Methodology for Active Malware Treatment Test (October 2008)

Test preparation

The expert group at the Anti-Malware Test Lab selected 15 malicious programs for the active infection treatment test of antivirus products. Selection was based on the following criteria:

  1. All the antivirus products tested should detect the malicious program’s components.
  2. The malicious program should not deliberately interfere with the antivirus products’ operation.
  3. The malicious program should actively block its detection/removal by antivirus products.
  4. The malicious program should be able to recover if some of its components are removed.
  5. The malicious program should be widespread.
  6. Malicious programs were selected with a view to providing maximum coverage of technologies used to mask their presence on the system and prevent their detection and/or removal.

When selecting malicious programs for the test, priority was given to the most sophisticated programs meeting the criteria listed above.

It should be noted that detection of malicious program components by all of the antivirus products tested was a critically important parameter in selecting malicious programs for the test.

All malicious programs used in the test were collected by Anti-Malware Test Lab experts in the wild.

The following malicious programs were selected for the test (names are given according to Kaspersky Lab classification):

  1. Adware.Win32.NewDotNet
  2. Backdoor.Win32.Sinowal.ce
  3. Email-Worm.Win32.Scano.bd
  4. Rootkit.Win32.Agent.ea
  5. Rootkit.Win32.Podnuha.a
  6. Trojan-Dropper.Win32.Agent.vug
  7. Trojan-Dropper.Win32.Mutant.e
  8. Trojan-Proxy.Win32.Saturn.cu
  9. Trojan-Proxy.Win32.Xorpix.dh
  10. Trojan-Spy.Win32.Zbot.bsa
  11. Trojan.Win32.Agent.lkz
  12. Trojan.Win32.Monderb.gen
  13. Trojan.Win32.Pakes.cuh
  14. Trojan.Win32.Small.yc
  15. Virus.Win32.Rustock.a

Each malicious program sample selected was tested for correct installation and operation on the test system. Detailed descriptions of malicious programs can be found in the complete test report in Microsoft Excel format.

Testing procedure

Testing was conducted on a specially prepared computer running VMware Workstation 5.5.3. A “clean” virtual machine with Microsoft Windows XP Professional Service Pack 3 was cloned for each malicious program sample.

The following antivirus products were tested:

  1. Avast! Professional Edition 4.8.1229
  2. AVG Anti-Virus & Anti-Spyware 8.0.0.2
  3. Avira AntiVir PE Premium 8.1.0.367
  4. BitDefender Antivirus 2009 (12.0.10.1)
  5. Dr.Web Anti-Virus 4.44.5.8080
  6. Eset NOD32 Antivirus 3.0.669.0
  7. F-Secure Anti-Virus 2009
  8. Kaspersky Anti-Virus 2009 (8.0.0.357)
  9. McAfee VirusScan 2008 (12.1.110)
  10. Outpost Antivirus Pro 6.5.2358.316.0607
  11. Panda Antivirus 2009
  12. Sophos Antivirus 7.3.4
  13. Norton AntiVirus 2009
  14. Trend Micro Antivirus plus Antispyware 2008 (16.10.1182)
  15. VBA32 Antivirus 3.12.8.6

Default settings recommended by the respective vendor were used when installing each antivirus product on the infected computer. All the actions recommended by each antivirus program (restarting the system, installing updates, etc.) were performed.

If the malicious code was not detected automatically by the antivirus monitor, an on-demand scan of the folder or folders where the malicious program files were located was initiated by selecting the relevant scan profile from the antivirus product’s user interface.

The testing process comprised the following steps:

  1. Infect a virtual machine with a “clean” operating system installed by activating a malicious program, then create a snapshot of the system (main_snapshot).
  2. Verify that the virus is functioning correctly and that it has been successfully installed on the system.
  3. Restart the infected system.
  4. Verify again that the virus is functioning correctly.
  5. Create a new snapshot of the system (snapshot_virus) and power off the virtual machine.
  6. Repeat steps 1 through 5 for all the malicious programs used in the test.
  7. Load one of the snapshot_virus snapshots and attempt to install one antivirus product participating in the test and disinfect the system.
  8. If disinfection of the system was successful, create a list of the remaining traces of the infection.
  9. Repeat steps 7 and 8 for all fifteen snapshot_virus snapshots and all fifteen antivirus products (225 times in total).
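Step 8 calls for a list of the infection traces that survive disinfection. The following is an added example, not part of the lab's methodology or tooling: it assumes each snapshot (clean, snapshot_virus, post-disinfection) has been inventoried into a dict of artifact path to content hash, and all paths, hashes and the "autorun" set are constructed sample values.

```python
"""Compute the remaining traces of an infection after treatment (step 8 above).

Assumed data model (not from the report): each VM snapshot is inventoried as a
dict mapping an artifact path (file or registry value) to a content hash.
"""
from dataclasses import dataclass, field

Inventory = dict[str, str]  # artifact path -> content hash


@dataclass
class TreatmentResult:
    footprint: Inventory                     # artifacts the malware added or changed
    remaining: Inventory                     # footprint artifacts still present after treatment
    active_remaining: set[str] = field(default_factory=set)  # remaining artifacts that auto-start

    @property
    def fully_removed(self) -> bool:
        return not self.remaining


def infection_footprint(clean: Inventory, infected: Inventory) -> Inventory:
    """Artifacts present in snapshot_virus that are absent from, or changed since, the clean snapshot."""
    return {path: digest for path, digest in infected.items() if clean.get(path) != digest}


def remaining_traces(clean: Inventory, infected: Inventory, after: Inventory,
                     autorun_paths: set[str]) -> TreatmentResult:
    """A trace remains if a footprint artifact still exists and was not restored to its clean state."""
    footprint = infection_footprint(clean, infected)
    remaining = {p: after[p] for p in footprint if p in after and after[p] != clean.get(p)}
    active = {p for p in remaining if p in autorun_paths}
    return TreatmentResult(footprint, remaining, active)


# Constructed sample inventories (hashes and paths are illustrative only).
CLEAN = {"C:/WINDOWS/system32/kernel32.dll": "aaa1",
         "C:/WINDOWS/system32/drivers/etc/hosts": "bbb2"}
INFECTED = {**CLEAN,
            "C:/WINDOWS/system32/drivers/etc/hosts": "ccc3",          # modified by the sample
            "C:/WINDOWS/system32/drivers/sample.sys": "ddd4",         # dropped driver
            "C:/WINDOWS/sample.dll": "eee5",                          # dropped library
            "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/sample": "fff6"}
AFTER = {**CLEAN,                                                     # hosts restored to clean content
         "C:/WINDOWS/system32/drivers/sample.sys": "ddd4",            # driver file left behind
         "C:/WINDOWS/sample.dll": "eee5"}                             # library left behind
AUTORUN = {"C:/WINDOWS/system32/drivers/sample.sys",
           "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/sample"}

if __name__ == "__main__":
    result = remaining_traces(CLEAN, INFECTED, AFTER, AUTORUN)
    print("fully removed:", result.fully_removed, "traces:", sorted(result.remaining))
```

A restored artifact (the hosts file above) is not counted as a trace, while a dropped file that persists is listed even when its autorun entry was removed.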