Methodology for Active Malware Treatment Test (September 2007)

For the purposes of testing antivirus programs for the treatment of active infections, the expert group selected 17 malicious programs based on the following criteria:

  1. Detection of the parent file by all of the antivirus solutions tested.
  2. Ability to mask the malicious program’s presence in the system.
  3. Ability to interfere with the installation and operation of the antivirus solutions.
  4. Ability to recover after the deletion of some of its components.
  5. All malicious programs had to be sufficiently widespread and well known.

During the selection of the malicious programs to be used for testing, preference was given to the most sophisticated samples that met the above criteria to the greatest extent.

It should be noted that a critical selection parameter was that every antivirus product tested detected each of the malicious programs selected.

All of the malicious programs used for testing were in-the-wild samples, i.e. they were collected as they spread over the Internet.

The following malicious programs were selected for analysis (the Kaspersky Lab classification is used here):

  1. Adware.Win32.Look2me.ab
  2. Adware.Win32.NewDotNet
  4. Backdoor.Win32.Haxdoor.ix
  7. Trojan-Clicker.Win32.Costrat.l
  8. Trojan-Downloader.Win32.Agent.brr
  9. Trojan-Downloader.Win32.Agent.brk
  12. Trojan-Proxy.
  13. Trojan-Spy.Win32.Bancos.aam
  16. Rootkit.Win32.Agent.ea
  17. SpamTool.Win32.Agent.u

Each malicious program sample was tested for correct installation and operation on the test system.

Until publication of the results of this test, the list of malicious programs was kept secret and was not provided to any of the vendors whose antivirus products were used.

The test was conducted on a specially prepared workstation running under VMware GSX Server. A “clean” virtual machine running under Microsoft Windows XP Service Pack 2 was cloned for each malicious program. All Microsoft Windows patches available at the time of testing were installed. 

The following antivirus programs were tested:

  1. Avast! Professional Edition 4.7.1029
  2. AVG Anti-Virus 7.5.476
  3. Avira AntiVir PE Premium 7.0
  4. BitDefender Antivirus 10
  5. Dr.Web Anti-Virus 4.33.3
  6. Dr.Web Anti-Virus beta
  7. Eset NOD32 Antivirus 2.70.39
  8. F-Secure Anti-Virus 2007 7.02.395
  9. Kaspersky Anti-Virus
  10. McAfee VirusScan 2007
  11. Panda Antivirus 2008
  12. Sophos Anti-Virus 6.5.7 R2
  13. Symantec Norton AntiVirus 2007
  14. Trend Micro Internet Security 2007
  15. VBA32 Antivirus

The default settings recommended by the relevant vendors were used during the installation of the antivirus solutions on infected computers. All actions recommended by the vendors (such as rebooting the system, installing updates, etc.) were performed.

If the malicious code was not automatically detected by the antivirus solution, an on-demand scan of the folder (or folders) where the malicious program’s files were located was initiated.

Testing steps:

  1. The virtual machine was infected with a malicious program (activation of the malicious program).
  2. It was verified that the malicious program was successfully installed and active.
  3. The infected system was rebooted multiple times.
  4. An attempt was made to install the antivirus solution and to disinfect the system.
  5. If disinfection was successful, analysis of any remaining traces of the infection was carried out.

A dedicated clean virtual machine was used for each selected malicious program sample (step 1). After each attempt to install an antivirus program and disinfect the system, the virtual machine was restored to the state it was in after step 3, so that every antivirus product faced the same infected system.
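Step 5, the analysis of remaining traces, is the part of this procedure a test lab would automate. The following added example (not part of the methodology document) compares three snapshots of the test VM, the clean clone, the infected state after step 3 and the state after disinfection, and reports what the infection left behind, separating residue that still runs at boot (autorun entries, services, patched system files) from inert leftovers. All paths, registry names, service names and hashes are constructed sample values.

```python
from dataclasses import dataclass, field

AUTORUN_KEYS = (  # autorun locations treated as "still active" if they survive cleanup
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\",
)

@dataclass
class Snapshot:
    files: dict      # file path -> content hash (constructed short strings here)
    registry: set    # registry values as "HIVE\\key\\name" strings
    services: set    # names of installed services and drivers

@dataclass
class Traces:
    active: list = field(default_factory=list)  # residue that still runs at boot
    inert: list = field(default_factory=list)   # leftover files/values that do not run
    def is_clean(self):
        return not self.active and not self.inert

def residual_traces(baseline, infected, cleaned):
    """Report infection artifacts that survive disinfection. Only items present in
    `infected` but differing from `baseline` are candidates, so files the antivirus
    itself installs are never mistaken for malware residue."""
    t = Traces()
    for path, digest in infected.files.items():
        if baseline.files.get(path) == digest or cleaned.files.get(path) != digest:
            continue  # untouched system file, or removed/restored by the antivirus
        if path in baseline.files:
            t.active.append(f"patched system file: {path}")  # still the infected version
        else:
            t.inert.append(f"file: {path}")
    for value in infected.registry - baseline.registry:
        if value in cleaned.registry:
            (t.active if value.startswith(AUTORUN_KEYS) else t.inert).append(f"registry: {value}")
    for svc in infected.services - baseline.services:
        if svc in cleaned.services:
            t.active.append(f"service: {svc}")
    return t

# Constructed snapshots of one test VM: clean clone, after step 3, after disinfection.
BASELINE = Snapshot({"C:\\WINDOWS\\system32\\user32.dll": "h-user32-clean"}, set(), {"Dhcp"})
INFECTED = Snapshot(
    {"C:\\WINDOWS\\system32\\user32.dll": "h-user32-patched",
     "C:\\WINDOWS\\system32\\drivers\\sample.sys": "h-drv", "C:\\WINDOWS\\sample.dll": "h-dll"},
    {AUTORUN_KEYS[0] + "sample", "HKLM\\SOFTWARE\\SampleVendor\\InstallId"}, {"Dhcp", "sampledrv"})
CLEANED = Snapshot(
    {"C:\\WINDOWS\\system32\\user32.dll": "h-user32-clean", "C:\\WINDOWS\\sample.dll": "h-dll",
     "C:\\Program Files\\AV\\av.exe": "h-av"},
    {"HKLM\\SOFTWARE\\SampleVendor\\InstallId", "HKLM\\SOFTWARE\\AV\\Version"}, {"Dhcp", "AvService"})
```

In the constructed case the antivirus removes the driver, its service and the autorun entry and restores the patched system file, but leaves an orphan DLL and a vendor registry value, which the comparison reports as inert residue.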