Individuals and organizations frequently use various software security systems to protect their computing devices against abnormal and/or unwanted activity. Such security systems may attempt to detect malicious files, behaviors, and other computing events on an endpoint device and then block, remove, or otherwise prevent these threats from harming the endpoint device.
Customers that purchase or implement software security systems may wish to evaluate the performance of these systems. For example, a customer may wish to assess the length of time a security service requires to determine the reputation of files after the files are first detected within an endpoint device or enterprise. Traditional systems for performing such evaluations may periodically capture virtual images of security systems and/or security databases implemented on endpoint devices within an enterprise. For example, a conventional evaluation technology may record a virtual image of the malware definitions stored on an endpoint device every day, or as the definitions are updated. The evaluation technology may then retrospectively determine the day on which the security service that provided the malware definitions was first able to detect a particular security threat.
Unfortunately, this process of capturing, storing, and analyzing virtual images of endpoint devices may require prohibitively large amounts of computing resources. Furthermore, conventional evaluation technologies may be unable to comprehensively analyze security information known to a security service on particular days in the event that the security service stores malware signatures and/or other analysis tools remotely. The instant disclosure, therefore, identifies and addresses a need for systems and methods for evaluating security services.