Methodology for Antivirus Self-Protection Test (September 2010)
Testing was conducted on a dedicated test bench running under VMware GSX Server. "Clean" Windows XP SP3 and Windows 7 x86 virtual machines were cloned for each antivirus product.
The following antivirus programs were tested:
- Avast Internet Security 5.0.462
- AVG Internet Security 9.0 (build 117)
- Avira AntiVir Premium Security Suite 10.0.0.542
- BitDefender Internet Security 2010 (Build: 14.0.23.312)
- Comodo Internet Security 4.1.19277.920
- Dr.Web Security Space 6.0 (12.0.0.58851)
- Eset Smart Security 4.2.40.10
- F-Secure Internet Security 2010 (1.30.15265.0)
- G DATA Internet Security 2011 (21.0.2.1)
- Kaspersky Internet Security 2011 (11.0.1.400)
- McAfee Internet Security 2010
- Microsoft Security Essentials 1.0.1963.0
- Norton Internet Security 2010 (17.7.0.12)
- Online Solutions Security Suite 1.5
- Outpost Security Suite Pro 2010 (7.0, build 3377.514.1238.401)
- Panda Internet Security 2011 (16.00.00)
- PC Tools Internet Security 2010 (7.0.0.545)
- Trend Micro Internet Security 2010 (17.50.0.1366)
- VBA32 Personal 3.12.12.6
- ZoneAlarm Security Suite 2010 (9.3.14.0)
Each product was installed with the default settings recommended by its vendor. All actions recommended by the installer (system restart, database update and the like) were performed, and any protection component that was not enabled automatically after installation was enabled manually.
Testing of antivirus product self-protection covered the following criteria:
- Self-protection at the system level:
  - Hook restoration (removing the product's hooks by restoring the original handlers)
  - Modification of file access permissions
  - Modification of registry key access permissions
- Protection of the antivirus product's own files:
  - Modification / removal of modules
  - Deletion of antivirus databases
- Protection of the antivirus product's registry keys:
  - Modification / deletion of important registry keys (manual):
    - Startup keys
    - Service keys
    - Configuration keys
- Protection of the antivirus product's processes:
  - Prevention of process termination:
    - From the Task Manager
    - User-level API:
      1. Standard (TerminateProcess)
      2. Terminate all threads of a process (TerminateThread)
      3. Terminate process as a task (EndTask)
      4. Terminate process as a job (EndJob)
      5. Terminate process using the debugger (DebugActiveProcess; by default the debuggee dies with its debugger)
      6. Modify the instruction pointer (EIP) of the process's threads
      7. WinStationTerminateProcess
      8. "Bruteforce" message posting
      9. Delete at next reboot
    - Window messages:
      1. WM_CLOSE
      2. WM_QUIT
      3. WM_SYSCOMMAND / SC_CLOSE
    - Kernel-level API:
      1. ZwTerminateProcess
      2. ZwTerminateThread
  - Modification of processes / code:
    - Code injection (CreateRemoteThread)
    - DLL injection
    - Modification of memory protection attributes (VirtualProtectEx)
    - Writing to process memory (WriteProcessMemory)
  - Driver unloading
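As an added example (not code from the original test or from any of the products listed), the following PowerShell script imitates several of the user-level process-termination and process-modification attacks enumerated above against one product's processes and records which of them the product blocked. The process names `exav` and `exavsvc` are placeholders to be replaced per product, and the script must run as Administrator inside the disposable test VM. It covers TerminateProcess, the ntdll NtTerminateProcess entry that TerminateProcess wraps (called from user mode, so it exercises the native API entry point, not a kernel-mode driver), TerminateThread against every thread, WM_CLOSE/WM_QUIT, and a non-destructive WriteProcessMemory probe; the EndTask, EndJob, debugger and EIP variants are not included.

```powershell
# Added example: self-protection probe battery. Not part of the original report.
# $TargetProcessNames is an assumption; replace with the product's real process names.
$TargetProcessNames = @('exav', 'exavsvc')

Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool TerminateProcess(IntPtr h, uint code);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool TerminateThread(IntPtr h, uint code);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr n, out IntPtr read);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr n, out IntPtr written);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")] public static extern int NtTerminateProcess(IntPtr h, int status);
[DllImport("user32.dll", SetLastError=true)] public static extern bool PostMessage(IntPtr hwnd, uint msg, IntPtr wp, IntPtr lp);
[DllImport("user32.dll", SetLastError=true)] public static extern bool PostThreadMessage(uint tid, uint msg, IntPtr wp, IntPtr lp);
'@

$PROCESS_TERMINATE = 0x0001; $PROCESS_VM_OPERATION = 0x0008; $PROCESS_VM_READ = 0x0010; $PROCESS_VM_WRITE = 0x0020
$THREAD_TERMINATE = 0x0001
$WM_CLOSE = 0x0010; $WM_QUIT = 0x0012

$Results = New-Object System.Collections.ArrayList
function Get-Targets { Get-Process -Name $TargetProcessNames -ErrorAction SilentlyContinue }
function Test-Alive($ProcId) { [bool](Get-Process -Id $ProcId -ErrorAction SilentlyContinue) }
function LastErr { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
function Record($Attack, $ProcId, $Blocked, $Detail) {
    [void]$Results.Add((New-Object PSObject -Property @{ Attack = $Attack; Pid = $ProcId; Blocked = $Blocked; Detail = $Detail }))
}

function Invoke-TerminateProbe($p, $UseNative) {
    # TerminateProcess, or the ntdll entry it wraps. Self-protection usually refuses the
    # PROCESS_TERMINATE handle, so OpenProcess is where most products block.
    $name = if ($UseNative) { 'NtTerminateProcess (ntdll)' } else { 'TerminateProcess' }
    $h = [Probe.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$p.Id)
    if ($h -eq [IntPtr]::Zero) { Record $name $p.Id $true "OpenProcess failed, error $(LastErr)"; return }
    if ($UseNative) { $status = [Probe.Native]::NtTerminateProcess($h, 0); $detail = ('NTSTATUS 0x{0:X8}' -f $status) }
    else            { $ok = [Probe.Native]::TerminateProcess($h, 0); $detail = "returned $ok, error $(LastErr)" }
    [void][Probe.Native]::CloseHandle($h)
    Start-Sleep -Milliseconds 500
    Record $name $p.Id (Test-Alive $p.Id) $detail
}

function Invoke-ThreadProbe($p) {
    # Kill every thread individually; the process dies when its last thread exits.
    $killed = 0
    foreach ($t in $p.Threads) {
        $h = [Probe.Native]::OpenThread($THREAD_TERMINATE, $false, [uint32]$t.Id)
        if ($h -eq [IntPtr]::Zero) { continue }
        if ([Probe.Native]::TerminateThread($h, 0)) { $killed++ }
        [void][Probe.Native]::CloseHandle($h)
    }
    Start-Sleep -Milliseconds 500
    Record 'TerminateThread (all threads)' $p.Id (Test-Alive $p.Id) "$killed of $($p.Threads.Count) threads terminated"
}

function Invoke-MessageProbe($p) {
    # WM_CLOSE to the main window, WM_QUIT to every thread's queue. Only threads running
    # a message loop can be affected, so service-style processes usually ignore this.
    if ($p.MainWindowHandle -ne [IntPtr]::Zero) {
        [void][Probe.Native]::PostMessage($p.MainWindowHandle, $WM_CLOSE, [IntPtr]::Zero, [IntPtr]::Zero)
    }
    foreach ($t in $p.Threads) {
        [void][Probe.Native]::PostThreadMessage([uint32]$t.Id, $WM_QUIT, [IntPtr]::Zero, [IntPtr]::Zero)
    }
    Start-Sleep -Milliseconds 500
    Record 'WM_CLOSE / WM_QUIT' $p.Id (Test-Alive $p.Id) "main window $($p.MainWindowHandle)"
}

function Invoke-MemoryWriteProbe($p) {
    # Read the first bytes of the main module and write the identical bytes back.
    # Harmless when it succeeds, but success means the product's code could be patched.
    $access = $PROCESS_VM_OPERATION -bor $PROCESS_VM_READ -bor $PROCESS_VM_WRITE
    $h = [Probe.Native]::OpenProcess($access, $false, [uint32]$p.Id)
    if ($h -eq [IntPtr]::Zero) { Record 'WriteProcessMemory' $p.Id $true "OpenProcess failed, error $(LastErr)"; return }
    try {
        $base = $p.MainModule.BaseAddress
        $buf = New-Object byte[] 4; $n = [IntPtr]::Zero
        $read  = [Probe.Native]::ReadProcessMemory($h, $base, $buf, [IntPtr]$buf.Length, [ref]$n)
        $wrote = $read -and [Probe.Native]::WriteProcessMemory($h, $base, $buf, [IntPtr]$buf.Length, [ref]$n)
        Record 'WriteProcessMemory' $p.Id (-not $wrote) "read=$read write=$wrote, error $(LastErr)"
    } catch { Record 'WriteProcessMemory' $p.Id $true "module enumeration denied: $($_.Exception.Message)" }
    finally { [void][Probe.Native]::CloseHandle($h) }
}

# Run the battery; if any process died, the survivors are attacked once more, as in the test.
$pass = 1
do {
    $before = @(Get-Targets).Count
    foreach ($p in Get-Targets) {
        Invoke-TerminateProbe $p $false
        if (Test-Alive $p.Id) { Invoke-TerminateProbe $p $true }
        if (Test-Alive $p.Id) { Invoke-ThreadProbe $p }
        if (Test-Alive $p.Id) { Invoke-MessageProbe $p }
        if (Test-Alive $p.Id) { Invoke-MemoryWriteProbe $p }
    }
    $lost = $before - @(Get-Targets).Count
    $pass++
} while ($lost -gt 0 -and $pass -le 2)

$Results | Format-Table Attack, Pid, Blocked, Detail -AutoSize
```

A probe counts as blocked when the handle cannot be opened or the process is still alive half a second later. A refused OpenProcess is the usual outcome for a self-protected process, so the Win32 error code is recorded to distinguish a denied handle from a call that succeeded but had no visible effect; the latter case is worth a second look, because it can mean the product restarted the process rather than protecting it.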
Testing of the self-protection capabilities was conducted manually or using specially developed utilities that imitate attacks. After each attack, the correct operation of the antivirus product (including individual modules, active processes, services and drivers) was verified.
If one of a product's processes was terminated during process termination / modification testing (i.e., if the attack was successful), the remaining processes were attacked again.
The testing process included the following steps:
1. Installation of the antivirus program on a clean virtual machine.
2. System restart.
3. Verification of the successful installation and correct operation of all modules.
4. Saving an image (snapshot) of the virtual machine.
5. Testing of one self-protection criterion.
6. Verification of the correct operation of the program's modules.
7. Rollback to the image saved in step 4.
A separate clean virtual machine was used for each antivirus program (step 1). After a product's self-protection had been tested against one criterion, the virtual machine was rolled back to the post-installation state saved in step 4, so every criterion was tested from the same starting point.
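The per-criterion cycle of steps 3 to 6 above, written as an added PowerShell example (not part of the original methodology or of any tested product): it records which of the product's processes, services and kernel drivers are running after installation, runs one probe for a single criterion (here either the service registry keys or the database files), and re-checks every recorded component afterwards. Component names and the database path are placeholders to fill in per product; the snapshot save and rollback (steps 4 and 7) are done in the hypervisor and are not scripted.

```powershell
# Added example: one self-protection test cycle (steps 3, 5, 6). Not part of the original report.
# Exactly one criterion is tested per run, matching the one-criterion-per-rollback procedure.
param([ValidateSet('ServiceKeys', 'Databases')][string]$Criterion = 'ServiceKeys')

# All names below are assumptions; replace them with the product's real components.
$Product = @{
    Processes = @('exav', 'exavsvc')
    Services  = @('ExAVService')
    Drivers   = @('exavflt', 'exavfw')
    Databases = 'C:\Program Files\ExampleAV\Bases'
}

function Get-ComponentState {
    # Which components are up right now: processes via Get-Process, services via
    # Get-Service, kernel drivers via the SCM's Win32_SystemDriver class.
    $state = @{}
    foreach ($n in $Product.Processes) {
        $state["process:$n"] = [bool](Get-Process -Name $n -ErrorAction SilentlyContinue)
    }
    foreach ($n in $Product.Services) {
        $s = Get-Service -Name $n -ErrorAction SilentlyContinue
        $state["service:$n"] = ($null -ne $s -and $s.Status -eq 'Running')
    }
    foreach ($n in $Product.Drivers) {
        $d = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$n'" -ErrorAction SilentlyContinue
        $state["driver:$n"] = ($null -ne $d -and $d.State -eq 'Running')
    }
    return $state
}

function Compare-ComponentState($Before, $After) {
    # Components that were running at the baseline but are not running now.
    $Before.Keys | Where-Object { $Before[$_] -and -not $After[$_] } | Sort-Object
}

function Invoke-ServiceKeyProbe {
    # Criterion "Service keys": try to disable each service by setting Start=4
    # (SERVICE_DISABLED) on its key. Blocked if the write fails or does not stick.
    foreach ($n in $Product.Services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        try {
            Set-ItemProperty -Path $key -Name Start -Value 4 -ErrorAction Stop
            $blocked = ((Get-ItemProperty -Path $key -Name Start).Start -ne 4)
        } catch { $blocked = $true }
        New-Object PSObject -Property @{ Probe = 'service key Start=4'; Target = $key; Blocked = $blocked }
    }
}

function Invoke-DatabaseProbe {
    # Criterion "Deletion of antivirus databases": try to delete the first few database
    # files. Only the observable outcome counts, so a sharing violation is also "blocked".
    Get-ChildItem -Path $Product.Databases -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } | Select-Object -First 3 | ForEach-Object {
            try {
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Stop
                $blocked = Test-Path -LiteralPath $_.FullName
            } catch { $blocked = $true }
            New-Object PSObject -Property @{ Probe = 'delete database file'; Target = $_.FullName; Blocked = $blocked }
        }
}

# Step 3: every component must be up before the probe, otherwise the result is meaningless.
$baseline = Get-ComponentState
$down = @($baseline.Keys | Where-Object { -not $baseline[$_] })
if ($down.Count -gt 0) { throw "Baseline incomplete, fix the installation first: $($down -join ', ')" }

# Step 5: one criterion.
$results = switch ($Criterion) {
    'ServiceKeys' { Invoke-ServiceKeyProbe }
    'Databases'   { Invoke-DatabaseProbe }
}
Start-Sleep -Seconds 5

# Step 6: re-check every component recorded at the baseline.
$after = Get-ComponentState
$failed = @(Compare-ComponentState $baseline $after)

$results | Format-Table Probe, Target, Blocked -AutoSize
if ($failed.Count -eq 0) { 'All components still running after the probe.' }
else { "Components lost after the probe: $($failed -join ', ')" }
# Step 7: revert the VM to the post-installation snapshot in the hypervisor before the next criterion.
```

A probe that is not blocked does not by itself fail the product; what matters for the step 6 check is whether any process, service or driver recorded at the baseline is no longer running. A service-key write that succeeds, for example, only takes effect at the next start, so the component list is re-checked after a reboot as well when a startup or service key was the target.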