Active Malware Treatment Test (September 2007)
Table of Contents:
- Introduction
- Test Results and Awards
Introduction
The antivirus industry of today devotes much effort to preventing virus infections. Various proactive technologies are developed and tested, new threat response times decrease, and detection rates increase. At the same time, the rate at which new kinds of and modifications to malicious programs appear is also rapidly increasing. As a result, no antivirus vendor can guarantee 100% protection to users. Malware infections are still quite common, and very few Internet users have not dealt with a virus at least once.
To make matters worse, virus writers keep perfecting their software. Some malicious programs are very hard to remove from the computer, because they use various methods to mask their presence in the system (including via rootkits) and to avoid detection and removal by antivirus programs.
What can be done if a computer is infected? Will an existing antivirus product cope with the problem or will it be necessary to install a competitor’s product?
In this test, we analyzed the ability of popular antivirus programs to treat active infections -- that is, when a malicious program has been executed and installed on a computer and may be using various methods to prevent detection and removal by antivirus solutions.
Antivirus products from 14 vendors were tested, including Avast!, AVG, AVZ, Avira, BitDefender, Eset, F-Secure, McAfee, Panda Software, Sophos, Symantec, Trend Micro, VirusBlokAda, Dr. Web, and Kaspersky Lab.
Testing was conducted using the following malicious programs (the names are shown according to the classification used by Kaspersky Lab) selected in accordance with the criteria described here:
- Adware.Win32. Look2me.ab
- Adware. Win32.NewDotNet
- AdWare.Win32.Virtumonde.bq
- Backdoor.Win32.Haxdoor.ix
- Backdoor.Win32.PcClient.ca
- Email-Worm.Win32.Scano.ac
- Trojan-Clicker.Win32.Costrat.l
- Trojan-Downloader.Win32.Agent.brr
- Trojan-Downloader.Win32.Agent.brk
- Trojan-Proxy.Win32.Agent.lb
- Trojan-Proxy.Win32.Wopla.ag
- Trojan-Proxy. Win32.Xorpix.ba
- Trojan-Spy.Win32.Bancos.aam
- Trojan-Spy.Win32.Goldun.ls
- Virus.Win32.Gpcode.af
- Rootkit.Win32.Agent.ea
- SpamTool.Win32.Agent.u
Testing of the ability of antivirus products to treat active infections was conducted strictly in accordance with the methodology.
Test Results and Awards
Table 1: Results of active malware treatment by different antivirus products
| Malware\ Antivirus | Avast! Professional Edition 4.7 | AVG Anti-Virus 7.5 | Avira AntiVir PE 7.0 | BitDefender Antivirus 10 | Dr.Web Anti-Virus 4.33 |
| Adware.Win32.Look2me.ab | + | + | - | - | - |
| Adware.Win32.NewDotNet | + | - | - | - | - |
| AdWare.Win32.Virtumonde.bq | + | + | + | - | - |
| Backdoor.Win32.Haxdoor.ix | - | - | - | - | + |
| Backdoor.Win32.PcClient.ca | + | + | + | - | - |
| Email-Worm.Win32.Scano.ac | - | - | - | - | - |
| Trojan-Clicker.Win32.Costrat.l | - | - | - | - | - |
| Trojan-Downloader.Win32.Agent.brr | - | - | - | - | - |
| Trojan-Downloader.Win32.Agent.brk | - | - | - | - | - |
| Trojan-Proxy.Win32.Agent.lb | + | + | + | + | - |
| Trojan-Proxy.Win32.Wopla.ag | + | + | - | - | - |
| Trojan-Proxy. Win32.Xorpix.ba | + | + | - | - | - |
| Trojan-Spy.Win32.Bancos.aam | + | + | - | - | - |
| Trojan-Spy.Win32.Goldun.ls | + | + | + | - | + |
| Virus.Win32.Gpcode.af | - | - | - | - | - |
| Rootkit.Win32.Agent.ea | - | - | - | - | - |
| SpamTool.Win32.Agent.u | - | - | - | - | - |
| Total: | 9/17 | 8/17 | 4/17 | 1/17 | 2/17 |
Table 2: Results of active infection treatment by different antivirus products (continued)
| Malware\ Antivirus | Dr.Web Anti-Virus 4.44 Beta | Eset NOD32 Antivirus 2.7 | F-Secure Anti-Virus 2007 | Kaspersky Anti-Virus 7.0 | McAfee VirusScan 2007 |
| Adware.Win32.Look2me.ab | - | - | - | + | - |
| Adware. Win32.NewDotNet | + | - | - | + | + |
| AdWare.Win32.Virtumonde.bq | + | - | - | + | + |
| Backdoor.Win32.Haxdoor.ix | + | - | - | + | - |
| Backdoor.Win32.PcClient.ca | + | + | + | + | + |
| Email-Worm.Win32.Scano.ac | - | - | - | + | - |
| Trojan-Clicker.Win32.Costrat.l | + | - | - | + | - |
| Trojan-Downloader.Win32.Agent.brr | + | - | - | - | - |
| Trojan-Downloader.Win32.Agent.brk | + | - | - | - | - |
| Trojan-Proxy.Win32.Agent.lb | + | + | + | + | + |
| Trojan-Proxy.Win32.Wopla.ag | + | - | - | + | - |
| Trojan-Proxy. Win32.Xorpix.ba | + | - | - | + | - |
| Trojan-Spy.Win32.Bancos.aam | + | - | - | - | - |
| Trojan-Spy.Win32.Goldun.ls | + | + | + | + | + |
| Virus.Win32.Gpcode.af | - | - | - | + | - |
| Rootkit.Win32.Agent.ea | + | - | - | - | - |
| SpamTool.Win32.Agent.u | + | - | - | - | - |
| Total: | 14/17 | 3/17 | 3/17 | 12/17 | 5/17 |
Table 3: Results of active infection treatment by different antivirus products (continued)
| Malware\ Antivirus | Panda Antivirus 2008 | Sophos Anti-Virus 6.5 | Norton AntiVirus 2007 | Trend Micro Internet Security 2007 | VBA32 Antivirus 3.12 |
| Adware.Win32.Look2me.ab | + | - | + | - | - |
| Adware. Win32.NewDotNet | + | + | + | + | - |
| AdWare.Win32.Virtumonde.bq | - | - | + | + | - |
| Backdoor.Win32.Haxdoor.ix | + | - | + | + | - |
| Backdoor.Win32.PcClient.ca | + | - | + | - | - |
| Email-Worm.Win32.Scano.ac | - | - | - | - | - |
| Trojan-Clicker.Win32.Costrat.l | - | - | + | - | - |
| Trojan-Downloader.Win32.Agent.brr | + | - | + | - | - |
| Trojan-Downloader.Win32.Agent.brk | - | - | - | - | - |
| Trojan-Proxy.Win32.Agent.lb | + | + | + | + | + |
| Trojan-Proxy.Win32.Wopla.ag | + | - | + | - | - |
| Trojan-Proxy. Win32.Xorpix.ba | + | - | + | - | - |
| Trojan-Spy.Win32.Bancos.aam | + | - | + | - | - |
| Trojan-Spy.Win32.Goldun.ls | + | + | + | + | - |
| Virus.Win32.Gpcode.af | - | - | - | - | - |
| Rootkit.Win32.Agent.ea | - | - | - | - | - |
| SpamTool.Win32.Agent.u | - | - | - | - | - |
| Total: | 10/17 | 3/17 | 12/17 | 5/17 | 1/17 |
Notice! According to analysis of testing results and awards:
( + ) means that antivirus solution successfully removed the active infection, and the system was restored (or was not damaged),
( - ) The antivirus solution failed to remove the active infection or the system’s integrity was seriously damaged.
As you can see from Tables 1-3, the most complicated for treatment malware samples ware Virus.Win32.Gpcode.af, Rootkit.Win32.Agent.ea, SpamTool.Win32.Agent.u, Email-Worm.Win32.Scano.ac and Trojan-Downloader.Win32.Agent.brk.
Only six of 15 tested products demonstrated acceptable results in the treatment of active infection, i.e. they successfully cured the infected system.
The most effective antivirus in the treatment of active infection is Dr.Web Anti-Virus 4.44, which won Gold Malware Treatment Award. Kaspersky Anti-Virus 7.0 and Norton AntiVirus 2007 also showed decent result (71%) and was awarded with Silver Malware Treatment Award.
The other three antivirus products: Panda Antivirus 2008, Avast! Professional Edition 4.7 и AVG Anti-Virus 7.5, demonstrated mediocre results (от 59 до 47%). These figures meet the requirements for Bronze Malware Treatment Award.
An additional three antivirus products, namely, Eset NOD32 Antivirus, Sophos Anti-Virus and BitDefender Antivirus, demonstrated mediocre results. The remaining antivirus solutions performed poorly. These products can by no means be relied upon to effectively combat today’s virus threats.
For detailed test results, including the information on the disinfection of specific viruses, and to verify the calculations used to determine the test results, please download the complete results below in Microsoft Excel format.
- Login to post comments
