Dear friends and colleagues!
I need to make the following very important statement. Unfortunately, the Russian representative office of ESET, backed by Leta-IT, is continuing to discredit the Anti-Malware.ru portal, the Anti-Malware Test Lab and me personally.
Recently, it has come to my attention that ESET, at the suggestion of its Russian subsidiary, is conducting a propaganda campaign (particularly in the West) in which they claim the portal is associated with Kaspersky Lab. Their actions very nearly jeopardized the alliance with AV-Comparatives. Evidence of the ESET subsidiary spreading false or distorted information has come to my notice on several occasions over the last few months.
The final straw was when a scanned image of my passport started circulating with my real name (rather typical of the company’s style, wouldn’t you say?) in an attempt to prove that I work at KL. I’ve never actually tried to hide the fact that I work for KL (read here).
What’s all this about, you may ask. What kind of threat does Anti-Malware.ru pose to ESET? It’s all perfectly simple:
1. Our tests. The results have put a proverbial spanner in the works when it comes to ESET’s strategic advancement of their products. Say what you like, but at the end of the day, their products don’t perform as well as their advertising or web site would have you believe.
2. An unsuccessful takeover attempt. In a word, it is straightforward blackmail: "Sell us your portal or we’ll shut you down by waging an information war!" Alexander Chachava, CEO of Leta-IT Company, and Dmitry Popovich, ex-CEO of ESET Russia, were involved in the negotiations. The latter hinted several times that the portal would suffer the consequences if there was a refusal to sell. I can’t stand being threatened or blackmailed. So go ahead, try and shut us down!
In connection with the facts outlined above, the Anti-Malware Test Lab is forthwith severing all ties with the Russian subsidiary of ESET and Leta-IT.
Polymorphic malicious programs (also referred to hereafter as viruses) are capable of completely mutating with every new infection, generating multiple samples of themselves.
When scanning files on a computer using the traditional method, antivirus products search for specific traces of a virus – a signature. If the code of a virus that has been assigned a signature is modified, it will no longer be possible to detect it using that signature. A polymorphic virus is capable of performing such modifications to any of its parts.
As a rule, detecting polymorphic viruses makes use of a detection algorithm that is specially developed for each individual virus. The aim of this test is to assess the quality of the special algorithm function in various antivirus products.
Moreover, because polymorphic viruses are the most difficult viruses to detect, the ability to do so reflects the level of professionalism of an antivirus product’s developers. They not only have to analyze the complex variants of the viruses but also develop a reliable procedure and methodology to ensure 100% detection rates.
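The difference between a fixed signature and a family-specific detection routine, as an added example that is not code from the Anti-Malware.ru page or from any tested product. The "virus body" is a constructed, harmless byte string; the mutation is a per-sample XOR key applied to the body behind a short invariant stub that carries the key. The stub layout, the signature slice and every name are assumptions made for the illustration.

```python
"""
Added example, not code from the page: why a fixed byte signature stops
matching once a polymorphic sample re-encodes itself, and what a detection
routine written for that one family has to do instead (locate the invariant
part, undo the encoding, then match).
"""
import os

# Constructed harmless stand-in for a virus body; the signature is a slice of it.
BODY = b"CONSTRUCTED-BENIGN-BODY: stands in for the code of one virus"
SIGNATURE = b"BENIGN-BODY"
STUB = b"PX"  # constructed invariant marker of the decryptor stub (assumption)


def mutate(body: bytes, key=None) -> bytes:
    """Produce one new 'infection': invariant stub, the key byte, then the XORed body."""
    if key is None:
        key = os.urandom(1)[0] or 1  # key 0 would leave the body unchanged
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Traditional scanner: look for the fixed byte string as it is stored."""
    return signature in sample


def family_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Family-specific algorithm: find the invariant stub, recover the key,
    undo the encoding, and only then apply the signature to the decoded body."""
    idx = sample.find(STUB)
    if idx < 0 or idx + len(STUB) >= len(sample):
        return False
    key = sample[idx + len(STUB)]
    decoded = bytes(b ^ key for b in sample[idx + len(STUB) + 1:])
    return signature in decoded


def detect(sample: bytes) -> bool:
    """Combined verdict: plain signature first, then the family decoder."""
    return signature_scan(sample) or family_scan(sample)


def detection_rates(n: int = 100) -> tuple:
    """Scan n freshly mutated samples; return (signature hits, family hits, n)."""
    samples = [mutate(BODY) for _ in range(n)]
    return (sum(signature_scan(s) for s in samples),
            sum(family_scan(s) for s in samples), n)


if __name__ == "__main__":
    print("signature hits / family hits / samples:", detection_rates())
```

Every mutated sample differs in all body bytes, so the plain signature never matches, while the family routine detects all of them because the stub it keys on is the one part the sample cannot change. Real polymorphic engines vary the decryptor as well, which is why the page describes the per-virus algorithm as the hard, expert part of the work.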
Latest test results (28/02/2008)
| Award | Products |
|---|---|
|  | Avira Antivir Personal Edition Classic 7.06 |
|  | Avast Professional Edition 4.7 (25 out of 33) |
|  | Microsoft Windows Live OneCare 2.0 Pre-Release |
| Failed | McAfee VirusScan 2008 (11 out of 33) |
Key results from the testing of antivirus software for the detection of polymorphic viruses in HTML»
Complete results for each antivirus product are available only in HTML (click on the link above).
This post on my blog is a reaction to some rumors spreading across the antivirus industry. I must clarify this question for all antivirus vendors and our readers.
Rumors about affiliation with antivirus vendors (e.g., Kaspersky Lab, Symantec or Avira)
As an individual, I have worked for Kaspersky Lab as an outside expert. I have also worked with a Russian partner of Symantec, whose name I cannot disclose under the terms of our agreement.
As regards independence, the work I did for these companies never overlapped with my Anti-Malware Test Lab work and was in the field of marketing research.
My work for these companies was in the area of market research and other marketing projects. For example, I prepared antivirus product functionality comparisons and did other market research for Kaspersky Lab, as well as some marketing audits. In the case of other companies, my work had to do with developing analysis and promotion concepts.
Sergey Ilyin is my official pseudonym
Publicity imposes certain constraints and can be a nuisance not only to public persons but also to those around them. With this in mind, when first developing the project I decided to use a pseudonym in order to protect my personal life from unnecessary pressure from players in Russia's antivirus market.
It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is obvious: they make it possible to hide malicious programs and their components from PC users and antivirus programs. The source code of numerous ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various Trojans and spy programs (spyware/adware, keyloggers, etc.).
There are numerous specialized anti-rootkit products available for the detection and removal of these types of malicious programs. Furthermore, many antivirus developers state that their products include a function to detect active rootkits.
The aim of this test is to evaluate the ability of the most popular antivirus and anti-rootkit products to detect and remove malicious programs (‘in-the-wild’ samples) that use rootkit technologies and actively circulate on the Internet, and also to check their proactive detection capabilities against proof-of-concept rootkits hidden on a system.
It should be noted that although testing of in-the-wild malware samples is of real practical use, there is also a great deal of research value in ascertaining the capabilities of proactive detection when combating the hidden threat of rootkits.
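The detection approach that anti-rootkit tools of this kind rely on, cross-view comparison, as an added example that is not code from the page or from any of the tested products. A rootkit hides an object by filtering the answer the usual enumeration API returns; a detector builds the same listing from a lower-level source the rootkit did not filter and reports whatever the high-level view is missing. Both views below are constructed in-memory dictionaries standing in for real enumerations, and the hook, names and sizes are assumptions.

```python
"""
Added example, not from the page: cross-view detection of hidden processes
and files. The 'raw' dictionaries below stand in for what a real tool reads
from kernel structures or raw disk parsing; rootkit_filter() stands in for
a hooked user-mode API. All data is constructed.
"""

# Constructed low-level view of running processes: pid -> image name.
RAW_PROCESSES = {
    4: "System",
    512: "services.exe",
    1040: "explorer.exe",
    2212: "svchost.exe",
    3301: "hidden_agent.exe",  # constructed sample the simulated rootkit conceals
}

# Constructed low-level view of a directory: filename -> size in bytes.
RAW_FILES = {
    "ntoskrnl.exe": 2_100_000,
    "user32.dll": 600_000,
    "hidden_driver.sys": 48_000,  # constructed concealed file
}


def rootkit_filter(listing: dict, name_of, hidden_prefix: str = "hidden_") -> dict:
    """Simulate a hooked enumeration API that silently drops entries by name prefix."""
    return {k: v for k, v in listing.items()
            if not name_of(k, v).startswith(hidden_prefix)}


def api_processes() -> dict:
    """High-level (hooked) process listing."""
    return rootkit_filter(RAW_PROCESSES, lambda pid, name: name)


def api_files() -> dict:
    """High-level (hooked) directory listing."""
    return rootkit_filter(RAW_FILES, lambda name, size: name)


def cross_view_diff(high: dict, low: dict) -> tuple:
    """Return (hidden, phantom): objects the low-level view has but the
    high-level view omits, and objects reported high-level but absent low-level."""
    hidden = {k: low[k] for k in low if k not in high}
    phantom = {k: high[k] for k in high if k not in low}
    return hidden, phantom


def detect_hidden_processes() -> dict:
    hidden, _ = cross_view_diff(api_processes(), RAW_PROCESSES)
    return hidden


def detect_hidden_files() -> dict:
    hidden, _ = cross_view_diff(api_files(), RAW_FILES)
    return hidden


if __name__ == "__main__":
    print("hidden processes:", detect_hidden_processes())
    print("hidden files:", detect_hidden_files())
```

The method finds only what the two views disagree on: a rootkit that also controls the low-level source the detector reads makes both listings agree and is not reported, which is one reason the page tests proof-of-concept rootkits separately from in-the-wild samples.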
Summary of anti-rootkit testing results (24/01/2008)
| Award | Products |
|---|---|
| Gold Anti-Rootkit Protection Award | Rootkit Unhooker 3.7 (7.5 out of 8 points) |
| Silver Anti-Rootkit Protection Award | AVG Anti-Rootkit 1.1 (5.5 out of 8) |
| Bronze Anti-Rootkit Protection Award | Symantec Anti-Virus 2008 (4.5 out of 8) |
| Failed | BitDefender Antivirus 2008 (3 out of 8) |
Key test results for detection and removal of rootkits by antivirus/anti-rootkit software in HTML»
Complete results for each antivirus product are available only in PDF or Microsoft Excel format:
Complete testing results in PDF format »
The industry has recently witnessed a shift in emphasis to so-called proactive methods of antivirus protection, which allow antivirus software to combat malicious programs that have undergone modifications and those that are as yet unknown. This development trend is the most promising on the market and almost every developer likes to emphasize just how good their proactive defense is.
There are even attempts to contrast the newer proactive technologies with the older reactive technologies that use signature-based methods to detect malware and that require continuous and rapid updates of antivirus databases.
The concept of proactive protection is, of course, extremely attractive: a virus hasn’t even appeared and already there is protection against it. But the question arises as to just how effective these technologies are.
It should be noted that proactive technologies encompass a broad range of concepts and approaches, and including them all within the framework of a single test is simply not feasible. In this test we will only compare the heuristic components of antivirus protection (heuristic + generic detection, i.e., extended signatures), without taking into account an analysis of system events (behavior blockers or HIPS).
The results of the test make it possible to say how effective a heuristic analyzer is and in which antivirus product this component performs the best.
As an addendum, a final measurement of the detection level for the collection of malware samples was performed on the updated antivirus software a week after the main test. As a result, the quality of detection for new viruses, as well as the effectiveness of the classical signature-based method of each antivirus program was ascertained in addition to their heuristics.
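The three detection layers the test separates (exact signature, generic or extended signature, and heuristic analysis), as an added example that is not code from the page or from any tested product. An exact signature matches one known sample; a generic signature with wildcard bytes matches a whole family, including variants not yet seen; a heuristic scores a file on properties such as suspicious API names and byte entropy. The markers, string list, thresholds and sample files are all constructed assumptions.

```python
"""
Added example, not from the page: a minimal three-layer scanner showing
where exact signatures, generic signatures and heuristics each apply.
All signatures, strings, thresholds and samples are constructed.
"""
import math
import re

# Exact signature for one known sample (constructed).
EXACT_SIGNATURES = {b"CONSTRUCTED-FAMILY-01-MARKER"}
# Generic (extended) signature: the same family marker with the two variant bytes wildcarded.
GENERIC_PATTERN = re.compile(rb"CONSTRUCTED-FAMILY-..-MARKER", re.DOTALL)
# API names a static heuristic treats as suspicious in combination (assumption).
SUSPICIOUS_STRINGS = (b"CreateRemoteThread", b"WriteProcessMemory",
                      b"VirtualAllocEx", b"SetWindowsHookEx")
ENTROPY_THRESHOLD = 7.0    # bits per byte; packed or encrypted data sits near 8
HEURISTIC_THRESHOLD = 3    # score at which the heuristic flags a file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/repetitive data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def exact_match(sample: bytes) -> bool:
    return any(sig in sample for sig in EXACT_SIGNATURES)


def generic_match(sample: bytes) -> bool:
    return GENERIC_PATTERN.search(sample) is not None


def heuristic_score(sample: bytes) -> int:
    """One point per suspicious string present, two more if the file looks packed."""
    score = sum(1 for s in SUSPICIOUS_STRINGS if s in sample)
    if shannon_entropy(sample) > ENTROPY_THRESHOLD:
        score += 2
    return score


def verdict(sample: bytes) -> str:
    """Cheapest and most certain layer first, heuristic last."""
    if exact_match(sample):
        return "known (exact signature)"
    if generic_match(sample):
        return "family variant (generic signature)"
    if heuristic_score(sample) >= HEURISTIC_THRESHOLD:
        return "suspicious (heuristic)"
    return "clean"


# Constructed sample files.
HIGH_ENTROPY_PAD = bytes(range(256)) * 16   # every byte value equally often: exactly 8.0 bits
SAMPLE_KNOWN = b"MZ...CONSTRUCTED-FAMILY-01-MARKER...CreateRemoteThread"
SAMPLE_VARIANT = b"MZ...CONSTRUCTED-FAMILY-07-MARKER...CreateRemoteThread"
SAMPLE_UNKNOWN = (b"CreateRemoteThread\0WriteProcessMemory\0VirtualAllocEx\0"
                  + HIGH_ENTROPY_PAD)
SAMPLE_BENIGN = b"Quarterly report: sales were stable. " * 20

if __name__ == "__main__":
    for name, s in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT),
                    ("unknown", SAMPLE_UNKNOWN), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:8s} entropy={shannon_entropy(s):.2f} -> {verdict(s)}")
```

The page's test measures only the middle and last layers by scanning samples that postdate the signature database; the addendum a week later adds the first layer back, which is why the second measurement reports the combined signature-plus-heuristic level rather than heuristics alone.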
Latest test results (14/01/2008)
| Award | Products |
|---|---|
| Gold Proactive Protection Award | Avira AntiVir Personal Edition Premium 7.0 (71%), BitDefender Antivirus 2008 (65%) |
|  | ESET NOD32 Anti-Virus 3.0 (59%), Dr.Web 4.44 (57%), Sophos Anti-Virus 7.0 (56%), Avast! Professional Edition 4.7 (52%), VBA32 Antivirus 3.12 (48%), Kaspersky Anti-Virus 7.0 (45%), McAfee VirusScan Plus 2008 (43%) |
|  | Symantec Anti-Virus 2008 (38%), AVG Anti-Virus Professional Edition 7.5 (37%), F-Secure Anti-Virus 2008 (36%), Trend Micro Antivirus plus Antispyware 2008 (30%), Panda Antivirus 2008 (20%) |
| Failed | Agnitum Outpost Security Suite 2008 (12%) |
Key results from the proactive antivirus protection test in HTML»
Complete results for each antivirus product are available only in HTML (click on the link above).
The antivirus industry of today devotes much effort to preventing virus infections. Various proactive technologies are developed and tested, new threat response times decrease, and detection rates increase. At the same time, the rate at which new kinds of and modifications to malicious programs appear is also rapidly increasing. As a result, no antivirus vendor can guarantee 100% protection to users. Malware infections are still quite common, and very few Internet users have not dealt with a virus at least once.
To make matters worse, virus writers keep perfecting their software. Some malicious programs are very hard to remove from the computer, because they use various methods to mask their presence in the system (including via rootkits) and to avoid detection and removal by antivirus programs.
What can be done if a computer is infected? Will an existing antivirus product cope with the problem or will it be necessary to install a competitor’s product?
In this test, we analyzed the ability of popular antivirus programs to treat active infections, that is, cases in which a malicious program has been executed and installed on a computer and may be using various methods to prevent its detection and removal by antivirus solutions.
Testing results (September, 2007)
| Award | Products |
|---|---|
| Gold Malware Treatment Award | Dr.Web Anti-Virus 4.44 Beta (82%) |
| Silver Malware Treatment Award | Kaspersky Anti-Virus 7.0 (71%), Symantec Norton AntiVirus 2007 (71%) |
| Bronze Malware Treatment Award | Panda Antivirus 2008 (59%), Avast! Professional Edition 4.7.1029 (53%), AVG Anti-Virus 7.5 (47%) |
| Poor results | McAfee VirusScan 2007 (29%), Trend Micro Internet Security 2007 (29%), Avira AntiVir PE Premium 7.0 (24%), F-Secure Anti-Virus 2007 7.0 (18%), Eset NOD32 Antivirus 2.7 (18%), Sophos Anti-Virus 6.5 (18%), Dr.Web Anti-Virus 4.33 (12%), BitDefender Antivirus 10 (6%), VBA32 Antivirus 3.12 (6%) |
Key results of the testing of antivirus products for the treatment of active infections in HTML»
Complete results for each antivirus product are available only in PDF or Microsoft Excel format: