The test was performed on a specially-prepared VMware GSX Server platform. A “clean” virtual machine with a Microsoft Windows XP SP3 operating system was cloned for each antivirus program.
The following antivirus products participated in the test:
All the recommended actions (system reboot, updates, etc.) accompanied the installation of the antivirus programs. All protection components were activated if this did not occur automatically after installation.
After the test platform was set up, special conditions were created to check the effectiveness of the heuristic analyzers. This entailed the update function being switched off on all the antivirus programs, i.e., the information in the antivirus databases was frozen on the date the test was initiated.
In-the-wild samples of malicious programs were collected from corporate gateways and private collections two weeks after the antivirus databases were frozen. The uniqueness of the samples was confirmed by comparing the hash codes with those in the Anti-Malware.ru collection that was accumulated in the six months before the test started. Thus, the selection of malicious programs used in the test was, with a high degree of probability, unknown to the antivirus programs when their antivirus databases were switched off.
Important! The gap of two weeks between the freezing of the antivirus databases and when the malicious code started to be collected was intentional in order to minimize the possibility of a virus known to any of the products from ending up in the sample collection.
The result of all these actions was a situation whereby the effectiveness of the classical signature-based protection component was reduced to zero. As a result, the proactive heuristic component would have to be responsible for any detection of an unknown sample using a straightforward on-demand scan, which was exactly what we wanted.
The on-demand scan was performed using optimal settings: heuristic analyzer turned on (highest level), scanning of all files, and detection of all types of malicious and potentially harmful programs.
Unlike the previous test, and in response to multiple requests, we also measured the level of false alarms. For that purpose a collection of clean files was built at the same time as the collection of malicious programs: install packages were downloaded from download.com and extracted, and only .exe and .dll files (unique by MD5) were kept; all other files were removed. The resulting collection contained 15121 clean files.
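The two selection rules described above (new malicious samples are kept only if their hash is absent from the reference collection, and clean files are kept only if they are .exe/.dll and unique by MD5) can be expressed in a few lines. The following is an added example, not the test lab's own tooling; the file names and contents are constructed, and the reference collection is represented simply as a set of MD5 hex digests.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed inputs (harmless placeholder bytes, not real samples): name -> file contents.
CANDIDATE_SAMPLES = {
    "sample_a.bin": b"constructed-sample-A",
    "sample_b.bin": b"constructed-sample-B",
    "sample_b_copy.bin": b"constructed-sample-B",   # duplicate of sample_b inside the new batch
    "sample_c.bin": b"constructed-sample-C",
}

# Constructed extracted installer contents for the clean-file collection.
EXTRACTED_PACKAGE = {
    "setup/app.exe": b"constructed-exe-1",
    "setup/lib.dll": b"constructed-dll-1",
    "setup/lib_copy.dll": b"constructed-dll-1",    # same bytes as lib.dll -> dropped
    "setup/readme.txt": b"constructed-text",        # not .exe/.dll -> dropped
}


def md5_hex(data: bytes) -> str:
    """MD5 hex digest; MD5 is used because that is the uniqueness criterion the page states."""
    return hashlib.md5(data).hexdigest()


def select_unknown_samples(candidates, known_hashes):
    """Keep candidates whose MD5 is neither in the reference collection nor
    already kept in this batch. Returns {name: md5} for the selected files."""
    seen = set(known_hashes)
    selected = {}
    for name, data in candidates.items():
        digest = md5_hex(data)
        if digest in seen:
            continue
        seen.add(digest)
        selected[name] = digest
    return selected


def build_clean_set(extracted_files):
    """From extracted installer contents keep only .exe and .dll files,
    unique by MD5. Returns a list of (name, md5) tuples in input order."""
    seen = set()
    kept = []
    for name, data in extracted_files.items():
        if PurePosixPath(name).suffix.lower() not in (".exe", ".dll"):
            continue
        digest = md5_hex(data)
        if digest in seen:
            continue
        seen.add(digest)
        kept.append((name, digest))
    return kept


if __name__ == "__main__":
    # Pretend the reference collection already contains sample A.
    reference = {md5_hex(b"constructed-sample-A")}
    print("new unique samples:", sorted(select_unknown_samples(CANDIDATE_SAMPLES, reference)))
    print("clean set:", [name for name, _ in build_clean_set(EXTRACTED_PACKAGE)])
```

Running the block keeps sample_b and sample_c (A is already known, the copy of B is a duplicate) and keeps app.exe and lib.dll from the package. In practice the reference set would be loaded from the hash index of the prior six months' collection rather than built inline.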
To determine the level of the false alarm, an on-demand scan of the collection of pure files by all tested antivirus products was performed. We kept the same databases and settings which had been used earlier for scanning the collection of malicious programs.
Important! Detections of ‘unwanted programs’ (spyware, adware, remote admin tools and so on) in the collection of clean files were not counted as false alarms, since the degree of danger of such programs is, as a rule, debatable and is determined by each vendor independently: what is dangerous for one is safe for another.
As an addendum to the main test following its completion, all the antivirus programs were updated and a repeat scan of the collection was performed (one week after the main test was completed). As a result, the effectiveness of the classical signature-based method of each antivirus program was ascertained in addition to their heuristics.
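The scoring this methodology implies (heuristic-only detection rate with frozen databases, the rate after the update one week later, and a false-alarm count that excludes "unwanted program" verdicts) can be computed from per-file scan verdicts as follows. This is an added example rather than the lab's own scoring script; the verdict records, the product name and the set of categories treated as "unwanted" are constructed assumptions, since the page does not list which vendor categories it excluded.

```python
from dataclasses import dataclass

# Assumption: verdict categories treated as 'unwanted programs' and therefore
# not counted as false alarms when they fire on the clean collection.
UNWANTED_CATEGORIES = {"adware", "spyware", "riskware", "remote-admin"}


@dataclass(frozen=True)
class Verdict:
    sample: str
    detected: bool
    category: str = ""   # vendor's detection class, e.g. "trojan", "adware"


def detection_rate(verdicts):
    """Fraction of samples the product flagged (0.0 for an empty set)."""
    if not verdicts:
        return 0.0
    return sum(1 for v in verdicts if v.detected) / len(verdicts)


def false_alarm_count(clean_verdicts, unwanted=UNWANTED_CATEGORIES):
    """Clean files flagged with a category that is NOT an 'unwanted program' class."""
    return sum(1 for v in clean_verdicts
               if v.detected and v.category.lower() not in unwanted)


def score_product(frozen, updated, clean):
    """Summarise one product: heuristic-only rate, rate after the update,
    the gain attributable to signatures, and the false-alarm figures."""
    heuristic = detection_rate(frozen)
    after_update = detection_rate(updated)
    alarms = false_alarm_count(clean)
    return {
        "heuristic_rate": heuristic,
        "updated_rate": after_update,
        "signature_gain": after_update - heuristic,
        "false_alarms": alarms,
        "false_alarm_rate": alarms / len(clean) if clean else 0.0,
    }


# Constructed verdicts for a hypothetical product "ProductX": 10 malicious
# samples scanned with frozen databases, the same 10 after the update, and
# 8 clean files.
FROZEN = [Verdict(f"mal{i}", i < 4, "trojan" if i < 4 else "") for i in range(10)]
UPDATED = [Verdict(f"mal{i}", i < 9, "trojan" if i < 9 else "") for i in range(10)]
CLEAN = [
    Verdict("clean0.exe", False),
    Verdict("clean1.dll", False),
    Verdict("clean2.exe", True, "Adware"),   # unwanted-program verdict: not a false alarm
    Verdict("clean3.exe", False),
    Verdict("clean4.dll", True, "Trojan"),   # genuine false alarm
    Verdict("clean5.exe", False),
    Verdict("clean6.dll", False),
    Verdict("clean7.exe", False),
]


if __name__ == "__main__":
    result = score_product(FROZEN, UPDATED, CLEAN)
    for key, value in result.items():
        print(f"ProductX {key}: {value:.3f}" if isinstance(value, float) else f"ProductX {key}: {value}")
```

With the constructed data the heuristic-only rate is 0.4, the rate after the update is 0.9, and exactly one of the two clean-file detections counts as a false alarm because the other carries an adware verdict. Category matching is case-insensitive so that vendor spellings such as "Adware" and "adware" are treated alike.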
Steps taken to set up the test environment:
Steps taken during testing:
Each antivirus program was allocated a dedicated clean virtual machine (step 1). A copy of the collection of malicious programs was made for each antivirus product (step 9).