barkly won’t bother with it. The second it does try to do something it shouldn’t, Barkly immediately shuts it down.

Similar situations come up when testing a variety of security products. The fact is, different security solutions take different approaches and use different technology to do different things. As a result, they often need to be tested differently, too.


Think of it this way: Try to hammer in nails with a screwdriver and you’re going to think you have a defective screwdriver.


The same goes for trying out products like malware removal tools or new behavior-based endpoint security like Barkly. To actually see them working you can’t use tests designed for AV.

With that in mind, here’s a quick rundown of the differences between antivirus, malware removal tools, and behavior-based endpoint protection, along with tips for different ways to test each.

TESTING ANTIVIRUS PRODUCTS

How they work

Antivirus software scans files to see if they match the signatures of known malware (think of it like using a list of fingerprints to identify criminals). It is a great technique for identifying and blocking malware that has been around long enough to be discovered and analyzed by security companies, but if an attack uses a new piece of malware — or even one that’s been slightly modified — antivirus won’t be able to recognize it as a threat.

How to test them

Again, while it may seem exciting, testing antivirus against a live, dangerous virus is obviously not recommended. To make sure that your antivirus is on and working, a safer option is to use an EICAR test file to simulate a virus attack on your computer instead.

An EICAR file is a text file with a string of harmless code that prints out a simple message when you run it in DOS. Antivirus programs are built to respond to it like an actual virus, so by running it you’ll see whether your AV is actually on and how it would handle a live virus attack.

You can download the EICAR file from the EICAR website or you can make your own EICAR file by opening up a text editor, copy-pasting the text below, and then saving it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
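As an added example (not from the original post or from Barkly), the script below creates the EICAR file exactly as described, checks a file against the rule the EICAR specification gives scanners (the 68-byte string, optionally followed by whitespace, at most 128 bytes in total), and compares the bytes against the published checksums of the genuine file. It also shows why the signature approach described earlier is brittle: changing a single byte makes the same check fail.

```python
import hashlib
import os
import tempfile

# The 68-byte EICAR test string quoted in the article (the backslash is a
# literal character of the string, hence the doubled backslash in source).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Published checksums of the genuine 68-byte file, useful for confirming a
# download from eicar.org arrived intact.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Trailing bytes the EICAR specification allows after the string.
_TRAILING_WHITESPACE = b" \t\r\n\x1a"


def is_eicar(data: bytes) -> bool:
    """Signature check as the EICAR specification defines it.

    The file must begin with the exact 68-byte string, may be followed only
    by whitespace characters, and must not exceed 128 bytes in total.
    """
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in _TRAILING_WHITESPACE for b in data[len(EICAR):])


def checksums(data: bytes) -> dict:
    """MD5 and SHA-256 of the bytes, to compare against the published values."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def write_eicar_file(path: str) -> int:
    """Create the test file as the article describes and return its size in bytes."""
    with open(path, "wb") as fh:
        fh.write(EICAR)
    return os.path.getsize(path)


if __name__ == "__main__":
    target = os.path.join(tempfile.gettempdir(), "eicar.com")
    print("wrote", write_eicar_file(target), "bytes to", target)
    print("genuine file:", checksums(EICAR) == {"md5": EICAR_MD5, "sha256": EICAR_SHA256})
    # A single changed byte defeats the signature, which is the weakness of
    # signature-only detection that the article points out.
    print("one byte changed still matches:", is_eicar(EICAR.replace(b"X5O", b"X6O")))
```

On a machine with a working AV product, the file written to the temp directory is normally quarantined or deleted within seconds, which is the only thing the EICAR test confirms.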


Testing Pro-Tip:

It's important to note the downside of the EICAR test file is that it really only confirms for you whether your AV is on and running. It's not the same as testing the effectiveness of your AV, or comparing its performance to other vendor solutions. For that, the easiest thing to do is to check out an independent testing site like AV-test.org.

Just keep in mind those sites are really only geared toward testing the performance of antivirus products, not solutions that fall into either of the following categories we'll be diving into below.

TESTING ANTI-MALWARE / MALWARE REMOVAL TOOLS

How they work

Anti-malware solutions, such as the free version of Malwarebytes, are primarily designed to clean machines that are already infected. Their job is to find and remove malware that is on the device and causing problems, and they typically run regularly scheduled batch scans for any software that they recognize as a threat. In the case of Malwarebytes, a premium version also provides some preventive protection.

How to test them

To see an anti-spyware/malware removal tool do its thing you’re going to need to have an active virus sample running on one of your machines. That raises the same obvious concerns and problems mentioned above, but luckily there are some solutions that can make testing a live sample safe.

First, a number of security firms have developed a variety of test software that mimics the behavior of active malware but doesn’t actually do anything malicious. There are a number of options out there — Wicar.org, Comodo Leak Tests, and SpyShelter Security TestTool to name a few — and many of them are available for free.

Secondly, if you’re really bent on testing out real samples (and again, we’re not condoning this), you can create your own isolated virtual “lab” environment. The fact that it’s risky and potentially dangerous won’t deter everyone. If you’re still considering it, be sure to read more about taking additional precautions.

TESTING BEHAVIOR-BASED ENDPOINT SECURITY (that's us!)

How it works

Unlike antivirus, which scans files against large blacklists, Barkly actively monitors system processes to look for any malicious activity. When it sees malware starting to execute it stops it in real time before it can cause any damage (see screenshots here).

One of the big differences is, unlike with antivirus solutions, there doesn’t need to be a record of the malware on file in order for Barkly to stop it. It simply sees the program trying to do something it shouldn’t, and it stops it (that's how Barkly stopped CryptoWall 4.0 from Day One).

What that means is gone are the days when it takes an unlucky victim or two getting whacked with a zero-day attack before vendors can scramble to update their coverage and protect everyone else.


No one wants to be the canary in the coal mine. With Barkly, no one has to be. (Get 15 days of free protection from zero-day attacks here.)

How to test Barkly

Remember, because Barkly watches processes, it won’t detect dummy test files like an EICAR file. That's because those test files aren’t actually attempting to do anything bad. Likewise, an antivirus program may detect an unopened malware file on your machine based on its signature, but as long as it isn’t attempting to execute, Barkly won’t take any action.

That doesn’t mean Barkly protection isn’t working — as soon as the malware is activated, Barkly will immediately recognize and stop the malicious process, before any harm is done. The beauty of this approach is that Barkly stops attacks while remaining extremely lightweight and consuming minimal processing power.

In order to test Barkly effectively, we’ve created a file package that won’t actually infect your machine, but that enables you to simulate an attack and see Barkly in action. You can get in touch with one of our product team members and try it out for yourself by filling out the form here.

Testing Pro-Tip:

Since endpoint security like Barkly is designed to be installed on (you guessed it) your endpoints, it’s helpful to take advantage of the free trial period to see how it runs on a number of different machines. It runs silently, so your users won’t even know it’s there (unless they get a pop-up notifying them of a blocked attack).

Rolling Barkly (or any endpoint security solution) out to multiple devices will help you get a better understanding of how the management console works, and you’ll also have a better chance of seeing how it stops attacks in the wild, since it’s protecting more devices.


Ready to see what’s slipping past your antivirus? Sign up for Barkly's free trial and get 15 days of ransomware and malware protection for free.

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.
