It has become common practice to consider end user experience when building software or software-as-a-service products. After all, in today’s easy-in/easy-out paradigm that has come with cloud applications, it’s never more important to ensure our products do not frustrate or hinder our end-user.
Secure is slow
It’s a commonly accepted paradigm that secure is slow. User experiences are normally polarised between content that has been properly scanned, albeit having had to wait for it versus a slick user experience where in all likelihood the security has been sacrificed to do so. We have all become accustomed to this paradigm because of the limitations in current malware detection technology when it comes to speed and scalability. In most cases it’s reasonable to expect a virus scan as a minimum (even though in some cases, even this isn’t feasible) and at best it’s been through a sandboxing application to identify potential malware that is unknown at the time. The problem is that sandboxing is often too much too late, often taking minutes to arrive at a conclusion. If you’re someone who has disabled some of the features in your sandbox such as the number of iterations, some of the checks or limiting analysis to files of a certain type or size for the sake of speed, then you’ll understand what I mean.
The dreaded false positive
Another important aspect that usually gets overlooked is accuracy. Accuracy comes in two parts: 1) detecting real threats with high efficacy and 2) ensuring that legitimate content doesn’t get blocked. The wrong file getting blocked at the wrong time is a disaster for the end-user and has proved to be the undoing of many of a deployed system and the wonderfully recurring revenue with it. Not inconveniencing end-users is a no-brainer in maintaining a good user experience.
What should I do?
Add metrics to your testing that go beyond than just measuring what malware files your chosen anti-malware technology can find.
- Throw a good mix of large and small files at the technology. Not just a few… several tens of thousands at least. Measure how long it takes to process the files. Both individually and at volume.
- Measure the resources the engines require to process volume. This is where volume of files is crucial. What might look like a nice, efficient engine, processing your carefully curated file set might turn into a leaky memory monster when it has to process over a million files in a day.
- Include different file types. Archives, PDFs, Office Files, Executables etc. Get a feeling for where the technology is strong and where it is weak. You might need more that one for good coverage.
- Test real-world traffic, not just malware files. It’s important to see what different engines can catch that others can’t as well as which ones are prone to all important false-positives.
- When it comes to unknown malware detection, there are alternatives that are much faster than sandboxes and that can provide a similar output that leads to detection. Especially if you’re one of those who have disabled much of your sandbox’s functionality. Varist’s Hybrid Analyzer is one such solution.
At Varist, we have huge amount of experience in providing Anti-Malware solutions that our customers rely on for speed and scalability to provide end-users with a great user experience. Find out more at www.varist.com.