Methodology for testing antivirus/anti-rootkit software for the detection and removal of rootkits II

The test was performed on a specially-prepared VMware Workstation version 5.5.3 platform. A “clean” virtual machine with a Microsoft Windows XP SP2 operating system, with all the latest updates at the time of testing, was cloned for each malicious program sample.

The following antivirus programs participated in the test:

  1.  BitDefender Antivirus 2008
  2.  Dr.Web 4.44
  3.  F-Secure Anti-Virus 2008
  4.  Kaspersky Anti-Virus 7.0
  5.  McAfee VirusScan Plus 200
  6.  ESET NOD32 Anti-Virus 3.0
  7.  Symantec Anti-Virus 2008
  8.  Trend Micro Antivirus plus Antispyware 2008

The following anti-rootkit products also participated:

  1.  AVG Anti-Rootkit 1.1
  2.  Avira Rootkit Detection 1.00.01.1
  3.  GMER 1.0.13
  4.  McAfee Rootkit Detective 1.1
  5.  Panda AntiRootkit version 1.0
  6.  Rootkit Unhooker 3.7
  7.  Sophos Anti-Rootkit 1.3
  8.  Trend Micro RootkitBuster 1.6

All security software selected for testing was required not only to detect rootkits on a system but also to be able to remove them (deleting or renaming files, deleting or renaming registry keys and sections).

A rootkit was considered detected if the security software located its files, registry keys or processes, or traces of its presence on the system (hooked API functions). A rootkit was considered neutralized if the security software completely eliminated its activity in the system.

Testing steps:

  1. The virtual machine was infected (the malicious program was activated);
  2. Verification that the virus had been installed successfully and was active;
  3. Multiple reboots of the infected system;
  4. Installation (launch) of the antivirus/anti-rootkit program under test and an attempt to disinfect the system;
  5. Analysis of rootkit activity after the antivirus/anti-rootkit clean-up.

A dedicated clean virtual machine was used for each selected malicious program sample (step 1). After the antivirus or anti-rootkit program had been launched and the disinfection performed, the virtual machine was restored to the state saved at step 3.
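The detection and neutralization criteria above, applied to the three states the procedure produces (clean clone, infected system after the reboots, system after clean-up), as an added Python example that is not part of the original methodology; the Snapshot type, the artifact classes and every sample path, key and hook name are constructed here.

```python
"""Verdict logic for the rootkit test above (added example, not part of the
original methodology): encodes its two criteria, detected vs. neutralized,
over the artifact classes the test inspects. All sample values are constructed."""
from dataclasses import dataclass

ARTIFACT_CLASSES = ("files", "registry", "processes", "hooks")

@dataclass(frozen=True)
class Snapshot:
    """Inventory of one system state: clean clone, infected, or after clean-up."""
    files: frozenset
    registry: frozenset
    processes: frozenset
    hooks: frozenset  # names of API functions the rootkit hooked, e.g. SSDT entries

def footprint(baseline, infected):
    """Step 2: what the sample added, per class, relative to the clean clone."""
    return {c: getattr(infected, c) - getattr(baseline, c) for c in ARTIFACT_CLASSES}

def is_active(artifacts):
    """The rootkit counts as active while it has a process or a hook in place."""
    return bool(artifacts["processes"] or artifacts["hooks"])

def verdict(baseline, infected, after_cleanup, report):
    """Step 5. `report` holds the objects the product flagged (paths, keys,
    process names, hooked functions). Leftovers are returned so a run that was
    detected but not neutralized is visible, not just a pair of booleans."""
    added = footprint(baseline, infected)
    if not is_active(added):
        raise ValueError("sample did not activate; run is invalid (step 2)")
    residual = {c: getattr(after_cleanup, c) & added[c] for c in ARTIFACT_CLASSES}
    # Detected: the product named at least one of the rootkit's objects or hooks.
    # Neutralized: no activity left, even if inert files or keys were left behind.
    return {
        "detected": any(report & added[c] for c in ARTIFACT_CLASSES),
        "neutralized": not is_active(residual),
        "residual": {c: sorted(v) for c, v in residual.items() if v},
    }

def demo():
    """Constructed run: product removed driver and process but left the service key."""
    clean = Snapshot(frozenset({r"C:\WINDOWS\system32\ntoskrnl.exe"}), frozenset(),
                     frozenset({"csrss.exe"}), frozenset())
    infected = Snapshot(clean.files | {r"C:\WINDOWS\system32\drivers\rk.sys"},
                        frozenset({r"HKLM\SYSTEM\CurrentControlSet\Services\rk"}),
                        clean.processes | {"rk.exe"}, frozenset({"NtQueryDirectoryFile"}))
    after = Snapshot(clean.files, infected.registry, clean.processes, frozenset())
    return verdict(clean, infected, after, {r"C:\WINDOWS\system32\drivers\rk.sys"})
```

A run where the driver file is removed but its hook survives the reboot comes out as detected but not neutralized, which is the distinction the two criteria are there to make.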

Testing steps with proof-of-concept rootkits:

  1. Installation of antivirus or anti-rootkit program and system reboot.
  2. Launch of the proof-of-concept rootkit and, where necessary, selection of the object to be hidden. If the antivirus or anti-rootkit program includes HIPS, the ‘permit action’ option is selected so that the rootkit installs on the system, or steps are taken to conceal the installation.
  3. System scan to detect rootkit objects.
  4. Results recorded (only the detection of a hidden process and/or file was counted).

A dedicated clean virtual machine was used for each antivirus or anti-rootkit program (step 1). After the installation of a proof-of-concept rootkit and scanning, the machine was restored to its initial state.