The Tech Herald has been reviewing all of the 2009 security suites and now, in this latest review, we look at Kaspersky Internet Security 2009. For most geeks, Kaspersky is known for a number of things. Firstly, the company often has new malware signatures available before any other vendor, and there are several options when it comes to controlling the software. Yet, does this make Kaspersky the best security vendor on the market?
Installing Kaspersky Internet Security 2009
During the test, Kaspersky IS 2009 was installed on an Intel Pentium D 3.4GHz (Dual Core), 1024MB RAM, with Windows XP SP3. Patches and other software were kept current on the lab machine.
Kaspersky is not for the faint of heart. The installation comes with two options, Custom and Express. If you have any hesitation about the layers that go into a security application, it is wise to pick the express option. Kaspersky will still cover you if you take this option, and you will not miss a single layer of protection.
The Custom installation option, despite all the excellent layers of customization, can be daunting. If you are not familiar with the various layers, then this install process will drain you mentally.
Overall, no matter what option you pick, Kaspersky installs fast. On par with Norton Internet Security 2009, Kaspersky installed in about five minutes. The installation process is menu based, so there is an easy guide to follow.
During the test, The Tech Herald installed Kaspersky using the Custom install process and the Express. The Express process was by far the easiest in terms of getting the software updated and online. The Custom install option takes longer, but offers controls that are not seen in other similar products. As mentioned, these options are not for the faint of heart. If you miss a step, or remove a module that you should keep, you will limit the scope of protection Kaspersky offers.
The steps in the Custom install process follow a tree format, where each step of the install wizard offers up a list of modules you can install or remove. Most computer-savvy users will recognize this process, so there is nothing new for them.
You will be asked to pick options for Program and Kernel scanning tasks, System Security (proactive defense, application filtering and firewall controls), Anti-Malware (files and memory, e-mail and IM, as well as Web Traffic based controls), Online Security (network attack blocker, anti-Phishing, and anti-Dialer protections), and Content Filtering, including Anti-Spam, Banner Ad blocking, and Parental Control.
During the Custom install you will be asked to disable the Windows Firewall, and replace it with Kaspersky’s own firewall. This is a recommended system change, and you should do this no matter the type of install option selected.
After installation finishes, you will start the Setup wizard. This is where you will activate Kaspersky with your license key. The setup continues with the selection of Protection Mode, where you can pick automatic or interactive.
Automatic is recommended, as this means Kaspersky will act on your behalf when dealing with potential threats. Interactive means you will have various alerts asking you to allow or deny an action.
Next you will set the update schedule (automatic is the default and should be left as such), and you will be prompted to update the program at that time. The update will download several patches and definitions, taking approximately four to five minutes to complete. After that step you can enable password protection for Kaspersky; this will prompt for a password any time something changes in Kaspersky’s settings. For example, should you wish to disable active protections, you will need to enter this password to do so.
Note: If you enable password protections, DO NOT forget this password. Doing so will prevent any changes to Kaspersky’s install, including reverting to default settings. You will need to use Windows' Add/Remove settings to repair the installation and remove password protections to recover access.
The setup process will ask you to define the types of threats by checking or un-checking a series of boxes. The normal ones are listed, with Virus, Worms, and Trojans mandatory. Other Malware, Adware, Auto-dialers, suspicious compressed files, and Multi-packed objects can be selected or deselected. All of these are checked with the exception of one option listed as Other Programs.
Now you have the option to disable DNS caching, which could hamper the functions of various P2P clients. This is suggested as a measure to avoid data leaks. There is also an unchecked option to log non-critical events. However, logging will come at the expense of operation speed, so this option was left disabled.
The setup process moves along, scanning the system to build a trusted list of Windows operating system files, which takes only a few seconds. After that, you are offered a chance to join the Kaspersky Security Network (KSN).
While not collecting any personal information, this will collect information about virus attacks and other problems, as well as statistics on loaded or executed applications (logically this is used to enhance the trusted file lists used by all customers in the KSN), allowing Kaspersky to "react faster to emerging threats."
After this, setup is complete, and you will be required to reboot the system.
As you can see, Custom setup is daunting. There are several options to pick from and most of Kaspersky’s clients will love this level of control. However, there is little help during the setup process, and you are expected to know what is being offered for inclusion or removal.
If you miss a step here and remove something that should be included, you will render the level of security offered useless in some regard; so, again, only use Custom installation if you are positive about what it offers.
After rebooting, the login screen for Windows XP has a nice little logo over the upper right of the screen proudly proclaiming that the system is “Protected by Kaspersky Lab.”
Using Kaspersky Internet Security 2009
Kaspersky’s main control panel is segmented to offer clear and direct access to all of its various settings and options. Using the left navigation menu will give you granular controls, while clicking on the right navigation menu offers fast single-click access to various settings.
The single-click access offers a settings menu, report viewing, and enable or disable options. Enabling or disabling the various options will cause Kaspersky to throw a fit, and alert you to the fact you just disabled something. The status bar will remain red until you enable the affected protections, or correct any other issues the software discovers.
The left navigation is split into four sections: Protection, Scan, Update, and License.
The Protection menu controls the heart of the software, allowing access to Anti-Malware, System Security, Online Security, and Content Filtering.
The Anti-Malware section covers the settings for Files and Memory (monitors for malicious memory modules and malicious files), e-mail and IM protection (monitors for Spam, malicious e-mail attachments and malicious IM attachments), and Web Traffic protection, which combines the heuristic powers of Kaspersky and extends them to HTTP.
System Security deals with Application Filtering, Firewall rules, and Proactive Defense. Kaspersky recommends this section be left at default or recommended settings for optimal protection. However, you can customize any of these settings at will.
The Firewall controls are broken down into applications, resources, network packets, and networks.
Because of the complex nature of the firewall controls, most users can safely avoid altering any of the default settings. More advanced users will love the way packets can be broken down by protocol, and filters created to match or augment most of the NAT commands created within routers.
Another cool feature of the Firewall is the set of built-in rules that allow various services such as ActiveSync, IRC, Remote Desktop, and DHCP.
Online Security deals with anti-Phishing, Network attack blocking, and anti-Dialer protections. The controls here are simple, either they are enabled or disabled. With dialer protection, you can customize a set of allowed numbers if you need them.
Content Filtering covers anti-Spam, Banner Ad blocking, and Parental Controls. Again, the settings are simple to use, but you will not need to alter them. However, you can create custom blacklists or whitelists for Banner networks, adding to the built-in coverage.
Parental Controls work wonders. Yet, there is nothing over the top about them. The ability to log events, block Web sites based on keyword, or limit access to the Web by time of day or a set limit are all featured. There are eight categories to block, all standard, including IM, Porn, Drugs, Violence, and Explicit Language.
The Scan menu will allow you to select either a Quick or Full System scan, as well as create custom scanning, which is run on demand. The Full System scanning was moderately fast during testing, with an average scan time of 00:09:01.6.
On the lab computer, 5.80GB of space was used on the disk. Of that space, 561MB was used in a folder named 'content'. The content folder consisted of simple files to add bulk and give Kaspersky something to scan.
The files used included fonts, images and icons, PHP, HTML, and CSS files, as well as ZIP and RAR archives for a total amount of 21,816 files. It should be noted that none of these files were malicious.
Full System Scan (Kaspersky Internet Security 2009)
Full Scan 1 - 00:25:20
Full Scan 2 - 00:02:51
Full Scan 3 - 00:04:55
Full Scan 4 - 00:07:28
Full Scan 5 - 00:04:34
Average Scan Time: 00:09:01.6
Note: Randomly, with no consistency at all, Kaspersky would simply halt the system during the scanning tests. There is no proof of cause however, so it cannot be said one way or another that Kaspersky was the direct cause of the crashes. Yet, it is noted in this review because it happened during normal computer usage.
Because of the lack of evidence, the crashes were not held against Kaspersky during the review. It's also worth noting that the crashes stopped after adding a Kaspersky update, as well as the recent Microsoft Update. In the final week of testing, the steps to reproduce the crashes failed.
Kaspersky constantly monitors the computer, proactively scanning new applications launched for the first time and watching the various actions the user and installed software takes. This is a serious plus, because the firewall layer of protection will classify applications based on trust, and allow you to adjust them later. As seen in the Malware testing, there are some issues with this layer of protection, but overall it was rather impressive to use.
Another usage note is related to system resources. Kaspersky hardly taxed the system; the footprint in memory is noticeable when the software updates, but it is a one-time drain that ends as quickly as it started. Scanning spikes the CPU, but there is little performance loss when working while Kaspersky scans.
Updating Kaspersky is hit or miss. The software constantly updates and monitors itself. However, the updates start very slowly, and then rocket to the finish line. An example would be updates that start at about 10k per-second from the Kaspersky server and then balloon to well over 200k by the time they finish.
During testing, no single update lasted longer than the time it took for the post-install update.
Malware testing on Kaspersky consisted of 39 samples. The initial test placed all 39 samples in a single folder, each inside a password-protected ZIP archive. Kaspersky was then initiated to scan the folder and attempt to detect the Malware and, if possible, remove it.
This is where things got interesting. Unlike Norton and BitDefender, Kaspersky not only scanned the malicious archives but, because they were password protected, flagged each and every one of them as questionable and suggested removal. This detection makes Kaspersky the first vendor to pass the password test.
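As an added example (not Kaspersky's code), here is the minimal check behind the behaviour the review praises: read the ZIP central directory, look at general purpose bit 0 of every entry, and report the archive as questionable rather than clean when any member is encrypted and therefore cannot be inspected. The sample archives, entry names and the `build_sample` helper that sets the flag by hand are constructed for this demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDFH_SIG = b"PK\x01\x02"   # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
FLAG_ENCRYPTED = 0x0001    # general purpose bit 0: member is encrypted


def iter_central_directory(data):
    """Yield (name, flag_bits, compression_method) for each entry, read from the
    central directory only; no member data is touched, so it works on any archive."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    # EOCD after signature: disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset
    _, _, _, entries, _, cd_offset = struct.unpack_from("<HHHHII", data, eocd + 4)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        # after signature: made_by, needed, flags, method, time, date, crc,
        # compressed size, uncompressed size, name len, extra len, comment len
        (_, _, flags, method, _, _, _, _, _,
         nlen, xlen, clen) = struct.unpack_from("<HHHHHHIIIHHH", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield name, flags, method
        pos += 46 + nlen + xlen + clen


def assess_archive(data):
    """Scanner-style verdict: an encrypted member cannot be inspected, so the archive
    is reported 'questionable' instead of being passed through as clean."""
    encrypted, scannable = [], []
    for name, flags, _ in iter_central_directory(data):
        (encrypted if flags & FLAG_ENCRYPTED else scannable).append(name)
    return {"verdict": "questionable" if encrypted else "scannable",
            "encrypted": encrypted, "scannable": scannable}


def build_sample(entries, encrypt_names=()):
    """Constructed test archive. zipfile cannot write encrypted members, so for the
    named entries the encryption flag is set by hand in both header copies; the
    payload stays plain, but a scanner deciding 'can I look inside?' only sees the flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    for name in encrypt_names:
        target = name.encode()
        # (signature, flags offset, name-length offset, name offset) for both header kinds
        for sig, flag_off, nlen_off, name_off in ((LFH_SIG, 6, 26, 30), (CDFH_SIG, 8, 28, 46)):
            pos = data.find(sig)
            while pos >= 0:
                nlen = struct.unpack_from("<H", data, pos + nlen_off)[0]
                if data[pos + name_off:pos + name_off + nlen] == target:
                    data[pos + flag_off] |= FLAG_ENCRYPTED
                pos = data.find(sig, pos + 4)
    return bytes(data)


def demo():
    """Two constructed archives: one fully scannable, one with a protected member."""
    members = [("readme.txt", b"docs"), ("tool.exe", b"MZ...stub")]
    plain = build_sample(members)
    protected = build_sample(members, encrypt_names=["tool.exe"])
    return assess_archive(plain), assess_archive(protected)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```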
Now, sadly, once the passwords were removed from the malicious archives, and the files extracted, Kaspersky had some issues. In previous testing, the open Malware was bagged and tagged almost instantly. However, during this part of the test Kaspersky missed three samples.
Missed Sample Reporting:
Bot 11, one of the missed samples, was executed. Since it was a new application, Kaspersky scanned it, and after scanning placed it on low restriction. The malicious .exe was allowed to run, and because of the low restriction, Kaspersky asked for permission to run the application. Permission was granted.
This was done because most users who may have this Malware attached to an application they assumed was legit would allow it without a second thought. After all, Kaspersky detected nothing abnormal about it and most new files that are unknown are placed on low restriction. For example, Adobe’s Acrobat.com, when launched, was scanned and assigned to a low restriction.
Once the malware sample was allowed, Kaspersky warned: "Malware.exe belonging to group 'Low Restricted' is trying to create file belonging to group Operating System/system files."
The warning came only after the Malware attempted to connect to a server that serves known malicious files. Once those were downloaded, Kaspersky prevented the secondary payload from installing.
(14/32 as of 3-29-08 when 1st scanned)
(15/32 as of 10-28-08 when rescanned for Kaspersky Lab test)
Like Bot 11, the second malicious sample missed by Kaspersky was a well-known and established bit of nasty code.
The sample, PWS-A, is reported by Virus Total as being flagged by Kaspersky as "Not-A-Virus.PSWTool.Win32.PassView.162." Yet, when the same file is scanned on the desktop, Kaspersky reported the file as clean and allowed the software to run. Kaspersky flagged the secondary payloads, as each one of them was a common password-stealing Trojan.
(13/32 as of 7-27-06 when 1st scanned)
(15/36 as of 10-28-08 when rescanned for Kaspersky Lab test)
Finally, the third sample missed by Kaspersky belonged to the Rustock family of Malware. The sample, Rustock-D, locked Kaspersky when it was scanned on its own to confirm the test results. Not only was the file allowed, but scanning it halted Kaspersky and forced a reboot.
Running the file directly infected the computer, but Kaspersky blocked and prevented the payloads from doing any damage. Still, this was after it allowed the Malware to be executed in the first place, and the payload files all contained known malicious signatures that would be blocked by Kaspersky with no problem.
(14/34 as of 7-8-08 when 1st scanned)
(21/36 as of 10-28-08 when rescanned for Kaspersky Lab test)
The second malicious file test involved a self-extracting zip file with several hundred KeyGens. KeyGens are used to crack commercial software, and most of the ones you download online are malicious. This particular file is known to be malicious, as several of the KeyGens included in the package are Malware.
Scanning the KeyGen archive showed nothing malicious. The second the archive was executed, however, Kaspersky placed the self-extracting zip in the untrusted group of applications and refused it access to run.
Malicious URL Detection
The malicious URL detection test consisted of five URLs, known to be malicious and picked at random from a current list of rogue Web sites. These sites contain Drive-By-Downloads, or malicious software, each with the goal of infecting the user who visits them.
Each site was tested as follows: Did Kaspersky IS 2009 block the URL outright (Firewall or Toolbar warning), or did Kaspersky IS 2009 detect any malicious software after interacting with the site?
To pass this test, Kaspersky had to complete one of the two options. The idea being to either warn the user straight off by using the Toolbar or Firewall or, if a user downloaded something, say fake Spyware tools, it had to detect the Malware and remove it.
Kaspersky displayed no warnings when this site was accessed. When the .exe was downloaded, Kaspersky scanned and placed 7-v3av.eve in a restricted category, thus refusing it any permission to operate.
Kaspersky blocked the download of “skash.exe” from this site by detecting “Backdoor.Win32.UltimateDefender.gfg” and prevented it from being installed on the system.
The fake codec this site was attempting to load was detected as "Trojan-Downloader.JS.Small.dm" and blocked.
Once this Web site loaded, Kaspersky detected and blocked "Trojan-Downloader.JS.Psyme.alv" from installing itself.
Kaspersky had some serious issues with this domain. The site offers Anti-Virus 2009, a known malicious and rogue anti-Virus application.
Once the “free scan” offered on the site is triggered, you are prompted to download and install a .exe file. Kaspersky listed the application as low restriction, as it would with any unknown .exe, so the test started with a positive.
From this point, the test went downhill. Once the .exe was executed on the system, Kaspersky asked to block the downloader from downloading the installation files. However, it quickly gave a prompt to allow or deny access to A8INSTALLER.EXE. This installer is what starts the download process for the malicious content that makes up the bulk of Anti-Virus 2009. Kaspersky recommended that this program be allowed access.
Following the recommended action from Kaspersky, the A8INSTALLER.EXE file was allowed access to the outside. This triggered a loop where the user is prompted repeatedly to either allow or block access to A8INSTALLER.EXE. Eventually, a rule is created to stop the cycle of prompting. Each prompt gave a recommendation of allow for the A8INSTALLER.
After that happened, Kaspersky recommended blocking A8INSTALLER for creating a DAT file, and then recommended another block, preventing a registry edit. However, after the registry edit was blocked, A8INSTALLER was once again given a recommendation for allowing access to the Internet a final time.
The last allow completed the base requirements and Anti-Virus 2009 was successfully installed on the system.
Kaspersky fails this test, not only for failing to recognize Anti-Virus 2009, but for offering confusing instructions to the user. The system lagged with Kaspersky and Anti-Virus 2009 installed, which is the fault of the rogue AV.
Scanning was halted and resumed after Anti-Virus 2009 was uninstalled to look for malicious or suspicious files. Scanning with Kaspersky after Anti-Virus 2009 was uninstalled dragged out longer than normal, and took several minutes to complete. After a system reboot, Full Scanning was back to normal speeds. Kaspersky detected no traces of the rogue AV despite the temp files remaining along with one registry key.
Spam Detection and Filtering
Kaspersky Internet Security 2009 has a solid Spam filter built into the program. The protection is trainable, so you will have to first start with a basic training run with the software, and then continue to monitor the training for some time after the fact. It took about four days of testing and training to allow Kaspersky to get a feel for the e-mail contents sent to the lab.
The Spam test consisted of 408 e-mails in total. Of those, 356 e-mails were Spam. There were 308 e-mails correctly marked as Spam, with 48 e-mail messages missed by Kaspersky. This leaves Kaspersky with an out-of-the-box 87 percent detection rate (rounding up).
While the Spam testing requires an out-of-the-box score of 95 percent or higher, much like we did in the recent BitDefender review, The Tech Herald extends some credit to Kaspersky. The credit extension is for the low training time needed for the Spam filter, and the fact that it is easy to manage for users of all skill levels. Therefore, we gave Kaspersky a score of one point for this test.
Extras and other features
Kaspersky Internet Security 2009 is a rounded security application. The little things, such as the System Restore feature or Rescue Disk creator, each have a place in the overall health and security on the system. Kaspersky gives you what you want in a security program, and avoids the bloat that can come from “All-in-one” solutions.
With that said, the control over the program will leave some users frustrated. The massive amount of control that Kaspersky offers could very well be too much for some people. However, before you consider that as a deal breaker, it is important to note that the help offered by Kaspersky is extensive.
Everything has a help article associated with it; not a single setting or option was missed in the Kaspersky help manual. Add to this that there is ready access to the support team by clicking a link within the software.
Kaspersky Internet Security 2009 is a well-rounded and solid security application. While there are some areas that require improvement, the overall product would serve most advanced computer users well. In truth, Kaspersky would be better utilized by an advanced user over a general user.
It isn’t that Kaspersky will fail to protect the general user, but all of the options and advanced settings would go to waste. There are simply too many ways for someone who knows just enough to get themselves into trouble after altering settings.
Take for example the Firewall controls, which to date are the best any 2009 offering has served up, yet they can cause havoc on a network if incorrectly tinkered with. The problem is, while Kaspersky offers a “restore” feature that undoes almost all changes and sets things back to default, the location of this option is not clear and rather hidden within the Settings menu.
If you like complete control over your software, Kaspersky is worth looking into, if not ordering outright.
The final score for Kaspersky Internet Security 2009 is 88.22 out of a possible 100.
Kaspersky Internet Security 2009 was installed on a Windows XP computer with Internet Explorer 7 and Service Pack 3. The Microsoft updates were current and all additional software updated. The system used was an Intel Pentium D 3.4GHz CPU (Dual Core) with 1024MB RAM.
The following is a breakdown of the lab testing with point values.
Installation (10 points total)
This test covers how fast the software installs, and rates the configuration options. How simple is it to install?
Kaspersky Internet Security 2009 earned 10 points.
Navigation and Controls (10 points total)
This test rates how easy the software is to navigate and use. Are all the menus and controls easy to locate? Are the various functions and controls easy to understand? Is there help for the options? If help is available, how easy is it to locate?
Kaspersky Internet Security 2009 earned 9 points.
Scanning (15 points total)
Scanning covers the scanning speed, the various scanning options, and control. One aspect that is important in the control measurement was how easy it was to halt a scan in progress.
Kaspersky Internet Security 2009 earned 15 points.
Detection (15 points total)
This test centered on signature updates and controls, as well as monitoring and detection. One of the focal points was how accurate the detection was when locating Malware.
Kaspersky Internet Security 2009 earned 11 points.
Resources (15 points total)
Does the software drain system resources? Can the software be completely disabled? If there are help files available, how complete are they? Are the help documents easy to follow and are they relevant?
Kaspersky Internet Security 2009 earned 15 points.
Software Options (10 points total)
Does the software include other features that layer security? Are there other features that are added in that are non-security related? Are these features useful? Do they overlap one another or other features on the computer?
Kaspersky Internet Security 2009 earned 9 points.
Malware Testing (10 points total)
This test uses 39 samples of Malware, each worth .26 points (rounded up). The goal is to have each one discovered by the detection engine. The test is in two parts, where the samples are zipped in a password-protected archive and scanned, and then placed into an unprotected archive and scanned.
There is a loss of one point if there was no detection for password-protected archives. This is because some engines will flag password-protected files for inspection, which is a good protection point. As the bulk of the AV market allows exemptions for various files and file types, the legit password-protected files could later be exempted.
Kaspersky Internet Security 2009 earned 9.22 points.
The KeyGen Test (5 points total)
The KeyGen test is a simple test to pass for any vendor. As the self-extracting executable launches, the first thing it does is write a temp file that links to a downloader. The downloader, as well as the various KeyGens in the archive, all link to Malware.
Kaspersky Internet Security 2009 earned 5 points.
Malicious URL Testing (5 points total)
The malicious URL test takes five random URLs, known to be malicious, and judges the software's reaction to what the user does. The software is judged based on its response to visiting the site and its reaction to any software downloaded. The software must react in order to pass this test.
Some of the URLs tested were discovered by the team at Malware Database (http://malwaredatabase.net) and shared with The Tech Herald.
Kaspersky Internet Security 2009 earned 4 points.
Spam Blocking Test (5 points total)
This test rates the Spam-blocking ability of the software. A full score means that the software blocked 95 percent of the Spam samples sent.
Kaspersky Internet Security 2009 earned 1 point.