Active Malware Treatment Test (October 2012)

Table of Contents: 

- Introduction
- Test Results and Awards
- Analysis to Previous Tests

 

Introduction

New malware samples appear every day. Malware authors keep inventing new techniques to resist detection and removal, such as rootkit-based stealth. Under these conditions no antivirus can guarantee 100% computer safety, so an ordinary PC user always runs the risk of infection even with antivirus protection installed.

Once it has got into the computer, a malicious program can often remain unnoticed even with an antivirus installed and running. The user then has a false sense of safety, since the antivirus never signals any danger, while the intruders collect confidential data and try to use the infected computer for their own purposes. It also happens that an antivirus detects a piece of malware but cannot remove it, forcing the user to turn to a support service, to remove the infection on their own with additional utilities from third-party vendors, or to ask the experts of the specialized service VirusInfo.Info for help.

Antivirus vendors can and should protect their customers by developing technology that detects malicious code and removes it correctly from the PC. Practice shows, however, that only some of them pay due attention to this aspect.

The objective of this test is to check personal antivirus products on their ability to detect and remove active malware that has penetrated the computer, without damaging the operability of the operating system.

 

Methodology for Active Malware Treatment Test »
Awards Guide of Active Malware Treatment Test »

 

Antivirus products of 15 vendors took part in the test, including:

  1. Avast! Internet Security 7.0.1456
  2. AVG Internet Security 2012 (2012.0.2197)
  3. Avira Internet Security 2012 (12.0.0.1127)
  4. BitDefender Internet Security 2013 16.16.0.1348
  5. Comodo Internet Security 5.10.228257.2253
  6. Dr.Web Security Space Pro 7.0.1.07100
  7. Eset Smart Security 5.2.9.1
  8. F-Secure Internet Security 2012 (1.62)
  9. Kaspersky Internet Security 2012 (12.0.0.374(i))
  10. McAfee Internet Security 11.0.678
  11. Microsoft Security Essentials 4.0.1526.0
  12. Norton Internet Security 2012 (19.8.0.14)
  13. Outpost Security Suite Pro 7.5.3 (3942.608.1810)
  14. Panda Internet Security 2012 (17.01.00)
  15. Trend Micro Titanium Internet Security 2012 (5.0.1280)

The following malware samples for Windows XP x86 were tested, selected in accordance with the test requirements:

  1. TDL (TDSS, Alureon, Tidserv)
  2. Koutodoor
  3. Win32/Glaze
  4. Sinowal (Mebroot)
  5. Rootkit.Protector (Cutwail, Pandex)
  6. Worm.Rorpian
  7. Rootkit.Podnuha (Boaxxe)
  8. Virus.Protector (Kobcka, Neprodoor)
  9. Rustock (Bubnix)
  10. Email-Worm.Scano (Areses)
  11. Rloader (WinNT/Simda)
  12. SubSys (Trojan.Okuks)
  13. Rootkit.Pakes (synsenddrv, BlackEnergy)
  14. TDL2 (TDSS, Alureon, Tidserv)
  15. TDL3 (TDSS, Alureon, Tidserv)
  16. Xorpix (Eterok)
  17. Pihar (TDL4,TDSS, Alureon, Tidserv)
  18. SST (PRAGMA, TDSS, Alureon)
  19. Zeroaccess (Sirefef, MAX++)
  20. Cidox (Rovnix, Mayachok, Boigy)

And the following malware samples for Windows 7 x64:

  1. Pihar (TDL4,TDSS, Alureon, Tidserv)
  2. SST (PRAGMA, TDSS, Alureon)
  3. Zeroaccess (Sirefef, MAX++)
  4. Cidox (Rovnix, Mayachok, Boigy)

Thus, 24 different malware samples were selected for the test on two types of operating system. The ability of the antivirus products to treat active infections was tested in accordance with a defined methodology.

 

Test Results and Awards


Table 1: Results of active malware treatment for different antiviruses (beginning)

Antivirus \ Malware Avast! Internet Security AVG Internet Security Avira Internet Security BitDefender Internet Security Comodo Internet Security
TDL (TDSS, Alureon, Tidserv) + + - + -
Koutodoor - - + + -
Win32/Glaze - - + - -
Sinowal (Mebroot) - - - + -
Rootkit.Protector (Cutwail, Pandex) + - + + -
Worm.Rorpian + - - + -
Rootkit.Podnuha (Boaxxe) + - - + -
Virus.Protector (Kobcka, Neprodoor) - - - - -
Rustock (Bubnix) - + - + -
Email-Worm.Scano (Areses) - - + + -
Rloader (WinNT/Simda) - - - - -
SubSys (Trojan.Okuks) + - - + -
Rootkit.Pakes (synsenddrv, BlackEnergy) + + + + +
TDL2 (TDSS, Alureon, Tidserv) - - - + -
TDL3 (TDSS, Alureon, Tidserv) - + - + -
Xorpix (Eterok) + + + + -
Pihar (TDL4,TDSS, Alureon, Tidserv) - - - + -
SST (PRAGMA, TDSS, Alureon) + - - + -
Zeroaccess (Sirefef, MAX++) - - - - -
Cidox (Rovnix, Mayachok, Boigy) - - - + -
Pihar (TDL4,TDSS, Alureon, Tidserv) x64 - - - + -
SST (PRAGMA, TDSS, Alureon) x64 + - - + -
Zeroaccess (Sirefef, MAX++) x64 - - - - -
Cidox (Rovnix, Mayachok, Boigy) x64 - - - - -
Cured/All 9/24 5/24 6/24 18/24 1/24

 

Table 2: Results of active malware treatment for different antiviruses (continued)

Antivirus \ Malware Dr.Web Security Space Pro Eset Smart Security F-Secure Internet Security Kaspersky Internet Security McAfee Internet Security
TDL (TDSS, Alureon, Tidserv) + - - + -
Koutodoor + - + + +
Win32/Glaze + - + + -
Sinowal (Mebroot) - - - + -
Rootkit.Protector (Cutwail, Pandex) + - - + -
Worm.Rorpian + + - + +
Rootkit.Podnuha (Boaxxe) + - - + -
Virus.Protector (Kobcka, Neprodoor) - - - + -
Rustock (Bubnix) + - - + -
Email-Worm.Scano (Areses) + - + + -
Rloader (WinNT/Simda) + - - + -
SubSys (Trojan.Okuks) + - - + +
Rootkit.Pakes (synsenddrv, BlackEnergy) + + - + +
TDL2 (TDSS, Alureon, Tidserv) + - + + -
TDL3 (TDSS, Alureon, Tidserv) + - - + +
Xorpix (Eterok) + + + + -
Pihar (TDL4,TDSS, Alureon, Tidserv) - - - + -
SST (PRAGMA, TDSS, Alureon) + - - + -
Zeroaccess (Sirefef, MAX++) + - - + +
Cidox (Rovnix, Mayachok, Boigy) + - - + -
Pihar (TDL4,TDSS, Alureon, Tidserv) x64 - - - + -
SST (PRAGMA, TDSS, Alureon) x64 + - - + -
Zeroaccess (Sirefef, MAX++) x64 + - - + -
Cidox (Rovnix, Mayachok, Boigy) x64 + - - + -
Cured/All 20/24 3/24 5/24 24/24 6/24

 

Table 3: Results of active malware treatment for different antiviruses (conclusion)

Antivirus \ Malware Microsoft Security Essentials Norton Internet Security Outpost Security Suite Pro Panda Internet Security Trend Micro Titanium Internet Security
TDL (TDSS, Alureon, Tidserv) - + - - +
Koutodoor + - - - +
Win32/Glaze + + + + +
Sinowal (Mebroot) - - - - -
Rootkit.Protector (Cutwail, Pandex) + - - - -
Worm.Rorpian + + + - +
Rootkit.Podnuha (Boaxxe) + - - - -
Virus.Protector (Kobcka, Neprodoor) + - - + -
Rustock (Bubnix) + + - - -
Email-Worm.Scano (Areses) + + - - +
Rloader (WinNT/Simda) - - - - -
SubSys (Trojan.Okuks) + - + - -
Rootkit.Pakes (synsenddrv, BlackEnergy) + + + + +
TDL2 (TDSS, Alureon, Tidserv) + + - - -
TDL3 (TDSS, Alureon, Tidserv) + - - - -
Xorpix (Eterok) + + - + +
Pihar (TDL4,TDSS, Alureon, Tidserv) - - - - -
SST (PRAGMA, TDSS, Alureon) - - - - -
Zeroaccess (Sirefef, MAX++) - - + - -
Cidox (Rovnix, Mayachok, Boigy) - - - - -
Pihar (TDL4,TDSS, Alureon, Tidserv) x64 - - - - -
SST (PRAGMA, TDSS, Alureon) x64 - - - - -
Zeroaccess (Sirefef, MAX++) x64 - + - - -
Cidox (Rovnix, Mayachok, Boigy) x64 - - - - -
Cured/All 13/24 9/24 5/24 4/24 7/24

 

We’d like to remind the reader that, in accordance with the test result and award analysis scheme applied, (+) means that the antivirus removed the active system infection successfully and the operability of the system was restored (or was not affected); (-) means that the antivirus couldn’t remove the active infection, or the operability of the system was seriously affected.

As we can see from Tables 1-4, the Sinowal (Mebroot) Trojan, which modifies the hard drive master boot record (MBR), was traditionally hard to detect and remove, as were Rloader (WinNT/Simda) and Cidox (Rovnix, Mayachok, Boigy) for x64, which are new to our test. Kaspersky antivirus and Dr.Web were the only ones to remove these malware samples correctly.

Only three of all the tested antiviruses managed to cope with Cidox (Rovnix, Mayachok, Boigy) for x86, Zeroaccess (Sirefef, MAX++) for x64 and Virus.Protector (Kobcka, Neprodoor).

SST (PRAGMA, TDSS, Alureon) for x86 also turned out to be difficult: only four of all the tested antiviruses managed to remove it.

Unfortunately, a number of vendors continue to turn a blind eye to complicated types of malware. Detection of the individual malware files is added as a formality, which does not allow the active infection to be detected once its stealth techniques are at work. You can find detailed information in our complete test report.
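To make the figures in Tables 1-3 easy to check, here is an added Python script (it is not part of the original report and not Anti-Malware.ru code) that parses the 24 verdict rows transcribed from the tables above, recomputes the Cured/All totals and the percentage treated for every product, and lists the samples that the fewest products could remove. The short product names and the row format are my own; the verdicts themselves are copied from the tables.

```python
from collections import Counter

# Short product names, in the column order of Tables 1, 2 and 3.
PRODUCTS = [
    "Avast", "AVG", "Avira", "BitDefender", "Comodo",        # Table 1
    "Dr.Web", "Eset", "F-Secure", "Kaspersky", "McAfee",     # Table 2
    "MSE", "Norton", "Outpost", "Panda", "Trend Micro",      # Table 3
]

# Verdicts transcribed from Tables 1-3: sample | 15 marks in PRODUCTS order
# ('+' = active infection removed and system operable, '-' = not removed).
TABLE = """\
TDL (TDSS, Alureon, Tidserv) | ++-+- +--+- -+--+
Koutodoor | --++- +-+++ +---+
Win32/Glaze | --+-- +-++- +++++
Sinowal (Mebroot) | ---+- ---+- -----
Rootkit.Protector (Cutwail, Pandex) | +-++- +--+- +----
Worm.Rorpian | +--+- ++-++ +++-+
Rootkit.Podnuha (Boaxxe) | +--+- +--+- +----
Virus.Protector (Kobcka, Neprodoor) | ----- ---+- +--+-
Rustock (Bubnix) | -+-+- +--+- ++---
Email-Worm.Scano (Areses) | --++- +-++- ++--+
Rloader (WinNT/Simda) | ----- +--+- -----
SubSys (Trojan.Okuks) | +--+- +--++ +-+--
Rootkit.Pakes (synsenddrv, BlackEnergy) | +++++ ++-++ +++++
TDL2 (TDSS, Alureon, Tidserv) | ---+- +-++- ++---
TDL3 (TDSS, Alureon, Tidserv) | -+-+- +--++ +----
Xorpix (Eterok) | ++++- ++++- ++-++
Pihar (TDL4, TDSS, Alureon, Tidserv) | ---+- ---+- -----
SST (PRAGMA, TDSS, Alureon) | +--+- +--+- -----
Zeroaccess (Sirefef, MAX++) | ----- +--++ --+--
Cidox (Rovnix, Mayachok, Boigy) | ---+- +--+- -----
Pihar (TDL4, TDSS, Alureon, Tidserv) x64 | ---+- ---+- -----
SST (PRAGMA, TDSS, Alureon) x64 | +--+- +--+- -----
Zeroaccess (Sirefef, MAX++) x64 | ----- +--+- -+---
Cidox (Rovnix, Mayachok, Boigy) x64 | ----- +--+- -----
"""


def parse_results(text):
    """Return {sample: {product: cured?}} from the transcribed rows."""
    results = {}
    for line in text.strip().splitlines():
        name, verdicts = line.split("|")
        marks = verdicts.replace(" ", "")
        # Reject rows whose mark count or alphabet does not match the tables.
        if len(marks) != len(PRODUCTS) or set(marks) - {"+", "-"}:
            raise ValueError(f"malformed row: {line!r}")
        results[name.strip()] = {p: m == "+" for p, m in zip(PRODUCTS, marks)}
    return results


def cured_per_product(results):
    """Number of samples each product removed (the 'Cured/All' row)."""
    counts = Counter({p: 0 for p in PRODUCTS})
    for verdicts in results.values():
        for product, cured in verdicts.items():
            counts[product] += int(cured)
    return dict(counts)


def percent_treated(results):
    """Share of samples treated per product, rounded half up (12.5% -> 13%)."""
    total = len(results)
    return {p: (200 * n + total) // (2 * total)
            for p, n in cured_per_product(results).items()}


def hardest_samples(results, at_most=2):
    """Samples removed by at most `at_most` products, with who removed them."""
    hardest = {}
    for sample, verdicts in results.items():
        cured_by = [p for p, cured in verdicts.items() if cured]
        if len(cured_by) <= at_most:
            hardest[sample] = cured_by
    return hardest


if __name__ == "__main__":
    results = parse_results(TABLE)
    ranking = sorted(percent_treated(results).items(), key=lambda kv: -kv[1])
    for product, pct in ranking:
        print(f"{product:12s} {cured_per_product(results)[product]:2d}/24  {pct:3d}%")
    print("\nHardest samples (removed by at most two products):")
    for sample, cured_by in hardest_samples(results).items():
        print(f"  {sample}: {', '.join(cured_by)}")
```

Running the script reproduces every Cured/All value printed under the three tables, and the rounding mirrors the report's percentages (3/24 appears as 13%). The hardest-sample listing also surfaces both Pihar (TDL4) rows, which only two products treated, alongside the Sinowal, Rloader and Cidox x64 cases discussed above.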

Table 4: Test Results and Awards

Antivirus | Award | % treated
Kaspersky Internet Security | Platinum Malware Treatment Award | 100%
Dr.Web Security Space Pro | Gold Malware Treatment Award | 83%
BitDefender Internet Security | Silver Malware Treatment Award | 75%
Microsoft Security Essentials | Bronze Malware Treatment Award | 54%
Avast! Internet Security | Failed | 38%
Norton Internet Security | Failed | 38%
Trend Micro Titanium Internet Security | Failed | 29%
Avira Internet Security | Failed | 25%
McAfee Internet Security | Failed | 25%
AVG Internet Security | Failed | 21%
F-Secure Internet Security | Failed | 21%
Outpost Security Suite Pro | Failed | 21%
Panda Internet Security | Failed | 17%
Eset Smart Security | Failed | 13%
Comodo Internet Security | Failed | 4%

 

Only 4 of the 15 tested antiviruses showed good results in active infection treatment this year, which is much worse than the previous year.

According to the award system applied to this kind of test, Kaspersky Internet Security became the best and won the Platinum Malware Treatment Award, as it coped with every single complicated infection variant.

Dr.Web Security Space also showed good results and succeeded in treating all the complicated infections in our test with the exception of four. This antivirus wins a deserved Gold Malware Treatment Award. Had it not been for some embarrassing failures ending in a BSOD, its result would have shared first place with the winner.

Surprisingly, BitDefender Internet Security showed good results and took third place after treating 18 of 24 infections. It deserves the Silver Malware Treatment Award.

Microsoft Security Essentials showed worthy results and won the Bronze Malware Treatment Award.

As we can see, Russian antivirus vendors have kept the lead in the treatment of complicated cases for many years. Romanian BitDefender is trying to compete with them, but on the basis of one year's results it is too early to speak of a systematic approach to complicated infection treatment for this vendor.

Surprisingly, we don't see Avast! and Norton among the winners, although these two vendors showed good results in tests of this kind for many years.

To get the detailed test results and check them for yourself, please download the test results in Microsoft Excel format.

Analysis to Previous Tests

In conclusion, we'd like to analyze the results of all our active infection treatment tests in 2010-2012. To do that, we added the results of the two previous tests to the results of this test: you can see them here.

Thus, you can track the progress in the effectiveness of complicated infection treatment for every tested product. See Diagram 1.

 

Diagram 1: Antivirus progress in active malware treatment effectiveness

[Image: dynamics of changes in antivirus capabilities for treating active infection]

Diagram 2: Antivirus progress in active malware treatment effectiveness

[Image: dynamics of changes in antivirus capabilities for treating active infection]

 

As we can see in Diagrams 1-2, there is no progress in complicated infection treatment in the industry as a whole. In fact, one can observe a degradation of results. Many vendors consider the problem of detecting complicated malware and correctly restoring the system boring and difficult. BitDefender, Trend Micro and McAfee were the only ones that showed positive dynamics in the latest test. The results of the other antiviruses got worse or remained at the same level.

Kaspersky antivirus and Dr.Web are the two products that have remained the best antivirus software for active infection treatment for many years.

The results for Avast and Norton, which were among the leaders in this test earlier, got even worse. For example, in some cases Avast stopped treating malware it had coped with successfully a year ago. The results of Microsoft also got worse as compared with the previous years.

The results of the other antiviruses are hovering at an unsatisfactory level or, even worse, degrading.

 Ilya Shabanov, managing partner of Anti-Malware.ru:

“Much to our regret, active infection detection and treatment is becoming a unique capability of only some antivirus products. By these test results, we can name only four antiviruses that can do it well enough. All the other vendors might consider it unnecessary to spend their resources on that. They consider every infected user a loser who has to solve his problem all by himself. But in practice we see hundreds of instances when an optimal antivirus can do nothing about an infection. In this case a user has to apply to external support services such as VirusInfo.info, where one can see hundreds of such cases.”

 

Vasily Berdnikov, expert of Anti-Malware.ru:

“Recently, the number of malware families known as bootkits has increased greatly since the last test. That is caused by the appearance of x64 operating systems, allowing malware to avoid OS protection mechanisms. Malware penetrates deeper into the system and gets more complicated masking, while its number continues to increase. But most antivirus vendors don't pay due attention to the detection of complicated infections and the correct treatment of infected systems. Or they pay attention to publishing articles in blogs instead of protecting their users.”
