The Tech Herald recently spent some time testing McAfee's latest and greatest, Total Protection 2009. As many home users know, McAfee is second only to Symantec in the personal computer security field. Yet, the truth is both companies could easily switch places when it comes to install base or user opinion. So how does McAfee’s Total Protection 2009 compare to those others recently tested in The Tech Herald lab?
Total Protection 2009 looks almost exactly like the 2008 version. This is a plus for some users, as the familiar look will help them navigate the menus and settings. One of the new features for 2009 is a technology McAfee calls Artemis.
Artemis is supposed to cut the time it takes to detect a new threat and release a signature down to a few seconds, or in some cases instantly. It does this by checking a suspicious file against a massive online database if there is no local signature. The database is a list of known legit and rogue files, so if the suspicious file matches a signature in the online database, it's flagged.
Installing Total Protection 2009:
During the test, McAfee Total Security 2009 was installed on an Intel Pentium D 3.4GHz (Dual Core), 1024MB RAM, with Windows XP SP3. Patches and other software were kept current on the lab machine.
McAfee Total Protection 2009 was simple to install. Users have the option to install from CD or from the Internet. The CD install requires updates, and was the option used during the test. However, subsequent testing showed that there is little difference in install time between the CD and Internet options. Total Protection 2009 installed much slower than Norton 2009, its top rival. The total install time from start to finish was some 15 minutes.
The install process is wizard-based, so there is little room for error. Before completing the component installation, Total Protection 2009 will scan the system for threats. After the scan finishes, which takes just a few minutes, users will then create a McAfee account. One issue with the account creation is the limit on password selection. Special characters, such as the '&' or the '( )' symbols, were blocked.
There was no reboot needed after installing from CD during the test. However, once the update manager was run after installation, updates were downloaded that did require a system restart.
Updating launches in the background, and there is no way to monitor the process except to follow the icon in the system tray. According to the TP2009 menu, the little icon is there to alert users of updates, yet they have no control over what is updating, and are unable to directly follow the progress or cancel the update once launched.
The update moved through the various modules (Virus Scan, Firewall, etc.) and completed in about three minutes for the first update after install and, on average, two to three minutes every other time.
Using Total Protection 2009:
Navigating and controlling Total Protection is easy. Anyone who uses Total Protection 2008 will notice that not much has changed in the new version. The main navigation menu comes with two views: Advanced and Basic. For testing, both were used, but for the typical user the Basic menu will likely do just fine.
The main navigation area (Basic mode) is broken up into three sections: Update, Scan, and a Common Tasks menu. The Update and Scan buttons, each self-explanatory, make launching an update or scan simple for the typical user, thanks to their prominent location.
Under the Common Tasks menu, users will have access to the Home menu for the Common Tasks, the Backup and Restore options for file archiving, Firewall Lockdown, Network management, computer maintenance, support, and their McAfee account.
Starting with the Home section under Common Tasks, users will locate the heart of the security controls. Here they can access four subsections: Computer and Files, Internet and Network, Email and IM, and Parental Controls. As mentioned, this is the heart of the security for Total Protection 2009, and can be left as is for effective protection.
Computer and Files allows users to manage the Local Archive (protect files and folders and restore after accidental loss), Virus Scan, Spyware Scan, SystemGuard (prevents harmful changes), and Script Scanning, which prevents harmful scripts from running on the computer.
Internet and Network manages the Firewall and the Identity Protection services. Email and IM is where users control the IM Virus scanning, Email Virus scanning and anti-Spam filters. Finally there's Parental Controls, which worked great during the test and can be managed and controlled with their own submenu.
The Network Management section under Common Tasks is important to take note of if users have more than one computer in the home. This section will allow users to manage the security and status of McAfee Total Protection 2009 on two other computers, aside from the main system. Users are also allowed three computers per license.
The help offered for the various settings and configurations is extensive. A single link remains static in the upper-right corner of the navigation menu, leading to the help topics. There is also a visible support link, which can be used at any time. The support options include a virtual technician, an FAQ database, and live chat or e-mail.
Scanning with Total Protection 2009:
During the Full Scan test with Total Protection 2009, the major difference between McAfee and Symantec stood out. Scanning with Total Protection 2009 was entirely too slow.
Full System Scan (McAfee Total Protection 2009)
Full Scan 1 - 00:40:07
Full Scan 2 - 00:40:25
Full Scan 3 - 00:40:10
Full Scan 4 - 00:40:03
Full Scan 5 - 00:38:06
Average Scan Time: 00:39:46.2
Another issue during the scan test was the number of false positives that were detected. On the lab computer, 5.80GBs of space were used on the disk. Of that space, 561MBs were used in a folder named 'content'. The content folder consisted of simple files to add bulk and give McAfee something to scan.
The files used included fonts, images and icons, PHP, HTML, and CSS files, as well as ZIP and RAR archives for a total amount of 21,816 files. It should be noted that none of these files were malicious.
Total Protection 2009 flagged eight files from the content folder as malicious during the first scan test, and another two for a total of 10 on the second test. Leaving these flagged files quarantined for the final three scans produced no other false hits.
The files flagged were all PHP files, contained within a RAR archive. When scanned as single uncompressed files, there were no detections made by Total Protection 2009 to back up the hit on the original archive.
This is the first application that has hit on any files within the content folder during the scan tests.
The Malware testing on Total Protection 2009 consisted of 39 samples. The initial test placed all 39 samples in a single folder, each inside a password-protected ZIP archive. Total Protection 2009 was launched to scan the password-protected archive and see if it would detect any of the samples.
As seen in previous tests, Total Protection 2009 could not scan inside a password-protected archive. The second part of the Malware sample test saw each of the 39 samples removed from the archive and placed on the drive.
Total Protection 2009 was launched a second time and detected 38 out of the 39 samples. The missed sample, PWS A, is a known password-stealing Trojan, and has a 44.4 percent ranking on VirusTotal.
Total Protection missed another sample during this test, a member of the RAHack family, but did not have this counted against it because Artemis blocked the application from being launched.
The second malicious file test involved a self-extracting zip file with several hundred KeyGens. KeyGens are used to crack commercial software, and most of those downloaded online are malicious. This particular file is known to be malicious, as several of the KeyGens included in the package are Malware.
Scanning the KeyGen archive showed nothing malicious. The second the archive was executed, however, Total Protection 2009 blocked it and flagged it as the Pauper Trojan.
Malicious URL Detection:
The malicious URL detection test consists of five URLs, known to be malicious and picked at random from a current list of rogue Web sites. These sites contain Drive-By-Downloads, or malicious software, each with the goal of infecting the user who visits them.
Total Protection 2009 uses McAfee’s SiteAdvisor to monitor the computer for malicious Web-based threats. Because of this, each site was tested as follows: Did Total Protection 2009 block the URL outright (Firewall or SiteAdvisor warning), or did Total Protection 2009 detect any malicious software after interacting with the site?
To pass this test, Total Protection 2009 had to complete one of the two options. The idea being to either warn the user straight off by using the SiteAdvisor or the Firewall or, if a user downloaded something, say fake Spyware tools, it had to detect the Malware and remove it.
Since the first rogue AV URL was defeated, there were high hopes for the second Web site, which serves up AntiVirus Pro, another fake AV scanner. Once the page loaded, however, those hopes were dashed.
McAfee’s SiteAdvisor showed a vivid green bar in the browser, which most users will associate with an 'all-clear' from McAfee. When clicking on the SiteAdvisor button to view the information connected to the Web site, there are clear comments that explain this is a fake AV application and a complete scam.
However, because SiteAdvisor listed the site as green, the odds that a normal user would check its information are low.
AntiVirus Pro, once downloaded, instantly warns the user of several problems, and will gladly fix and remove these issues once registered. The cost of $29.95 USD includes the offer of $9.95 USD for software updates, and $9.95 USD to get Anti-Spyware protection.
Considering that the user comments listed on the SiteAdvisor profile describe this site as a scam, there is no reason why SiteAdvisor would list the site with a green ranking. The green SiteAdvisor listing, and the fact that AntiVirus Pro was installed with no warnings or issues from Total Protection 2009, means that this test was a failure.
This site was blocked by SiteAdvisor, and once the SiteAdvisor warning was ignored the Malware samples were caught by the active scanning used by Total Protection 2009.
Once this site was loaded, the fake Flash update was blocked with Artemis (Generic!Artemis).
The .exe file loaded here was flagged instantly upon execution as DNSChanger.gen.
Total Protection 2009 rounds out its system coverage with built-in Spam filtering. The e-mail client support includes Outlook, Outlook Express, Windows Mail, Eudora, and Thunderbird.
Like some of those Spam filters tested in the past, Total Protection 2009 needs some training to get up to speed. The e-mail test included 353 mails, of which 303 were Spam. Total Protection 2009 marked 268 e-mails correctly, earning it an 88.45 percent detection rate out of the box. The other 35 e-mails that were missed needed to be blocked manually, earning an 11.55 percent failure rate.
Decent, but not the 95 percent needed to earn full marks on this particular test, or the "New, powerful enterprise-grade Spam protection that catches 99 percent of all spam," McAfee boasts. However, McAfee earned one point on the test (out of five) because the Spam filter can be trained. Once training is complete, the coverage will only get better.
Extras and other features:
Total Protection 2009 is either the most feature-rich application users will ever come across, or the most bloated. Either way they look at it, there are a few little things that should be noted when considering upgrading or switching to McAfee.
McAfee Quick Clean
This little add-on will clean up all the 'junk' on a user's computer. It will sort out clutter that takes over the system in the form of Cookies, Cache files, temp files, lost fragments, registry files that have been orphaned, deleted e-mail messages, and other files that build up over time and waste space.
It can take a few seconds or even a few minutes to finish depending on the number of files the cleaner needs to sort through, but it is a decent little application to have on hand.
For the paranoid, there is another application called Shredder. This will allow users to delete files with a recommended pass count of seven. They will have the option to use this whenever using Quick Clean, and once you use the Shredder the files removed cannot be recovered.
Depending on the number of files to be shredded, it will take this application some time to work its magic.
These can be tricky to configure at first, but the help file will walk users through the process. During testing, the content filter worked well, and allowed only legit, age-appropriate content to be displayed.
McAfee’s SiteAdvisor is the central defense used when surfing the Internet. However, SiteAdvisor also checks links in IM conversations and links embedded within e-mail messages.
Overall, McAfee’s Total Protection 2009 is a decent product but it has some shortcomings and lacks many of the extras and revved-up features seen in other 2009 offerings. It would appear that McAfee has layered extras on top of its 2008 offering instead of re-building from the ground up, as was done by its competitors.
With that said, if you are a current McAfee Total Protection 2008 user, you will feel right at home when using the 2009 offering. New users would be best served by testing the software first and comparing it thoroughly to other 2009 suites.
Artemis, which makes the AV engine in Total Protection 2009 stronger, also caused some false positives, so watch the quarantine vault if you notice something amiss.
The final score for McAfee Total Protection 2009 is 86.74 out of 100.
McAfee Total Security 2009 was installed on a Windows XP computer with Internet Explorer 7 and Service Pack 3.
The Microsoft updates were current and all additional software updated. The system used was an Intel Pentium D 3.4GHz CPU (Dual Core) with 1024MBs of RAM.
The following is a breakdown of the lab testing with point values.
Installation (10 points total)
This test covers how fast the software installs, and rates the configuration options. How simple is it to install?
McAfee earned 8 points.
Navigation and Controls (10 points total)
This test rates how easy the software is to navigate and use. Are all the menus and controls easy to locate? Are the various functions and controls easy to understand? Is there help for the options? If help is available, how easy is it to locate?
McAfee earned 10 points.
Scanning (15 points total)
Scanning covers the scanning speed, the various scanning options, and control. One aspect that is important in the control measurement was how easy it was to halt a scan in progress.
McAfee earned 12 points.
Detection (15 points total)
This test centered on signature updates and controls, as well as monitoring and detection. One of the focal points was how accurate the detection was when locating Malware.
McAfee earned 14 points.
Resources (15 points total)
Does the software drain system resources? Can the software be completely disabled? If there are help files available, how complete are they? Are the help documents easy to follow and are they relevant?
McAfee earned 15 points.
Software Options (10 points total)
Does the software include other features that layer security? Are there other features that are added in that are non-security related? Are these features useful? Do they overlap one another or other features on the computer?
McAfee earned 9 points.
Malware Testing (10 points total)
This test uses 39 samples of Malware, each worth .26 points (rounded up). The goal is to have each one discovered by the detection engine. The test is in two parts, where the samples are zipped in a password-protected archive and scanned, and then placed into an unprotected archive and scanned.
There is a loss of one point if there was no detection for password-protected archives. This is because some engines will flag password-protected files for inspection, which is a good protection point. As the bulk of the AV market allows exemptions for various files and file types, the legit password-protected files could later be exempted.
McAfee earned 8.74 points.
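Flagging a password-protected archive for inspection, as the scoring note above describes, does not require opening it, because the ZIP format records encryption in each entry's general-purpose flags. The following Python is an added example, not part of the original review and not McAfee's code; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def encrypted_members(data: bytes) -> list[str]:
    """Return names of entries whose central-directory flags mark them encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_BIT]


def triage(data: bytes) -> str:
    """Decide what a scanner can do with an archive without knowing its password."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-a-zip"
    # Contents of encrypted entries cannot be matched against signatures,
    # so the archive itself is surfaced for review instead of passing silently.
    return "flag-for-inspection" if encrypted_members(data) else "scan-contents"


def _constructed_zip(mark_encrypted: bool) -> bytes:
    """Build a small in-memory ZIP (constructed sample, harmless text only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", "constructed test data")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # The end-of-central-directory record is the last 22 bytes (no comment);
        # its field at offset 16 is the offset of the central directory.
        (cd_offset,) = struct.unpack_from("<I", raw, len(raw) - 22 + 16)
        # In a central directory header the flags field sits at offset 8.
        (flags,) = struct.unpack_from("<H", raw, cd_offset + 8)
        struct.pack_into("<H", raw, cd_offset + 8, flags | ENCRYPTED_BIT)
    return bytes(raw)


if __name__ == "__main__":
    for label, sample in (("plain", _constructed_zip(False)),
                          ("protected", _constructed_zip(True))):
        print(label, triage(sample), encrypted_members(sample))
```

Only the metadata is read here, so the check works even though the entry contents stay unreadable; an exemption list for known legitimate protected archives would sit on top of the `flag-for-inspection` result.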
The KeyGen Test (5 points total)
The KeyGen test is a simple test to pass for any vendor. As the self-extracting executable launches, the first thing it does is write a temp file that links to a downloader. The downloader, as well as the various KeyGens in the archive, all link to Malware.
McAfee earned 5 points.
Malicious URL Testing (5 points total)
The malicious URL test takes five random URLs, known to be malicious, and judges the software's reaction to what the user does. The software is judged based on its response to visiting the site and its reaction to any software downloaded. The software must react in order to pass this test.
Some of the URLs tested were discovered by the team at Malware Database (http://malwaredatabase.net) and shared with The Tech Herald.
McAfee earned 4 points.
Spam Blocking Test (5 points total)
This test rates the Spam-blocking ability of the software. A full score means that the software blocked 95 percent of the Spam samples sent.
McAfee earned 1 point.
86.74 / 100