Putting Signature-less IPS to the Test (Blog 4 of 4)

By on Nov 25, 2014

We’ll be releasing four blog posts over the next week. Each blog will contain a repeated clue word to help you solve the puzzle below. Track all four clues to help solve the final puzzle and for a chance to win a Nikon D3200 DSLR camera and 18-55mm lens! To enter the contest, after the last blog, email us at with the right answer and the clue words. Submissions should be sent in by December 3rd.

Puzzle:  This comic book superhero is a legend in print and movie

Blog 1 clue (11/13): Publishing company
Blog 2 clue (11/18): Movie
Blog 3 clue (11/20): His Superhero power
Blog 4 clue (11/25): The Superhero’s Alias

I’ve been writing recently about the whys and hows of signature-less malware detection. We’ve talked about the exploding volumes of new malware attacks and the stark future of signature-based security. We’ve talked about different types of signature-less detection and the roles they play in a deeply stacked defense. We’ve paid particular attention to dynamic sandboxes—why they’re invaluable, and why they’re vulnerable without static code analysis as a backstop.

Maybe the only thing we haven’t talked about is just how effective signature-less inspection really is when it really matters. So let’s fix that, because the test work has been done and the numbers are stark and conclusive.

Back in May, AV-TEST GmbH, the independent IT security institute, tested the signature-less malware detection performance of McAfee Network Security Platform. AV-TEST analysts configured a test environment consisting of a client PC and a web server loaded with 12,132 prevalent malware samples, 131,871 malware zoo samples, 4,752 malicious PDF documents, and 7,616 malicious Microsoft Office documents. 96,722 clean files were included for false positive testing. Security consisted of a McAfee IPS M-4050 appliance, a McAfee Network Security Manager server, a McAfee Network Threat Behavioral Analysis appliance and a McAfee Advanced Threat Defense appliance.  The client system made HTTP GET requests for each sample on the web server. Requests were transparently passed through the IPS appliance, which analyzed the sample download.

Test sequences were run under two protection policies: (1) all IPS signatures enabled, and (2) all IPS signatures disabled. The results were essentially identical. With signatures enabled AND disabled, McAfee Network Security Platform detected 99.98 percent of 156,371 total samples, including 99.98 percent of prevalent malware, 99.995 percent of zoo malware, 99.66 percent of infected PDF files, and 99.91 percent of malicious MS Office documents. False positive performance was equally stark and impressive: seven false alerts with signatures enabled (0.001 percent), and just two with signatures disabled (0.00 percent).

In their report, AV-TEST analysts write, “The McAfee Network Security Platform from McAfee is a modular and extensible solution for a corporate security infrastructure. Though we endorse McAfee recommendation not to run for extended periods with IPS signatures disabled, this test shows that McAfee Network Security Platform’s signature-less capabilities alone (IPS signatures disabled) are able to detect the majority of malware samples in the network with a minimum of false positives.”


  1. Congratulations Rahul Solanki from London, UK for submitting the winning entry for this blog contest! Keep an eye out for one last blog contest later this week for another fantastic prize!
