Security Basics mailing list archives

RE: F-Secure 2006 Review


From: "Ross, George" <george.ross () atlahq org>
Date: Fri, 9 Dec 2005 19:05:22 -0500


I know this is an old post but could someone give me an idea what they
think about a 200 user environment choosing
Webroot or F-Secure as their spyware choice.  I know that F-Secure
requires the removal of many other things, which
is fine because we are not running a local firewall and we have CA as an
anti-virus.  Just want to get an idea about
the spyware comparison, which F-Secure is Lavasoft.  Any help is much
appreciated. 

-----Original Message-----
From: ldruger () gmail com [mailto:ldruger () gmail com] 
Sent: Tuesday, October 11, 2005 5:28 PM
To: security-basics () securityfocus com
Subject: F-Secure 2006 Review

OVERVIEW F-SECURE 2006
I've been running the trial of the security suite and I'm pretty pleased
thus far. It's more resource heavy than ZA, but 3 AV engines (two in
house and Kaspersky's AV) have all tested better than CA's engine (which
powers ZA's product).  
My main issue is incompatibility with Spybot, F-Secure doesn't want to
play in the same sandbox, but it works with MS-anti-spyware beta. I'm
writing this due to a dearth of actual reviews on the web for this
product.  I have tried to be impartial with regards to F-Secure to the
best of my ability.
That being said I feel it's necessary for the reader to understand my
expectations as they will invariably influence my opinion.  I expect my
firewall company to be paranoid, because people may be out to get me as
their customer. I expect the firewall to protect my computer, even on
open ports. I want to be able to let my wife, who knows nothing about
security, use my PC when I'm out and not come home to find my PC on the
top ten list of spam zombies.  I don't need the UI to be a work of art,
but the controls needn't be too dumbed down.  Allow me the flexibility
to customize every aspect of my connections and work habits.
I did not start using the software planning to write this, so I didn't
take notes or do as detailed analysis as I could (Hey, nobody's paying
me for this). 
ANTI-VIRUS
I've tested a few firewall testers and a "fake AV file"; the fake will
download, the zip file will open, but it will not allow you to double click
on the file.  What I miss is context sensitive right clicking in explorer
on a file to scan, but the active agent should catch it when it attempts to
execute so this is strictly a nice to have. 
The AV claims to incorporate an anti-rootkit engine called "Blacklight".
I didn't have the opportunity or desire to test the accuracy of this
scanner.  
Scan times are acceptable, but on a laptop drive any actual timing data
would be negatively skewed so no timing was done. This can be set to
run during idle system time and Anti-spyware is integrated with the
virus scan.
Also the application had to be disabled when installing most software.
This is a limitation of many AV products, but F-secure seemed to have
more issues than other AV products I've used in the past, this could be
related to the three AV engines. It was easier to disable the whole
program rather than the AV when doing an install (via right click on the
taskbar). Ideally I should have the option of temporarily disabling just
the AV from the taskbar, after a configurable amount of time it should
be able to automatically restart.
FIREWALL
The only firewall "weakness"
is the lack of a browser header referrer block. (Using PC Flank/Sygate's
test site/ GRC) F-Secure withstood anything I threw against it.  Leak
tests simply didn't leak.
Because the referral header is not spoofed web admins can see where you
came from which I dislike.  I've found a Firefox extension that does the
same thing so I can do without this function. The other non-intuitive
thing is, if you want to add a rule, you must first set the protection
to "custom". The system should do this automatically. The rules have a
plethora of options and may be confusing to neophytes.
I had issues attempting to open a range of ports for an application
(thereby limiting its outbound/inbound access).  The help claims you can
do this, but the fields were not editable for some reason (I suspect
this is due to something I didn't do and plan to play with this more
later). This can be taken as an unclear UI or user error, or combination
of the two.
ANTI-SPAM
F-Secure 2005 rated poorly in spam prevention and I have no reason to
assume it's changed as I did not test this feature. I will say it's not
very customizable or adequately explained.  Does block go to the trash or
Outlook 2003's Spam folder?  Outlook 2003's filter has been sufficient
for my needs.  If there is a request from someone on this list I will
test this, but did not do it for myself.  
ANTI-SPYWARE
Seems effective, but at this juncture it's primarily been for cookie
deletion, it seemed to find Alexia on a system that probably didn't have
it, though fixing it hasn't done any harm and the notification did not
recur, so it's possible I had some traces that were not fully removed by
other anti-spyware applications.   Scan times are acceptable, but on a
laptop drive any actual data would be skewed so no timing was done.
The system notifies you if your startup has been changed and the details
tab explains the application attempting to make a change.
RESOURCES
Thus far I haven't seen any significant slowdown on a virgin rebuild of
Win XP (1GB RAM 40GB HD on a 1GHZ system). The program was run with
parental rules off and takes up about 16MB of RAM with the various
TSR's. I feel this could be improved, but not at the expense of security
or AV detection/removal. 
SUPPORT
Support is available via e-mail and phone (if you can find the phone
number) they responded to e-mails within ~24 hours.  The E-mail support
seemed a bit more knowledgeable than the phone support though both were
helpful.
USER INTERFACE
Upon getting the product users must tell it to scan within archives.  I
think this should be on by default, but the engine stops malware when it
attempts to execute.
The UI is usable, and for the most part intuitive with some oddities
that could be improved. But the firewall has an IDS/IPS which ZA and
McAfee lack (IPS is untested as of this writing).  Unfortunately the
dialog cannot be resized and may be hard to read on high resolution
monitors. 
COMPARISONS  
Zone Alarm 6 Suite - Zone Alarm users have had numerous problems with
version 6, my issues continue even though the last build was supposed to
rectify this issue.  Average to poor AV coupled with the lack of an IPS
has prompted this search for a new product.    ZA is lighter on
resources than F-secure and the spam filter is better, but Outlook 2003
seems to do a better job, but is less full featured. 
Support for Zone Alarm, I'm sorry to say is, USELESS.  I've had 2 of the
three E-mails I've sent completely ignored (including an incompatibility
that prevented the use of some features). The third answered a
completely different question and bore no relation whatsoever to the
question asked.
I didn't care for the forum, and feel that as the most widely used
firewall it's the most likely to be attacked. Needs two scans, one for
AV and one for Viruses. Conflicts with some software that was compatible
with Sygate and disabled several features because of the aforementioned
incompatibility. 
Sygate - Best firewall IMHO. Lite on resources, excellent IPS, no AV in
the version I used but this product has been effectively discontinued.
Support was virtually useless, but the forum members were knowledgeable,
helpful, and responsive and the product was quite intuitive.
Norton 2003 - Bloated, good AV, good UI, uninstall can create serious
issues and I have horror stories even using their "clean tool" it
doesn't clear all of their software from the registry. I stopped using
Norton's in '03 and it would require a lot of work to get me to
re-install or even review this product unless it has been re-coded from
scratch  (hopefully by the recently acquired Sygate team) and new
programming methodologies were used. 
Tiny - Good firewall bad UI
Kerio - discontinued
AREAS FOR IMPROVEMENT
Scanning inside archives should be on by default as should scan all file
types (since the jpeg exploit nothing is safe in my mind).  Context
sensitive virus scanning should be added to explorer and browser header
spoofing should be added to the core product as well.  The product
should be able to live harmoniously with Spybot or a better explanation
should be given. 
The administrative window needs to be resizable and currently is
difficult to read, especially in the rules section, where the text is
cut off by the small window. The UI, especially for the advanced
configuration options, is really the weakest point of this product and
should be re-evaluated and re-built.  
I'd also like to be able to see a list of all the ports in use on the
system as part of the interface (there are other utilities for this so
it's forgivable).
The alert and logging for F-secure is extensive, but difficult to read,
I was running an app as a server and received constant alerts about UDP
and ICMP from the various outside systems. The alerts didn't stop until
I turned off alerts for everything but intrusion detection. The app in
question seems to work with those ports blocked, so it may well be that
the new version does not use those protocols and those running older
apps are trying to connect to ports that F-secure did (and should if
that is the case) block.
When I rebooted the system F-secure began populating pop-up errors again
(until the app that handles them started).  I'd like better control over
what causes a pop-up alert.
F-Secure attempted no notification when I modified my hosts file.  I
would have expected some notification as it could have been done
maliciously by an unknown Trojan. 
If I seem overly harsh it is because I can always see areas of
improvement (you should see write ups of things I dislike).  The fact is
none of the firewalls in this space is perfect, none meets all my needs.
For a market as mature as security I find this disconcerting. This being
said F-secure is a great product, but it's not perfect.
If F-Secure wishes to contact me I have additional suggestions, but some
are outside the scope of this review. I'm not looking for money, but I
do want to make this a program that is both accessible and robust.
SUMMARY 
F-secure is an excellent product, as long as you have a relatively new
PC with enough RAM and understand security concepts. It seems to be the
best choice based on reviews of numerous firewall products. Due to the
UI, this wouldn't be my first choice for a neophyte, especially if they
have my home number, but I would definitely recommend this for an
average/advanced user.    
F-secure Anti-virus, including Kaspersky, is the best there is and the
inclusion of a rootkit sniffer makes you that much safer, as no other
product attempts to find and remove this malware. (sysinternals has a
scanner but lacks removal functions & you have to be able to interpret
the information and that's not intuitive).
One interesting side note, before re-building my laptop, I accidentally
installed F-secure over Avast.  The products were smart enough to turn
off the real time protection of Avast while allowing manual scans
without conflict, very nice.
More importantly support is helpful and knowledgeable and can be reached
via both email and phone (phone is at ~$4.00 a minute) E-mail responses
are courteous and knowledgeable. The UI trails behind ZA for ease of use
especially in the area of advanced rules. 
While this has an IPS I was unable to test it.  The price is a little
high, but I'm willing to pay for good security.  Once the trial time
expires I will purchase this software, I care primarily about
security/virus protection/adware. I don't need another mail filter, or
parental controls (my son is 11 months old, and I don't plan to let him
online without my being in the room until he's ~16).  These are nice to
have, but not part of the equation at this point in my life. 
 
My Rating:
Features - 8
AV - 10
Adware - 9 (based on others reviews of 2005 and the lavasoft pro engine
10 if this could be made compatible w/ Spybot S&D)
Firewall - 10
UI - 8 for basic (7 for advanced)
 
I'm happy to answer any questions at the address below.

Lance Druger
ldruger () gmail com

