One Sweet Security Suite

It's a security suite called Internet Security 2006. Offered by Finnish company F-Secure, this suite offers not only all the functionality of products from the Big Three, but also rootkit detection—and for $10 less than the Big Three Charge.

Like the Big Three, F-Secure offers anti-virus and anti-spyware capabilities, a firewall, mail screening, and content filtering. But F-Secure's rootkit detection is the most significant feature. According to our best guesstimate, this will be the only security suite on the market to offer rootkit detection for at least the next six months, possibly even for the next year.

For those living under a rock, rootkit detection is tremendously important these days, because this new breed of highly undetectable (or "stealth") malware is prevalent in the wild. A rootkit plays havoc with any system on which it takes up residence. (For more information on rootkit detection, see our recent TechBuilder Recipe, Rooting Out Rootkits.)

F-Secure's Internet Security 2006 retails for $59, roughly $10 cheaper than comparable security suites from other top players in the market. (Norton Internet Security, for example, lists for $69.) While $10 may not sound like a big deal, if you're installing a security suite onto dozens of machines—perhaps even hundreds—then your savings on a volume license will add up significantly.

The Many Benefits of F-Secure Internet Security 2006

Let's start off by taking a look at how F-Secure Internet Security stacks up against Norton Internet Security and Trend Micro Internet Security. For starters, here's what all three suites offer:

• Anti-virus software: All incoming data is screened to block potential infiltration from viruses, worms, Trojans, and other forms of related malware.
• Anti-spyware software: All incoming data and active Web content is screened to block potential infestation from spyware, adware and other forms of related malware.
• Personal firewall: A layer of software interposes itself between the PC and all external network connections. It controls incoming and outgoing traffic on the basis of allowed applications or activities, while denying all other implicitly unauthorized access attempts, both incoming and outgoing.
• E-mail screening software: All e-mail is screened for malware of all kinds. Also, spam filters and other techniques to block unwanted e-mail may be invoked, too.
• Content filtering (aka "parental controls"): This permits users with higher levels of administrative authority to block access to specific sites and materials through explicit URL identification or use of wildcard characters. For example, the admin can set the filter so that the presence in a URL of "XXX," "sex," and other explicit strings makes the Web site inaccessible.
• A single, automatic update setting: This delivers updates to the software and various signature files for viruses, spyware, and other malware without requiring much user effort or attention to their security situation. It also provides as-needed news and updates about potential dangers and immanent threats; user tutorials and security-awareness training materials; and shared information for content filtering. Many security experts consider this an important convenience.

Where F-Secure's Internet Security 2006 goes beyond the suite offerings from the major players in functionality is in rootkit detection. Using the company's rootkit-detection engine, called Blacklight, the software detects and even eliminates active rootkits on a computer. The tool also does a great job of cutting extraneous chatter out of its results, so system builders will no longer be confused by the kinds of false positives that most other tools routinely report.

Pros (and a Few Cons) of Using F-Secure Internet Security 2006

Security suites—like other kinds of "do-it-all" software packages—do their best to tackle everything users expect and want them to do. But they do some things better than others. F-Secure's suite is no exception.

On the plus side, F-Secure Internet Security 2006 gets top marks for its anti-virus software (and fast signature update), firewall, and rootkit detector. Its content-filtering capabilities are adequate for most SOHO situations.

But its anti-spyware and anti-spam capabilities lag behind those of the Big Three's products. This doesn't mean F-Secure isn't a terrific product at a great value. Nor does it mean you'll be exposing your customers to unnecessary risks. And this deficit is easy to address: Simply install the freeware version of Microsoft's Windows Defender, which consistently does well in ratings and rankings for this kind of software.

Further, recent comparison reviews note that F-Secure Internet Security 2006 does a fine job of protecting clean machines from new spyware, they give the product lower marks for its ability to clean up existing infestations and detecting the presence of certain insidious types of spyware, most notably keyloggers. (Keyloggers store all the keystrokes that users make in a file, then periodically ship it off to a presumably malicious third party for harvesting of account and password info, credit-card data, and other sensitive information.) But we won't jump down F-Secure's throat on this function: No suite-based spyware detection software currently matches best-of-breed standalone implementations when dealing with keyloggers.

Omnibus security packages also tend to have sizable system footprints; the smallest of the suites we know is BitDefender. This security suite comes in at a relatively svelte 50 MB. Most other suites consume up to 70 MB at runtime, and even more when actively scanning for malware. In the case of F-Secure Internet Security 2006, a complete install on our test system consumed an average of 92 MB while actively scanning for spyware and viruses, and about 56 MB otherwise. As such packages go, this makes it bit less resource-consumptive than most. Ingredients

To start working with F-Secure Internet Security 2006, all you need is a PC running Windows (Win98 or above) and access to the Internet. Our test system ran Windows XP SP2 with all current security updates installed. (Note: The F-Secure software does not work with Windows Server operating systems.

If the test machine on which you intend to install this software is already running a security suite—or a collection of anti-virus, anti-spyware, personal firewall, or other security related software—you should either create a restore point (on Windows XP), or back up the system first. Next, uninstall any or all of the aforementioned components. While F-Secure Internet Security 2006 will detect and remove most other components of its kind, the operation will go more smoothly if you first get these other components out of the way.

How to Download and Install F-Secure Internet Security 2006

Unless you're on a slow Internet link, the entire process of downloading and installing this security suite should take no more than 15 minutes. The download itself is 60.4 MB, and for us, it only took two minutes to download over our relatively fast cable-modem Internet link. OK, let's get started!

• To obtain a 30-day trial copy of the software, go to the F-Secure Internet Security 2006 trial version download page. Fill out the form, then click Submit. When you get your e-mail reply (ours arrived in less than 10 minutes), follow the download link provided in the e-mail message.
• After following the link, download the package, and save a local copy in a folder where you'll be able to find it. (The file is named fs2006f.exe). We put ours in a subfolder inside our Downloads folder and simply named it F-Secure.
• Double-click the file (again, named fs2006f.exe) to invoke the installer. At first this brings up a file unpack progress bar as the program uncompresses the files necessary to begin the install process. Next, you'll see the warning screen (pictured below), which echoes our earlier advice to remove all security related components from your system before proceeding.
• Click the radio button next to "I accept the terms" for the F-Secure License Terms shown. Then continue through to the next screen by clicking on Next as shown here:
• Next, you have a choice: You can enter a valid license key, which is available to those who pay for this software at prices that start at $40 for a one-year license. Or you can click the radio button for the "Evaluate the service" option as shown in the screenshot below. For now, choose the latter. Then click Next to proceed to the next screen as shown here:
• You'll be prompted to choose a 30-day trial of either Internet Security 2006 or Anti-Virus 2006. The default is what you want: F-Secure Internet Security 2006. Click Next to advance to the next screen, as shown below:
• Now you must choose a home directory into which the application will be installed. The default is C:\Program Files\F-Secure Internet Security. But you might want to use the Browse button to choose a different target. Once you've made your selection, click Next to advance to the next screen, as shown below:
• The initial installation begins at this point. You'll see a variety of screens with progress bars (like the one shown below) or default security settings (which went by too fast for us to screen capture it for this Recipe). The program will eventually complete the initial installation. This took about six minutes on our test machine, a Pentium 4 570J with 2 GB of RAM and a reasonably fast Maxtor SATA drives. Your mileage may vary.
• Next, a screen pops up (shown below) to indicate that installation is both complete and successful. But lest you think your work is done, this is really only the initial installation of the package. As the next sequence of screens will show, there's still quite a bit of work left for you to do!

How to Configure F-Secure Internet Security 2006 and Complete the Install

In the next series of steps, the real fun begins as you configure and tweak the F-Secure security suite you've just installed.

The next phase of F-Secure Internet Security activity occurs after you restart the PC. So, if you haven't already, reboot the system. At that point, the Startup Wizard will pop up to inform you that it will connect to the Internet for new updates, as seen here:

• On the initial Start-up Wizard screen, click Next. This is the part of the process where you'll select program components.
• The next Start-up Wizard screen is labeled "Application Control," as shown below. This invokes the suite's Firewall component, and it is set by default to inform you whenever any new application attempts to connect to the Internet. That way, you can decide if the connection should be allowed or denied. For now, leave this default, which is Yes. Click Next to bring up the next screen.
• The next Start-up Wizard screen is labeled "Web Browser" as shown below. This invokes the suite's Web browser controls for dealing with pop-ups, active content, and so forth. In most cases, the program will detect your default browser correctly. But if you have more than one browser installed, and you wish to designate another as your default Web browser, use the pull-down menu shown at the bottom left of the screenshot below to select it. Then click Next to proceed.
• Now the Start-up Wizard tackles e-mail client settings. First, it will identify what it believes is your default e-mail client. Then it gives you a pull-down list from which you can make changes if you'd like. This is shown here:
• The next item is parental (content) controls, which we skipped during our test. To proceed to the screen labeled "Tasks" (as shown below), click Next. This is where you tell the program what it should do after you complete your work with the Start-up Wizard. By default, all three boxes are checked by default (Perform full computer check, Enable a weekly virus scan, and Show main user interface). That's how we think you should leave things. Click next to get to the final Start-up Wizard screen.
• The Finish screen (shown below) concludes your interactions with the Start-up Wizard. As soon as you click the Finish button at the lower right, your initial setup work is done.

Earlier, during installation, the Tasks screen instructed the software to launch the main user interface for F-Secure Internet Security 2006 (once you finished with the Start-up Wizard). So of course, that's what splashes up on your screen next, as seen here:

This is your control center for the security suite, where its underlying capabilities map to the left-hand buttons as follows:

• Home: This is the same screen shown above. It is the control center for the whole shooting match.
• Virus and Spy Protection: Where you go to access, configure, and use the program's anti-virus, anti-spyware and rootkit-detection capabilities.
• Internet Shield: Where you go to access, configure, and use the suite's firewall, application controls, intrusion prevention, and dial-up control capabilities.
• Spam Control: Where you go to access, examine, set, or tweak e-mail filters (or filtering regimes) for your default e-mail client.
• Parental Control: Where to go to set or manage Web filters, allowed access times for named users, and work with the program's password protection.
• Automatic Updates: Where you go to check auto-update settings or to force an immediate manual update. You'll also find the most current update status information here.

How to Work with F-Secure's Rootkit Detection

Let's now look at F-Secure Internet Security's anti-virus and rootkit-detection capabilities, as well as its firewall operation. They'll provide a clear view into how the program works and operates, and they also show off what we think are the suite's best capabilities.

The program will launch a complete system scan soon after you exit the Wizard, just as you instructed it to in the Tasks screen a few steps back. It's probably a good idea to wait until this completes before trying anything else. You will probably need to wait a while: our relatively modest scan (about 100 GB of on-disk materials) took roughly 30 minutes to complete. Once it's done, here are your next steps:

• Launch F-Secure Internet Security 2006. If it's not already open, Click Start, All Programs, F-Secure Internet Security 2006, and then click Open F-Secure Internet Security 2006. This produces the control center/home screen, as shown above.
• Click on the Virus and Spy Protection button at the upper left (just beneath Home). You'll see the obvious controls that are available for use with anti-virus and anti-spyware capability, as seen here:
• These options include various forms of scanning controls, each with its own set of options under the Change/Configure entry at the right-hand side of the display. Everything is enabled by default and works pretty well. You have numerous options available to handle real-time and e-mail scanning, and you can also manage when scans are scheduled: daily, weekly or monthly, on specific days of the week, and starting at a specific time. Browser and system controls may be either enabled or disabled (they're enabled by default).
• Things get a little more interesting when you click the hyperlink style control at the lower right that reads "Scan my computer…" As shown in the screenshot below, this produces a pop-up menu that immediately makes available some additional controls. Options here include the ability to scan your hard drives for a target for viruses, scan your system for spyware or rootkits, or combine all general checks into a full computer check.
• Because rootkit handling is so important, you can launch a rootkit scan by clicking on the "Scan System for Rootkits entry" in the pop-up menu. This produces a screen like the one shown below, as the rootkit scan goes about its task of looking for evidence of such software:
• As the process grinds through to completion, the majority of users will wind up with a screen that looks like the next screenshot, which reports no evidence of rootkits being found:
• For more detail about what the scan turned up, click the Show Report button, which appears at the lower left of the preceding screenshot. But F-Secure's Blacklight rootkit detector engine produces much less commentary than even the terrific Sysinternals RootKitRevealer engine does; this means there are very few false positives to worry about, making F-Secure better suited for inexperienced users. (While system pros will recognize that many of RootkitRevealer's false positives are temporary files, less-savvy users might think they've been infected when it's not the case.) Kudos to F-Secure for making this tool so end-user-friendly.
• Finish by clicking the Close button. This ends this exploration of the program's anti-virus, anti-spyware, and rootkit-detection capabilities.

How to Work with F-Secure's Firewall Rules

F-Secure's firewall rule-building approach is one of the best-guided and most intelligible we've seen in the dozen or so personal and small-scale firewalls we've worked with over the last seven years. Once you get the hang of it, you'll probably feel the same way.

The application-control capabilities in the Internet Shield sub-menu are worth exploring. They provide more granularity and more controls than we've seen in programs like Norton's Personal Firewall and Sygate's Personal Firewall.

To begin, the Application Control and Intrusion Prevention settings are pretty straightforward. Application Control may be set to either Prompt (the default) or Allow and Log. With Prompt, no application can access the Internet without obtaining the user's permission. With Allow and Log, by contrast, any application can access the Net, but all accesses are logged.

Intrusion Prevention has two settings, too: Block and Log (the default) and Log Only. Block and Log means possible intrusion attempts are blocked as well as recorded. Log Only means they're not blocked at all, but are still recorded. Note: Dial-up control applies only to PCs with telephone modems installed; this control may only be enabled or disabled. If enabled, it imposes additional security checks during dial-up connection attempts.

That said, the real action here is on the firewall. That's where the creation and expression of rules define its run-time behavior. The following steps will take you through defining such a rule, and show you how things work in this environment.

• Launch F-Secure Internet Security 2006. Click Start, All Programs, F-Secure Internet Security 2006, and Open F-Secure Internet Security 2006. The usual home screen will appear.
• Click on the Internet Shield button; it's the third from the top in the column on the left-hand side of the home screen. This produces the Internet Shield display, as shown here:
• Click the Configure… link at the right hand side of the Firewall information line. This opens a new window called Firewall that has three tabs: one each for Rules, Services, and Settings. The Rules tab appears on top by default, as shown here:
• To begin your exploration, create a new rule. Click the Add button at the lower left of the rules pane (as shown in the figure above). The Firewall Rule Wizard opens an Add a New Rule window, as shown below.
• Here, we're going to create a rule regarding Server Message Block traffic, used for local file access within a single IP subnet. We type the string LOCAL_SMB to name this rule, then select the rule's type as Allow. Simply put, this rule permits things to happen; by contrast, a deny rule blocks things from happening. (As an option, Rules can be defined to only apply to dial-up connections, through the check-box at the bottom of this window.) Finally, to advance to the next step in the rule-making sequence, click Next.
• Apply an IP address range, if applicable. In this case, we used the range of valid client addresses in our local subnet—namely, 172.16.1.1 through 172.16.1.254 (one of the private Class B addresses reserved in RFC 1918) as shown in the figure below:
• When you click the Edit button on the right, this opens another window in which you can define individual IP addresses, or contiguous IP address ranges, to which the rule applies (we chose our entire local subnet). When this step is complete, click Next.
• You now select the service to which the rule applies. Use the giant pull-down list of IP services and clicking the checkbox to the left of the one you want; in this case, that would be SMB over TCP/IP (TCP). Next, you can manage flow control. (The client on the left and the world on the right with a two-headed arrow means to/from all clients and the network.) By clicking on the direction column, you can select a two-headed arrow to allow or deny two-way traffic. Or you can pick one-way arrows to allow or deny flows only in one direction. The results of our two-way rule appear in the screenshot below. When you're done with this step, click Next.
• Now it's time to deal with alerting. You have three choices: issue no alert (the default), log the information, and log the information and issue a pop-up message. You can also define a text message to be included in the log and, where applicable, a pop-up. This can be especially handy when dealing with situations where an attack of some kind might be underway. The next screenshot includes only the meaningless TEST_CONFIG string. When you're finished with this step, click Next to finish your rule.
• Finally, the software lets you review the entire rule definition on a single screen, as shown below. If you like what you see, click Finish. If not, use the back button to return to whatever previous step(s) warrant your attention. When you're happy with your revisions, click Finish, and you're done.

F-Secure Internet Security 2006 is a worthwhile software component for the systems you build and maintain. Even though the suite's anti-spam and anti-spyware capabilities are somewhat lacking, the rest of F-Secure's suite is as good as or better than its competitors in all the other categories we covered. Plus, you'll have a rootkit detector, a capability not even offered at this time by any other suite on the market.

If you're looking for yet more information on this suite, check out the F-Secure Internet Security 2006 page. Here you'll find pointers to white papers, case studies, evaluations, and reviewer's guides, as well as a complete manual.

ED TITTEL is a freelance writer and trainer in Austin, TX, who specializes in Windows topics and tools, especially networking and security related matters. JUSTIN KORELC is a long-time Linux hacker and Windows maven who concentrates on hardware and software security topics. Ed and Justin are also co-authors of Build the Ultimate Home Theater PC (John Wiley, 2005).