F-Secure Internet Security 2007

2006-11-01

John Hawes

Virus Bulletin, UK
Editor: Helen Martin

Abstract

John Hawes tries out F-Secure's latest release: F-Secure Internet Security 2007.


Introduction

On my return from the VB2006 conference, there remained little time to source and review a product for these pages. With most products these days offering far too much functionality to be covered adequately in just a few days of testing, I opted to avoid the sprawling catch-all corporate offerings and instead to get my hands on something for the workstation, offering all its components in a single package for use on a single machine.

F-Secure has long enjoyed a high public profile, with vigorous marketing activity and a penchant for controversy. The company has strong PR, led by the charismatic Chief Research Officer Mikko Hyppönen, and a solid history in technical tests and reviews alike. With a reputation for making use of technologies licensed from other leading security developers in combination with its own efforts, the Finnish company is strong in both detection and innovation. The company's BlackLight anti-rootkit tool hit the market long before other vendors were able to follow suit, and the company placed considerable faith in mobile phone security some time ago (which now finally seems likely to become as important as the company has long believed it to be).

F-Secure Internet Security 2007 (FSIS2007 from here on in) is very new, having been released in mid-October. The product replaces F-Secure Internet Security 2006. It offers a range of anti-virus, anti-spyware, anti-spam and firewall functionality, much of it improved over previous releases, along with various other security tools including a parental control module, which is new in this version. Also new for 2007 is 'DeepGuard', described as 'a unique proactive detection technology', designed to protect against as-yet-unknown issues.

Priced at a fairly modest 79.90 Euros in the F-Secure online store, the product is aimed firmly at the home user market, and I expected to find chunky buttons and sliders for the ham-fisted mouse user, cuddly cartoon graphics (F-Secure's association with classic Finnish cartoon characters The Moomins is legendary), and simplified or even locked-down controls.

Web presence, information and support

The company's flagship website, http://www.f-secure.com/, is decked out in corporate colours – a chilly pale blue and white, accompanied generally by pictures of cold-looking water, snowy mountains or frozen fields. At the time of writing the front page carried a banner promoting the new product, displaying its packaging with an even chillier polar landscape and the stark slogan 'BE SURE'.

The site features the standard malware and company news sections, areas dedicated to various different customer types and to partners, and a security centre carrying malware descriptions, guides and tools, statistics, and the lab team's blog. This blog is a miscellaneous resource blending the informative with the trivial, often within the same posting, and comes adorned with a group photo of the research team in all their glory, gathered around their long-haired leader.

Prominent throughout the site are references to the company's response time, which apparently leads the field, averaging two to four hours, with updates 'twice as often as major competitors'. The 'Radar' alert system is available to send warnings of security issues to mobile phones and other devices, and applies a rating system to malware based on how widely it spreads and other factors.

I searched elsewhere on the site for some of the company's graphical gizmos, the latest and most awe-inspiring of which were demonstrated spectacularly by Mr Hyppönen during his keynote speech at the recent VB conference. A Virus World Map is linked to from most pages, and displays virus outbreak data. The map depicts either all malware or one of a select list, over time periods ranging from the last hour to the whole of the current year, and covering the globe as a whole or by individual continent. Viewing the map on a larger scale is fairly uninformative, but focusing in is more revealing, and with a few quick clicks of the mouse I learned that Sweden, Finland, Denmark and Belgium were among the most virus-hit places in Europe during October, and that Vietnam had been a hotbed of malware activity that day in an otherwise quiet Asia.

Accessing the area of the site dedicated to FSIS2007, I found an online tutorial, illustrated with photos and artwork appropriate to the given information. F-Secure's trademark cool blue-tinged images of frozen landscapes and close-ups of water reflecting cloudless skies mingled with pictures of Swiss army knives connected to the network port of laptops and cartoons of wriggling worms and scary spiky bombs. The tutorial commences with some general information on the risks threatening computer users, and some tips on computer security and how to be safe online. This is followed by fairly detailed sections on installing and using the software, and an FAQ, spread over numerous short pages embellished with pictures.

The support area of the website carries a more substantial FAQ, supplementing the questions answered by the tutorial. The support section has a slightly different design from the main body of the site, although still sticking to the white-and-blue colour scheme, and along with the product-specific areas also has a selection of tutorials, articles, tools and tips. The 'How to contact support' page seems to try to avoid mentioning the possibility of actually getting in touch with F-Secure, first discussing the wide range of online facilities and other support channels available to various types of customer, before eventually conceding that a call could be made to the company itself and providing a list of contact numbers. Deciding to take a chance, I left the web behind and ploughed ahead with installing the product.

Installation and setup

Without a hard copy of the product to play with, I had to content myself with running the downloaded installer file.

The installation process is simple and straightforward, with few options to bemuse the novice user. Indeed, after selecting my preferred language – from a list including a broad set of European languages as well as Japanese – the only real choice (other than whether or not to accept the licence agreement and where to place the root folder) was whether to drop the parental control functionality from the install. I allowed this module to be installed, as without web access (as is the case in the test lab) it defaults to an inactive state, and thus wouldn't prevent me from doing anything naughty while trying out the other aspects of the product.

The EULA contained all the standard disclaimers and reservations, including granting the rights to display any statistical data that may be gathered in forms such as the World Map mentioned above.

The online FAQ mentioned an ability to detect automatically and remove 'software from the largest security software vendors' as part of the installation process. I checked this out, installing the product over a selection of other security products including anti-virus from Symantec and McAfee, and Webroot's SpySweeper anti-spyware. It detected each of them quickly and ran their uninstallers. The process was a little confusing however, as each opened their 'Are you sure you want to remove me?' and 'I need a reboot now' dialogs behind the F-Secure install window, which showed a progress bar chugging slowly along while it waited for me to let the uninstallation continue. Once I realized what was happening, the process completed smoothly and without further issues.

On a rather weary old machine, rather below the minimum recommended specifications, the final stage of the installation and setup process took several minutes. This time was reduced considerably on more modern hardware, but still averaged around a minute even on a fairly high-powered computer. The install and setup is followed by a reboot to get things fully operational – the reboot mechanism grants the user 300 seconds to prepare themselves, but in my eagerness to get a look at the product I avoided waiting the full five minutes, and hurried things along.

The product's initial action on activation was to attempt to contact home, to verify my subscription and check for updates. Prevented from doing this in my sealed-off lab, it offered me the options to retry the validation, to uninstall the product, or to carry on regardless – in which case the product would deactivate after seven days.

Next up, according to the online tutorial I had so closely followed, should have been a startup wizard, offering configuration of the parental controls, and setup of the spam filtering, application control, an initial scan of the machine and some scheduled checks. Without proper validation, however, these steps were skipped, but could be accessed again later via an option available from the Start menu (with the exception of the parental control sections, the wizard for which was available from the main dialog).

Operation and documentation

Opening the product from the system tray (no desktop shortcut was provided), I was presented with a surprisingly small and busy GUI that was rather heavy on text. The 'Home' page informed me that updates and the parental control functions were disabled, and that validation had yet to take place, but that all other modules were operating normally.

The other modules comprised 'Virus and spy protection', scanning both file access and email, an 'Internet shield' made up of a firewall, HIPS and application control, and 'Spam control'. Small but smooth buttons down the left-hand side led to individual panes for each section, while clicking on 'Advanced' or any of the numerous 'Change' or 'Configure' links brought up a second window, again text-oriented, with a tree structure and numerous configuration options.

The home page featured a security news ticker, which unfortunately didn't work in my isolated environment. There were also links to the main F-Secure site, and to the support section, while buttons allowed the user to update or validate their software.

Apart from these links to external resources, most of the main GUI was purely informational. Status, and in some cases statistical data, was presented in each section, along with a link to the appropriate page of the 'Advanced' controls. The main exception to this was the 'Scan my computer' link on the 'Virus protection' tab, which opened a small menu of scanning options, including scanning a particular target, a full drive, checking for spyware or rootkits, or performing a complete scan of the system. Each of these in turn opened a further window: the scan wizard. This displayed the file currently being scanned, and details of the number of files scanned and detections, but no estimate of the progress made. There was also an option to run scans from the right-click menu in Explorer, which again led to the same scanning screen.

The 'Advanced' tab contained numerous sub-sections, some of them with their own layers of tabs for further control. Many of these offered information with few options, while others were loaded heavily with tweakable controls. The main on/off functionality for each section tended to be greyed out, and could only be accessed using a 'Change' link from the main GUI; this in turn opened a dedicated dialog from which one could adjust, say, the paranoia level of the virus monitoring. The net result of this multi-window system was perhaps a little confusing, and occasionally left me searching for the settings for a particular feature, but once I had gained a feel for where things were it did seem fairly sensibly laid out.

Help is generally available via a context-sensitive link, opening a large and once again rather chilly-looking window with some information on the given section. Like the interfaces, the help is fairly text-heavy, with little in the way of the friendly diagrams and step-by-step guides I had expected to see in a home-user product. There were also none of the handy links to the corresponding page of controls in the main interface, only descriptions of how to open them for yourself. As such, it was less integrated with the product than some users may find useful, seeming to be aimed more at those wishing to learn how to use the product in full rather than those looking for a quick fix to a given problem. It is, however, fairly thorough for those who have the time and inclination to wade through it all, with most of the hidden or hard-to-decipher functionality explained at some point.

Malware scanning

The first thing I spotted after the initial setup of the product was a message, displayed when hovering my mouse over the system tray icon, informing me that my virus definitions were 'very old'. When the GUI came up, I was reminded of this in bold red text across the top of the main page, this time using the words 'really old'. Checking on the advanced page for the updates, I saw that the virus definitions included with the shipped product dated from late May, and the spyware identities from early June. It seemed a little odd that a product shipping in October should contain such old data (perhaps the datestamps displayed were misleading), but of course for the real user this would be remedied on install, as soon as the software connected to the web for the initial validation and update. For me, however, it presented an ideal opportunity to try out the product's heuristics and the new 'DeepGuard' proactive detection.

I ran a few scans over the VB virus collections, and was not surprised, given F-Secure's performance in most recent VB comparative tests, by the rigorous detection of just about everything we had (barring a few file types that were not scanned in certain modes). What was somewhat surprising – and quite pleasantly so – was the product’s detection rate when faced with some newer files. A scan over some of the more recent additions to the WildList revealed several files that were not detected, either on demand or when accessed by a simple file-opening utility. However, when the files were executed properly, several examples of the older and more numerous WildList favourites – such as W32/Bagle, W32/Mytob and W32/Mydoom, as well as more recent additions such as W32/Areses (aka Scano) – were picked up by generic detection in the virus engine.

Elsewhere, a selection of the latest malware joining the list, including W32/Banwarum and even W32/Stration (aka Warezov), were stopped by the System Control function, which picked up on some suspicious behaviours and added them (after prompting in some cases and automatically in others) to a list of blocked applications. This area of the product, hidden away as a tab on the virus scanning config page, creates a list of blocked applications, offering options to prompt before including. It presumably utilizes some features from the Windows Security Centre, as it is available only under fully patched Windows XP.

The only piece of malware to cause any trouble was W32/Looked (also called 'Philis' and 'Viking' by some naming systems). Of four variants hitting the WildList in July, none were picked up by straightforward scanning. When executed, with the protection setting at its default level, most were blocked by the System Control. With the setting turned up to high, all but one sample were detected as generic P2P worms. Some behaviour was permitted, including dropping some files and creating a few copies, and a couple of variants managed to sneak past the standard level of defence to the extent that files picked up as suspect could not be removed, or the explorer.exe process into which they had injected themselves crashed, on one occasion bringing the whole machine to a standstill. Nevertheless, nothing in the WildList escaped detection of some sort, with at least a warning being given that some suspicious activity was happening. With more up-to-date definitions, of course, all these problems were dealt with more accurately and efficiently.

Clean files caused no problems either, with no false positives on any scan of the standard VB clean sets. Running a random selection of applications, of various degrees of usefulness and taken from both the clean set and other sources, also failed to generate any unnecessary warnings from the monitoring system.

At the end of one scan of what I believed to be a clean machine, the action dialog was presented to me with two items of 'riskware' discovered. The actions offered included delete, quarantine, exclude and do nothing. The names given to the riskware items were clickable, but led only to some online threat information, (which, being in my lab, I could not access), so I was at a bit of a loss to figure out just where these files were, and what they were doing on my freshly-imaged machine. This minor annoyance was solved simply by ignoring the actions and going straight on to the report, but it would perhaps have been useful to know the filenames and perhaps even paths of infected or supposedly dangerous objects, before deciding whether they should be removed or not. In the end I learned that the items in question were merely copies of the old PSKill utility from Sysinternals, stored in a stash of testing tools.

Another scan, running over the full collection and clean sets in full-paranoia mode, took a considerable length of time and eventually froze up scanning a clean file, requiring me to kill it using the task manager. Repeated attempts to reproduce this behaviour brought no luck, however, and I was forced to put it down to a random event. Even in the most thorough mode, with numerous infections and bad files to deal with, scanning a standard Windows install, with a mid-sized drive and a selection of software installed, along with a scattering of typical large media files, never took more than a few hours – a pretty decent result compared to the overnight or even full weekend required by some products.

System overhead seemed fairly reasonable too, with no noticeable slowdown, even during some intensive activity.

Other functionality

The product contains far more than standard anti-malware, of course. The various other components were tried out to a greater or lesser extent, as time was limited and, thanks to a recent relocation, the machines I would normally use to access the Internet were unavailable for most of the review period. Much of the following was therefore assessed in a sealed-off environment, using spoofed services where appropriate.

In the 'Internet Shield' section, the firewall is controlled by a number of rules, ready populated with a comprehensive set of known malicious probes and dangerous activities. These can be edited and added to, creating personalized rules to allow or deny specific actions and communications, and can then in turn be switched on or off as required; many of the pre-defined rules default to off. The system is perhaps a little more intuitive than many firewall control setups, although still requiring some understanding from the user.

Those with a more paranoid approach to their security may prefer the more usual 'training mode' style of firewall setup, which requires the user to grant networking powers specifically to all software attempting to connect from one's machine, giving them the opportunity to ponder the needs of their software, app by app, should they so wish. This functionality is, in FSIS2007, divorced from the firewall configuration section, and instead resides under 'Application Control'.

I was surprised, given its name, that the Application Control functions only over the web, offering no facility to block local use or activity of unwanted software. Such functionality is, of course, more expected in and more suited to a corporate environment, and perhaps a home user would find the title of the section quite appropriate. Selected software can be allowed or denied access to the network, and unknown apps can either be allowed, but logged, or allowed only after user interaction. The first question asked by the startup wizard is whether to allow access to all software, only logging attempts to contact the outside world, or to block everything until permission is granted, the default being the more secure block mode. This can be changed from within the Advanced GUI.

The HIPS system has little configuration available, with only on or off, and block or log only on detection of a suspected intrusion attempt. There is also a dial-up section, where connections to specified numbers can be allowed or denied.

Under 'Spam control', another fairly basic set of controls allows the user to change the spam settings from the default medium to 'relaxed' or 'aggressive', as well as to switch off RBL checking. White- and blacklists of email addresses can be set up, with an option to import Outlook addresses to populate the whitelist. Outlook is integrated automatically, while other clients require some setup of spam folders and filter rules (instructions are provided in the help pages for Netscape and Mozilla, Opera, and Eudora). Separate phishing filtering, which places known phishing scams into a separate phishing folder, is supported only under Outlook. The accuracy or otherwise of the spam filtering, like that of the HIPS system, sadly falls outside the scope of this review.

The 'Parental Control' feature is one of the main items that is new in this version. Once set up from a simple wizard, which involves little more than entering passwords for 'Parent' and 'Teen' users, the access control system is opened on the next attempt to browse the web. From here, settings can be decided for the 'Child' and 'Teen' users.

Younger children are granted access only to an explicitly designated list of websites, a 'walled garden' wherein they can play safely. Full sites or subsections thereof can be entered into the list, and an option is available to allow access to all sites designated child-friendly by F-Secure. On attempting to access a site not included on the list while the child mode is active, the browser redirects to the control page, which displays a clickable list of the permitted sites. The screen is rather stark and cold, in typical F-Secure style, and could perhaps do with a little warming up for the youngest audience.

For the teenager group, a slightly more complex system operates. Certain types of site are barred, presumably using a central blacklist maintained by F-Secure or one of its affiliates. These are grouped into categories, which can then be allowed by more permissive parents (categories are also set up for chat and webmail sites, but allowed by default). Specific sites can be allowed within these groups should the need arise, and others blocked specifically at the whim of the parent, using the same selection system as for children.

A time lock function is also available, to control when the net is available, with separate time settings for the two different groups (no time settings are available for the adult user). Once the parental password has been set, generally as part of the install, it is requested every time changes are attempted to the settings of the product, which reverts to child mode on reboot or on activation of a screensaver.
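To make the precedence of these controls concrete, the following is a small model of such a per-profile web access policy, written for this page as an added example; it is not F-Secure's code, whose internals the review does not describe. The category list, the `.test` hostnames and the profiles are constructed sample data, and the rule order (time lock first, then the parent's explicit block list, then the explicit allow list, then category or walled-garden logic) is an assumption about how such a product behaves rather than anything the product documents. It also shows the check a practitioner would want in any allow-list of "full sites or subsections": host and path rules are matched on label and segment boundaries, so that allowing `kids.example.test` does not also admit `kids.example.test.evil.test`, and allowing `/kids` does not admit `/kidsx`.

```python
"""Model of a child/teen/adult web access policy (added illustration, not vendor code)."""
from dataclasses import dataclass
from typing import Optional
from datetime import time
from urllib.parse import urlsplit

# Constructed sample category database. A real product consults a
# vendor-maintained list; these .test hostnames are placeholders.
CATEGORY_DB = {
    "adult.example.test": "adult",
    "chat.example.test": "chat",
    "mail.example.test": "webmail",
    "kids.example.test": "child-friendly",
    "wiki.example.test": "reference",
}
TEEN_BLOCKED_BY_DEFAULT = {"adult", "gambling", "weapons"}  # unless the parent allows the category


def split_url(url):
    """Return (host, path) for a URL, tolerating a missing scheme."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip("."), parsed.path or "/"


def host_matches(host, rule_host):
    """Exact host or a subdomain of it. A bare endswith() check would let
    'evil-example.test' match 'example.test'; require the dot boundary."""
    rule_host = rule_host.lower().rstrip(".")
    return host == rule_host or host.endswith("." + rule_host)


def url_matches(url, rule):
    """rule is 'host' (whole site) or 'host/prefix' (a subsection of it).
    Path prefixes match only on a '/' boundary, so '/kids' does not match '/kidsx'."""
    host, path = split_url(url)
    rule_host, _, rule_path = rule.partition("/")
    if not host_matches(host, rule_host):
        return False
    if not rule_path:
        return True
    prefix = "/" + rule_path.strip("/")
    return path == prefix or path.startswith(prefix + "/")


def category_for(host):
    """Look the host up, then each parent domain, so 'www.adult.example.test' inherits."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorised"


def within_hours(now, hours):
    if hours is None:
        return True
    start, end = hours
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window crosses midnight


@dataclass
class Profile:
    kind: str                                    # "child", "teen" or "adult"
    allowed: tuple = ()                          # parent's allow rules, "host" or "host/path"
    blocked: tuple = ()                          # parent's block rules
    allowed_categories: frozenset = frozenset()  # teen: categories the parent unblocked
    trust_vendor_list: bool = False              # child: also admit vendor "child-friendly" sites
    hours: Optional[tuple] = None                # (start, end) times, or None for no time lock


def decide(profile, url, now):
    """Return (verdict, reason). Order of precedence is the assumption stated in the text."""
    if not within_hours(now, profile.hours):
        return "block", "time-lock"
    if any(url_matches(url, r) for r in profile.blocked):
        return "block", "parent-blocklist"
    if any(url_matches(url, r) for r in profile.allowed):
        return "allow", "parent-allowlist"
    cat = category_for(split_url(url)[0])
    if profile.kind == "child":
        if profile.trust_vendor_list and cat == "child-friendly":
            return "allow", "vendor-child-friendly"
        return "block", "walled-garden"  # child mode: deny everything not explicitly admitted
    if profile.kind == "teen":
        if cat in TEEN_BLOCKED_BY_DEFAULT and cat not in profile.allowed_categories:
            return "block", "category:" + cat
        return "allow", "category:" + cat  # chat, webmail etc. stay allowed by default
    return "allow", "adult"


# Constructed sample profiles.
CHILD = Profile("child", allowed=("wiki.example.test/kids",), trust_vendor_list=True,
                hours=(time(8, 0), time(19, 0)))
TEEN = Profile("teen", blocked=("chat.example.test",), hours=(time(7, 0), time(22, 0)))
ADULT = Profile("adult")


def demo():
    checks = [
        (CHILD, "http://kids.example.test/games", time(10, 0)),             # vendor list
        (CHILD, "http://wiki.example.test/kids/dinosaurs", time(10, 0)),    # allowed subsection
        (CHILD, "http://wiki.example.test/kidsx", time(10, 0)),             # prefix spoof
        (CHILD, "http://kids.example.test.evil.test/", time(10, 0)),        # suffix spoof
        (CHILD, "http://kids.example.test/games", time(20, 30)),            # time lock
        (TEEN, "http://adult.example.test/", time(12, 0)),                  # category block
        (TEEN, "http://chat.example.test/", time(12, 0)),                   # parent override
        (TEEN, "http://mail.example.test/", time(12, 0)),                   # allowed by default
        (ADULT, "http://adult.example.test/", time(3, 0)),
    ]
    return [decide(p, u, t) for p, u, t in checks]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

The two spoof cases in `demo()` are the ones worth keeping in mind when reading any product's "enter a site or a subsection" dialog: a matcher built on plain substring or `endswith()` checks turns an allow-list entry into a wildcard for attacker-chosen domains, so the boundary tests in `host_matches` and `url_matches` are the part of this model that carries over to real filters.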

Were I a parent I expect I would feel fairly happy leaving my offspring in the hands of F-Secure's product, but a few things could be added, I thought. A keyword-based web blocking system is common in parental controls, scanning sites for undesirable words, but these are notoriously 'dumb' and prone to error. Perhaps with more security companies joining the market, some extension of anti-spam technology could be usefully applied to the problem. Also, the blocking of undesirable software, such as games that are unsuitable for younger types, may be handy. The System Control feature creates a list of blocked apps, but seems to lack the option to add things to the list oneself, including them only once they have been flagged as suspicious by the behavioural monitors.

Away from the main set of functions, there are a few other little tools available. According to the documentation, those lucky enough to have the full CD product will find it is possible to boot straight into a scan from the CD – a handy trick which should circumvent the stealth measures used by certain particularly nasty infections.

For those having trouble with their product, the start menu folder contains a diagnostic function, which runs a set of tests and creates a file which can be forwarded to F-Secure tech support to aid in the analysis of problems. The file contains a swathe of logs, stowed in .tar.gz format, packed with data on the system, its makeup and settings, data on the content and layout of the FSIS installation, and information about numerous registry keys related to the product. It was in one of these logs that I saw the only mention of F-Secure's previous name, Data Fellows, still lurking in a number of legacy registry settings.

Conclusions

FSIS2007 provides a pretty thorough selection of security tools designed to guard against a wide variety of threats. Its detection of viruses, trojans and spyware is highly impressive, especially when blocking unknown threats using either generic identities or behaviour patterns, and its speed, overhead and reliability cannot be faulted. The numerous other functions (filtering spam, monitoring network and local activity, and blocking unwanted web content from younger users) cover most of the security issues facing users. The only component that seemed to be missing was full local application control, giving users of the parental functions the option to keep their offspring from using certain types of software.

The user experience, for my tastes, left a little to be desired, with the GUIs possibly a little daunting for the average home user, and a little lacking in obvious fine-tuning options for the more experienced. The multi-window approach gives the product something of a disjointed feel, and adds further complexity to the task of configuring the software to one's individual preferences. Functionally, however, it was a slick and fairly comprehensive set of controls, with no important options absent or unusable. Of course, for the truly novice user, the entire interface can be ignored most of the time, with the default settings providing comprehensive protection straight out of the box.

Overall, this is a solid product that oozes reliability, giving a warm feeling of safety despite the cool themes of its design. Indeed, it could be that the interface deliberately shies away from the friendly, cuddly touches I had expected, precisely in order to foster this sense of solid, professional protection. I only wish I had more time to try out the wide range of features in a more rigorous and scientific manner; doubtless we will meet again on the VB comparative test bench.

Technical details: F-Secure Internet Security 2007 was tested on: AMD K6, 400MHz, with 512MB RAM and dual 10GB hard disks, running Microsoft Windows 2000 Professional Service Pack 4. Intel Pentium 4, 1.6GHz, 512MB RAM, dual 20GB hard drives, 10/100 LAN connection, running Windows XP Professional SP2. AMD Athlon64, 3800+ dual core, 1GB RAM, 40GB and 200GB hard drives, 10/100 LAN connection, running Windows XP Professional SP2 (32bit).
