This week on Security for Everyone, we are reviewing F-Secure Internet Security 2010. F-Secure comes after a rather disappointing 2009 incarnation and promises to deliver a streamlined interface, better resource use and better integration. In addition, the suite has full Windows 7 support, joining the crowds of security solutions for Microsoft's latest operating system. Let's see if the waiting has been worth it.
My first impression of F-Secure Internet Security 2010 was anything but favorable. The installation process is very long: it takes roughly 20 minutes on a fast system though, to be fair, that includes a lengthy but necessary initial update. While it is a fairly simple process (the automatic mode will literally not ask for anything), its length is somewhat prohibitive.
Installing on an infected system is, unfortunately, a no-go. On my test infected system the installation seemed to proceed correctly, but the scanner would die without any apparent reason. On another test infected system, I had to uninstall and reinstall the program in order to be able to run a scan. This places a severe limitation on F-Secure Internet Security 2010's usefulness in aiding an already afflicted system. Even on an uninfected system, the installation simply froze without any particular reason and I had to restart it in order to successfully install the program.
Ease of use and configuration
F-Secure Internet Security 2010 sports a completely re-designed, task-oriented user interface. This is an attempt to shed a new light on the F-Secure programs, which have long been known only as tools for advanced users. Opting for a task-oriented interface is a good approach because most users literally tend to think of their security tool in terms of tasks. In the days of Windows 98, flexible security tools with a lot of options were a good choice, because the operating system could not handle many security tasks. Nowadays, one would like to spend as little time as possible with one's security tool.
The main screen offers the user three routes: Status, Tasks and Statistics, as well as providing quick access to scanning, checking for updates and the settings page. The Tasks screen allows access to the most commonly accessed features: scanning and adding firewall exceptions. The user can also check for updates, allow a blacklisted program to be started, restore programs or files that have been mistakenly removed and access the program's advanced security settings. To be fair, I do not think anyone would actually require anything else after the first two or three times of opening a security suite's interface. The advanced settings page is actually easy to browse and can be used by novice users without much hassle.
The Status page allows for a quick overview of which modules are active, inactive or require attention. While probably of lesser interest to novice users, the Statistics page will allow tech-savvy readers to quickly assess the state of their grandmother's computer. It shows an overview of scanned and cleaned files and programs, as well as information about the last few updates. Setting up F-Secure Internet Security 2010 provides a reasonable balance between flexibility and strength. Those modules that have a wide range of options (such as the firewall) have configuration starting points through the use of profiles; that is, a set of pre-defined settings is available, adapted for home use, office use and so on, which can be tweaked by more advanced users. Most settings are correctly auto-detected and the default options leave little need for post-installation tweaking.
Task-based approaches have been tried before, but most of them have not been successful because they did not narrow the scope of potential tasks well enough. F-Secure Internet Security 2010 manages to do so by hiding more complex tasks which are not of interest for basic users in the advanced settings screen. The result is one of the cleanest and easiest to use interfaces we have seen in our series so far.
F-Secure Internet Security 2010 has a fairly laissez-faire approach to firewall protection which leaves an initial impression of shakiness. However, do not underestimate the excellent degree of integration in its modules; what seems like a shaky approach is in fact a very good combination of strength and ease of use.
Any firewall has to provide protection against two kinds of potential network attacks. First come those originating from outside, launched by malicious users such as crackers or some automated tools. Then, there are those originating from the inside, where already installed programs try to sneak malicious programs onto the user's computer, or send sensitive personal information like passwords. The protection against outside attacks is done in a traditional fashion: all ports are stealthed and traffic is silently discarded, making the computer seem like a locked building from the outside. In our test, no information was leaked to scanners, and basic script kiddie attacks were handled cleanly.
Protection against inside threats is a more delicate matter, and at first sight F-Secure Internet Security 2010 provides no such protection because, by default, all traffic is allowed. However, at this point, DeepGuard and its friends kick in. Known programs and those that do not try to send any sensitive data are allowed to access the network connection by default. Programs that are known to be malicious, those that try to send sensitive data or those that produce heavy network traffic are restricted. In addition, the user is allowed to define per-program rules through a very familiar interface.
A method like this one also allows very good protection against leak attacks. Programs that try to sneak some of their friends onto a computer without a user's consent are immediately detected and flagged as riskware or spyware, and their traffic is blocked. As a consequence, it is difficult to circumvent the firewall by installing a trusted program to act as a man-in-the-middle. Furthermore, the firewall's process is well protected: it cannot be stopped without the user's consent and its settings cannot be tweaked.
This approach is very good in terms of usability, because the user is left with very little to decide. He can override auto-detected settings if he knows that a particular program is clean, but intervention is rarely required. Given the popularity of F-Secure suites, the DeepGuard feature can work very well. Furthermore, the list of known programs is large enough not to require user intervention, meaning that users will rarely be confronted with the question of whether to allow a program to access network resources or not. Furthermore, regular services such as printer or file sharing are not affected.
Managing the firewall's overall configuration is also easy, because in addition to the Normal profile, which allows all outbound traffic, a number of other profiles are available. These include settings typical for office use, as well as a completely paranoid "Strict" mode which does not allow sharing resources, outbound traffic for unknown programs and so on.
Antivirus and antispyware features
The antivirus module has always been one of F-Secure's stars and F-Secure Internet Security 2010 is no exception. This year, F-Secure comes with a handful of new or improved technologies, the most important of them being DeepGuard 2.0. DeepGuard is a technology that uses in-the-cloud computing to obtain and disseminate information about new threats. As a consequence, it literally takes minutes to have all F-Secure installations secure against a threat, after the threat has been detected. Essentially, F-Secure Internet Security 2010 will detect when an application is launched and use information gathered on all other computers to assess the risk it poses to security. This is not new to this series, but it is at the forefront of desktop security research.
The other major technology behind F-Secure Internet Security 2010's antimalware module is F-Secure BlackLight. BlackLight aims directly at rootkits, trying to detect, identify and remove hidden security threats. Unlike many other tools, the idea behind BlackLight is to work completely automatically, without asking for much user input. Furthermore, detection and removal are done in the background, without requiring a reboot. The latter feature is especially to be appreciated in terms of usability, because it does not disrupt the user's workflow.
With these two technologies behind it, the antimalware module of F-Secure Internet Security 2010 proved to work well above average. The detection rate is top-notch, missing only one recent malware sample, and the removal rate was equally good. F-Secure Internet Security 2010 also correctly identified and removed all but two rootkits, which are the common stumbling blocks for security solutions today. The performance was not as good with keyloggers, unfortunately: more than half of the commercial keyloggers we tested were left behind, and the removal rate was not much better with non-commercial keyloggers. However, failures in removal are correctly signaled to the user, so that he is not left with a false sense of security.
Cleaning up is divided into four stages, based on the kind of threat. F-Secure Internet Security 2010 will group the threats it detects during a scan into four categories: viruses, spyware, riskware and suspicious items. The default settings will have the viruses removed or quarantined, spyware programs quarantined, and everything else flagged as suspicious but left untouched for testing. While apparently less secure than one would want, this also has the effect of decreasing the number of false positives to a minimum. Furthermore, the good integration of various modules means that even if riskware and suspicious items do in fact pose a significant threat, the firewall will block them from sending any sensitive information or bringing new friends on board. If suspicions do persist, the DeepGuard module will eventually identify these items as either spyware or viruses and they will be quickly removed.
If you are not happy with this, the clean-up process can also be done manually. Unfortunately, it's slow. You have to change whatever settings you feel like changing and then wait for F-Secure Internet Security 2010 to slowly crawl through the list of threats. The automatic clean-up is good and fast enough though and should work for most users.
The active protection feature has a very meticulous approach to its task. When a threat is detected in memory, the first thing F-Secure Internet Security 2010 does is not surprising: it will simply stop its process and remove or quarantine the offending file. This is what every security suite does. However, in addition to this, F-Secure Internet Security 2010 will also launch a special scan, aiming to find any related threats in other files and in the registry. The immediate effect is that it identifies almost every possible problem, and will prevent some particularly persistent malware programs from spreading in spite of its efforts. The disadvantage is that this makes the system slow. Opening a folder with a lot of infected items - which can be any USB stick that has been in the wild for a while, not necessarily my infected USB stick used for testing - will slow the system down to a crawl. Furthermore, removal does not work very well from the active protection module. Only some of the infected samples were removed on sight. The other ones managed to quietly launch their installation programs and partially sneak in, until F-Secure Internet Security 2010 kicked in and interrupted the installation, then tried to undo it after running the special scan. This is somewhat slow and needs some streamlining.
Active web protection works a little better. It sports a strong detection feature which can find hidden exploits in web pages. This proved to be a very good effort from F-Secure's developers. Only one of the exploits I found managed to sneak past F-Secure Internet Security 2010's protection layer, and did so only after ignoring a handful of warnings from the web browser. To be fair, this is effectively a firewall-level feature, but given its role, I think it is more appropriately discussed here.
Scanning is very fast and the resource consumption is far better than in the last version. Files are whitelisted as they are scanned and only revisited if they have changed, making all scans except the first one last for only a couple of minutes. The only significant slowdown is at boot time, as it is lengthened by roughly 50%. There is some impact to day-to-day operation but nothing we have not seen in other suites and the user's workflow is not disturbed.
Rarely do we see such a complete overhaul in a security tool's usability approach, and it is even less often that such a complete overhaul is successful. Based on the strong technology behind it, F-Secure Internet Security 2010 has a remarkably clean user interface that is simple to use. The suite is still a bit rough around the edges: the explanations provided with some alerts are sometimes clearly aimed at tech-savvy users and the installation process will sometimes fail. However, it can provide excellent protection to novice users, with reasonable resource consumption.