Exploring Anti-Malware Testing Methodologies

The simple objective in testing an anti-malware product is to verify that it stops malware from executing on the endpoint. Testing in this sense is not about features and functions; it is about whether the malware runs or not.

That is what an anti-malware product is designed to do: stop malware. These tests are designed to measure a product's pre-execution stopping power.

In the recently released book Next-Generation Anti-Malware Testing for Dummies, you will learn about four different testing methodologies for portable executables (PEs) and file-less malware, among other advanced forms of malware.

“We describe a number of tests that are highly simple and deliberately designed to split the field of anti-malware products,” explains Carl Gottlieb of TestMyAV.com. “You’ll be amazed how some big-name products perform in certain scenarios. Some very good, some very bad.”

Testing an endpoint security technology offline can reveal a lot about the product’s architecture and capabilities, which is important in order to make a well-informed decision.

Solutions that rely on cloud lookups may leave the customer at risk in two ways: a "patient zero" scenario, intentional or not, in which the first endpoint to meet a never-before-seen sample is compromised before the cloud has a verdict for it, and added latency on the endpoint while it waits for cloud processing to complete.

If a solution requires cloud lookups to process never-before-seen malware, then it implies that the solution relies on either cloud intelligence (file reputation) or cloud-based emulation.

It is important to test anti-malware products offline using mutated samples, then test them again online with the same sample set. A significant gap between the offline and online results means the product depends on cloud connectivity to function properly. Record the verdict for each sample in both runs rather than comparing totals alone, so that you can see exactly which samples were caught only with the cloud's help.
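As an added example (not code from the book, from TestMyAV.com or from Cylance), the following Python shows the two pieces of this procedure that a tester typically scripts: producing hash-unique mutations of a sample without changing its code, and comparing the per-sample verdicts of the offline and online runs. It assumes the tester records a blocked/not-blocked verdict per sample, by hand or with a product-specific wrapper, and feeds both result sets to the comparison. The sample here is a constructed, non-executable stub that carries only the MZ/PE header structure the mutator needs; the timestamp rewrite is one simple hash-busting mutation (changing the COFF TimeDateStamp), chosen because it changes the file hash, and so defeats a pure hash-reputation lookup, without touching the code. Real samples belong in an isolated lab.

```python
import hashlib
import struct


def build_stub_pe() -> bytes:
    """Constructed stand-in for a sample: minimal MZ/PE header bytes plus filler.
    It is not a real program and cannot run; it only has the fields we mutate."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew: offset of "PE\0\0"
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x5F000000, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff + b"\x90" * 64  # filler standing in for sections


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mutate_pe_timestamp(data: bytes, new_ts: int) -> bytes:
    """Return a copy of a PE image with only the COFF TimeDateStamp changed.

    The field is metadata, so the code sections are untouched, but the file
    hash changes. A product that relies on hash reputation will not recognise
    the mutant; one that looks at the code itself should still catch it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    ts_off = e_lfanew + 4 + 4  # skip "PE\0\0", Machine (2) and NumberOfSections (2)
    out = bytearray(data)
    struct.pack_into("<I", out, ts_off, new_ts)
    return bytes(out)


def make_variants(data: bytes, count: int) -> list:
    """Produce `count` hash-unique variants of one sample for the test set."""
    return [mutate_pe_timestamp(data, 0x50000000 + i) for i in range(count)]


def compare_runs(offline: dict, online: dict) -> dict:
    """Bucket per-sample verdicts (sample id -> blocked?) from the two runs.

    'online_only' is the interesting bucket: samples the product stopped only
    when it could reach the cloud, i.e. the cloud-dependent part of its coverage."""
    if offline.keys() != online.keys():
        raise ValueError("offline and online runs must use the same sample set")
    result = {"both": [], "online_only": [], "offline_only": [], "neither": []}
    for sample in sorted(offline):
        off, on = offline[sample], online[sample]
        if off and on:
            result["both"].append(sample)
        elif on:
            result["online_only"].append(sample)
        elif off:
            result["offline_only"].append(sample)
        else:
            result["neither"].append(sample)
    return result


if __name__ == "__main__":
    stub = build_stub_pe()
    variants = make_variants(stub, 3)
    for v in variants:
        print("variant hash:", sha256(v))
    # Constructed verdicts standing in for what the tester recorded in each run.
    offline = {sha256(variants[0]): False, sha256(variants[1]): False, sha256(variants[2]): True}
    online = {sha256(variants[0]): True, sha256(variants[1]): False, sha256(variants[2]): True}
    for bucket, samples in compare_runs(offline, online).items():
        print(f"{bucket}: {len(samples)}")
```

The `online_only` bucket is the cloud-dependent coverage the passage above is after; `offline_only` should normally be empty, and anything in it is worth re-running, since it points at an inconsistent verdict rather than an architectural trait.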

The reason for testing a product while offline is to isolate what it can do on its own, which is what sheds light on its architecture.

“To test for the real-world, we need to think about (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog