Active Malware Treatment Test (February 2010)
Table of Contents:
- Introduction
- Test Results and Awards
- Analysis of Changes to Previous Tests
Introduction
Thousands of new malware samples appear on the Internet every day. Virus writers keep inventing new methods to prevent their code from being detected and removed from the system, such as hiding it with rootkit techniques. No antivirus can guarantee 100% protection of your computer under such conditions, which is why an ordinary user always runs a risk of infection even with antivirus protection installed.
In many cases, malware that has got into your computer can stay unnoticed for quite a long time even if an antivirus is installed. The user then has a false feeling of protection: the antivirus raises no alarm while the malefactors collect confidential information or use the computer's resources through their active malware. It also often happens that an antivirus detects the malware but cannot delete it, which forces the user to apply to technical support or to remove the infection himself using extra tools.
Antivirus vendors can protect their customers by developing technologies for detecting and removing malware. But practice proves that only some of them pay due attention to this aspect of protection.
The objective of this test is to check personal antiviruses for their capacity to detect and correctly remove malware (without damaging the operability of the operating system) after it has penetrated the computer, started acting and hidden its activity.
Methodology for Active Malware Treatment Tests »
Awards Guide of Active Malware Treatment Tests »
Antivirus products by 17 vendors took part in the test, including:
- Avast! Professional Edition 4.8.1368
- AVG Anti-Virus & Anti-Spyware 8.5.0.40
- Avira AntiVir PE Premium 9.0.0.75
- BitDefender Antivirus 2010 (13.0.18.345)
- Comodo Antivirus 3.13.121240.574
- Dr.Web Anti-Virus 5.00.10.11260
- Eset NOD32 Antivirus 4.0.474.0
- F-Secure Anti-Virus 2010 (10.00 build 246)
- Kaspersky Anti-Virus 2010 (9.0.0.736 (a.b))
- McAfee VirusScan 2010 (13.15.113)
- Microsoft Security Essentials 1.0.1611.0
- Outpost Antivirus Pro 2009 (6.7.1 2983.450.0714)
- Panda Antivirus 2010 (9.01.00)
- Sophos Antivirus 9.0.0
- Norton AntiVirus 2010 (17.0.0.136)
- Trend Micro Antivirus plus Antispyware 2010 (17.50.1366)
- VBA32 Antivirus 3.12.12.0
The test was performed on the following malware samples, selected in accordance with the requirements of the test methodology:
- AdWare.Virtumonde (Vundo)
- Rustock (NewRest)
- Sinowal (Mebroot)
- Email-Worm.Scano (Areses)
- TDL (TDSS, Alureon, Tidserv)
- TDL2 (TDSS, Alureon, Tidserv)
- Srizbi
- Rootkit.Podnuha (Boaxxe)
- Rootkit.Pakes (synsenddrv)
- Rootkit.Protector (Cutwail, Pandex, Pushdo)
- Virus.Protector (Kobcka, Neprodoor)
- Xorpix (Eterok)
- Trojan-Spy.Zbot
- Win32/Glaze
- SubSys (Trojan.Okuks)
- TDL3 v.3.17 (TDSS, Alureon, Tidserv)
Testing of antiviruses for the treatment of active infections was performed in accordance with the test methodology linked above.
Test Results and Awards
Table 1: The results of testing of antiviruses for the treatment of active infections (beginning)

| Malware application / Antivirus | Avast! Professional Edition | AVG Anti-Virus & Anti-Spyware | Avira AntiVir PE Premium | BitDefender Antivirus | Comodo Antivirus | Dr.Web Anti-Virus |
|---|---|---|---|---|---|---|
| AdWare.Virtumonde (Vundo) | + | + | + | + | + | + |
| Rustock (NewRest) | + | - | - | - | - | + |
| Sinowal (Mebroot) | - | - | - | - | - | - |
| Email-Worm.Scano (Areses) | - | - | - | - | - | + |
| TDL (TDSS, Alureon, Tidserv) | + | + | - | - | - | + |
| TDL2 (TDSS, Alureon, Tidserv) | - | + | - | - | - | - |
| Srizbi | + | - | - | + | - | + |
| Rootkit.Podnuha (Boaxxe) | + | - | - | - | - | + |
| Rootkit.Pakes (synsenddrv) | + | + | + | - | + | + |
| Rootkit.Protector (Cutwail, Pandex) | + | - | + | - | - | + |
| Virus.Protector (Kobcka, Neprodoor) | - | - | - | - | - | + |
| Xorpix (Eterok) | + | - | + | - | - | + |
| Trojan-Spy.Zbot | + | + | + | + | - | + |
| Win32/Glaze | + | - | - | + | - | - |
| SubSys (Trojan.Okuks) | - | - | - | - | - | + |
| TDL3 (TDSS, Alureon, Tidserv) | - | - | - | - | - | + |
| Healed/Total | 10/16 | 5/16 | 5/16 | 4/16 | 2/16 | 13/16 |
Table 2: The results of testing of antiviruses for the treatment of active infections (continued)

| Malware application / Antivirus | Eset NOD32 Antivirus | F-Secure Anti-Virus | Kaspersky Anti-Virus | McAfee VirusScan Plus | Microsoft Security Essentials | Norton AntiVirus |
|---|---|---|---|---|---|---|
| AdWare.Virtumonde (Vundo) | + | + | + | + | + | + |
| Rustock (NewRest) | - | - | - | - | + | + |
| Sinowal (Mebroot) | - | - | - | - | - | - |
| Email-Worm.Scano (Areses) | - | + | - | - | - | + |
| TDL (TDSS, Alureon, Tidserv) | - | + | + | - | - | + |
| TDL2 (TDSS, Alureon, Tidserv) | - | - | + | - | + | + |
| Srizbi | - | - | + | - | - | - |
| Rootkit.Podnuha (Boaxxe) | - | - | + | - | + | - |
| Rootkit.Pakes (synsenddrv) | + | + | + | - | + | + |
| Rootkit.Protector (Cutwail, Pandex) | - | - | + | - | + | - |
| Virus.Protector (Kobcka, Neprodoor) | - | - | + | - | + | - |
| Xorpix (Eterok) | + | + | + | - | + | + |
| Trojan-Spy.Zbot | + | + | + | + | + | + |
| Win32/Glaze | - | + | + | - | + | + |
| SubSys (Trojan.Okuks) |  | - | + | + | - | - |
| TDL3 (TDSS, Alureon, Tidserv) | - | - | + | - | - | - |
| Healed/Total | 4/16 | 7/16 | 13/16 | 3/16 | 10/16 | 9/16 |
Table 3: The results of testing of antiviruses for the treatment of active infections (end)

| Malware application / Antivirus | Outpost Antivirus Pro | Panda Antivirus | Sophos Anti-Virus | Trend Micro Antivirus plus Antispyware | VBA32 Antivirus |
|---|---|---|---|---|---|
| AdWare.Virtumonde (Vundo) | + | + | + | + | - |
| Rustock (NewRest) | - | + | - | - | - |
| Sinowal (Mebroot) | - | - | - | - | - |
| Email-Worm.Scano (Areses) | - | - | - | - | - |
| TDL (TDSS, Alureon, Tidserv) | - | - | + | + | - |
| TDL2 (TDSS, Alureon, Tidserv) | - | - | - | - | - |
| Srizbi | - | - | - | - | - |
| Rootkit.Podnuha (Boaxxe) | - | - | - | - | - |
| Rootkit.Pakes (synsenddrv) | - | + | + | + | - |
| Rootkit.Protector (Cutwail, Pandex) | - | - | - | - | - |
| Virus.Protector (Kobcka, Neprodoor) | - | - | - | - | - |
| Xorpix (Eterok) | - | + | - | - | - |
| Trojan-Spy.Zbot | - | + | + | + | - |
| Win32/Glaze | + | + | - | + | + |
| SubSys (Trojan.Okuks) | - | - | + | - | - |
| TDL3 (TDSS, Alureon, Tidserv) | - | - | - | - | - |
| Healed/Total | 2/16 | 6/16 | 5/16 | 5/16 | 1/16 |
Note (according to the methodology for analysing test results and awards):
( + ) means that the antivirus solution successfully removed the active infection and the system was restored (or was not damaged);
( - ) means that the antivirus solution failed to remove the active infection, or the system's integrity was seriously damaged.
As we can see from Tables 1-3, the backdoor-spy Sinowal (Mebroot) was the most difficult to remove: no tested antivirus managed to heal it.
The next most difficult samples to heal were the notorious Trojan horse TDL3 (TDSS, Alureon, Tidserv), the worm Email-Worm.Scano (Areses) and the virus Virus.Protector (Kobcka, Neprodoor). Only three of the tested antiviruses managed to cope with them.
TDL2 (TDSS, Alureon, Tidserv), Srizbi, Rootkit.Podnuha (Boaxxe), SubSys (Trojan.Okuks), Rustock (NewRest) and Rootkit.Protector (Cutwail, Pandex) were also very difficult to heal; only about five antiviruses managed to cope with them.
Table 4: Final test results and awards

| Antivirus | Award | % healed |
|---|---|---|
| Dr.Web Anti-Virus 5.0 | Gold Malware Treatment Award | 81% |
| Kaspersky Anti-Virus 2010 | Gold Malware Treatment Award | 81% |
| Avast! Professional Edition 4.8 | Silver Malware Treatment Award | 63% |
| Microsoft Security Essentials 1.0 | Silver Malware Treatment Award | 63% |
| Norton AntiVirus 2010 | Bronze Malware Treatment Award | 56% |
| F-Secure Anti-Virus 2010 | Bronze Malware Treatment Award | 44% |
| Panda Antivirus 2010 | Failed | 38% |
| AVG Anti-Virus & Anti-Spyware 9.0 | Failed | 31% |
| Avira AntiVir PE Premium 8.1 | Failed | 31% |
| Sophos Anti-Virus 9.0 | Failed | 31% |
| Trend Micro Antivirus plus Antispyware 2009 | Failed | 31% |
| BitDefender Antivirus 2009 | Failed | 25% |
| Eset NOD32 Antivirus 4.0 | Failed | 25% |
| McAfee VirusScan Plus 2010 | Failed | 19% |
| Comodo Antivirus 3.13 | Failed | 13% |
| Outpost Antivirus Pro 2009 | Failed | 13% |
| VBA32 Antivirus 3.12 | Failed | 6% |
As we can see, only 6 of the 17 tested antiviruses showed good results in healing active infections. In accordance with the award system applied to all such tests, no antivirus won the Platinum Malware Treatment Award.
Dr.Web and Kaspersky Anti-Virus showed the best results, healing the system correctly in 13 of 16 cases, and deservedly won the Gold Malware Treatment Award.
Avast! Professional Edition and Microsoft Security Essentials, which won the Silver Malware Treatment Award, as well as Norton AntiVirus and F-Secure Anti-Virus, which won the Bronze Malware Treatment Award, also showed good results.
Special attention should be paid to the unexpectedly good result of the new, free Microsoft Security Essentials, which became one of the top prizewinners of this complicated test on its first attempt. This result shows that the corporation takes the problem of healing active infections seriously.
VBA32 Antivirus is also worth mentioning. The VBA32 AntiRootkit utility is part of this antivirus distribution but must be downloaded separately (the product interface gives no information about it), and all the malware is removed manually with it. The same applies to the Eset SysInspector tool. In accordance with the test methodology we could not take them into account (nor other anti-rootkit and system healing tools), but we will check them in a separate test in the near future.
To study the detailed test results and verify the final calculations, you can download the test results as a Microsoft Excel file.
Analysis of Changes to Previous Tests
In conclusion, we would like to analyse the results of all our tests for the treatment of active infections in 2007-2010. To do this, the results of this test were added to the results of the previous tests (which you can see here).
Thus you can see the changes in the effectiveness of treating complicated cases for every product tested (except for Microsoft, which did not participate in the previous tests); see Diagram 1.
Diagram 1: Changes in active infection treatment capabilities of antivirus products
Diagram 2: Changes in active infection treatment capabilities of antivirus products
As we can see from Diagrams 1-2, no progress is observed in healing complicated threats across the industry as a whole. Only Kaspersky Anti-Virus and F-Secure showed improvement in the latest tests. Outpost, a real discovery of the previous test, unfortunately lost ground and did not manage to keep its position in the leading group.
Four antiviruses, Dr.Web, Kaspersky Anti-Virus, Avast and Norton, keep their stable positions as the best antiviruses for healing active infections. The results of the other antiviruses either hover at a satisfactory level or, even worse, are falling.
Vasiliy Berdnikov, Head of Testing Department, Anti-Malware Test Lab, comments on the results as follows:
"An important characteristic of any antivirus is its capability to treat infections. As we can see from the test results, not every antivirus can cope with this problem. Moreover, in many cases the user of an infected PC will have no idea that it is part of a botnet, even if he has a working antivirus with all the updates on his computer. Given the constant development of the technologies used in modern malware, antivirus vendors should pay more attention to technologies for detecting system infections and treating them effectively. The current trends include not masking the file on disk but returning false content when the antivirus reads the file, which allow"