G Data Total Security 2010

2009-09-01

John Hawes

Virus Bulletin, UK
Editor: Helen Martin

Abstract

VB's test team decided to test drive G Data's latest complete suite product and were thoroughly impressed with the breadth and quality of the product.


G Data Software was founded in Bochum, Germany in 1985 and has been in the anti-virus business for over 20 years. Alongside its long-time flagship product formerly known as AntiVirusKit (AVK), the company now produces a range of security offerings including business-oriented protection software, and has an expanding global presence.

The company may not have the highest profile among security firms, outside its native Germany at least, but the name will be well known to regular VB readers thanks to a consistent record of excellence in VB100 testing. The company’s products have built up an impressive chain of passes, with only two fails since 2003 – one for a fairly minor false positive, the other from an issue with scanning floppy disks, back in the days when such things were still important. In recent comparative reviews our new RAP rating system has highlighted the superb detection capabilities provided by the company’s dual-engine approach, placing it consistently among the leading performers in our RAP quadrants. Similarly impressive scores have been achieved in other independent tests.

With the latest complete suite product promising a wide range of extras in addition to the top-class anti-malware protection, we decided it was time to take a closer look.

Web presence, information and support

The company operates a number of websites in a variety of languages, with the main English-language hub to be found at gdatasoftware.com. From here, users can navigate to a localized site for their region, most of which seem to offer much the same experience. The site is simple, clear and responsive, and is happy to run with scripts disabled – something which far too many security firms seem to consider an unacceptable impediment to their marketing efforts. The home page is heavily product-focused, with a list of the full product range given pride of place beneath a colourful advertisement for the latest 2010 version. This is accompanied by details of recent favourable reviews and the latest upgrade opportunities, and followed by a selection of news items on recent security issues. A selection of links lead to the main subsections of the site, top of the list being the inevitable online shop and access to free trials, which seem to be offered for most of the home-user product range.

This is followed very sensibly by the support section, which continues the plain and simple layout of the rest of the site; a large and clear search box is the main item, and contact telephone numbers – so often these days buried out of sight to prevent any chance of human contact – are displayed prominently on every support-related page. An online contact form is also provided, along with detailed contact information for local and global offices. For more standard support issues, a well-stocked FAQ covers a range of common issues with clear and sensible solutions, and is easily searchable. A downloads section provides access to more detailed manuals, although these are not yet available for the new 2010 edition, as well as a selection of additional tools, including a bootable CD image for those tricky cleaning jobs.

The ‘Security Labs’ section provides a more general range of advice and assistance, with information on malware and malware issues, a well-stocked library of news stories and alerts, and a set of handy tips and tricks to improve security in general, including advice on password selection and backing up of data. Some fun statistics are also available, with maps and graphs showing malware and spam outbreaks (including an amusing ‘massiveness’ meter), number of active zombies and so on.

Finally, a selection of data is provided on the company and its business partners, including an impressive list of recommendations from existing customers, predominantly in Germany. Technology partners also include a roster of collaborations with leading security firms.

Having perused the information available online, and not yet having thought of any issues which might warrant testing the support system, we took our copy of the top-of-the-line Total Security product into the lab.

Installation, configuration and assistance

Installation of the product is fairly straightforward, with a few pauses at various stages on lower-powered systems but generally fairly speedy. Options are provided to install additional components, including parental controls and a data shredder, and the now standard community system can also be joined (or not) at this stage. With little further ado things are up and running, but of course an update is required to bring things up to speed.

Somewhat surprisingly, the build provided for download seems not to include any detection data added in the last few months, so a rather lengthy initial update is required. It would seem that the extra labour involved in keeping the standard online build reasonably up to date would be balanced out by the reduced strain on update servers, and the better immediate protection provided to users, but doubtless there are other factors involved too.

Once up and running, the product presents a very appealing interface, reflecting the unfussy feel of the company web presence. The design is fairly standard, with a list of the various components and modules along with status information and links to configuration and control, with a fairly large pane down the left-hand side dedicated to licensing information and some nice little graphs of system and scanner load. Checking quickly through the various options menus showed immediately that a commendable depth of control is available. This all seemed at first glance to be logically laid out and accessible; we decided to look at each section in greater depth later on, pausing only for a brief skim through the help system.

The help system is accessed via a link from the main GUI window, but only from the main page, with few additional contextual links from within the various subsections of control, even though such links are often a fast and useful way of accessing information on a specific subject. The information provided is pretty thorough and generally clear and lucid, with just the occasional infelicity of style or grammar hinting at translation issues. Though rather short on screenshots and links to control areas back in the main product, it covers the ground pretty thoroughly, with a very nice selection of ‘tips’ guiding users through performing specific tasks, rather than simply detailing what each button or checkbox is intended to do.

All in all, the product seemed pretty well designed and laid out on the surface; it was time to see if it still had what it takes under the hood.

System protection and malware detection

We have already noted G Data’s consistent excellence in terms of malware detection, demonstrated by superb performances in VB100 and other tests. The product’s high level of detection is assured by the use of two separate engines, which have occasionally been switched in the past as different developers and labs prove themselves worthy of inclusion. In the past the Kaspersky engine, so popular with OEM products, has been a stalwart component, but this time G Data has opted to move on to newer ground, bundling together engines from BitDefender and Alwil. With both these engines doing extremely well of late, the combination promised to provide as good if not better detection rates while slightly reducing scanning times in some areas, judging by our recent measurements in VB100 comparatives.

Running the product over our sample collections proved this to be right on the money, with all sets totally destroyed by the scanner, which easily handled just about everything we threw at it. On the evidence of the range of impromptu scans we carried out, G Data looks set to further improve its excellent ranking in our RAP quadrants over the next few months. Scanning proved solid and stable, with no problems handling our sets of difficult malformed files which have tripped up many others in the past, and the on-access monitor held up well under extremely heavy bombardment from all directions.

No behavioural or HIPS-type blocking is included in the product, but with both the engines included showing some great scores in the reactive part of our RAP sets lately, protection against new and unknown malware should be about as good as it can be with static scanning using advanced heuristics and generic detection. We also found the overheads imposed to be fairly reasonable despite the two-pronged approach, with most systems functioning perfectly well and even the low-powered netbook barely registering any slowdown in normal operations.

On-demand scans, designed to be as fast and thorough as possible, do impose considerable restrictions on using the system for anything else while they are being carried out, but an option is provided to cede control when the user wants to get on with something else. This can even be enabled mid-scan, taking a few moments to take effect but soon returning the machine to full speed, and resuming high-power scanning once resources are made available. There is also a pretty decent caching system which causes files previously scanned or listed in whitelists to be ignored; this kind of technology is not yet accurately covered by our comparative speed measurements, although we hope to introduce an updated system in the near future. As a slightly less than scientific measure however, it seemed pretty clear that speeds picked up considerably once the scanner got to know the local system.
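The caching described above has two properties a practitioner should look for in any scan-result cache: verdicts must be tied to file content rather than file name, and every cached “clean” verdict must be discarded when definitions are updated, since a file that was clean under yesterday's signatures may be detected by today's. The following is an added illustration of such a cache, not G Data's implementation; the class, the `engine` callback and the sample files are all hypothetical.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ScanCache:
    """Hypothetical scan-result cache keyed on the SHA-256 of file content.

    A cached verdict is reused only while the definitions version that
    produced it is still current; updating definitions invalidates all of them.
    Hashes in `whitelist` (files the user has explicitly trusted) are never scanned.
    """
    definitions_version: str
    whitelist: set = field(default_factory=set)
    _clean: dict = field(default_factory=dict)   # sha256 -> definitions version
    scans_performed: int = 0

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def scan(self, data: bytes, engine) -> bool:
        """Return True if `data` is considered clean.

        `engine(data) -> bool` stands in for the real scanner and is only
        called on a cache miss.  Infected verdicts are never cached, so a
        file that was detected is always re-examined.
        """
        h = self.digest(data)
        if h in self.whitelist:
            return True
        if self._clean.get(h) == self.definitions_version:
            return True                       # cache hit: skip the engine
        self.scans_performed += 1
        clean = engine(data)
        if clean:
            self._clean[h] = self.definitions_version
        return clean

    def update_definitions(self, new_version: str) -> None:
        # Changing the version is enough: old entries no longer match it.
        self.definitions_version = new_version


def demo_engine(data: bytes) -> bool:
    """Stand-in scanner: flags a constructed marker string, nothing else."""
    return b"CONSTRUCTED-BAD-MARKER" not in data


def run_demo() -> dict:
    """Walk through the cache behaviour on constructed sample files."""
    cache = ScanCache(definitions_version="2009-09-01")
    clean_file = b"constructed clean document contents"
    infected_file = b"prefix CONSTRUCTED-BAD-MARKER suffix"
    trusted_file = b"constructed file the user has whitelisted"
    cache.whitelist.add(ScanCache.digest(trusted_file))

    results = {}
    results["first_scan"] = cache.scan(clean_file, demo_engine)      # engine runs
    results["repeat_scan"] = cache.scan(clean_file, demo_engine)     # cache hit
    results["scans_after_repeat"] = cache.scans_performed            # still 1
    cache.scan(clean_file + b"!", demo_engine)                        # new content -> engine runs
    results["scans_after_modify"] = cache.scans_performed            # 2
    cache.update_definitions("2009-09-02")
    cache.scan(clean_file, demo_engine)                               # verdict invalidated -> engine runs
    results["scans_after_update"] = cache.scans_performed            # 3
    cache.scan(infected_file, demo_engine)
    cache.scan(infected_file, demo_engine)                            # infected verdicts are not cached
    results["scans_after_infected"] = cache.scans_performed          # 5
    results["whitelisted"] = cache.scan(trusted_file, demo_engine)   # never reaches the engine
    results["scans_final"] = cache.scans_performed                   # still 5
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Keying on the content hash rather than the path means a file rewritten in place, or a known-clean file copied under a new name, is handled correctly in both directions; tying the verdict to the definitions version is what keeps the speed-up from quietly becoming a detection gap after each update.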

Hampered as ever by a lack of time to go into too much depth, with yet another comparative to prepare for and the annual VB conference fast approaching, we weren’t able to look as closely at removal and disinfection as we would have liked, but the selection of items we did manage to get installed on a system were easily and cleanly removed once those all-encompassing definitions were updated to provide detection. Throughout we found the control system to be both simple to use and impressively thorough, with no option we could think of that was either absent or even difficult to find. For both the on-access monitor and the on-demand scanner, the option to use one or other of the two engines (coyly referred to as ‘Engine A’ and ‘Engine B’) is provided, with the default being to use both in both modes. Engine A is described as having stronger detection but slightly lower performance; Engine B is recommended for faster scanning speed but not such complete detection.

The simplicity of operation extends to the web and email protection, which is given a separate section in the main interface but closely tied in with the anti-malware scanner. Traffic via HTTP, IM and email (both inbound and outbound) is scanned, with a few configurables such as size limit for scanning downloaded files and attachments, the addition of ports to scan and so on. The user can also opt to report infected sites back to base, to improve protection for the whole community.

Moving on to the other main protective element, the suite of course includes the now-obligatory firewall. In this area there are some simple measurements of success: the efficacy of the standard settings, the intrusiveness or lack thereof on the user experience, and the usability of the fine-tuning for more advanced users. In all three G Data scores pretty highly. By default, the firewall operates entirely on ‘auto-pilot’, taking a selection of standard rules and creating new sets for whatever network-enabled software is found running on the system. This all seems pretty well thought out and effective, and the whole experience is completely transparent to the user, with none of the training periods or constant deluges of requests for permission favoured by many systems. For the average user, a very satisfactory level of protection from web-based attacks will be provided invisibly and with no effort whatsoever.

For the more experienced (or more paranoid), there is of course the option to delve deep into the settings and configure things exactly to one’s liking. Such systems are often complex and bewildering, but once again G Data has gone to considerable efforts to provide even less skilled and knowledgeable users with some access to fine tuning. A simple and pleasant wizard system is provided to lead the user through the steps of designing and creating a rule or ruleset based on categories including applications, network connections and services, along with the direction to control and so on. The only thing missing would be the option to block specific applications and behaviours at a local level to turn it into a fully fledged and highly usable application control and HIPS system. Beyond these simplified controls, full and detailed configuration is also provided via an advanced tab, which again is clear and lucid. Logging is complete and detailed, with a nice clear summary available for every incident noted, whether blocked or allowed.

Other functionality

The name of the product is ‘Total Security’ and of course it goes some way beyond the standard components mentioned so far. There is, of course, a spam filter – another pretty compulsory component of a security suite these days. Here, the spam filter is given its own sub-GUI much like the firewall component and it is similarly kitted out with options and controls. This was something else that we weren’t able to test thoroughly, our current anti-spam testing set-up being more geared towards corporate, server-level protection than the home-user end, but running through the layout we found it offered all one could want, from simple allow and block lists to detailed controls of sensitivity and response to suspected detections.

The lower entries on the main interface cover a selection of items only included in the more thorough suites. The first, and probably most common, is a parental control system to protect children from inappropriate content online. We had quite some fun playing around with this, concluding that, once again, the interface was designed extremely well. The area for defining permitted usage hours, based on specific times and/or weekly and monthly allowances, was particularly simple to implement. It even differentiates between Internet use and use of the computer for offline activities. The built-in controls offer filtering of a range of unwanted topics, based both on known bad sites and keywords by the look of things, and also a ‘walled garden’ approach where only a list of known-good sites can be accessed. This list seems reasonably well populated, and is fairly simple to expand with new sites and whole new categories for the committed and diligent parent to configure as they desire. The blocking system is similarly simple, with new unwanted URLs or keywords easy to add.

In implementation, things seem a little less complete however, with a few quirks of behaviour noted when exploring. Occasionally, sites on the allowed list would fail to display, then subsequent pages visited would appear to be masquerading as the missing page, and some of the sites and categories appeared to be in different languages, indicating that the localization of this section is not fully complete. It seems likely that the user’s mileage with this tool will vary depending on their location. The opposite method, of blocking unwanted content but generally allowing access, also had a few oddities, failing the ‘Scunthorpe’ test and apparently defusing some of the blocks if an ‘exception’ keyword is included on the same page. So, a fairly decent stab at a control system, with some excellent configurability, but perhaps a little lacking in the sophistication of the most advanced examples of the genre. Full logging of all activities is included of course.
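The two quirks noted above are classic keyword-filter failure modes: the ‘Scunthorpe’ false positive comes from matching a blocked word as a bare substring, and page-wide defusing comes from treating an ‘exception’ phrase as an override for the whole page rather than for the one occurrence it contains. The following added example, which is not G Data's code and uses constructed keyword lists, shows both behaviours side by side with a filter that avoids them.

```python
import re

# Constructed illustrative lists; a real filter would carry far more entries.
BLOCKED_KEYWORDS = ["ass", "sex"]
EXCEPTION_PHRASES = ["sex education"]


def naive_should_block(page_text: str) -> bool:
    """Substring matching, with any exception phrase anywhere on the page
    overriding every block.  This reproduces both quirks: 'assistant'
    triggers the 'ass' keyword, and one 'sex education' mention unblocks
    the whole page."""
    text = page_text.lower()
    if any(exc in text for exc in EXCEPTION_PHRASES):
        return False
    return any(kw in text for kw in BLOCKED_KEYWORDS)


def scoped_should_block(page_text: str) -> bool:
    """Whole-word matching; an exception phrase neutralises only the
    keyword occurrence inside it, so other occurrences still count."""
    text = page_text.lower()
    # Blank out exception phrases first (keeping length so offsets are unchanged),
    # so the keywords they contain are invisible to the block check.
    for exc in EXCEPTION_PHRASES:
        text = re.sub(re.escape(exc), lambda m: " " * len(m.group(0)), text)
    for kw in BLOCKED_KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", text):
            return True
    return False


# Constructed page snippets exercising each case.
SAMPLES = {
    "scunthorpe_style": "Classroom assistant vacancies at the local school",
    "legitimate_exception": "Sex education lesson plans for teachers",
    "exception_plus_blocked": "Sex education resources. Also: hot sex pics here",
    "plainly_blocked": "Hot sex pics here",
}


def compare() -> dict:
    """Return {sample_name: (naive_verdict, scoped_verdict)}."""
    return {name: (naive_should_block(t), scoped_should_block(t))
            for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, scoped) in compare().items():
        print(f"{name:24s} naive={naive!s:5s} scoped={scoped}")
```

The scoped filter is still a keyword filter, with all the limits that implies, but it removes the two specific defects observed: a legitimate word is no longer blocked for the substring it happens to contain, and an exception phrase can no longer act as a skeleton key for an otherwise blocked page.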

Moving on, we find a section labelled ‘tuner’, which offers a lot more than the simple clean-up of excess files provided by some of the other suites we’ve looked at. Not only does it clear up the various temporary and cache items collected on the hard disk of a well-used machine, it also probes through the registry for unnecessary dross and checks through the system settings to confirm that a selection of basic security measures have been taken. Dividing these into security, performance and privacy-related issues, all are enabled by default but can be deactivated, and a trial run can be performed which will produce a list of changes found to be necessary, but without actually implementing them. Full scheduling and logging is provided, and an undo feature can roll back any changes subsequently found to be inappropriate. It all seems pretty thorough, without including any potentially harmful activities, and works surprisingly speedily. Running on a tired old netbook which has seen a great deal of software installed and removed of late, it certainly seemed to make a discernible difference to the system performance, and cleared out all the unnecessary and potentially sensitive information we could think to look for.

The final option in the main interface is a back-up facility, again provided with its own interface which continues the uniformity of design and layout of the rest of the product. Simple back-ups, on demand or scheduled, can be set up to archive specific areas and file types as required, with the archive stored wherever the user wishes, although local hard drive partitions are not recommended; storage on network drives, including an option to post to FTP sites, is preferred, but local archives can be created and burned to CD if desired. Yet again, configuration is both highly in-depth and simple to navigate, and logging is fairly thorough. There is even a system to administer previous back-ups, to remove older or unwanted data.

Having run through such a broad range of utilities, we thought we must surely be at the end of G Data’s offerings, but there remains one more item worth looking at: the shredder mentioned briefly during installation. This has no entry in the main interface but simply provides a desktop icon onto which items can be dropped for secure deletion. It doesn’t seem to have any sort of configuration, eschewing the choice of destruction types offered by some similar utilities, but it does its job in a simple and perfectly effective way without seeing the need to trouble the user with choices of what kind of military-grade, DoD-certified, multi-level-overwriting to perform.

Conclusions

Somewhat overwhelmed by the breadth of this suite, we arrive at the end of this review and remain thoroughly impressed. The coupling of the exhaustive protection of the dual-engine approach with equally exhaustive additional components will doubtless appeal strongly to the more demanding user, who will find little to complain about here other than the lack of full-blown HIPS. Where G Data has really scored, though, is in the layout and design of the product, opening up its many wonders to a much wider audience beyond the more technically inclined. In the vast range of products we see in the VB lab there is a strong tendency to sacrifice configurability for usability, or vice versa, and when a product manages to combine the two effectively it stands out from the crowd.

As security suites mature as a software type and become standard items on every desktop, the range of utilities they offer continues to expand and the quality of those components increases. While a few of the lesser items included here may still lag a little behind the very best in their specific fields, the provision of such a broad range in a single package, and moreover with a single, unified approach to operation and control, will open up new horizons of safety to a wider audience.

Something else worthy of note is the improvement in speed and reduction in resource usage. While previous iterations may have been rather hefty for many users, and while increasing power in desktop systems has led many developers to believe they can get away with growing overheads, G Data has greatly improved the performance of its product without noticeably reducing its ability to protect users. Doing away with the issue of sluggish and unresponsive systems, which many would cite as a major reason to shun the multi-engine approach, could signal G Data’s emergence as a truly major player on the security scene.

Technical details

G Data Total Security 2010 was tested on:

Intel Pentium 4 1.6 GHz, 512 MB RAM, running Microsoft Windows XP Professional SP2.

AMD Athlon64 3800+ dual core, 1 GB RAM, running Microsoft Windows XP Professional SP3 and Windows Vista Business Edition SP2.

Intel Atom 1.6 GHz netbook, 256 MB RAM, running Microsoft Windows XP Professional SP3.
