VB100 Comparative Review on SUSE Linux Enterprise Server 12

John Hawes

Virus Bulletin

Copyright © 2016 Virus Bulletin


 

Introduction

Our annual Linux comparative provides a welcome change for the lab team – a different platform, and a very different selection of products. Although the field of competitors for Linux tests is invariably smaller than in our Windows tests, the process of setting up and operating those products tends to be rather more challenging, with GUIs rare and most of the work done via the command line. This makes finding and figuring out often complex and unintuitive methods of configuring and operating products a much bigger part of the testing process; once the initial deciphering has been dealt with, running the tests tends to be a much faster and simpler process, with these business-oriented products tending to be ruggedly dependable, speedy and simple to automate.

With the publishing of our reports still somewhat behind schedule, this report has been kept simple to speed up the process of getting it out to our readers.

Platform and test sets

The Linux variant chosen for this test was SUSE Linux Enterprise Server 12, the latest iteration of one of the larger and more serious business-oriented distributions. With the team well-versed in Linux installation and operation – using various distributions in our back-end systems and even on the official test machines themselves for forensic and re-imaging purposes – setting up the environment was fairly straightforward, helped by the ever-slicker install systems built into modern professional distributions. Having few enough products for each to reside on a dedicated system for the duration of the test also made things easier.

For testing purposes, each system was set up with a Samba share, mounted on a client machine running Windows 10 to simulate a user connected to a corporate fileserver; all on-access tests were run from this client.

The selection of products was small but solid, with most of our most regular participants taking part. As is often the case, we had a couple of additional submissions which proved incompatible with our test design or environment, and which were removed from the test after some initial trials.

The test sets were synchronised for the test deadline of 16 December, with tests commencing in early January and complete by early February. The WildList used was v4.024, released on the test deadline day itself. Our other test sets were updated using our standard processes, with the clean sets little changed from previous tests, still weighing in at around 750,000 files, 160GB of data.

Results

Avast for Linux

Main version: 2.1.0
Update versions: 16012000, 16012601, 16020200
Last 6 tests: 6 passed, 0 failed, 0 no entry
Last 12 tests: 10 passed, 2 failed, 0 no entry
ItW on demand: 100.00%
ItW on access: 100.00%
False positives: 0
Stability: Solid

Avast's Linux solution is fairly simple to install and operate, using RPM install packages, standard init scripts, and pleasingly clear and simple configuration files and command-line syntax. It blasted through our tests with no stability problems or other issues; the only negative noted by the lab team was a lack of on-read protection, all of our on-access tests being done on write instead. This explains the very low overhead scores in our file access speed measures. Our set of standard activities, which do include a fair amount of writing to disk, were also very fast though, indicating a light and speedy product all round.

Detection was reasonable, and with a clean run through the certification sets a VB100 award is comfortably earned by Avast.

 

AVG Anti-Virus for Linux/FreeBSD

Main version: 13.0.3118
Update versions: 4477/11188, 11443, 11490, 11539
Last 6 tests: 6 passed, 0 failed, 0 no entry
Last 12 tests: 12 passed, 0 failed, 0 no entry
ItW on demand: 100.00%
ItW on access: 100.00%
False positives: 0
Stability: Stable

Also using RPM installers and a set of fairly simple and clear command-line tools for its operations, AVG's Linux solution was quick and easy to set up and use. Stability was almost perfect, our rating dented only by a single incident of a scan failing to complete. On-demand scanning speeds were very fast indeed and on-access overheads reasonably light, with a fairly low impact on our set of activities.

Detection was solid, well up with the rest of the field, and the core sets were handled adroitly, earning AVG a VB100 award.

 

Bitdefender Security for Samba Linux

Main version: 3.10.0.150323(30597)
Update versions: 3.10.0.140729(29018), 7.64245, 7.64304, 7.64371
Last 6 tests: 6 passed, 0 failed, 0 no entry
Last 12 tests: 12 passed, 0 failed, 0 no entry
ItW on demand: 100.00%
ItW on access: 100.00%
False positives: 0
Stability: Fair

Bitdefender's installation RPM comes wrapped in a set‑up script which helps the user through the basic tasks of getting it up and running; the command line syntax is a little more complex than necessary but soon becomes intuitive once the basic structure has been figured out, and a web-based console is also provided for those with an aversion to typing. Stability was a little below par, a number of scans crashing out with segmentation faults and updates also failing a few times. Scanning speeds were fairly average but overheads seemed a little heavy, with our set of activities particularly slow to complete.

Detection was excellent though, with good scores everywhere, and the product had no problems earning VB100 certification.

 

eScan Anti-Virus for Linux

Main version: 7.0-3
Update versions: 7.63834, 7.64245, 7.64305, 7.64371
Last 6 tests: 6 passed, 0 failed, 0 no entry
Last 12 tests: 12 passed, 0 failed, 0 no entry
ItW on demand: 100.00%
ItW on access: 100.00%
False positives: 0
Stability: Stable

Incorporating the Bitdefender engine, eScan's Linux product requires installation of a number of RPM packages and manual adjustment of the Samba configuration file to ensure it is protected, but overall the process proved fairly quick and simple. Operation required a dual approach, with most tasks accessible via the command line but some requiring the use of a web interface. Stability was good, with the only issue noted being an oddity with some of our performance testing tools, which repeatedly crashed when trying to run from the protected share. Following a quick analysis of the problem by the developers, a patch was deployed, which soon fixed this minor issue. Scanning speeds were pretty similar to other participants this month, file access overheads a little on the high side, and our set of tasks ran through in very good time.

Detection rates very closely matched those of Bitdefender, as one might expect, and with a good showing across the board a VB100 award is easily earned by eScan.

 

ESET Security

Main version: 4.5.3
Update versions: 12732, 12899, 12929, 12966
Last 6 tests: 6 passed, 0 failed, 0 no entry
Last 12 tests: 12 passed, 0 failed, 0 no entry
ItW on demand: 100.00%
ItW on access: 100.00%
False positives: 0
Stability: Solid

The last entry on this month's rather short list of products is of course ESET, yet to miss out on a VB100 award in many, many years. The vendor's Linux edition is provided as a single RPM file, with operation performed properly through traditional configuration files, which proved clear and simple to work with. Stability was impeccable, with no issues observed, and scanning speeds were pretty good too, with a pleasingly light impact on our set of tasks.

Detection was also fairly strong, and with yet another perfect run in the certification sets, ESET adds another VB100 award to its huge collection.

 

Untested products

Additional products were submitted for testing by iSheriff and Norman; both were found to lack some of the required features and were dropped from the test.

Conclusions

Linux remains a fairly niche platform on the desktop but holds a strong share of the server market, particularly for web and virtualization purposes. As such, it remains a major target for cybercriminals as well as a simple vector for spreading malicious infections through an organization, so protection is vital. It's good to see that there is a selection of well-built, dependable products available to admins.

This month's set of products all met the basic requirements of VB100 certification, and went much further in their strong detection rates and useful features. Next time we will be back on Windows, with a much wider range of products, and no doubt a correspondingly wide range of levels of quality.

Technical details

All tests were run on identical systems with AMD A6-3670K Quad Core 2.7GHz processors, 4GB DUAL DDR3 1600MHz RAM, dual 500GB and 1TB SATA hard drives and gigabit networking, running SUSE Linux Enterprise Server 12, SP1. On-access and performance tests were performed from a client using the same hardware and running Microsoft Windows 10, 64-bit Professional Edition, connected to a Samba share on each test server.

 
