Antivirus Test for Polymorphic Viruses Detection (February 2008)

Table of Contents:

- Introduction
- Test Results and Awards

 

Introduction

Polymorphic malicious programs (referred to below simply as viruses) are capable of completely mutating with every new infection, so that a single virus produces many distinct samples of itself.

When scanning files on a computer using the traditional method, antivirus products search for specific traces of a virus – a signature. If the code of a virus that has been assigned a signature is modified, it will no longer be possible to detect it using that signature. A polymorphic virus is capable of performing such modifications to any of its parts.

Detecting polymorphic viruses is only possible with a detection algorithm that is specially developed for each individual virus. The aim of this test is to assess the quality of these special algorithms in various antivirus products.

Moreover, because polymorphic viruses are the most difficult viruses to detect, the ability to do so reflects the level of professionalism of an antivirus product’s developers. They not only have to analyze the complex variants of the viruses but also develop a reliable procedure and methodology to ensure 100% detection rates.

Methodology for Antivirus Test for Polymorphic Viruses Detection »
Awards Guide of Antivirus Test for Polymorphic Viruses Detection »

Malware that makes use of polymorphic technology to avoid detection is always the most difficult to detect for antivirus software.

Virus polymorphism consists of the virus code mutating 'on the fly', while the code generation procedure itself can also vary and undergo modifications with every new infection. In other words, polymorphic viruses are capable of completely altering themselves every time they infect, generating multiple versions of a single virus.


Detecting polymorphic viruses therefore requires the use of a detection algorithm that is specially developed for each individual virus.
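As an added illustration (not part of the original report), the following constructed Python toy shows the two approaches side by side: a 'virus' whose body is re-encoded with a different one-byte XOR key on every infection behind a small decoder stub, a traditional scan for a fixed byte signature, and a per-virus routine that recognises the stub, recovers the key, decodes the body and only then matches. The stub layout, marker bytes and payload are all invented for the example; real polymorphic engines also rewrite the decoder itself, which is exactly what makes the per-virus algorithm hard to get right.

```python
import os

# Constructed toy payload; a real virus body would be machine code.
PAYLOAD = b"\xeb\x1f\x5e\x89\x76\x08PAYLOAD-BODY-THAT-WOULD-BE-SIGNED"
# The fixed byte string a traditional scanner would extract once and search for.
SIGNATURE = PAYLOAD[:12]
# Constructed marker for the decoder stub. Layout of one sample:
#   [magic][1-byte key][2-byte big-endian length][body XOR key]
STUB_MAGIC = b"\xde\xc0"


def mutate(body, key=None):
    """Produce one 'infection' of body under a random (or given) XOR key."""
    if key is None:
        key = os.urandom(1)[0]
        if key == 0:            # key 0 would leave the body unchanged
            key = 0x5A
    encoded = bytes(b ^ key for b in body)
    return STUB_MAGIC + bytes([key]) + len(body).to_bytes(2, "big") + encoded


def signature_scan(sample, signature=SIGNATURE):
    """Traditional method: search the raw file for the fixed signature."""
    return signature in sample


def special_algorithm(sample, signature=SIGNATURE):
    """Per-virus routine: find the stub, recover the key, decode, then match.
    Samples with a missing or truncated stub are rejected rather than guessed at."""
    i = sample.find(STUB_MAGIC)
    if i < 0 or len(sample) < i + 5:
        return False
    key = sample[i + 2]
    n = int.from_bytes(sample[i + 3:i + 5], "big")
    encoded = sample[i + 5:i + 5 + n]
    if len(encoded) != n:
        return False
    body = bytes(b ^ key for b in encoded)
    return signature in body


def compare(keys=range(1, 256)):
    """Detection counts (signature scan, special algorithm) over one sample per key."""
    samples = [mutate(PAYLOAD, k) for k in keys]
    return (sum(signature_scan(s) for s in samples),
            sum(special_algorithm(s) for s in samples))


if __name__ == "__main__":
    hits_sig, hits_alg = compare()
    print(f"signature scan: {hits_sig}/255   special algorithm: {hits_alg}/255")
```

Over all 255 non-zero keys the signature scan finds nothing, while the per-virus routine catches every sample. The only sample the signature scan does catch is the one encoded with key 0, i.e. the one that was not mutated at all.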

The aim of this test is to assess how well these special algorithms detect the latest polymorphic viruses.


The following antivirus programs were tested:

  1. Agnitum Outpost Security Suite Pro 2008 (VirusBuster)
  2. Avast Professional Edition 4.7
  3. AVG Anti-Virus Professional Edition 7.5
  4. Avira Antivir Personal Edition Classic 7.06
  5. BitDefender Anti-Virus 2008
  6. DrWeb 4.44
  7. Eset Nod32 Antivirus 3.0
  8. F-Secure Anti-Virus 2008
  9. Kaspersky Anti-Virus 7.0
  10. McAfee VirusScan 2008
  11. Microsoft Windows Live OneCare 2.0 Pre-Release
  12. Panda Antivirus 2008
  13. Sophos Anti-Virus 7.0
  14. Symantec Anti-Virus 2008
  15. Trend Micro Antivirus plus Antispyware 2008
  16. VBA32 Workstation 3.12.6

The test was performed using 11 variants of polymorphic viruses from four families, each with its own functionality. The initial samples and the resulting test collection of malware were generated in compliance with the stated requirements.

The following families of polymorphic viruses were compiled for the test:

  1. Allaple.1, Allaple.2, Allaple.3, Allaple.4
  2. Alman.1, Alman.2
  3. Twido.1, Twido.2
  4. Virut.2, Virut.3, Virut.4

Testing of the antivirus programs was performed on a Windows XP SP2 operating system from 15 January to 20 February 2008, strictly in line with the stated methodology.

 

Test Results and Awards

Tables 1-2 show the detection results of the antivirus products for the different families of polymorphic viruses.

 

Table 1: Detection rate for different families of polymorphic viruses (part 1). Each cell is the share of the family's samples detected.

Antivirus product         Allaple.1  Allaple.2  Allaple.3  Allaple.4    Alman.1    Alman.2
Agnitum                      99.92%     99.72%     98.19%     99.21%     99.48%     99.01%
Avast                        99.96%     99.89%     99.32%     93.81%     99.90%       100%
AVG                            100%     99.90%       100%     99.75%       100%       100%
Avira                          100%       100%       100%       100%       100%       100%
BitDefender                  99.84%     99.72%     93.11%     93.48%     98.74%     98.61%
DrWeb                          100%     99.88%     99.77%     93.69%       100%       100%
Eset                           100%     99.99%     98.31%     99.48%       100%       100%
F-Secure                       100%       100%       100%     99.98%       100%       100%
Kaspersky                      100%       100%       100%     99.98%       100%       100%
McAfee                       99.73%     99.77%     96.16%     99.16%     96.96%       100%
Microsoft                    99.92%     99.93%     98.76%     99.64%       100%       100%
Panda Security                 100%     99.87%     97.63%     96.20%     99.90%     99.80%
Sophos                         100%     99.39%     78.98%     71.89%     99.69%       100%
Symantec                     99.53%     99.51%     90.40%     91.26%     99.16%     99.80%
Trend Micro                    100%       100%       100%       100%     99.90%       100%
VBA                          99.49%     99.51%     92.20%     94.06%     77.91%       100%
Total samples in family        2569       8240        885       4785        955        504


Table 2: Detection rate for different families of polymorphic viruses (part 2). Each cell is the share of the family's samples detected.

Antivirus product           Twido.1    Twido.2    Virut.2    Virut.3    Virut.4
Agnitum                          0%         0%     99.10%     96.31%     98.74%
Avast                          100%       100%       100%     99.33%     99.67%
AVG                          98.04%      0.24%     99.64%     98.64%     99.23%
Avira                          100%       100%       100%     99.90%     99.51%
BitDefender                  97.70%         0%       100%     99.23%     99.23%
DrWeb                        99.93%     88.05%     99.82%     98.34%     99.01%
Eset                         97.97%         0%       100%     98.36%     98.47%
F-Secure                       100%     99.67%       100%       100%       100%
Kaspersky                      100%     99.67%       100%       100%       100%
McAfee                       11.01%         0%     23.65%     40.25%     13.10%
Microsoft                      100%       100%     53.25%     77.93%     13.97%
Panda Security               11.48%         0%     97.11%     98.36%     97.48%
Sophos                       19.99%     21.63%     99.46%     90.63%     96.99%
Symantec                         0%         0%       100%     91.49%       100%
Trend Micro                      0%         0%     98.01%     67.80%     40.33%
VBA                          99.12%      0.16%     97.47%     94.61%     96.27%
Total samples in family        1481       1230        554       6757       1825


Diagram 1: Protection against the Allaple virus family (chart of the Allaple.1-4 rates from Table 1)

Only Avira and Trend Micro were capable of providing 100% protection against the viruses of the Allaple family.


Diagram 2: Protection against the Alman virus family (chart of the Alman.1-2 rates from Table 1)

According to Table 1, Avira, AVG, DrWeb, ESET, F-Secure, Kaspersky and Microsoft provide 100% protection against the viruses of the Alman family; Avast and Trend Micro each miss 0.10% of the Alman.1 samples.

 

Diagram 3: Protection against the Twido virus family (chart of the Twido.1-2 rates from Table 2)

Avira, Avast and Microsoft provide 100% protection against the viruses of the Twido family.

 

Diagram 4: Protection against the Virut virus family (chart of the Virut.2-4 rates from Table 2)

Kaspersky and F-Secure provide 100% protection against the viruses of the Virut family.

A number of antivirus programs have problems detecting the Twido.2, Twido.1 and Virut.4 variants. Twido.2 was detected at a rate below 90% by 11 of the 16 antivirus products tested, and Twido.1 by 6 of them.

Alman.2, Allaple.1 and Allaple.2 proved to be the easiest to detect with all the antivirus products achieving a detection rate of 90% or higher.

In accordance with the awards scheme, the results from Tables 1 and 2 have to be converted into points. Three points are awarded if the antivirus program detected 100% of the samples from a virus family. This demonstrates that the detection algorithm was developed properly and underwent the correct testing.

Two points are awarded if the antivirus program detects at least 99% but less than 100% of the samples from a virus family. In this case the detection algorithm was not developed perfectly or did not undergo the necessary testing.

One point is awarded for a detection rate of at least 90% but less than 99% of the samples from a virus family, suggesting the detection algorithm was developed with errors or failed to undergo the necessary testing.

If less than 90% of the samples in a virus family were detected, the detection algorithm for that family was deemed to perform poorly and no points were awarded to the antivirus program.
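To check that conversion against the page's own figures, here is an added example (not part of the original report) that re-derives the per-product totals from the rates in Tables 1 and 2 using exactly the thresholds described above. The rates are copied from those tables and nothing else is assumed; the example also lists which products reached 100% on every variant of a family, which is what Diagrams 1-4 summarise, and which products fell below the 90% line on a given variant.

```python
# Re-derive the awards points from the detection rates in Tables 1 and 2.
# All figures below are the report's own numbers; the thresholds are the
# ones stated in the text (100% = 3, 99% to under 100% = 2, 90% to under 99% = 1, else 0).

VARIANTS = [
    "Allaple.1", "Allaple.2", "Allaple.3", "Allaple.4", "Alman.1", "Alman.2",
    "Twido.1", "Twido.2", "Virut.2", "Virut.3", "Virut.4",
]

# Detection rate in percent, in the same column order as VARIANTS.
RATES = {
    "Agnitum":        [99.92, 99.72, 98.19, 99.21, 99.48, 99.01,  0.00,  0.00, 99.10, 96.31, 98.74],
    "Avast":          [99.96, 99.89, 99.32, 93.81, 99.90, 100.0, 100.0, 100.0, 100.0, 99.33, 99.67],
    "AVG":            [100.0, 99.90, 100.0, 99.75, 100.0, 100.0, 98.04,  0.24, 99.64, 98.64, 99.23],
    "Avira":          [100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 99.90, 99.51],
    "BitDefender":    [99.84, 99.72, 93.11, 93.48, 98.74, 98.61, 97.70,  0.00, 100.0, 99.23, 99.23],
    "DrWeb":          [100.0, 99.88, 99.77, 93.69, 100.0, 100.0, 99.93, 88.05, 99.82, 98.34, 99.01],
    "Eset":           [100.0, 99.99, 98.31, 99.48, 100.0, 100.0, 97.97,  0.00, 100.0, 98.36, 98.47],
    "F-Secure":       [100.0, 100.0, 100.0, 99.98, 100.0, 100.0, 100.0, 99.67, 100.0, 100.0, 100.0],
    "Kaspersky":      [100.0, 100.0, 100.0, 99.98, 100.0, 100.0, 100.0, 99.67, 100.0, 100.0, 100.0],
    "McAfee":         [99.73, 99.77, 96.16, 99.16, 96.96, 100.0, 11.01,  0.00, 23.65, 40.25, 13.10],
    "Microsoft":      [99.92, 99.93, 98.76, 99.64, 100.0, 100.0, 100.0, 100.0, 53.25, 77.93, 13.97],
    "Panda Security": [100.0, 99.87, 97.63, 96.20, 99.90, 99.80, 11.48,  0.00, 97.11, 98.36, 97.48],
    "Sophos":         [100.0, 99.39, 78.98, 71.89, 99.69, 100.0, 19.99, 21.63, 99.46, 90.63, 96.99],
    "Symantec":       [99.53, 99.51, 90.40, 91.26, 99.16, 99.80,  0.00,  0.00, 100.0, 91.49, 100.0],
    "Trend Micro":    [100.0, 100.0, 100.0, 100.0, 99.90, 100.0,  0.00,  0.00, 98.01, 67.80, 40.33],
    "VBA":            [99.49, 99.51, 92.20, 94.06, 77.91, 100.0, 99.12,  0.16, 97.47, 94.61, 96.27],
}


def points_for_rate(rate):
    """Map one detection rate (percent) to awards points, as the text describes."""
    if rate >= 100.0:
        return 3
    if rate >= 99.0:
        return 2
    if rate >= 90.0:
        return 1
    return 0


def total_points(product):
    """Sum of points over all 11 variants (maximum 33)."""
    return sum(points_for_rate(r) for r in RATES[product])


def ranking():
    """Products ordered by total points, highest first; ties in name order."""
    return sorted(RATES, key=lambda p: (-total_points(p), p))


def full_detection(family):
    """Products that reached 100% on every variant of a family, e.g. 'Alman'."""
    cols = [i for i, v in enumerate(VARIANTS) if v.split(".")[0] == family]
    return sorted(p for p, rates in RATES.items() if all(rates[i] >= 100.0 for i in cols))


def failing_products(variant, threshold=90.0):
    """Products below the threshold (zero points) on one variant."""
    i = VARIANTS.index(variant)
    return sorted(p for p, rates in RATES.items() if rates[i] < threshold)


if __name__ == "__main__":
    for product in ranking():
        print(f"{product:15s} {total_points(product):2d}")
    for family in ("Allaple", "Alman", "Twido", "Virut"):
        print(f"100% on every {family} variant: {', '.join(full_detection(family))}")
    print(f"Below 90% on Twido.2: {len(failing_products('Twido.2'))} of {len(RATES)} products")
```

Running it reproduces every total in Table 3, which confirms that the two rate tables and the points text are consistent, including the boundary case of 99.99% (ESET on Allaple.2) earning two points rather than three. The per-family listing is also the quickest way to check the prose under each diagram against the tables.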

Table 3 shows the total score for all the products that participated in the test and the type of award they received.

 

Table 3: Antivirus products ranked according to result and award (maximum 33 points)

Antivirus product                               Award                                      Total points
Avira Antivir Personal Edition Classic 7.06     Gold Anti-Polymorphic Protection Award               31
F-Secure Anti-Virus 2008                        Gold Anti-Polymorphic Protection Award               31
Kaspersky Anti-Virus 7.0                        Gold Anti-Polymorphic Protection Award               31
Avast Professional Edition 4.7                  Silver Anti-Polymorphic Protection Award             25
AVG Anti-Virus Professional Edition 7.5         Silver Anti-Polymorphic Protection Award             22
DrWeb 4.44                                      Silver Anti-Polymorphic Protection Award             21
Eset Nod32 Antivirus 3.0                        Silver Anti-Polymorphic Protection Award             20
Microsoft Windows Live OneCare 2.0 Pre-Release  Bronze Anti-Polymorphic Protection Award             19
Trend Micro Antivirus plus Antispyware 2008     Bronze Anti-Polymorphic Protection Award             18
Symantec Anti-Virus 2008                        Bronze Anti-Polymorphic Protection Award             17
BitDefender Anti-Virus 2008                     Bronze Anti-Polymorphic Protection Award             16
Agnitum Outpost Security Suite Pro 2008         Bronze Anti-Polymorphic Protection Award             15
Sophos Anti-Virus 7.0                           Bronze Anti-Polymorphic Protection Award             14
Panda Antivirus 2008                            Bronze Anti-Polymorphic Protection Award             14
VBA32 Workstation 3.12.6                        Bronze Anti-Polymorphic Protection Award             14
McAfee VirusScan 2008                           Failed                                               11


Avira Antivir Personal Edition, F-Secure Anti-Virus and Kaspersky Anti-Virus achieved the best polymorphic virus detection results, missing just a few of the almost 30,000 samples. Those three antivirus programs received the Gold Anti-Polymorphic Protection Award.

Avast Professional Edition, AVG Anti-Virus Professional Edition, DrWeb and ESET Nod32 Antivirus also scored highly, although all of them except Avast failed on one variant (Twido.2). They all received the Silver Anti-Polymorphic Protection Award.

Microsoft Windows Live OneCare, Trend Micro Antivirus, Symantec Anti-Virus, BitDefender Anti-Virus, Agnitum Outpost Security Suite, Sophos Anti-Virus, Panda Antivirus and VBA32 Workstation all achieved satisfactory results. Of particular note was the antivirus product from Microsoft, which showed a high level of detection for several virus families but failed to achieve a higher score after performing poorly on the Virut.2, Virut.3 and Virut.4 variants.

McAfee VirusScan, unfortunately, failed to attain the minimal amount of points needed to pass the test.
