
Norman obtains TÜV certification for its proactive virus protection

7/11/2006

Norman, one of the world's leading manufacturers of data and network security solutions, has obtained TÜV certification for its proactive virus protection from the TÜV Saarland Group. Norman is the first company in Germany to undergo rigorous testing in this sector, and is therefore the first supplier on the market authorised to use the caption "verified proactive virus protection". The specialist company tekit Consult Bonn GmbH (www.tekit.de), which belongs to the TÜV Saarland Group, carefully examined Norman's sandbox technology. This represents an approach to a problem whereby a complete computer is simulated with a high number of APIs referencing the operating system and other application programmes.

In this way, any suspicious file will be executed in this standalone virtual environment where it cannot cause any damage. This involves analysing the suspected malware to see how it interacts with the APIs provided. In addition, it establishes what write/read access activity is occurring in the file system, registry or network interface and, based on the assessment of the executed file's behaviour, a judgement is made as to whether it is malware or not. The objective of this analysis is to determine to what extent the Sandbox can distinguish malware from genuine software.

The analysis
To determine the Sandbox's capability, it was necessary to test it using actual viruses or other malware. These tests were held in an isolated high-security environment within the Tekit laboratory. There were various virus sets available with varying quantities and types of viruses or other malware, together with the Wild List virus encyclopaedia. As it was not possible to execute all viruses in the Sandbox, the most that could be done in order to verify the number of viruses actually available in the individual sets was to sample a specimen file from an anti-virus program. The regular Norman antivirus software was used for this.

The tests on individual sets from the virus encyclopaedia produced recognition rates ranging from 56% (Wild List) to up to 70% which certainly exceeded expectations. In the case of more recent viruses, the Sandbox even managed to recognise all of them. However, this means that the testing base is very small and one cannot expect to achieve figures like this in actual operation either. This is the underlying Sandbox philosophy. Because viruses (or other malware) are mainly identified by certain common features (e.g. writing to the Windows system directory) and Sandbox ultimately has to finish a test within a finite time, it cannot simulate every API which a single virus could use, but has to restrict itself to a sufficiently broad common subset of the various virus actions. Given this background, recognition rates of up to 70% are high.

The results
During the testing both of individual sets as well as the entire encyclopaedia, Sandbox recognition rates in the region of 56% to 70% were recorded. Of course, this type of test can only be carried out with known viruses, meaning that the recognition rate for new viruses by the Sandbox will tend to be at the lower limit. However, because certain virus characteristics will also remain the same in the future (use of particular interfaces, access to the file system or the registry), one can then assume that the recognition rate for new, unknown viruses will generally be a similar ballpark figure. This already signifies a relatively high degree of protection for users, particularly in the case of zero day attacks, just with the Sandbox alone.

The TÜV seal
The "verified proactive virus protection" TÜV seal is an endorsement, from an independent body, of programmes which have undergone several tests and have tested reliably. The Norman Sandbox technology has proved that it is in a position to recognise viruses proactively, i.e. before a signature has been created, on the basis of their effects. Thus, the technology prevents a situation whereby a virus first causes damage to a computer and is then identified as being malicious; rather the file is tested in a virtual environment and, if necessary, flagged as malicious and possibly even deleted.

"We are very proud to have been certified with this prestigious seal of quality by TÜV Saarland, a well-known, independent institute", says a delighted Oliver Kunzmann, Head of Professional Services & Support at Norman GmbH Germany. "This demonstrates to us that we are on the right track with our proactive security solutions and can offer our customers maximum protection."
