Home » »

Methodology for Antivirus Self-Protection Test under x64 Platform (January 2011)

Submitted by Ilya Shabanov on Thu, 02/10/2011 - 21:13

We tested 20 most popular Internet Security antivirus products in their most recent versions issued by the date of the test (November 24, 2010) for Windows 7 x64. The list included:

  1. Avast Internet Security 5.0.477
  2. AVG Internet Security 2011 (build 1170)
  3. Avira AntiVir Premium Security Suite 10.0.0.565
  4. BitDefender Internet Security 2011 (Build: 14.0.23.312)
  5. Comodo Internet Security 5.0.32580.1142
  6. Dr.Web Security Space 6.0 (12.0.0.58851)
  7. Emsisoft Anti-Malware 5.0.0.0
  8. Eset Smart Security 4.2.67.10
  9. F-Secure Internet Security 2011 (1.30.4220.0)
  10. G DATA Internet Security 2011 (21.1.0.5)
  11. Kaspersky Internet Security 2011 (11.0.2.556)
  12. McAfee Internet Security 2011 
  13. Microsoft Security Essentials 1.0.2498.0
  14. Norton Internet Security 2011 (18.1.0.37)
  15. Outpost Security Suite Pro 2010 (7.0)(3409.520.1244.401)
  16. Panda Internet Security 2011(16.00.00)
  17. PC Tools Internet Security 2011 (8.1.0.0.50)
  18. Trend Micro Titanium Internet Security 2011 (3.0.0.1303)
  19. VBA32 Personal 3.12.14.1
  20. ZoneAlarm Security Suite 2010 (9.3.37.0)

Testing was conducted on a specially prepared test stand running under VMware Workstation 7.1.0 (build 261024). A “clean” Windows 7 (6.1.7600 x64) virtual machines were cloned for each antivirus product. VMware Workstation ran under Windows 7 (6.1.7600 x64) as well.

The default settings recommended by each product vendor were used when installing the antivirus products. All of the actions recommended by the installation programs (e.g., system restart, updating, etc.) were performed. All protection components that were not automatically enabled after installation were enabled manually.

Testing of antivirus product self-protection capabilities included the following parameters:

  1. Self-protection at the system level: 
    1. Modification of file access permissions;
    2. Modification of registry key access permissions.
  2. Protection of the antivirus product's own files:
    1. Modules modification/removal;
    2. Antivirus databases removal;
    3. Removal upon reboot.
  3. Protection of the antivirus product’s registry keys:
    1. Modification / deletion of important registry keys (manually):
      • Startup keys;
      • Service keys;
      • Configuration keys.
  4. Protection of the antivirus product’s processes:
    1. Prevention of process termination:
      • From the TaskManager;
      • User-level API:
        1. Getting the handle of the process and using ZwTerminateProcess;
        2. Getting a list of all process threads, getting the handle of the process and use of ZwTerminateThread;
        3. Getting the handle of the process and use of ZwterminateJobObject;
        4. Getting the handle of the process and use of ZwDEbugActiveProcess;
        5. Using WinStationTerminateProcess.
      • System messages (SendMessage API):
        1. Getting process main window and sending WM_CLOSE using SendMessage, PostMessage, SendMessageCallback, SendNotifyMessage, PostThreadMessage, SendMessageTimeout;
        2. Getting process main window and sending WM_QUIT using SendMessage, PostMessage, SendMessageCallback, SendNotifyMessage, PostThreadMessage, SendMessageTimeout;
        3. Getting process main window and sending WM_SYSCOMMAND (SC_CLOSE) using SendMessage, PostMessage, SendMessageCallback, SendNotifyMessage, PostThreadMessage, SendMessageTimeout;
        4. Getting all process windows and sending all possible window events in the loop using SendMessage and PostMessage.
    2. Process/code modification:
      • Code injection (CreateRemoteThread):
        1. Getting the handle of the process and using ZwCreateThread with ExitProcess address.
      • Code injection (Set New Thread Context):
        1. Getting a list of all process threads, getting the handle of the process and use of ZwSetContextThread with ExitProcess address;
        2. Getting a list of all process threads, getting the handle of the process and use of ZwQueueApcThread/ZwQueueApcThreadEx with the ExitProcess address.
      • DLL injection;
        1. Getting a list of all process threads and injection of DLL closing the process using SetWindowsHookEx;
        2. Getting a list of all process threads and injection of DLL closing the process using SetWinEventHook.
      • Memory Attributes Modification:
        1. Getting the handle of the process and setting PAGE_NOACCESS attribute to every available memory unit using ZeProtectVirtualMemory;
        2. Getting the handle of the process deallocation all available memory using ZwFreeVirtualMemory;
        3. Getting the handle of the process and unmap all mapped objects using ZwUnmapViewOfSection;
        4. Getting the handle of the process and allocation of all available memory using ZwAllocateVirtualMemory;
        5. Getting the handle of the process and allocation of all available memory using ZwMapViewOfSection.
      • Writing in process memory (WriteProcessMemory):
        1. Getting the handle of the process and override available memory using ZwWriteVirtualMemory. 
      • Modification of process objects:
        1. Getting the handle of the process and deallocation of all handles of the process using ZwDuplicateObject;
        2. Getting the handle of the process and allocation of all free handles of the process using ZwDuplicateObject.
    3. Driver unloading.

PLEASE NOTE: all tests were performed in User Mode. We did not test the kernel-level self-protection capabilities of the products as there is no use in such test in the given case.

Testing of the self-protection capabilities was conducted manually or using specially developed utilities that imitate attacks. After each attack, the correct operation of the antivirus product (including individual modules, active processes, services and drivers) was verified. Additionally we tested product malware detection capabilities by means of the EICAR test virus.

If one of the processes was terminated during processes termination/modification test (ie the attack was successful), then all the other processes have been attacked again.

The testing process included the following steps:
  1. Installation of an antivirus program on a clean virtual machine.
  2. System restart.
  3. Verification of the successful installation and correct operation of all modules.
  4. Saving an image of the virtual machine.
  5. Testing of one self-protection parameter.
  6. Verification of the correct operation of the program’s modules.
  7. Rollback to the saved image (step 4)

A separate clean virtual machine was used for each antivirus program (step 1). After testing the antivirus product’s self-protection capability based on one of the criteria, the virtual machine was rolled back to its original state after product installation (step 4).