The antivirus industry of today devotes much effort to preventing virus infections. Various proactive technologies are developed and tested, new threat response times decrease, and detection rates increase. At the same time, the rate at which new kinds of and modifications to malicious programs appear is also rapidly increasing. As a result, no antivirus vendor can guarantee 100% protection to users. Malware infections are still quite common, and very few Internet users have not dealt with a virus at least once.

To make matters worse, virus writers keep perfecting their software. Some malicious programs are very hard to remove from the computer, because they use various methods to mask their presence in the system (including via rootkits) and to avoid detection and removal by antivirus programs.

What can be done if a computer is infected? Will an existing antivirus product cope with the problem or will it be necessary to install a competitor’s product?

In this test, we analyzed the ability of popular antivirus programs to treat active infections -- that is, when a malicious program has been executed and installed on a computer and may be using various methods to prevent detection and removal by antivirus solutions.

Testing results (September, 2007)

Award	Products
Gold Malware Treatment Award Download GIF image (500х500px)	Dr.Web Anti-Virus 4.44 Beta (82%)
Silver Malware Treatment Award Download GIF image (500х500px)	Kaspersky Anti-Virus 7.0 (71%) Symantec Norton AntiVirus 2007 (71%)
Bronze Malware Treatment Award Download GIF image (500х500px)	Panda Antivirus 2008 (59%) Avast! Professional Edition 4.7.1029 (53%) AVG Anti-Virus 7.5 (47%)
Poor results	McAfee VirusScan 2007 (29%) Trend Micro Internet Security 2007 (29%) Avira AntiVir PE Premium 7.0 (24%) F-Secure Anti-Virus 2007 7.0 (18%) Eset NOD32 Antivirus 2.7 (18%) Sophos Anti-Virus 6.5 (18%) Dr.Web Anti-Virus 4.33 (12%) BitDefender Antivirus 10 (6%) VBA32 Antivirus 3.12 (6%)

Key results of the testing of antivirus products for the treatment of active infections in HTML»

Complete results for each antivirus product are available only in PDF or Microsoft Excel format:

Complete testing results in PDF format »

Complete testing results in Microsoft Excel format »

Online criminal activities are gaining momentum faster than ever. Both the rate at which new types and modifications of malicious programs appear and the complexity of malware are on the rise. Cybercriminals use increasingly sophisticated methods, including masking the presence of a malicious program in the system, compression, encryption and incapacitating antivirus solutions.

Social engineering techniques make it easy to entice users to download and launch malicious programs as yet unknown by antivirus solutions. In such cases, in order to gain complete and uninterrupted control over the system, malicious programs search for an antivirus program, firewall or other protective solution in order to disrupt its operation.

Consequently, contemporary antivirus products should be able to resist such attempts, that is, they should include self-protection functionality. This helps them to resist even the most complicated attacks, such as when malicious programs use a variety of methods to disable protection, and remove the infection using standard tools after receiving the appropriate antivirus database updates.

In the test described below, we analyzed the self-protection capabilities of antivirus solutions that run under Microsoft Windows XP with Service Pack 2. Self-protection from the following types of attacks was analyzed:

1. Modification of file and registry key access permissions.
2. Modification / removal of modules.
3. Deletion of antivirus databases.
4. Modification / deletion of important registry keys.
5. Process termination.
6. Modification of processes / code.
7. Driver unloading.

Antivirus product self-protection testing methodology »

Analysis of self-protection test results and awards »

Test results (September 11, 2007)

Key results of the testing of antivirus products in HTML»

Complete results for each antivirus product are available only in PDF or Microsoft Excel format:

Complete testing results in PDF format »

Complete testing results in Microsoft Excel format »

Testing of anti-rootkit software on the detection and removal of malicious programs.

Rootkit technologies have become increasingly popular with virus writers. The reason for this is obvious: they conceal malicious programs and their components from PC users and antivirus programs. The source code for some rootkits can be found on the Internet, inevitably resulting in the use of rootkit technology in various Trojans and spy programs (spyware / adware, keyloggers, etc.).

There are a large number of dedicated software products (anti-rootkit solutions) that are designed to detect and remove such kinds of malicious programs.

The purpose of this test is to analyze the ability of the most popular anti-rootkit products to detect and remove malicious programs actively distributed over the Internet (“in the wild” samples) that take advantage of rootkit technology. 

It should be noted that anti-rootkit software is usually tested on various test or proof of concept rootkits, while testing on widespread in the wild samples is what provides the most valuable information.

• Methodology used in anti-rootkit software testing for the detection and removal of malware »
• Selection of malicious programs for the testing of anti-rootkit software for the detection and removal of malware »

Summary of anti-rootkit testing results (March 14, 2007) 

Main results of the testing of anti-rootkit software for the detection and removal of malware in HTML»

 
Complete results for each antivirus product are available only in PDF or Microsoft Excel format:

Summary of testing results in PDF format »

Complete testing results in PDF format »

Complete testing results in Microsoft Excel format »

The antivirus industry of today devotes much effort to preventing virus infections. Various proactive technologies are developed and tested, new threat response times decrease, and detection rates increase. At the same time, the rate at which new kinds of and modifications to malicious programs appear is also rapidly increasing. As a result, no antivirus vendor can guarantee 100% protection to users. Malware infections are still quite common, and very few Internet users have not dealt with a virus at least once.

To make matters worse, virus writers keep perfecting their software. Some malicious programs are very hard to remove from the computer, because they use various methods to mask their presence in the system (including via rootkits) and to avoid detection and removal by antivirus programs.

What can be done if a computer is infected? Will an existing antivirus product cope with the problem or will it be necessary to install a competitor’s product?

In this test, we analyzed the ability of popular antivirus programs to treat active infections -- that is, when a malicious program has been executed and installed on a computer and may be using various methods to prevent detection and removal by antivirus solutions.

Testing results (February 11, 2007)

Main results of the testing of antivirus products for the treatment of active infections in HTML»

Complete testing results in PDF format »

Complete testing results in Microsoft Excel format »

Award	Products
Gold Packers Support	F-Secure Anti-Virus 2006 (81%)* Kaspersky Anti-Virus 6.0 (81%)
Silver Packers Support	BitDefender 9 Professional Plus (76%) Dr. Web Anti-Virus 4.33 (76%)
Bronze Packers Support	Eset NOD32 Antivirus 2.5 (57%)
Failed the test:	AVG Anti-Virus 7.1 (10%) Avira AntiVir PE 7.0 (10%) CA eTrust EZ Antivirus r8 (10%) Clam AntiVirus 0.88 (10%) McAfee VirusScan 2006 (10%) avast! Professional Edition 4.7 (5%) Panda Platinum Internet Security 2006 (5%) Sophos Anti-Virus 6.0 (5%) Norton AntiVirus 2006 (5%) VBA32 Antivirus 3.11 (5%) Trend Micro PC-Cillin 2006 (0%) UNA 1.8 (0%)
* F-Secure Anti-Virus 2006 uses an antivirus engine licensed from Kaspersky Lab.
** The test was conducted using the latest versions of the following compression utilities: ACProtect, ASPack, ASProtect, Dropper, EXECryptor, ExeStealth, FSG, MEW, Morphine, NsPack, Obsidium, ORiEN, Packman, PECompact2, PESpin, Petite, Private exe Protector, UPX, WinUpack, yoda's Cryptor, yoda's Protector.

Key results of our testing for packer support on different antivirus products in HTML»

Complete results for each antivirus product are available only in PDF or Microsoft Excel format:

Complete testing results in PDF format »

Complete testing results in Microsoft Excel format »