Kaspersky Internet Security 2010 Review
Version 220.127.116.116en
by Coenraad de Beer (Webmaster & Founder of Cyber Top Cops)
Posted on 05-04-2010
The Kaspersky Internet Security suite fared quite well the last time I reviewed it (version 7, to be exact). So I was really excited to see how Kaspersky Lab improved their Internet Security product over the years.
Before we get to the installation I would like to make a note on the Kaspersky Security Network Data Collection Statement, the third screen of the setup procedure. I would like to see Kaspersky Lab change this screen a bit. I believe users should deliberately agree to the terms of this statement rather than the setup program preselecting the "I agree" check-box. I don't like the idea of software transmitting data from my computer, just because I missed a simple, preselected check-box. So many users will simply click on the install button without noticing the check-box on the left, so Kaspersky Lab should take every precaution possible to make sure the user knows that he/she is participating in this data collection program. Please note you can still install the software without accepting the terms of participation in the Kaspersky Security Network. OK, I had my say about this, so we can move on to the installation procedure.
Installation was a breeze with a quick activation procedure at the end. No user interaction was required until the Kaspersky Internet Security Configuration Wizard appeared, making the installation effortless and easy. The configuration wizard does an analysis of your computer, identifying commonly used and trusted applications used on the Microsoft Windows operating system. Less known applications will of course be analysed upon execution (in other words when you run them). Additional configuration is done when Kaspersky Internet Security starts for the first time, but this process did not take too long on our system. The speed of this process may differ from system to system depending on the memory load, capacity of the processor and the performance capabilities of your system's hardware.
Immediately after installation, Kaspersky Internet Security reported that its databases were obsolete and needed updating. An intuitive “Fix it now” button in the top-left corner allows the user to attend to known problems immediately. In my case, the update procedure started automatically as soon as I clicked the “Fix it now” button. One downside of the update procedure is that it doesn't show the size of the update beforehand or an estimated time for download, only the size of the data already downloaded, the elapsed time of the download procedure and a percentage of completion. In countries where bandwidth costs are high, you want to know the size of an update beforehand, because file sizes are a big issue in these countries, so Kaspersky Lab might want to add such a feature. It is always good to communicate the size and estimated time of a download to your users, regardless of the speed of their Internet connection. I can always calculate these figures on my own, but a computer is supposed to make my life easier, not the other way around. The indicators are not accurate anyway. The percentage indicator showed 100% after 13MB was downloaded, but it continued to download another 2 MB after that. So you see why it is important to communicate the size of the download to your users. At some stage I had no idea how long the update would take to complete. This can be pretty frustrating on a slow connection. Not all components were updated on the first run so I had to run the update procedure one more time.
The update centre shows a list of the different databases and their release dates. This gives you a pretty good idea about the kind of protection Kaspersky Internet Security has to offer. The databases are divided into the following categories: Malware, Banners, Phishing sites, Spam, Malicious scripts, Suspicious Sites, Network Attacks and Rules for security analysis. The Malicious Scripts database is the most outdated (roughly updated 6 months ago) and the Network Attacks and Rules For Security Analysis databases were both updated in the previous month. All the other databases were updated less than a day ago, with the only exception being the Banners database, updated two days ago. So the most important databases are updated quite frequently, protecting your system against the most recent threats. Malicious scripts are not as dynamic as malware, so that database does not need updating as often as a malware database, for instance. When you deal with malware, you may easily get several variants of the same malware, meaning that the malicious code stays basically the same, the malware only disguises the malicious code in a different way. In other words, two malware samples may look different, but they can still do exactly the same damage. But this is only my theory on this subject, Kaspersky Lab may have a completely different reason for not updating the Malicious Scripts database very often.
Additional Setup Procedures
By now my computer's Protection Status was set to protected, but I still had to train the Anti-Spam filter. Kaspersky Lab seems to focus on white-list training, because the Anti-Spam filter requires at least 50 non-spam e-mails for training. The process is quite easy. You simply click on the status button and start the Anti-spam Training Wizard. Here you specify non-spam samples and if you have spam samples you can tell the wizard which e-mails you regard as spam. The only drawback is that the training wizard only supports e-mail samples from Microsoft Office Outlook & Microsoft Outlook Express. I will discuss the spam filter's functionality later in my review.
The application has a sleek design and a very modern look. It is easy to do basic tasks like scanning and updating and fixing problems, but when it comes to more advanced tasks you may find yourself walking in circles before you find what you are looking for. For example, I had a hard time configuring the firewall component and in some cases I just gave up on what I was trying to achieve, because the interface frustrated me so much, that it seemed impossible to accomplish common tasks like white-listing or black-listing a specific computer on your local network. But apart from my frustrations with the configuration of certain components, I found the user interface intuitive and easy to use.
Kaspersky Internet Security certainly has a negative impact on your computer's performance, just like any other Internet Security suite would, but I would not call it a resource hog. The first thing you normally notice after installing security software, especially firewalls, is that it takes longer to get past the Windows Welcome screen. Surprisingly, Kaspersky Internet Security did not increase the loading time during the display of the Welcome screen. The system takes a little longer to complete the startup process, but I could not really complain about the rest of my system's performance once Kaspersky Internet Security was installed. The minimum requirements according to Kaspersky Lab's website are an Intel Pentium 300 MHz processor with 256MB of RAM on Windows XP, or an Intel Pentium 800 MHz processor with 512MB of RAM on Windows Vista, or an Intel Pentium 1 GHz processor with 1GB of RAM (32-bit) or 2GB (64-bit) on Windows 7. In my humble opinion, 300MHz with 256MB of RAM on Windows XP is really pushing the computer to its limits (unless KIS2010 is the only program installed on the computer). With the processing needs of today's average computer user, I would say you will at least need a 1GHz processor with 1GB of RAM, just to play it safe on Windows XP. To avoid performance issues on Windows Vista or Windows 7, I recommend that you at least use it on a system with a 2GHz processor and 2GB of RAM.
But why so much processing power? Kaspersky Internet Security packs several different resident shields and all of them take up some processing and memory resources. So if you are used to listening to music in Windows Media Player and downloading e-mail in the background while working on several spreadsheets or word processing documents at the same time, you can forget about doing all of that on a 300MHz system with 256MB of RAM (regardless of whether you have security software installed on the computer or not). KIS2010 consists of 13 different security components and provides file and private data protection, overall system security as well as online security. These components are:
- File Anti-Virus: Protects computer's file system against viruses and other malware
- Mail Anti-Virus: Scans incoming and outgoing mail messages for the presence of malicious objects
- Web Anti-Virus: Scans HTTP traffic for the presence of malicious and unwanted objects
- IM Anti-Virus: Scans incoming and outgoing IM messages for the presence of malicious and unwanted objects
- Application Control: Monitors activity of all applications and processes on your computer
- Proactive Defence: Preventive protection against both known and unknown threats
- Firewall: Filters all network activities to ensure security on local networks and the Internet
- Network Attack Blocker: Protects your computer against all kinds of network attacks
- Anti-Spam: Scans incoming messages for the presence of spam
- Network Monitor: Gathers real time information about network activities
- Anti-Phishing: Filtering access to phishing websites and preventing phishing attacks
- Anti-Banner (disabled by default): Blocks advertisements presented as banners on websites and user interfaces of some applications
- Parental Control (disabled by default): Restricts and tracks access to Internet resources, email, chat and more
So it is clear from the list above that Kaspersky Internet Security 2010 does a lot of work and provides protection against computer security threats on a very wide field. There is basically not a single computer security threat that I can think of, that's not covered by KIS2010. But let's take a closer look at each of these components.
File Anti-Virus Component
This component is the resident shield that provides real time protection against malware attacks. The term malware includes viruses and worms, Trojan horses, malicious tools (e.g. hacker utilities), adware (spyware), auto-diallers, suspicious compressed files and multi-packed objects. It scans only new and modified files, added since the last time the system was scanned, by utilising iChecker and iSwift (for NTFS file systems) technologies, specially developed to improve scan speeds. Heuristic analysis is also used to scan for unknown malicious objects, not yet added to the malware signature databases. Scanning is done on the basis of deciding whether scanning is necessary, by analysing the operations performed on a specific object (for example if you work on a Microsoft Office document, it is only scanned when the file is opened and closed and not when it is overwritten by intermediate operations). This mode of scanning is called Smart Mode and is used by default. Several other scan modes exist, namely “On access and modification”, “On access” and “On execution”. These modes are rather self explanatory and I won't discuss them any further.
Mail Anti-Virus Component
Another resident shield that scans e-mail messages received via POP3, SMTP, IMAP, MAPI and NNTP protocols (including scanning on secure SSL connections for POP3 and IMAP). It appears to me as if this component acts as a proxy between the mail server and your e-mail client, in other words, it scans your e-mail for viruses before delivering them to your e-mail client. The body and attachments are scanned for malicious code and if malicious code is found it will attempt to disinfect the e-mail, by deleting the infected object and inserting text into the subject line to indicate that the e-mail has been processed by Kaspersky Internet Security. Potentially malicious code is not disinfected, but the suspicious part of the e-mail will be placed in the Quarantine area, a special storage area for infected objects, thus isolating them from the rest of your system.
Both incoming and outgoing e-mail streams are scanned by default, but can be limited to incoming e-mail only. Heuristic analysis is also used, just like with the File Anti-Virus, but while the File Anti-Virus does a light heuristic scan by default, the Mail Anti-Virus does a medium heuristic scan by default. Quite understandably, because e-mail is a very common entry point for malware, so the scanner needs to be on extra alert when scanning e-mails.
Another handy feature is the attachment filter. Here you can define an attachment type policy for your computer by allowing only certain types of attachments or by renaming certain types of attachments to prevent accidental infection. The last character of the file extension is replaced by an underscore, for example file.exe will be renamed to file.ex_, making it impossible to execute the file by accident or even on purpose.
The Mail Anti-Virus component seems to support Microsoft Outlook/Outlook Express/Windows Mail, Mozilla Thunderbird, Eudora, The Bat! and Incredimail, but it has issues with mail filters in Mozilla Thunderbird, when e-mail is transferred via IMAP. Additional plug-ins are provided for Microsoft Office and The Bat!
The Web Anti-Virus component scans HTTP traffic for malicious data and dangerous scripts. I guess you could call this component a Protocol Traffic Scanner. What are the benefits of a protocol traffic scanner? It basically scans the web traffic at its root, regardless of the program you are using, so you don't have to switch to a different browser to make use of the protection provided by this component, you can continue to use your favourite browser without sacrificing your online security. It has one limitation though, scripts are only scanned in Microsoft Internet Explorer, so if you use another browser you will only get the benefit of HTTP traffic being scanned. This doesn't make sense to me, the scripts are transferred via the HTTP protocol anyway, so why differentiate between scripts and other HTTP traffic, if the malicious code can be detected and removed before passing it on to the browser (regardless of the browser)? I mean, simply intercept the HTTP traffic, remove the malicious code and pass the sanitised HTTP traffic to the browser. Security software should be able to detect a malicious script without executing it.
The component scans HTTP traffic and scripts simultaneously and implements heuristic analysis as well. It does not only scan for malicious code, but it also checks for suspicious links to websites like phishing scam sites. Kaspersky Internet Security will block access to a link if it is found in the base of suspicious web addresses or the base of phishing web addresses. An additional plug-in for Microsoft Internet Explorer and Mozilla Firefox, called the Kaspersky URL advisor, allows the Web Anti-Virus to visually mark phishing and suspicious URLs displayed in the browser. The component allows you to white-list certain websites (i.e. exclude trusted websites from being scanned) or to blacklist websites (i.e. explicitly force the component to scan these sites).
Instant messaging platforms like ICQ, MSN, AIM, Yahoo!, Jabber, Google Talk, Mail.Ru Agent and IRC are often overlooked by software security products and this oversight has frequently been exploited by cyber criminals. Most Internet Security products include protection for Instant Messenger clients these days and KIS2010 is definitely one of them. Both incoming and outgoing messages are scanned, by default, for dangerous objects or URL's, listed in the databases of suspicious web addresses and/or phishing web addresses. Files transferred via IM clients are passed to the File Anti-virus component for scanning, a classic example of collaboration between the different components of the internet security suite, operating as a tight unit. In addition to the databases of suspicious web addresses and/or phishing web addresses, the component also applies heuristic analysis during the scanning process.
Application Control is one of the core components of Kaspersky Internet Security 2010 and there is quite a lot to say about it. However, explaining this component in detail goes beyond the scope of this review, so we will only be touching base here. The access rights of your applications make or break your system's overall security. By controlling the access rights of the applications executed on your system, you prevent certain applications from exercising rights that are not appropriate for them in specific situations. Right, that's maybe a lot to swallow, so let me put it this way. The Application Control component divides your applications into three groups, namely Safe, Dangerous and Unknown. Safe applications are the ones developed by well-known vendors, provided with digital signatures. Since the vendor is trusted you don't have to worry about applications abusing their access rights to do harm to your system. The Dangerous group applies to known threats, in other words, applications known for malicious intent. Finally the Unknown group applies to applications developed by unknown vendors, with the absence of a digital signature. These applications need to be treated with due diligence and it is recommended to restrict their access to system resources only (i.e. limit their access to user data).
The Application Control component applies a mechanism of access rights inheritance. Certain malicious applications use trusted applications to gain access to restricted data, but the Application Control component looks beyond the application accessing the data, it looks at the parent application that executed the trusted application. So in effect, malware can't operate on your system by hiding behind a trusted application. If the parent application has restricted rights, the child process, in this case the trusted application, will also have restricted rights (inherited from the parent), even though it normally has full access to system resources and data when it is executed directly by the user. For example, a Trojan Horse can't use regedit.exe to make changes to the Windows Registry, but when the user executes regedit.exe on its own, it will have the necessary access rights to modify the Windows Registry.
When an application is executed it goes through a set of analytic procedures. These procedures are explained in detail in the documentation of KIS2010, so I'm not going to elaborate on these procedures in this review. The first thing that comes to mind is performance. If the application is analysed each time it is started, won't it slow my computer down quite considerably? Not really. The application is analysed only once and the Application Control component only checks its integrity for each execution thereafter. In other words if the application was not modified since the last analysis, it won't be analysed again until you download an update for the application, for instance. Once an application is analysed it is assigned a specific status, which can be one of the following four: Trusted, Low Restricted, High Restricted and Untrusted. Each application status is basically a set of rules for read, write, delete and create permissions. These rules are applied to a set of resource categories which should be protected by Kaspersky Internet Security, namely the Operating System category and the Identity Data category. The first category includes registry settings, system files and folders and the latter includes user files, data, registry keys and settings that should be protected. The predefined settings cannot be edited, but you can renounce the protection of an item or add extra items that you feel should be protected by the Application Control component.
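The rights inheritance and analyse-once behaviour described in the two paragraphs above can be sketched as a small model. This is an added example, not Kaspersky's code: the rule table, the toy_analyse classifier with its "SIGNED:" marker, and the file contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, Optional, Tuple


class Status(IntEnum):
    """The four statuses named in the review, least to most restrictive."""
    TRUSTED = 0
    LOW_RESTRICTED = 1
    HIGH_RESTRICTED = 2
    UNTRUSTED = 3


ALL_OPS = frozenset({"read", "write", "create", "delete"})

# Constructed rule table (assumption): operations each status may perform on
# the two protected resource categories the review mentions.
RULES: Dict[Status, Dict[str, frozenset]] = {
    Status.TRUSTED: {"Operating System": ALL_OPS, "Identity Data": ALL_OPS},
    Status.LOW_RESTRICTED: {"Operating System": frozenset({"read"}),
                            "Identity Data": frozenset({"read"})},
    Status.HIGH_RESTRICTED: {"Operating System": frozenset({"read"}),
                             "Identity Data": frozenset()},
    Status.UNTRUSTED: {"Operating System": frozenset(),
                       "Identity Data": frozenset()},
}


@dataclass
class Process:
    image: str
    status: Status
    parent: Optional["Process"] = None

    def effective_status(self) -> Status:
        """Most restrictive status found on the chain of parent processes."""
        status, node = self.status, self.parent
        while node is not None:
            status = max(status, node.status)
            node = node.parent
        return status

    def allowed(self, category: str, operation: str) -> bool:
        return operation in RULES[self.effective_status()][category]


class ApplicationControl:
    """Analyse an executable once; afterwards only re-check its integrity."""

    def __init__(self, analyse: Callable[[bytes], Status]) -> None:
        self._analyse = analyse
        self._known: Dict[str, Tuple[str, Status]] = {}
        self.full_analyses = 0

    def status_for(self, path: str, content: bytes) -> Status:
        digest = hashlib.sha256(content).hexdigest()
        cached = self._known.get(path)
        if cached is not None and cached[0] == digest:
            return cached[1]          # unchanged since the last analysis
        self.full_analyses += 1       # new or modified file: analyse again
        status = self._analyse(content)
        self._known[path] = (digest, status)
        return status


def toy_analyse(content: bytes) -> Status:
    # Hypothetical stand-in for signature verification and reputation checks.
    if content.startswith(b"SIGNED:"):
        return Status.TRUSTED
    return Status.HIGH_RESTRICTED


def demo() -> dict:
    control = ApplicationControl(toy_analyse)
    regedit = b"SIGNED:regedit build 1"   # constructed file contents
    dropper = b"unsigned downloader"      # constructed file contents

    shell = Process("explorer.exe", Status.TRUSTED)
    by_user = Process("regedit.exe",
                      control.status_for("regedit.exe", regedit), shell)
    trojan = Process("trojan.exe",
                     control.status_for("trojan.exe", dropper), shell)
    by_trojan = Process("regedit.exe",
                        control.status_for("regedit.exe", regedit), trojan)
    analyses_before_update = control.full_analyses
    # A vendor update changes the file, so the integrity check fails once.
    control.status_for("regedit.exe", b"SIGNED:regedit build 2")
    return {
        "user_can_write_registry": by_user.allowed("Operating System", "write"),
        "trojan_child_status": by_trojan.effective_status(),
        "trojan_child_can_write_registry":
            by_trojan.allowed("Operating System", "write"),
        "analyses_before_update": analyses_before_update,
        "analyses_after_update": control.full_analyses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same regedit.exe image is allowed to write to the Operating System category when started by the user, and denied when started by the restricted process.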
KIS2010 has a feature called the Safe Run or Sandbox environment. This is a virtual, protected environment in which you can run third-party applications for improved security and protection of your system and personal data. For example if you run your browser in the Safe Run mode, KIS2010 will prevent malware from penetrating your system through your browser, thus protecting your system's integrity as well as your personal data. Kaspersky Lab recommends that you do not run applications whose authenticity is not evident to you, when working in Safe Mode. I can understand some applications could make improper changes to your system due to the restrictions placed on an application when it is run in Safe Run mode, but doesn't this beat the whole purpose of the sandbox effect? I mean, a protected virtual environment is an ideal place to examine an unknown program without putting your system at risk. But I guess the sole purpose of the Safe Run mode is to add an additional layer of protection around known applications, where the risk of an attack through such an application is very high, for instance a web browser like Microsoft Internet Explorer. This feature works fine in a 32-bit environment, but there seem to be issues on the 64-bit versions of Windows Vista and Windows 7 (This feature is not available on computers running Microsoft Windows XP x64).
Kaspersky Internet Security has a good firewall component, but it is not without its faults. The firewall is able to assign proper access to applications and networks with minimal user interaction. That is a bonus for inexperienced users looking for an easy to use Internet Security Suite. Some firewalls virtually drown you in firewall alerts and drive you up against the wall with all the pop-ups and confirmation boxes, but the Firewall Component of KIS2010 is unobtrusive and easy to use. Configuring the firewall and changing its settings is not meant for every user, however; some experience with firewalls is a given, so don't go fiddling with the firewall settings if you don't know what you are doing. The lack of confirmation pop-ups has a downside too: there are situations where a pop-up would be useful, but Kaspersky makes its own decision, which is not always the right one.
Like any firewall, it has a set of rules for different applications, divided into four groups, namely Trusted, Low Restricted, High Restricted and Untrusted. They have the same names as the four status groups of the Application Control component, but their application and rules are completely different. Each network you connect to can be assigned one of three statuses, namely Public network, Local network and Trusted network. The Public network is suitable for networks like the Internet where you want to keep your data private and share as little as possible with other users on the network. The Local network speaks for itself, you will assign this status to a network where you wish to share files and printers with other users of the network, but certain restrictions still apply and need to be granted or denied when the firewall prompts you for action. The Trusted network status will be assigned to networks you consider to be absolutely safe and where there is no chance of network attacks and unauthorised attempts to gain access to privileged data. All network activity is allowed on Trusted networks.
Although the firewall is unobtrusive and easy to use, it is a pain in the neck to change the network status of a specific application (for example changing the status from High Restricted to Trusted or vice versa). The Filtering Rules tab has buttons to edit and delete certain rules, but they are all disabled, even the Move up and Move down buttons are disabled. What I can't understand is, why do you add buttons to a screen if the user can't use them (they only seem to work for Packet rules). Luckily you can change the status of the application while it is running. On the main screen you have to click on My Security Zone and then on the 'Application activity' link, next to the graph with the green, yellow and red bars. Right-click on the application in question and make your selection from the 'Change status' menu. You can also change the status of applications not running, but then you have to choose the 'All' option from the list of categories and it can be quite difficult to find the desired application among the long list of applications. With all being said, this method of changing the network status of an application is cumbersome and frustrating.
I ran a couple of leak tests on the firewall and it performed quite well, but not flawlessly. KIS2010 successfully blocked the outbound transmissions (in other words data being transmitted from the PC without the proper authorisation), but I was able to determine the PC's MAC address and that it was up and running by doing a simple port scan on the network (but that was about it, all other information about the PC and its ports were successfully concealed by the firewall. Also see my discussion of the Network Attack Blocker). The firewall component detected the port scan, but did not give me any option to blacklist the PC where the port scan originated, which is quite frustrating, because I should be the one to decide whether the transgressor should be blocked or not, not the firewall. Kaspersky Internet Security reckoned that the IP address could be spoofed and therefore did not block the IP address where the port scan originated. In this case the IP address wasn't spoofed, so a word of advice to Kaspersky Lab, if there are too many variables to consider, rather leave it up to the user to decide whether to block or not.
Apart from the couple of issues mentioned above, I can't find any other faults with the operation of the firewall. The firewall keeps running even if you terminate the application interface and the firewall will only terminate once the system totally stops.
The Proactive Defense component is basically the heuristic analyser of Kaspersky Internet Security. This component operates on a preventative basis, as opposed to the signature based scanners operating on a reactive basis. The Proactive Defense component analyses an application's activity and if the activity is found to be suspicious or similar to the behaviour of malicious software, it will prompt the user for action, by default. It uses a list of dangerous sequences, normally associated with malicious behaviour. This list is updated from time to time when new forms of malicious behaviour are discovered by Kaspersky Lab. It must be noted that these operations could be used for legitimate purposes as well, so it was a good move from Kaspersky Lab to make “Prompt for action” the default behaviour. System processes are not monitored by default. This can be enabled from the Settings screen, but monitoring system processes could have a negative effect on your system's performance if you do not have adequate processing power and physical memory (RAM).
Network Attack Blocker
The name speaks for itself, but I find it strange to have a separate component for network attacks. It is actually the firewall's job to prevent network attacks. Closer investigation revealed that certain ports are concealed by the Network Attack Blocker and not the firewall. Apart from disabling it and changing the duration for blocking an attacking computer, there is not much to do with the Network Attack Blocker. If there is so little to do with this component, why not integrate it with the firewall component?
I mentioned the Anti-Spam component earlier in my review. A little training is required to make the spam filter work, however, 50 e-mails is hardly enough for most spam filters and it normally takes months before the training really starts to pay off. So it is not possible to test a Bayesian spam filter effectively within a limited amount of time. But even with that being said, I'm disappointed with the results of the Kaspersky Internet Security's spam filter. For starters, I had a hard time getting the spam filter to work in Thunderbird. The Options button in the Add-ons screen did not work at all and the Kaspersky Anti-Spam module icon, in the lower-right corner of Thunderbird, was grey (meaning the plugin was not functioning correctly). Exiting Thunderbird and running the following command from Start > Run, fixed the problem: regsvr32 "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\asppp.dll". So apparently the plugin has to be registered manually if Kaspersky Internet Security 2010 was installed before Thunderbird. To some extent it makes sense not to register a DLL if it is not going to be used, but enabling and disabling support for a specific e-mail client should be done from the security suite itself, in this case the Anti-Spam Settings screen, and not via a complicated method like the one mentioned above. When I say complicated, I say it with novice users in mind, they will never think of registering DLLs to get the component to work.
But even after I got the plugin to work, I did not have the same level of flexibility with spam filtering as in Outlook Express. Marking an e-mail as spam does not automatically move the message to the Junk folder; instead, Kaspersky Lab suggests you use filtering rules to check for the [!! SPAM] and [?? Probable Spam] tags in the subject line. So there is still a bit of work to be done with this plugin. To add insult to injury, the plugin does not work in Thunderbird 3 and I can't see why Kaspersky Lab is taking so long to release an updated version of the plugin. Release Candidates and Alpha versions have been available for quite some time, so it is obvious Thunderbird is not a priority for Kaspersky. Not a wise business move in my humble opinion, Thunderbird users are very loyal and will rather move on to a different Internet Security product than abandon their trusty e-mail client.
The Kaspersky Internet Security 2010 Anti-Spam filter has a lot of potential (Heuristic analysis, GSG technology for image recognition, analysis of RTF files and self-training text recognition with iBayes), but when it comes to actual spam filtering, it really disappoints me. Obvious spam e-mails are not marked as spam (after it has been trained with 50+ spam e-mails and 50+ non-spam e-mails), so how much training is needed before the user can see any results? The spam filtering started to improve after training the spam filter with another 100+ spam e-mails, but even after all the additional training it still allowed obvious spam e-mails to come through. The spam filter can be customised to scan for specific keywords and the Mail Dispatcher can be used to preview the headers of e-mails before downloading them to your e-mail client. This is all very helpful for advanced users, but novice users need a spam filter that works out of the box and the Anti-Spam component, unfortunately, is not one of those.
The Anti-Banner component is disabled by default, because banners can sometimes be useful for navigation on the web. However in some instances a banner can become annoying (for example the ads in your IM client), so instead of using the common banner list, you can specify your own Black list of addresses that should be blocked or a White list of addresses that should be allowed. It is a nifty little tool that allows you to block unwanted banners and allow the ones you like.
The Parental Control component remains one of the most effective parental controls I've seen so far. It gives you as a parent a lot of options of what to block and what to allow. I tried to open several websites with inappropriate content for children and each web page was blocked successfully, whether I tried to visit the site directly or via a search engine like Google. The success of this component does not lie in an extensive database of inappropriate websites, but rather its heuristic analysis. Most of the blocking is done by a heuristic scanner, so there are fewer worries about sites not included in some kind of database of forbidden sites. This makes your job as a parent easier, because you don't need to know the addresses of all the forbidden sites for children and enter them one by one into a black list. You also don't need to know all the addresses that are safe for children, it is practically impossible. However the Parental Control component has a white list where you can exclude specific websites you regard as safe for your children and a black list where you can explicitly block specific websites you regard as inappropriate for your children. KIS2010 can be password protected to prevent unauthorised deactivation of the Parental Control.
Malware Tests –
Apart from all the fancy features of an Internet Security suite, it all comes down to one thing: is it able to protect a computer against malicious attacks? The first thing I did was to start a Vulnerability Scan. The scan was rather quick and finished within 10 minutes. Several high-risk vulnerabilities were successfully detected and KIS2010 made a clear distinction between critical and low-risk vulnerabilities. It does not only scan for generic system vulnerabilities but also for specific vulnerabilities in the applications installed on your computer. Each system vulnerability listed has a “Fix it” and a “Details” button. The “Fix it” button provides an instant fix for the problem and the “Details” button provides a detailed description of the vulnerability. Fixing the vulnerabilities one by one may be the safest route to follow, but a “Fix all” button with a confirmation that the user reviewed all vulnerabilities will serve the same purpose and will be much more convenient. Each application vulnerability has a “Details” and an “Add to exclusions” button. The “Details” button produces a detailed report on how to fix the vulnerability, which normally involves an update or patch to be downloaded from the vendor of the software in question. Kaspersky Internet Security was able to fix most of the system vulnerabilities, except the problem with the Automatic Update settings. I deliberately disabled the options on the Automatic Update settings dialog to see if the Vulnerability Scan could detect and fix it. KIS2010 detected the vulnerability but failed to restore access to these options, because it did not remove the AUOptions and NoAutoUpdate values in the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU; it only removed the DisableWindowsUpdateAccess value under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate.
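The registry check described above, as an added example (not part of the original review and not Kaspersky's code): a read-only PowerShell script that reports which of the three values named in the review are still set, so it can be run before and after a fix to see what was actually removed. The function name Get-UpdatePolicyValue is hypothetical.

```powershell
# Added example: audit the Windows Update policy values named in the review.
# Read-only; it does not change anything in the registry.

# Key paths and value names are the ones quoted in the review text.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'AUOptions' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'; Name = 'DisableWindowsUpdateAccess' }
)

# Hypothetical helper: returns one result object per registry value.
function Get-UpdatePolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # A missing key and a missing value both come back as $null here,
    # and both mean "no policy value set at this location".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Present = $false; Value = $null }
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; Present = $true; Value = $item.$Name }
}

$results = foreach ($c in $checks) {
    Get-UpdatePolicyValue -Path $c.Path -Name $c.Name
}

# Full picture first, then a one-line verdict.
$results | Format-Table -AutoSize | Out-String | Write-Output

$remaining = @($results | Where-Object { $_.Present })
if ($remaining.Count -gt 0) {
    $names = ($remaining | ForEach-Object { $_.Name }) -join ', '
    Write-Output "Still present after the fix: $names"
} else {
    Write-Output 'None of the three policy values are present at the checked locations.'
}
```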
Malware Tests – Full
An initial full scan will take some time to complete, but subsequent scans are much faster because KIS2010 only scans files modified and created since the last scan. The scanner picked up almost all our malware samples and only failed to detect one or two. I expected a 100% pass rate but no malware scanner is perfect. Several samples were disinfected but most malware samples were either quarantined or deleted (which is common behaviour for a malware scanner). The scan was completely automatic and required no user interaction, so you can start a scan and leave the rest to Kaspersky Internet Security. At the end of the scan I had the option of neutralising all infections, not yet treated by the scanner, at once.
But it is always easy to remove dormant malware samples just waiting to be detected, so I infected the test PC with a couple of randomly selected samples to see how KIS2010 performed against a live threat. It took several scans and restarts and at some stage it looked like Kaspersky Internet Security was running around in circles, but it eventually succeeded in removing most threats completely.
OK so we scanned some files, we removed some threats, but how about attacking the security suite directly? KIS2010 is very stable and crashing it is a tough task to accomplish, so malware will have a hard time getting rid of this security suite. I tried several termination methods and all of them failed. Kaspersky Internet Security holds its ground against external interference quite well.
KIS2010 does a complete removal of all files related to the security suite, but you have the option of saving certain application objects like the activation data, anti-spam databases, protection settings, etc. All components were completely removed and I had absolutely no issues with left-over firewall settings or file access errors (which are common issues after removing poorly designed security software). So 10/10 to Kaspersky Lab for restoring my system exactly to the state in which it was before KIS2010 was installed.
Kaspersky Internet Security is a solid Internet security suite providing state-of-the-art protection against the latest malware threats and online fraud. There are a lot of good things to say about this security suite, but you can't ignore its weaknesses and areas of poor design (for example the anti-spam and firewall components), so there is obviously some room for improvement. It may be a bit expensive in terms of price, but you pay for a lot of useful and important features. People may argue that you can buy 3 licences of another well-known Internet security suite for more or less the same price. That may well be the case, but what is the use of 3 licences if you only have one PC? I give a definite thumbs up to Kaspersky Internet Security 2010.