7.4 C
Friday, November 24, 2017
Home Tags Security

Tag: security

Dashlane 4

When your password manager is famed for its slick interface and ease of use, finding ways to improve can be tough. But don't worry, the folks at Dashlane are up to the challenge. Dashlane 4 is even slicker, more attractive, and easier to use. But that's not all. Its automated password changer now handles more than twice as many popular sites, and advanced features like emergency access and secure sharing keep Dashlane at the top of the heap. And despite these enhancements, the price is the same, $39 per year. You access Dashlane in two distinct ways. Most of the time the small menu that you pull down from the browser toolbar button is sufficient, but for some activities you need to open the full user interface. And, of course, it captures credentials as you log in and replays them when you revisit sites without any need for either the pull-down menu or the full interface. Dashlane is free to use, with one condition: You can only use it on a single device, without the ability to sync with your smartphone, tablet, and so forth. That's a pretty strong limitation, enough that I don't review Dashlane as a free product. With the free LastPass 4.0 you can sync any number of desktops, any number of smartphones, or any number of tablets, as long as you stick to one of those three categories. LogMeOnce Password Management Suite Premium is free without any similar limitation. User Interface EnhancementsDashlane has always displayed your saved logins as tiles, with large or small icons representing the site in question. New in this edition, you can choose to view them as a list instead. Interestingly, LastPass 4.0 Premium, which used to only offer a list view, has added a Dashlane-style tile view. I do wish Dashlane had gone for smaller icons in the list view. As it is, switching to list view doesn't let you see significantly more items at once. If you've got a ton of saved passwords, you may find it handy to view them by category. Switch to that view, collapse all categories, and open just the one you want for easy access. Of course, the simplest way to access your passwords is to type in the search box at top left. As you type, a list of found items narrows to show just the items that match. New in this edition, you can launch a site directly from the list of found items, or open a full menu of actions for an item. This menu lets you edit the saved info, see password history, share the item (more about sharing later), and more.  The interface also rearranges the options in the left-rail menu for better consistency. The Wallet category still includes payment-method data for form filling and the receipts Dashlane has collected for you. Personal Info and IDs (also used for form filling) are now under Wallet as well. Previously, Dashlane fully supported English and Spanish, both localizing the user interface and optimizing program actions for the locale. Version 4 adds similar full support for Spanish, Portuguese, German, Italian, and Japanese. Basic FeaturesThe folks at Dashlane want to make it easy for you to get started. You can import passwords stored (insecurely) in Chrome, Firefox, and Internet Explore. Jumping ship from another product? You can import data exported by LastPass, RoboForm Everywhere 7, and several other competitors. LastPass is even more welcoming, with the ability to import from several dozen competitors. As noted earlier, Dashlane automates the process of capturing login credentials as you type and playing them back when you revisit a website for which you've saved data. If multiple logins are available, it displays them as a menu. And of course you can launch a saved site from the browser menu or from the full UI. You may occasionally run across a site whose login screen is weird enough that Dashlane doesn't recognize it. LastPass, RoboForm, and Sticky Password Premium handle this problem by letting you manual ask to save all data fields. Dashlane doesn't include this rarely-needed manual capture feature. Protect Those PasswordsAs always, it's important to use a strong password as your master password. Dashlane requires at least eight characters, including at least one digit, one lowercase letter, and one uppercase letter. That bar is set pretty low. I would strongly advise at least 12 characters, using all character sets. For added security, you'd be well advised to enable two-factor authentication. You can choose whether Dashlane will require the second factor on every login, or just when you (or someone else!) attempts to log in from a new device. Dashlane specifically supports Google Authenticator and work-alikes such as the free Duo Mobile and Twilio Authy. Just snap the QR code displayed by Dashlane with your authenticator app to make the connection. You can also set Dashlane to authenticate using Touch ID on iOS devices that support it. LastPass's free edition supports smartphone-based authentication, like Dashlane, and even includes the option to authenticate using a printed wallet-sized grid. LastPass Premium adds authentication by YubiKey, fingerprint reader, or a specially-configured USB drive. Sticky Password and RoboForm support fingerprint authentication. True Key's core functionality centers on multi-factor authentication. Factors include possession of a trusted device, fingerprint authentication, and facial recognition. In fact, with sufficient second-factor authentication, True Key lets you reset your master password, something few others do. Password GeneratorAny time you click in a password field to create a new account or change an old password, Dashlane pops up an offer to generate a secure password for you. On the plus side, this offer pops up right below the password field, so it's easy to click. On the minus, you don't get an opportunity to configure the password manager at this point. If you want more control over how the password manager works, click the browser toolbar button and click the password generator button. Here you can set the generated password length and choose from three character sets, digits, letters, and symbols. Dashlane doesn't distinguish between uppercase and lowercase letters. Like LastPass, Dashlane defaults to a 12-character password using just letters and digits. That's up from a default of 8 characters in the previous edition, but I suggest you raise the length to 16 characters and check the box to use symbols as well, then click the Use as Defaults button. Note that 16 characters using all character sets is the default for True Key by Intel Security. Security DashboardGetting all of your passwords into Dashlane is a great first step, but you can't stop there. You need to clean up your passwords, fixing any that are weak and replacing any that you've used on multiple sites. Don't worry; Dashlane makes this process extremely simple. Click the Security Dashboard item on Dashlane's left-rail menu for a quick percentage rating of your security level, much like what you get with LastPass's Security Challenge. I like the fact that Dashlane always offers a couple of "quick wins" to increase your score. It might identify a specific weak password and point out that you could gain three percent by fixing it. The real action takes place when you click to view the detailed password analysis. Here you can view a list of all passwords, or limit it to weak, reused, or compromised passwords. Now Dashlane, like LastPass, also lets you list old passwords, meaning ones you haven't changed in a long time. Do note that the measurement of "old" starts when you add the password to Dashlane; new users won't see any old passwords for a while. Probably the most useful view comes when you sort the list by safety level. For each password, Dashlane displays a safety percentage as well as a color coded description: very unsafe, unsafe, not so safe, safe, and super safe. You can point to any item for details on how it got that rating. For example, a perfectly complex password may be on the unsafe list because you've used it on several different sites. Fixing the weak and reused passwords can be a tough slog, but don't let that stop you. Pick the worst five or six and click the Replace now button for each. That will log you in to the site. From there, go to the change password dialog and let Dashlane create and save a new, strong password for you. Password ChangerYou may notice that the button next to some weak passwords is titled Auto-replace now, rather than just Replace now. Clicking that button invokes Dashlane's automatic Password Changer. For the full automated experience, though, you're better off clicking the Password Changer link at the top of the main password list. Tech experts at Dashlane have analyzed hundreds of popular sites in order to devise scripts that automate the password change process. That lets Dashlane perform a hands-off password update for any supported site, and with Version 4 the list of supported sites jumps from 200 to 500. In the Password Changer window, you can check off any or all of the supported sites and click one button to have Dashlane change them all. You'll see a progress indicator by each item, advancing as Dashlane logs into the site, navigates to the password-change screen, and updates the password. LastPass's similar feature supports about 80 sites, but it need to launch a browser tab for each site, and warns you strongly to leave those tabs alone. If you've enabled two-factor authentication for any of your secure sites, Dashlane may need your help. When possible, it pops up a notification ask you to enter the verification code for that site. You do need to pay attention—if you wait too long and the verification code expires, Dashlane isn't equipped to request a new code. But no worries; if that happens, just try again. I'm a huge fan of automatic password updates. Since Dashlane remembers all your passwords, there's no real reason for you to be involved at all. There are a few exceptions, though. Some passwords you just have to type yourself, like the Microsoft ID that you use to log in to modern Windows versions. And some sites have password-format requirements that Dashlane's automatic password generator can't meet. But for most sites, it's fantastic. Secure SharingWhen a buddy asks for your password to some website "so I can check something," you know the answer. Just Say No! But sometimes you really need to share credentials with a colleague or partner. Dashlane has you covered. Just point to the item, click the menu icon, and select Share item. Enter the email address of the recipient, and specify how much access you're offering. If you choose to limit access, the recipient can use the shared item but can't view, edit, or share it. A recipient with full rights to the shared item can view, edit, and share it, or revoke access by others who share it—even you! You can enter a personal message before sending the request. As with the similar feature in LastPass, the recipient will both receive an email and get a notification in Dashlane's Sharing Center. A recipient who doesn't yet use Dashlane will need to set up a free account, of course. Once the recipient accepts, the item in your own Sharing Center will change from Pending to Full Rights or Limited Rights, depending on your choice. You can click the wrench icon to switch between full and limited, or click the minus icon to revoke the share. Emergency ContactsWhat happens if you get hit by a meteor tomorrow? Will your heirs tear their hair out, trying to figure out how to access your accounts? Dashlane's emergency contact feature ensures that you can pass along your digital legacy after your demise, and it doesn't even require probate. Setting up an emergency contact to inherit your passwords is just as simple as sharing one password, with one important difference. You can set a waiting period for full access. If your supposedly-trusted contact tries to get your credentials while you're still around, you can respond to the notification email to deny access. And they look for a more-trustworthy contact. LastPass's latest version includes a similar feature, but Dashlane takes it a step further. In addition to defining an heir for your entire stash of passwords, you can also give access to a subset of those passwords. For example, you could make your boss the recipient of only your work-specific passwords. Advanced Form-FillingLike many password managers, Dashlane also has the ability to help you with filling personal data in Web forms. But Dashlane takes the concept farther than many. RoboForm is the most flexible in this area, which is no surprise given that it started life as a form-filler. It lets you record a wide variety of personal data, names, email addresses, bank accounts, and more. And it supports multiple entries for every field. With LastPass, you can declare any number of full personal profiles or credit-card-only profiles. Dashlane divides personal info into name, email, phone, (snail-mail) address, company, and website. You can add any number of each type. When Dashlane detects a Web form, it puts a tiny impala icon in each entry field. You click in any field and select the desired entry from the popup menu. At that point Dashlane fills all the fields using the first available entry, but you can change any of those with another click. For example, you might fill the phone number first, then click in one of the address fields to select a different address. Payment information is handles separately, and gorgeously. In the main Dashlane interface, you enter as many credit cards, bank accounts, or PayPal accounts as you need. For each credit card, you specify the color and the issuing bank—Version 4 adds support for many more banks. When you click the credit card field on a Web form, you'll see images of your cards, each with the proper color and logo. It's especially great for those with a more visual orientation. Dashlane handles passports, driver's licenses, and other IDs in a similar fashion. Your passport displays using the color and style of the country you selected, and your driver's license looks like an actual license, with the state clearly displayed. Receipt CaptureOn shopping sites, Dashlane's help with Web forms doesn't end when you've filled in all your personal data. Dashlane offers to capture its own receipt for the transaction, with the full amount and, when possible, a list of purchased items. It even snaps a screenshot or two, in case you have trouble with the merchant and need to show some added proof. In the event Dashlane doesn't capture the item name, you can edit that before saving. From the main Dashlane interface, you can view your list of receipts, dig in for details, and view the associated screenshot for each. It's a handy record of your online shopping. Mobile FeaturesPart of the user interface update in Dashlane 4 involved making the Android and iOS editions as identical to the Widows edition as possible. There are a few differences. For example, the mobile editions don't capture receipts for your purchases. Dashlane can manage app passwords, but only for apps that support the Dashlane App Extension. This feature has been around for a while, but it's now gaining traction. More than 180 apps support it, including some big names like eBay, Flipboard, Tumblr, Twitter, and Uber. The Android edition also supports auto-login for apps. Once you give it a few Accesibility permissions, it can log in to any app, with no special app extension required. Both mobile editions include their own browser which can automatically fill passwords and Web forms. And both can be configured to fill passwords in the default browser. More Capable Than EverDashlane 4's user interface is even slicker and easier to use than before, and you can now use it natively in seven languages. It offers uncommon features like secure sharing and password inheritance, as well as a unique receipt-capture feature for your online shopping. And you can use it on all your Windows, Mac, iOS, and Android devices. It's still a winner. LastPass Premium 4 goes a bit beyond Dashlane in some technical areas such as two-factor authentication, and it now includes password inheritance. Sticky Password Premium does an especially good job with off-the-wall login pages and application passwords. These two, along with Dashlane, are our Editors' Choice password managers.
Facebook is expanding its presence on Tor with experimental support for Android devices via a tool developed in part by an intern. The social network in October 2014 launched a Tor-friendly version of its website, allowing folks to access a more stable version of the service. Now, Facebook is rolling out Android support over the next few days. To get started, visit the Google Play store or Orbot F-Droid repository to download Orbot: Proxy with Tor. Orbot lets mobile phone users to access the Web, IM, and email without being monitored or blocked by their carrier, Tor explains on its website. "We're releasing this feature over the next few days to seek feedback which will help us create a great experience for using Facebook over Tor on Android," the company wrote in a blog post. Once installed, navigate to Facebook's App Settings menu to enable the function via a new preference switch. Excited? Thank Will Shackleton, former Facebook intern and current computer science student at the University of Cambridge. The developer behind apps like Network Spoofer, DroidPad, and Bright Day is also responsible for bringing Tor to the Android platform. One of my Facebook internship projects got launched today - adding Facebook #Tor support on Android via #Orbot! https://t.co/eJWzDZgFRZ— Will Shackleton (@wshackleton) January 19, 2016 Tor did not immediately respond to PCMag's request for comment. But a spokeswoman told Reuters that Android support goes a long way in helping to expand the anonymous network. "Everybody in the world needs more privacy online and almost everybody is on Facebook," she told the news site. "This will allow people to choose whether to share their location or not. For some people, this is convenience. For others it is lifesaving." Don't hold your breath, though, for iOS compatibility; Tor has no plans to support Facebook's app on Apple iDevices, Reuters reported. Keep an eye on the Facebook over Tor page for more details. A free network of tunnels for routing Web requests and page downloads, Tor makes it impossible for the site you access to figure out who you are. It was once an acronym for "The Onion Router," the implication being that it offers many layers of security.
F-Secure Protection Service for Business, which begins at $110 for five seats per year (or $22 per seat per year), is an above-average endpoint protection service that secures Windows desktops and servers, Linux, Mac, Android, and iOS devices. F-Secure Protection Service for Business adds operating system (OS) patch management to the usual anti-malware features typically found in small to midsize business (SMB)-hosted endpoint protection solutions. Looking at the management console and feature set, it's clear that F-Secure has worked its way down to SMB from enterprise, rather than the way competitors such as Avast Software Premium Business Security, Bitdefender GravityZone Business Security, Kaspersky Small Office Security, and Panda Security Endpoint Protection have worked their way up to SMB from consumer. F-Secure's management console is a bit dated, especially as compared to Avast Software Premium Business Security, Panda Security Endpoint Protection, and our Editors' Choice Webroot SecureAnywhere Business Endpoint Protection. The company gave me a sneak peek at their upcoming version (which was not reviewed but is now live), and I was pleased to see it will bring F-Secure on par graphically with its competitors. Functionality will remain the same, while the look and feel will make the management console much more accessible. Getting Started With F-Secure Protection Service for BusinessThe first time I logged in to F-Secure Protection Service for Business, I was prompted to add computers and mobile devices by sending an email with a link to my users or downloading the install packages. I chose to download the install packages. The download software page can later be accessed by clicking the link on the top left-hand corner of any page. From here, I could download for Windows or Mac workstations, Windows or Linux servers, a mobile security client, or a Windows redistributable install package. The Windows workstation installation required a 98MB download while the server was a 208MB download. Both installations took less than 10 minutes to complete, at which time the agent registered itself with the management console and updated its definitions. The client software is very clear, graphical, and easy to understand, with its color-coded protection status. Working With F-Secure Protection Service for BusinessIn stark contrast to the client interface, F-Secure Protection Service for Business's management console is outdated and difficult to use. This reaches a nadir in the profile editor, perhaps the ugliest of its kind, more reminiscent of a router configuration console circa 2002 than a host SMB endpoint protection product in 2016. I'm particularly concerned that when I accessed the Profiles tab, 116 different profiles appeared. Not only is this confusing, but potentially a security risk as F-Secure customers can see each other's security configuration. In order to edit profiles, I needed to download a Java application that was sluggish, poorly organized, and very difficult to read. F-Secure's poor profile management and configuration casts a pall over the entire product and compares negatively to Panda Security Endpoint Protection, Avast Software Premium Business Security, and Bitdefender GravityZone Business Security. F-Secure offers the most basic of roles-based account privileges where administrators can be given complete control or merely read-only. This is better than Kaspersky Small Office Security and Avast Software Premium Business Security, which lack role-based account privileges, but not as powerful as Bitdefender GravityZone Business Security and Panda Security Endpoint Protection, which allow for more granular settings including limiting an administrator to a specific group of devices. Reporting, Notifications, and HelpF-Secure's reporting leaves a lot to be desired, which is surprising given the product's business lineage. Reports are limited to four charts shown on a single page: Automatic Updates, Internet Shield, Overall Protection, and Virus Protection. Reports can't be customized nor can they be filtered. Reports are also static, meaning I couldn't drill down on an error condition to remediate it. F-Secure lacks both the ability to schedule regular reports and the ability to export reports. F-Secure integrates error condition notifications into the dashboard and anti-malware alerts into the Infections tab. This is a little confusing because I found I could either get an at-a-glance company-wide status from the dashboard or a deeply detailed status from the Infections tab. I found it especially helpful that I could subscribe to an RSS feed of my company's notifications. I'd like to see competitors such as Bitdefender GravityZone Business Security, Panda Security Endpoint Protection, and Avast Software Premium Business Security extend the reach of their notifications by offering an RSS feed like F-Secure's. Email alerts are not the same as notifications, and are focused instead on malware infections. Email alerts, while thorough and timely, are not customizable in terms of alert thresholds and email content. A major drawback to email alerts is that the settings apply to everyone equally. I could not, for example, send an alert about a blocked attempt to myself and an alert about a quarantined file to someone else. F-Secure's is not a user-friendly management console. Terms, settings, and tasks are rarely defined within the management console as they are in Panda Security Endpoint Protection and Bitdefender GravityZone Business Security. Context-sensitive help is available from some pages. Sometimes help is extremely useful and walks you through configuration and operation steps, and sometimes it is not. Clicking the Support Pages link on the top left-hand corner of the page took me to F-Secure's general (not product-specific) support page. There, I could choose between Latest topics and Popular topics, neither of which ever addressed my questions. I could also click Search, which opened a new browser window. Compared to Panda Security Endpoint Protection and Bitdefender GravityZone Business Security, F-Secure's help is awkward and time-consuming. Test ResultsTo test F-Secure Protection Service for Business's ability to block web-based attacks, I used a feed of newly-discovered malicious URLs supplied by efficacy assessment service MRG-Effitas. These links come and go extremely quickly; many of them are gone within hours. For each still-functioning URL, I recorded whether or not F-Secure blocked access in the browser, wiped out the download, or failed to identify and block the download at all. I tested 45 valid URLs. F-Secure's performance was excellent, blocking 72 percent of the malicious URLs and the malware they attempted to download. This places F-Secure significantly ahead of Kaspersky Small Office Security, on par with Avast Software Premium Business Security, and narrowly behind Bitdefender GravityZone Business Security and the leader, Panda Security Endpoint Protection. To measure F-Secure's ability to protect against fraudulent websites, I used a set of recently reported phishing URLs. I fed the same set of URLs simultaneously to four test systems, each with a different form of protection. The first was my Bitdefender test machine. The remaining three used the protection built into Google Chrome, Microsoft Internet Explorer (IE), and Mozilla Firefox. F-Secure's anti-phishing performance was lackluster, barely outperforming the built-in protections of Chrome by two percent, IE by four percent, and Firefox by five percent. F-Secure's anti-phishing protections fall short of those of Bitdefender GravityZone Business Security, Avast Software Premium Business Security, Kaspersky Small Office Security, and Panda Security Endpoint Protection. F-Secure also includes a feature called DeepGuard, which is designed to prevent damage by zero-day malware that is too new to have signatures. DeepGuard watches for a pattern of harmful behavior and blocks applications that seem suspicious. DeepGuard also blocks programs that are rarely or never seen, giving the user the option to allow the program to run and then monitoring that program closely if allowed to run. Technologies such as DeepGuard frequently cause false positives, because good programs often exhibit potentially suspicious behaviors. In order to assess DeepGuard, in particular its ability not to block legitimate applications, I installed a group of 20 PCMag.com utilities. No surprises here, F-Secure allowed me to install and execute them all, with no false positives. DeepGuard flagged about 30 percent of the samples to be closely monitored. To test the firewall, I attacked my test systems using 30 exploits generated by the Core Impact Pro penetration testing tool and none of them breached security. F-Secure actively detected and blocked the attacks as did Avast Premium Business Security and Bitdefender GravityZone Business Security. F-Secure gets excellent ratings from the independent test labs that test the solution. The product received 17 out of 18 points in AV-Test Institute's three-part protection (score of 6), performance (score of 5.5), and usability (score of 5.5) evaluation. AV-Comparatives rated F-Secure an Advanced+ (the highest rating) in a test designed to evaluate zero-day protection. In the other five of the tests they perform, F-Secure was rated Advanced, mainly due to false positives bringing down the score. F-Secure doesn't participate in testing conducted by ICSA Labs or West Coast Labs, and only entered four of the last 12 tests by Virus Bulletin. F-Secure received VB100 certification in three of those four tests. A Facelift On the HorizonF-Secure Protection Service for Business provides excellent anti-malware and malicious URL protection, yet is crippled by an outdated, sluggish, and confusing management console interface. We got a sneak peek at its now-live management console and its graphical approach will do a lot to increase usability. Until we can evaluate the new interface though, we have to caution against F-Secure when presented with more up-to-date and comprehensive options such as Editors' Choice Webroot SecureAnywhere Business Endpoint Protection.
Small to midsize businesses (SMBs) face most of the same security challenges as enterprises on a daily basis yet they typically lack the dedicated security staff expertise and resources of larger organizations. Although precise estimates vary, somewhere around half of all security incidents affect organizations with less than 1,000 employees. Sure, data breaches at Target and the IRS are what make the news, but it's important to remember that the threats to SMBs are very real and just as common—even if staggering dollar figures aren't always involved. In many cases, a SMB's IT administrator faces the same threats that teams of his or her enterprise counterparts face, except that he or she is likely to face them alone while trying to deal with 20 completely unrelated issues at the same time. This makes designing a security solution for a SMB audience a difficult contrast between ease of use and state-of-the-art technology shielding. Small fish still make big target, though. In a Visa and National Cyber Security Alliance (NCSA) survey of 1,000 small business owners, 85 percent believed that enterprises are more targeted than they are, yet another survey by the same group found that 20 percent of small businesses suffered a data breach in 2013. So, as long as your data holds value, criminals don't care how big your company is. Data that holds value includes employee and customer personal and banking information, sensitive corporate intellectual property (IP), sales and product information, and company financial information such as payroll data. There's also another angle: criminals can use the systems of a small business to exploit trust relationships with larger businesses. If this is the case, then the small business is held responsible for the damages done. Small But With High StakesObviously, the stakes are high in SMB security. Therefore, selecting SaaS endpoint protection software is a critical decision for IT administrators of SMBs. In many ways, you're choosing a partner that is going to help you secure servers, desktops, laptops, and mobile devices. This is likely to be a long-term partnership because you don't want to evaluate software solutions, roll one out, remove it, reevaluate, and redeploy. So, look for someone who has a track record of combating threats by evolving, refining, and adding new protection technology as applicable. This partnership is solidified when you choose a SaaS package instead of an on-premises package because, instead of buying software that you run yourself, you'll have daily interactions with software that's administered (and updated) by your vendor. SaaS, or cloud-based, endpoint protection software solutions have the advantage of reducing the complexity formerly required by their on-premises predecessors that typically run on dedicated servers. SaaS endpoint protection software solutions save you a great deal of time and effort that would otherwise have gone into hardening and patching the underlying server operating system (OS), and patching the management console and its underlying infrastructure. Cloud-based services can also be managed outside the office, which was possible to do but not that easy when the management server ran on-premises. In many cases, a hosted management console can be accessed and easily used from a mobile device. As an SMB security administrator, imagine getting an email alert on your phone that the business owner has encountered malware, then being able to log in to the management console from your phone's browser and initiate remediation activities. Another important advantage is that SaaS software solutions provide protections (and updates) to devices that are off of the corporate network. When your coworkers take their laptops on the road with them, they continue to be protected, and you retain the ability to monitor and manage their devices. Previously, once a laptop left the office, a security administrator might have to wait until it returned (or was connected via a VPN) to assess its security status, push updates, adjust policy, or remediate threats. Many SMB's employees heavily rely on mobile devices to do their jobs. This means that mobile platforms represent as rich a target to hackers and malware as office-based systems. Many businesses overlook mobile device security, leaving this data-rich target unprotected or entirely in the hands of employees who may or may not deploy consumer-grade protections. Security vendors are responding to these threats and have added protections for Android and iOS tablets and smartphones. Make sure to ask SaaS endpoint protection software solution providers if mobile is included (or at least available) and can be managed through the same hosted interface. You'll find richer security support for Android than for iOS. Much to the chagrin of customers, Apple selfishly continues to push its marketing agenda that iOS devices are safe from malware and refuses to work with security vendors. Vendors offer to manage devices (e.g., locate and remote wipe) and security policy (password strength, application control, and Wi-Fi settings) for iOS and Android, while offering full security software (e.g., anti-malware application scanning, firewall, and intrusion prevention) only for Android. Evaluating SaaS Endpoint Protection Software SolutionsPicking the right cloud-based or SaaS endpoint protection software solution is an important decision for a SMB. Choosing the wrong product could result in creating a false sense of security amongst users and management, and creating a management nightmare for administrators. Products that are needlessly complex are fine for enterprise security admins who live and breathe inside a management console, but you don't want to waste a SMB security administrator's time and effort—two things that are not in overabundance in any SMB. For this reason, and because there are significant differences between them, management consoles should be a critical decision making factor when selecting a SaaS endpoint protection software solution for your SMB. The best management consoles are uncluttered, intuitive, and have context-sensitive help waiting in the wings. Dashboards should provide a thorough assessment of company-wide security status and, when something is wrong, provide a quick and easy way to dive deeper, assess the issue, and resolve it. Reports should be helpful and informative whether they are active or passive or both. Policies should be preconfigured using best practices, with the ability to quickly and easily make changes should the administrator desire. For a busy SMB security administrator, alerts and notifications can be critical time-savers. Some may choose to stay logged in to a SaaS endpoint protection software solution, occasionally glancing at dashboards and interactive reports. Others may deploy their agents and then move on to other matters, depending upon notifications and scheduled reports to keep them up-to-date on the security of users and devices. If this is the case, pay particular attention to the number of possible notifications (such as malware detected, Web content policy violated, and potential malicious URL visited) and the capabilities of the product to manage (i.e., set thresholds and escalations) the alerts. FEATURED IN THIS ROUNDUP Sophos Cloud Endpoint Protection$14.33SaaS endpoint protection software solution Sophos Cloud Endpoint Protection combines an outstanding management console with good protection scores in our lab tests. Server lockdown, user-based policy management, and new application control features are its strong suits. Read the full review ›› McAfee Endpoint Protection Essential for SMBs$24.65McAfee Endpoint Protection Essential for SMBs talks about making SaaS endpoint protection easy for SMBs likely but doesn't do enough for most. The ePO Cloud management console is complex, with workflows that are often disjointed and awkward. However, if you can handle the interface, testing shows that McAfee's protections are solid. Read the full review ›› F-Secure Protection Service for Business$110.00F-Secure provides excellent endpoint protection but with a dated, cumbersome management console. We welcome the upcoming update to the console's look and feel, although it won't add features we'd like to see such as better reporting, customizable email alerts, and a customizable dashboard. Read the full review ›› Avast Software Premium Business Security$120.00Avast Premium Business Security is a good step up from the free offering, yet lacks many of the features (like reporting) required for businesses to take it seriously. An upsell front and center on my dashboard tells me that Avast doesn't even take itself seriously. Read the full review ›› Kaspersky Lab Small Office Security$149.99Kaspersky Small Office Security is an extremely basic web management console tacked onto Kaspersky's consumer product. It lacks many of the features businesses require and will only appeal to those who usually buy a consumer product for business. Protections are outstanding; management is insufficient. Read the full review ››

Doneo Castle

Even the best antivirus products are fairly utilitarian. You run a scan, make sure real-time protection is turned on, check that malware definitions are up to date, that sort of thing. Naturally the websites for these products are also strongly focused on the task of wiping out viruses (and on getting you to upgrade to a more advanced product). Doneo Castle, which the company claims is the "safest place on earth," varies from the norm. Its main Web page displays an imposing castle, and a sepulchral voice intones the product name ("done-oh castle") when you visit. Fun, right? And you get "completely clean data," without the need for a local antivirus. It's a lovely fantasy, but in reality, relying on this castle's walls to protect you would be a big mistake. Plans and PricingYou won't solve the mystery of Doneo Castle by signing up for a free trial. The closest you can come is an $8.99 refundable Happy Month subscription. There are plenty of other options: A $22.99 Safe Season subscription covers you for 90 days, and a $36.99 Six and Sound subscription is good for six months. For $69.99 you get a Best Year of protection for two devices. There's also a limited-time one-device $49.99 per year offer. They're Bad, We're GoodAccording to the Doneo Castle website, existing antivirus products "have the elementary structure of their first generation," and "still use a 20 year old algorithm which checks all files one by one against their virus database." They have a "primitive client-based structure" and can't match products in "resent [sic] years" that operate in the cloud. Current antivirus products "start scanning after the entrance of a virus in the system, which in any case put your security in danger." There are a few problems with those statements (besides the spelling and grammar). In truth, modern antivirus products use layer upon layer of protection. The old-fashioned signature-based detection system is still present, in most cases, but it doesn't work alone. Behavioral analysis, cloud-based detection, URL reputation checking: There are many technologies that go beyond Doneo Castle's claims, as you can see in our reviews of competing products. In particular, some products are very good at preventing malware from ever reaching your system. I run a test using very new malware-hosting URLs, checking whether products prevent the malware payload from reaching my test system. Symantec Norton Security Premium and McAfee AntiVirus Plus (2016) both earned 91 percent protection in this test. That's a far cry from "scanning after the entrance of a virus." Completely Clean Data?So what does Doneo Castle actually do? Once installed, it functions as a Virtual Private Network (or VPN), diverting all your Web traffic through the company's servers. According to the website, "All data before entering to your device will be checked against viruses, spyware, and malware by several engines." As a result, you receive "completely clean data." Doneo Castle relies on AVG's technology, along with the antivirus fighting powers of Avira Antivirus 2015 and Bitdefender Antivirus Plus 2016. Now, you may wonder why the company would rely on the same "primitive" and "20 year old" antivirus techniques decried by its own Web page. Sorry, I can't answer that. I did check with those three antivirus companies, asking about their partnership with Doneo Castle. The two that responded knew nothing about it; one mentioned bringing in the legal department. Difficult InstallationOnce you've signed up for the service, you can use your email address and password to enter the Chamber—the online dashboard for Doneo Castle. Don't try this on an old, small monitor. Unless your desktop is at least 1,280 pixels wide, you won't be able to see all of the Chamber, and there's no horizontal scrollbar. I had to widen my virtual machine's desktop in order to test this product. If you can't see all of the Chamber, you might not notice that you have some more work to do. Your incoming Internet traffic won't be sanitized until you install the VPN component, called Doneo Bridge. Fortunately, there's a utility to perform the installation. Unfortunately, it didn't entirely work in testing. I downloaded the DoneoBridgeCreator application, overriding Chrome's warning that it might be dangerous. I ran it, with no apparent effect. After some investigation, I found that it only worked if I right-clicked the file and chose Run as administrator. How many average consumers would figure that out? The company fixed this problem just before I completed the review. The fix seems to work, though of course, it doesn't help customers who hit the earlier problem and gave up. Once the utility finished its work, I did find Doneo Bridge as an available network connection. Alas, it rejected my attempt to log in, stating "Connections that use the L2TP protocol over IPSec require the installation of a machine certificate." It took quite a bit of digging to sort that one out. Naturally the real problem didn't relate to a certificate. It seems the installer failed to populate the Doneo Bridge connection's authentication properties with the correct pre-shared key. Going back to the Chamber, I found a link to "instractions [sic]" for manually installing Doneo Bridge. Poring over the steps (more than 20 of them) I found the key, entered it manually, and finally managed to connect to the Doneo Bridge. Whew! The instructions for manually installing the connection are specific to an earlier version of Windows—I'm guessing Windows 7. If you try to follow them in Windows 8.x or Windows 10, you'll hit a wall. Just before the release of this review, the company contacted me, reporting that they'd fixed the missing key problem. I verified that indeed the Doneo Bridge installer now runs correctly and doesn't need the Run as administrator workaround. Once again, though, this doesn't help users who gave up on encountering the problem before it was fixed. Poor ProtectionI double-checked that the product was installed correctly by attempting to download the EICAR test file, from the Anti-Malware Testing Standards Organization (AMTSO) Security Features Check page. Doneo Castle correctly blocked access to direct download of the file, though it failed the drive-by download test using the same test file. My malicious URL blocking test does use direct download, so it was time to proceed. For this test, I use a feed of recently discovered malware-hosting URLs, generously supplied by MRG-Effitas. When I run this test on a full-scale antivirus tool, I give equal credit for blocking URL access and for wiping out the malicious payload. With Doneo Castle, URL-blocking is the sole line of defense. I found that it took a very noticeably long time for the browser to open many of the URLs; I assume this was due to processing time on the Doneo Castle servers. In some instances, I got a large notification in the browser window stating that Doneo Castle blocked an infected file. It listed the filename and also displayed the three antivirus engine names with a checkmark next to the ones that detected the malware. Doneo Castle's accuracy was disappointing. Out of 100 malware-hosting URLs, it blocked just 31. That's a far cry from the promise of "completely clean data." As noted earlier, some products managed 91 percent protection in this test. Comparing it only with URL-based blocking by other products, Doneo Castle still doesn't look great. McAfee and Trend Micro Antivirus+ Security 2016 managed 85 percent strictly at the URL level. A product that offers nothing but Web-based protection needs to be really, really good at it. Doneo Castle isn't. Further DifficultiesAfter I managed to connect to the Doneo Bridge, I observed that nothing changed back in the Chamber. It still advised me to set up Doneo Bridge. Worse, after a reboot the bridge connection was lost, without any indication or warning. The average user wouldn't notice the loss of Doneo Castle protection, and would probably have a tough time figuring out how to log into it again. Among the choices on the Chamber's left-rail menu are My Key (to manage username and password), Statistics, FAQ, and Contact Us. These, along with the other left-rail menu items, did nothing. It turns out this was because I was running the product in a virtual machine. For some reason, Doneo Castle only works with Firefox inside VMware VMs. On a physical test system it functioned correctly under Firefox, Chrome, and Internet Explorer. Clicking the Statistics button got me a more detailed list of URLs that passed or failed Doneo Castle's safety check. It even listed which of the three antivirus engines blocked a bad URL. The Gift menu item is echoed by a Gift button. This lets you give "days of your own residency at Doneo Castle" as a gift. Basically, you shorten your own subscription period by offering a portion of it to a friend. Not surprisingly, the Purchase button and menu item both work fine. They bring up a page that lets you extend your subscription. Have Fun Storming the Castle, Boys!I really wanted Doneo Castle to be a winner. The imposing castle on the home page is so much more interesting than almost any competing site. I even sort of like the slightly wacky stream-of-consciousness screeds on the main page, e.g. "Our Leader Vint Cerf, Father of the Internet, crossed over to the telco side of the force. Cerf Vader and legions of imperial stormlawyers are now defending the death stars against the insignificant ISPwoks." (Not joking.)  Unfortunately, the protection just doesn't perform as promised. Perhaps in the future (or in a galaxy far, far away) Doneo Castle will reappear and make good its promise of "completely clean data." Until then, stick with our Editors' Choice antivirus products Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, and Webroot SecureAnywhere Antivirus. And don't believe anyone who says those products are relying on primitive 20-year-old technology.
What constitutes a "bad" ad ranges from phishing attempts and blatantly counterfeit products to straight-up malware. Just how many people ran afoul of Google's advertising policies in 2015? A lot. According to a new blog post, Google had to block 780 million "bad" ads last year. It also blocked advertising on more than 25,000 mobile apps after app developers violated Google's policies, and it outright rejected 1.4 million apps from websites and app developers who wanted to show Google's ads but not play by the company's rules. "When ads are good, they connect you to products or services you're interested in and make it easier to get stuff you want. They also keep a lot of what you love about the web—like news sites or mobile apps—free," Google said. "But some ads are just plain bad—like ads that carry malware, cover up content you're trying to see, or promote fake goods. Bad ads can ruin your entire online experience, a problem we take very seriously. That's why we have a strict set of policies for the kinds of ads businesses can run with Google—and why we've invested in sophisticated technology and a global team of 1,000+ people dedicated to fighting bad ads." A "bad" advertisement, as described by Google, can come in a variety of forms. Rejected ads include those that attempted to sell blatantly counterfeit merchandise—like fake purses or watches—as well as ads for pharmaceuticals that either weren't approved for people to actually use (not good) or made blatantly false claims about their efficiency compared to prescription-backed alternatives. Google also went after misleading weight loss ads that were just phishing scams ads that tried to encourage users to download malware or other spammy software. Ads whose content was fine, but whose practices were not, also found themselves targeted by Google. "We've all been there. You're swiping through a slideshow of the best moments from the Presidential debate when an ad redirects you even though you didn't mean to click on it. We're working to end that. We've developed technology to determine when clicks on mobile ads are accidental. Instead of sending you off to an advertiser page you didn't mean to visit, we let you continue enjoying your slideshow (and the advertiser doesn't get charged)," reads Google's blog post. Going forward, Google will be going after weight-loss advertising a bit more and beefing up its targeting of advertising that encourages people to visit or install malware. Google likely has a few other tricks up its sleeve to combat bad advertising, but it did not elaborate.
How do you fight human trafficking? Prohibit the sale of smartphones with impenetrable encryption. At least, that's one California lawmaker's plan. Assemblymember Jim Cooper this week introduced a new bill that would "require a smartphone that is manufactured on or after Jan. 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider." If passed by the State Assembly and Senate, then signed into law by Gov. Jerry Brown, the new rule would affect current iOS and Android devices, which are encrypted by default, so not even Apple or Google can crack them. "Human traffickers are using encrypted cell phones to run and conceal their criminal activities," Cooper said in a statement on Wednesday. "Full-disk encrypted operating systems provide criminals an invaluable tool to prey on women, children, and threaten our freedoms while making the legal process of judicial court orders useless." [embedded content] Cooper, who was a captain with the Sacramento County Sheriff's Department for 30 years, acknowledged to Ars Technica this week that the legislation would render the sale of his own iPhone illegal in the state. But that hasn't stopped him from encouraging the change. "If smartphones are beyond the reach of law enforcement, crimes will go unsolved, criminals will not be held accountable, victims will not receive justice and our ability to protect our children and community will be significantly compromised," Sacramento County District Attorney Anne Marie Schubert said in a statement. Cooper's bill, titled "Human Trafficking Evidentiary Access," mirrors a similar, terrorism-focused bill introduced in New York earlier this month. The New York State Assembly is currently examining a bill that would require Apple, Google, Microsoft, and other phone vendors create backdoors for decrypting devices, PCMag's sister site ExtremeTech reported. This marks the second time the proposed legislation has been sent to committee, and there is currently no vote scheduled. The issue is complex. Like Cooper, law enforcement argues that encryption can prevent them from monitoring and stopping criminal activity, from drug deals to terrorism. Agencies like the FBI have requested special, or "back door," access to content on smartphones when necessary, but in a post-Snowden era, major tech companies do not want it to look like they are in cahoots with the government. As such, Apple and Google turned encryption on by default in iOS 8 and Android Lollipop, respectively. Both say that if they create a back door for the feds, that same back door could be breached and misused by criminals. Though the Obama administration has encouraged the tech community to work with law enforcement on the issue, last year it backed off plans to force companies like Google and Apple to change their products.
Every modern Windows installation comes with free antivirus protection from Microsoft built in. We've never advised users to rely on the built-in Windows Defender—the best third-party antivirus applications are significantly more effective. Even the antivirus testing labs treat Microsoft as a baseline, rather than as a competitor. Lately, though, Microsoft has been faring better and better in tests, which puts the pressure on other vendors to match or beat the baseline. Just a few years ago, Microsoft routinely tanked third-party tests, sometimes earning a below-zero score. Microsoft's own security experts argued that their telemetry shows the product really works, and therefore they don't need independent tests to validate its efficacy. Even so, current events suggest that perhaps the Microsoft team is now working to score big both in their own telemetry and in independent tests. Testing MethodsAV-Test Institute is one of the labs that treats Microsoft's test results as a baseline. They don't come out and say this, but if a product doesn't beat the baseline, it's not doing very well. The test in question rates products on protection, performance, and usability, with six points possible in each area. To pass the test, a product need only attain a total score of 10 points, with a non-zero score in each of the three categories. It's been a while since any product failed to reach that minimal level of success. In last November's report, Microsoft scored 14.0 points. Of the 20 tested products, 14 scored better than that baseline. Avira, Bitdefender, Kaspersky, and Norton managed a perfect 18 point score. ThreatTrack Vipre and Chinese antivirus Quick Heal didn't beat the baseline, though. Comodo, G Data, and K7 scored the same as Microsoft, no better. Raising the BarIn the latest results report from AV-Test, things look quite different. Microsoft scored a very decent 15.5 of 18 possible points. This time only 9 of the 20 products beat the baseline. Avira, Bitdefender, and Kaspersky stayed at the top, with 18 points, but Norton dropped to 17. Vipre and Quick Heal also stayed the same—below the baseline. They're joined by AhnLab, Comodo, ESET, and Panda. Four others merely matched the baseline, F-Secure, G Data, K7, and MicroWorld eScan. So, antivirus vendors, you're on notice. Microsoft is raising the bar. This current success and other triumphs like a AAA rating from Dennis Labs mean that third-party antivirus products must up their game, or be left in that dismal spot below the baseline. Image (modified) courtesy of Flickr User Alexander Mueller.
This copycat Chinese shopping app behaves like the real deal, just with some extra malware thrown in. Malware pretending to be legitimate software is one of the oldest tricks in the hacker book. You download an app hoping it does what it says it does and it just loads your phone with ads or spying programs instead. But what do you do when an app performs its intended function while doubling as malware on the down low? The latest mobile threat tip from security company Malwarebytes details a real shopping app that's also real Android malware. Secret ShopperThe fake Taobao Client, designated Trojan.FakeUpdates.f by Malwarebytes, purports to be an update for the real Taobao, a popular Chinese shopping app. By claiming to be an update, the malware hopes users of the legitimate app will download this imposter as well. Unsurprisingly, it's available for download on unregulated third party app stores. Here's where things get tricky. The fake Taobao Client works just like the real deal. You can actually use it for shopping. With other malware, the broken promise is what immediately lets victims know that something is wrong, but not so here. However, something is wrong. As you use the fake Taobao Client, unaware of its true dangerous nature, it begins executing its additional malicious code. This code runs on receiver and service names that start with "com.google" to hide its existence, and it can install more, potentially dangerous app on your device under your nose. Taobao Client isn't the only legitimate Chinese app with a shockingly convincing malware counterpart. Malicious code has also been found in Huawai Hotalk and other Chinese apps. This incident also reminded us of the recent drama over XcodeGhost. In that case, well-intentioned developers were using a bootleg version of Apple's app-creating software and inadvertently infecting their real iOS apps with malware. Staying SafeIf even the most seemingly trustworthy and functional apps on third party markets can still be secret malware, that should tell you that the Google Play store, the official source, is the only safe place to download Android apps. And to make your Android phone or tablet as safe as it can possibly be, get one of the best Android antivirus apps. When even the apps that work can still be malware, what's real anymore, man?

LastPass (for Android)

It's nearly impossible to keep track of all the logins and passwords you need for every app and website, which is why you should be using a password manager like LastPass—even on your mobile device. This excellent Android app lets you easily access your personal information and passwords wherever you are. You can also use it to create new entries, share passwords securely, and even bequeath your passwords to someone else. It's a great value, and an easy PCMag Editors' Choice. Pricing, Setup, and SecuritySetting up a new LastPass account from an Android device is remarkably simple. Just download the free app from the Google Play store, enter an email address, and create a unique master password that will be used to secure all your other passwords. This, in theory, is the only password you need to memorize once you start using LastPass, so make it a good one. I had no trouble starting from scratch on my Nexus 5 or logging into an existing account on my Nexus 6. When you create a LastPass account on a smartphone, you can sync those passwords among any smartphones you own, for free. If you want to use a computer or a tablet in addition to your Android, you'll have to pay $12 a year for LastPass Premium. There are few other perks to a Premium account, but that's the most important one for Android users. Creating a new account with Dashlane is a bit more tedious, but the app starts out by importing all your passwords from other machines. It takes a bit of work, but Dashlane lets you really hit the ground running. LastPass also supports a variety of two-factor authentication options, such as Duo Mobile and Google Authenticator. The app can also be unlocked with a fingerprint reader, should your Android device include one. For more on the advanced features, be sure to read our full LastPass review. In the last few years, we've seen LastPass weather some security storms. One came from a problem with the Windows desktop app which left information exposed in memory. A more recent incident was far more serious: Hackers were able to extract encrypted data from LastPass's servers, but weren't able to decrypt it. (LastPass uses AES-256 encryption.) In both cases, I was impressed with how quickly and honestly LastPass dealt with the crises. No service is completely bulletproof, so I think it's important to judge companies by how they respond to attacks and breaches. Using LastPassAlong with the Web version of LastPass, the Android app has been updated with new features and a more refined interface. The app now moves much more smoothly than before, and features big, colorful icons that make it easier to differentiate between entries. It's a welcome design refresh that looks thoroughly Android. But the Android version gets several features not afforded to iPhones (though an update for iPhone users is coming very soon). For example, LastPass on Android has long supported copy notifications—shortcuts in your notifications list that copy the username and password with a tap. The current version of LastPass goes even further, displaying a pop-up window in Chrome, which matches the website you are visiting to an existing LastPass entry or letting you search for a different entry. LastPass also supports InBrowser, Opera, Javelin, and Javin; and has limited support for Boat, Yandex, HTC Sense, Dolphin, Silk, and Ghostery Private Browser. Plug-ins are available for Firefox Mobile. Dashlane doesn't include this feature, although both it, and LastPass, can fill your login information into apps—a handy trick for Android users. The autofill window works well in my experience, though I sometimes get annoyed at having the pop-up in my face. That's fine: you can suppress the autofill window on specific apps or turn it off entirely. You can also search your LastPass archive for entries you've already saved and launch them like bookmarks using the browser included within LastPass. LastPass form-filling profiles automatically fill the blanks in online forms with personal information such as name, address, bank account, credit card number, and so on. They're great for creating new accounts or making purchases. As of this writing, filling forms only works within the built-in LastPass browser. That's disappointing, but it's still more convenient than filling in the information by hand. I really like that if you fill in a form with new information while using the LastPass browser, LastPass offers to save it as a new entry. Even when you use the app to generate a new password. If you're using a form-fill profile to create a new account, you'll probably need a strong password to go with it. Never fear, as LastPass includes its excellent password generator in the Android app. With just a new tap, you're given a unique, complex password. Of course, you should have the longest and most-complex password the site or app will allow, so LastPass has options for password length, pronounceability, use of capital and lowercase letters, how many numbers to add, whether or not to include special characters, and whether to avoid ambiguous characters like O and 0. I really like how LastPass handles creating new entries and saving generated passwords. Just tap the Plus button in the lower right to create an entry for a website, a Secure Note, or a new Form Fill Profile. You then fill in the information, generate a new password, and save. I particularly like that LastPass automatically suggests URLs as you create your entries, so your Twitter password is linked immediately to Twitter. Alternatively, you can just generate a new password from the hidden left tray and save it as a new entry or overwrite an existing one. One of the most-powerful features in LastPass is sharing, and the same is true for the Android app. Generally, sharing passwords is a really bad idea, but you may share a bank account with a partner or a Twitter account with a work colleague. LastPass lets you share individual passwords, or whole folders of passwords, with other LastPass users. Brilliantly, LastPass can share the entry without revealing the password. This lets you share access but keep the actual password obscured. While you can share individual passwords from the Android App, you can only modify the permissions of your shared folder from the app. To create that shared folder, you need to use LastPass' website. Dashlane has long included a digital legacy tool to pass on your passwords to a trusted individual or individuals should you become incapacitated or die. LastPass has followed suit with a tool called Emergency Access. Like Dashlane, LastPass lets you select how long the person has to wait before he or she can access your information. It's a neat little fail-safe that ensures your heir can't grab access to your passwords before you've passed on. An Essential ToolThough they are irritatingly ubiquitous, passwords matter a lot. One weak, recycled password can lead to a domino effect in which an attacker gains control of every service that uses the same password. If that includes your email, you're in real trouble because now the attacker can use the "forgot my password" link on websites to start changing passwords and locking you out. That's why it's critically important that you have unique passwords for each and every site and app you use, so please, for security's sake, get a password manager.  And when it comes to password managers, LastPass is hard to beat. It offers excellent tools, including ones specially made for mobile users. Its Premium tier is affordable, and its free service extremely generous. Features like password sharing and digital legacy mean that you can finally share passwords in a smart and secure way. That's why LastPass continues to be our top pick for Android password manager.

ESET NOD32 Antivirus 9

The vast majority of popular antivirus products get their names from the publishing company's name, or from a security-related acronym. ESET marches to a different drummer—the company is named after the Egyptian goddess of health, fertility, and protection against disease. ESET NOD32 Antivirus 9 is the company's latest standalone antivirus product, and it proves quite effective in testing. A one-year subscription costs $39.99, roughly the same as Emsisoft Anti-Malware 10.0, F-Secure Anti-Virus 2016, and several other competing products. You can freely tweak your subscription to select the desired number of licenses and years. For example, a one-year three-license subscription costs $59.99. This edition has a brand-new user interface, strongly influenced by ESET's extensive usability testing. The familiar blue and silver ESET robot gazes intently from the main window, just to the right of a status banner that normally displays "You are protected" on a green background. If there's any problem with security configuration, the banner changes to a red Security alert, and a panel below both explains the problem and, when possible, offers a quick fix. Installation is a multistep process that includes downloading the latest program code at the start and downloading the most current malware definitions at the end. In between you have a couple of decisions to make. You can choose whether or not share nonpersonal program activity with the company via its LiveGrid system. And you must choose what to do about Potentially Unwanted Applications, or PUAs. PUAs aren't actively malicious, but they may use up system resources, display annoying ads, or otherwise cause trouble. Most antivirus programs include the ability to detect and remove PUAs, though not all of them enable this feature. ESET insists that you make the choice. You can't complete the installation without choosing whether or not to detect PUAs. Mostly Excellent Lab ResultsFor the most part, ESET's technology gets very good ratings from the independent testing labs. To get a VB100 rating from Virus Bulletin, a product has to detect 100 percent of the malware samples without wrongly identifying a single valid file as malicious. ESET participated in all 12 of the latest 12 Virus Bulletin tests and earned VB100 every time. Bitdefender Antivirus Plus 2016 is the only other product that matched this feat. I follow five of the many tests performed by AV-Comparatives, including a couple simple file detection tests, a whole-product dynamic test, and a test that measures how well antivirus products remove malware infestations. ESET earned Advanced+, the best rating, in four of the five tests. In the malware removal test, it still managed an Advanced rating. Results weren't as uniformly impressive in AV-Test Institute's three-part test. ESET managed 5.5 of 6 possible points for protection against malware, and the maximum 6 points for usability (meaning that it didn't screw up by identifying valid programs and sites as malicious). However, it only earned 3 of 6 possible points for performance, for a total of 14.5 points. Kaspersky Anti-Virus (2016) and Symantec Norton Security Premium managed a perfect 18 points in the same test, as did Bitdefender and Avira. Bitdefender and Kaspersky in particular take top scores across the board in independent lab tests. See How We Interpret Antivirus Lab Tests Malware Scanning ChoicesESET's full scan on my standard clean test system took 28 minutes, a good bit below the current average of 40 minutes. Some products optimize their scanning during that first scan, taking repeat scans from fast to super-fast. For example, both AVG AntiVirus (2016) and Total Defense Anti-Virus (2015) managed a repeat scan in barely one minute. A repeat scan with ESET took just three minutes, so it clearly performs a similar scan optimization. In addition to the ordinary on-demand and scheduled scans, ESET has a few other scanning tricks up its sleeve. From the Help and Support page, you can launch the ESET Specialized Cleaner, which aims to remove complex and persistent malware. For malware that interferes with booting Windows, or with running ESET, you can scan from an alternate operating system. Clicking SysRescue Live on the Tools page gets you the option of downloading a bootable ISO image of the SysRescue antivirus scanner or a program that can create a bootable CD or USB drive containing the scanner. In addition to a malware scanner that sidesteps all Windows-centric malware, the SysRescue environment includes a browser and live chat support tool, a PDF viewer, a number of system tools, and even a partition manager. Hands-On Malware Blocking TestsIn my own hands-on malware blocking test, ESET did a decent job, but not an outstanding one. When I initiated the test by opening a folder full of malware samples, its real-time malware scanner eliminated 36 percent on sight. Many competitors wipes out way more at this point. AVG, McAfee AntiVirus Plus (2016), and Panda Antivirus Pro 2016 all creamed 86 percent of the samples as soon as I opened the folder. I launched the surviving samples one by one and recorded how ESET handled them. It made a clear distinction between definite malware and PUAs. It immediately quarantined the former, displaying a transient popup reporting that a threat was found. For PUAs, it popped up a query explaining the situation and asking whether to let the program execute. I always chose to block PUAs. Overall, ESET detected 89 percent of the samples, and scored 8.6 of 10 possible points. That score puts it in the lower half of products tested with this same sample set. Bitdefender and Avast Pro Antivirus 2016 share the top score in this group, 9.3 points, and Webroot SecureAnywhere Antivirus (2015) managed a perfect 10 when tested against my previous collection. As I've mentioned, I refresh my static set of malware samples about once a year, so this simple malware-blocking test doesn't reflect the latest malware. My malicious URL blocking test, on the other hand, uses malware-hosting URLs no more than a day or two old, from a feed generously supplied by London-based MRG-Effitas. In this test, I launch nasty URLs one after another and note whether the antivirus blocks access to the URL completely, wipes out the malicious payload, or sits idly doing nothing. I continue until I've recorded the results for at least 100 URLs. ESET earned an 84 percent blocking rate, evenly divided between blocking URL access and wiping out downloads. That's better than almost all the competition, though Norton and McAfee both managed 91 percent in this test. Interestingly, ESET distinguished between known malware-hosting websites and sites whose content is uncertain, or potentially unwanted. It blocked the known bad sites outright, displaying a warning in the browser as well as a red transient warning. As with PUAs, it used a yellow-framed dialog box to ask whether it should block the potentially dangerous sites. See How We Test Malware Blocking Impressive Phishing ProtectionYou'd think that a strong ability to block malicious websites would translate into an equally strong ability to protect users from phishing sites—fraudulent sites that try to steal your security credentials. I frequently find, though, that these two don't correlate. ESET, thankfully, performs well in both areas. To test an antivirus product's ability to protect against phishing, I use the most recent fraudulent sites I can get. As much as possible, I use sites that have been reported as possible fakes but not yet analyzed and blacklisted. The products that do best in my phishing protection test actually analyze page content, so they can detect frauds with or without help from the blacklist. Once I've collected my samples, I launch them one at a time in five browsers, one protected by Norton (which consistently does a great job against phishing sites, one by the product under testing, and one apiece by the phishing protection built into Chrome, Firefox, and Internet Explorer. Few products come close to Norton's detection rate; many can't even beat the protection built into popular browsers. ESET's detection rate came in just 8 percentage points behind Norton's, and it beat out all three of the browsers. That's pretty good. Just a handful of competitors tracked Norton's detection rate more closely than ESET. Of recent products, only Bitdefender has scored better than Norton. See How We Test Antiphishing Host Intrusion Prevention SystemWhile it doesn't actively offer firewall protection, ESET's antivirus does include a Host Intrusion Prevention System (HIPS). After confirming with my ESET contacts that this feature should kick in to block exploit attacks, I ran the exploit test that I usually reserve for products that include a firewall. Specifically, I hit the test system with about 30 exploits generated by the CORE Impact penetration tool. I found that ESET detected and blocked about 43 percent of the attacks, identifying the majority of them using the official CVE name. That's actually a better score than achieved by many products that specifically offer firewall protection, though it doesn't come close to Norton's 100 percent detection rate. Other Bonus ToolsIf you allow it to access your system, ESET's LiveGrid system communicates nonpersonal data to ESET central. This includes information about what programs are installed. Whether you participate or not, you can get the benefit of LiveGrid by clicking Running Processes from the Tools page. In addition to listing all processes running on your system, this tool displays the prevalence of the process among ESET users by filling in 10 little person icons. On my test system, even the most common processes only got seven icons filled in. It also reports how long the process has been in ESET's database. A very new process with very few users is naturally suspect. Another tool lets you watch file system activity, reporting the amount of data read and written over recent seconds, minutes, or hours. There's also an option to compare the hourly read/write rates with rates from previous months. The average user probably won't use this tool. The SysInspector tool gathers detailed information about your system's hardware and software. This is most likely to be used by ESET tech support. In testing, I found it took a very long time to generate a log report. A Good ChoiceESET NOD32 Antivirus 9 is visibly improved over version 8, which scored poorly in our antiphishing and malicious URL blocking tests. It earned excellent scores in most (but not all) of the independent lab tests that I follow. You won't go wrong choosing ESET for protection. Even so, you'll get even better protection from our Editors' Choice picks. Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely ace independent lab tests. McAfee AntiVirus Plus protects all of your devices for a single subscription price. And the unusual detection system used by Webroot SecureAnywhere AntiVirus makes it by far the tiniest antivirus around.
The crashsafari.com URL overloads the browser, forcing an iPhone or iPad to heat up and restart. Apple users: Beware of a sneaky link that will crash Safari. As The Guardian reports, those who click on crashsafari.com will, not surprisingly, crash their browser. Apple iPhones will then heat up and reboot thanks to "an ever-increasing string of characters" bogging down a phone's memory. The link also crashes Safari on iPad and Mac. It could also slow down Chrome on Android, Mac, and PC, the paper said, as well as Firefox. Shutting down the competing browsers and rebooting iOS devices, however, appears to fix the problem. It's probably not smart to click on a URL called crashsafari.co, but tricksters could hide the address via a link-shortening program, so be on the lookout. The prank site even has its own Twitter handle: "What better way to prank someone than crash their device," the @crashsafari bio says. According to IT security company F-Secure, one of the shortened "Crash Safari" links was already clicked more than 100,000 times as of Monday. Apple did not immediately respond to PCMag's request for comment. The URL comes eight months after Apple killed a Messages bug that crashed an iDevice with a few choice symbols. Its main purpose, as reported at the time, was to reboot the phone and, in some cases, block a person from using the built-in Messages app. Editor's Note: This story was updated on Jan. 27 to correct the crashsafari.co URL.