Antivirus Self-Protection Test (August 2007)

Table of Contents:

- Introduction
- Test Results and Awards

 

Introduction

Online criminal activities are gaining momentum faster than ever. Both the rate at which new types and modifications of malicious programs appear and the complexity of malware are on the rise. Cybercriminals use increasingly sophisticated methods, including masking the presence of a malicious program in the system, compression, encryption and incapacitating antivirus solutions.

Social engineering techniques make it easy to entice users to download and launch malicious programs that are as yet unknown to antivirus solutions. In such cases, to gain complete and uninterrupted control over the system, malicious programs search for an antivirus program, firewall or other protective solution and try to disrupt its operation.

Consequently, contemporary antivirus products should be able to resist such attempts; that is, they should include self-protection functionality. Self-protection lets them withstand even the most complicated attacks, in which malicious programs use a variety of methods to disable protection, and then remove the infection using standard tools after receiving the appropriate antivirus database updates.

In the test described below, we analyzed the self-protection capabilities of antivirus solutions that run under Microsoft Windows XP with Service Pack 2.

Self-protection from the following types of attacks was analyzed:

  1. Modification of file and registry key access permissions.
  2. Modification / removal of modules.
  3. Deletion of antivirus databases.
  4. Modification / deletion of important registry keys.
  5. Process termination.
  6. Modification of processes / code.
  7. Driver unloading.

Methodology for Self-Protection Test »

Awards Guide of Self-Protection Test »

 

Fifteen of the most popular antivirus programs were tested, including:

  1. Avast! Professional Edition 4.7
  2. Avira Premium Security Suite 7.0
  3. BitDefender Internet Security 10
  4. DrWeb 4.44
  5. ESET Smart Security 3.0
  6. F-Secure Internet Security 2007
  7. Kaspersky Internet Security 7.0
  8. McAfee Internet Security 2007
  9. Microsoft Windows Live OneCare 1.6
  10. Panda Internet Security 2007
  11. Sophos Anti-Virus 6.0
  12. Symantec Internet Security 2007
  13. Trend Micro PC-Cillin 2007
  14. VBA32 Antivirus 3.11
  15. ZoneAlarm Internet Security 7.0

The antivirus product self-protection test was conducted on products running under Microsoft Windows XP with Service Pack 2 for the following groups of attacks:

  1. Modification of file and registry key access permissions
  2. Modification / removal of modules
  3. Deletion of antivirus databases
  4. Modification / deletion of important registry keys
  5. Process termination
  6. Modification of processes / code
  7. Driver unloading.

Analysis of each antivirus product’s self-protection was based on each of the 33 parameters tested and was conducted in strict accordance with the testing methodology.

 

Test Results and Awards

 

Table 1. Final results of antivirus product self-protection testing and the awards received

| Products tested | Awards | Points scored (out of 33) | % of maximum |
|---|---|---|---|
| Kaspersky Internet Security 7.0 | Gold Self-Protection Award | 32 | 97% |
| VBA32 Antivirus 3.11 | Silver Self-Protection Award | 23.5 | 71% |
| Symantec Internet Security 2007 | Silver Self-Protection Award | 23.5 | 71% |
| F-Secure Internet Security 2007 | Silver Self-Protection Award | 20 | 61% |
| ZoneAlarm Internet Security 7.0 | Bronze Self-Protection Award | 19 | 58% |
| Panda Internet Security 2007 | Bronze Self-Protection Award | 16 | 48% |
| McAfee Internet Security 2007 | Bronze Self-Protection Award | 15.5 | 47% |
| ESET Smart Security 3.0 | Bronze Self-Protection Award | 14.5 | 44% |
| Trend Micro PC-Cillin 2007 | Bronze Self-Protection Award | 14 | 42% |
| Avast! Professional Edition 4.7 | Failed | 11 | 33% |
| Avira Premium Security Suite 7.0 | Failed | 11 | 33% |
| Sophos Anti-Virus 6.0 | Failed | 11 | 33% |
| DrWeb 4.44 | Failed | 10.5 | 32% |
| Microsoft Windows Live OneCare 1.6 | Failed | 10.5 | 32% |
| BitDefender Internet Security 10 | Failed | 10 | 30% |

 

In accordance with the award scheme, 1 point (+) was awarded for each parameter (type of attack) for which an attack was successfully blocked.

One-half of a point (0.5, +/-) was awarded if the product did not include complete self-protection from a specific type of attack, but retained (or automatically restored) its main functionality.

And, finally, if self-protection was absent and the product’s main functionality was deactivated, the antivirus product received no point for a specific type of attack.

As Table 1 shows, the absolute leader in terms of self-protection is Kaspersky Internet Security 7.0, which received the Gold Self-Protection Award. This antivirus product blocked 97% of attacks and scored 32 points out of a possible 33. Its score was only 1 percentage point below that required for a Platinum Self-Protection Award (see analysis of test results and awards).

High self-protection results were demonstrated by three antivirus products, namely VBA32 Antivirus 3.11, Symantec Internet Security 2007 and F-Secure Internet Security 2007, which scored 61% to 71% and received the Silver Self-Protection Award.

Five more products, namely ZoneAlarm Internet Security 7.0, Panda Internet Security 2007, McAfee Internet Security 2007, ESET Smart Security 3.0 and Trend Micro PC-Cillin 2007, demonstrated a satisfactory result and received the Bronze Self-Protection Award.

It is worth mentioning ZoneAlarm Internet Security, which completely failed to block only four attacks, but received a low score because its unprotected antispam module from MailFrontier was disabled by most of the attacks.

All other antivirus products failed the test, scoring less than 40% of the maximum possible points.

Table 2 shows the number of points scored by each antivirus product based on the number of attacks blocked and missed by its self-protection during testing.


Table 2. Number of attacks blocked and missed and total points scored by each product

| Products tested | Attacks completely blocked (1 point) ¹ | Attacks partially blocked (0.5 points) ² | Attacks missed due to the absence of self-protection (0 points) ³ | Total points scored (out of 33) |
|---|---|---|---|---|
| Kaspersky Internet Security 7.0 | 31 | 2 | 0 | 32 |
| VBA32 Antivirus 3.11 | 23 | 1 | 9 | 23.5 |
| Symantec Internet Security 2007 | 19 | 9 | 5 | 23.5 |
| F-Secure Internet Security 2007 | 16 | 8 | 9 | 20 |
| ZoneAlarm Internet Security 7.0 | 9 | 20 | 4 | 19 |
| Panda Internet Security 2007 | 11 | 10 | 12 | 16 |
| McAfee Internet Security 2007 | 6 | 19 | 8 | 15.5 |
| ESET Smart Security 3.0 | 7 | 15 | 11 | 14.5 |
| Trend Micro PC-Cillin 2007 | 7 | 14 | 12 | 14 |
| Avast! Professional Edition 4.7 | 8 | 6 | 19 | 11 |
| Avira Premium Security Suite 7.0 | 4 | 14 | 15 | 11 |
| Sophos Anti-Virus 6.0 | 6 | 10 | 17 | 11 |
| DrWeb 4.44 | 6 | 9 | 18 | 10.5 |
| Microsoft Windows Live OneCare 1.6 | 3 | 15 | 15 | 10.5 |
| BitDefender Internet Security 10 | 4 | 12 | 17 | 10 |

 

1) The product’s self-protection successfully blocked the attack.
2) Self-protection from the attack is partially missing, but the main functionality was retained (or automatically restored).
3) The product lacks self-protection from a specific type of attack or the self-protection is present, but the product’s main functionality was disabled.

 


Below, we present additional information on the antivirus product self-protection testing results by type of attack.

 

Table 3. Testing results (the system level)

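| Products tested | Points scored (out of 7) | Assessment of results |
|---|---|---|
| Kaspersky Internet Security 7.0 | 6 | Good |
| Symantec Internet Security 2007 | 4 | Satisfactory |
| ZoneAlarm Internet Security 7.0 | 3.5 | Satisfactory |
| Trend Micro PC-Cillin 2007 | 2 | Failed testing |
| Panda Internet Security 2007 | 1 | Failed testing |
| Avast! Professional Edition 4.7 | 0 | Failed testing |
| Avira Premium Security Suite 7.0 | 0 | Failed testing |
| BitDefender Internet Security 10 | 0 | Failed testing |
| DrWeb 4.44 | 0 | Failed testing |
| ESET Smart Security 3.0 | 0 | Failed testing |
| F-Secure Internet Security 2007 | 0 | Failed testing |
| McAfee Internet Security 2007 | 0 | Failed testing |
| Microsoft Windows Live OneCare 1.6 | 0 | Failed testing |
| Sophos Anti-Virus 6.0 | 0 | Failed testing |
| VBA32 Antivirus 3.11 | 0 | Failed testing |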

 

Table 4. Testing results (process termination)

| Products tested | Points scored (out of 15) | Assessment of results |
|---|---|---|
| Kaspersky Internet Security 7.0 | 15 | Excellent |
| F-Secure Internet Security 2007 | 13 | Excellent |
| VBA32 Antivirus 3.11 | 12.5 | Excellent |
| Symantec Internet Security 2007 | 11 | Good |
| Panda Internet Security 2007 | 10 | Good |
| McAfee Internet Security 2007 | 8 | Good |
| ESET Smart Security 3.0 | 7.5 | Satisfactory |
| ZoneAlarm Internet Security 7.0 | 7.5 | Satisfactory |
| Avast! Professional Edition 4.7 | 5.5 | Failed testing |
| Microsoft Windows Live OneCare 1.6 | 5.5 | Failed testing |
| Trend Micro PC-Cillin 2007 | 5.5 | Failed testing |
| Avira Premium Security Suite 7.0 | 5 | Failed testing |
| BitDefender Internet Security 10 | 5 | Failed testing |
| DrWeb 4.44 | 5 | Failed testing |
| Sophos Anti-Virus 6.0 | 4.5 | Failed testing |
4.5

 

Table 5. Testing results (process modification)

| Products tested | Points scored (out of 9) | Assessment of results |
|---|---|---|
| Kaspersky Internet Security 7.0 | 9 | Excellent |
| VBA32 Antivirus 3.11 | 9 | Excellent |
| Symantec Internet Security 2007 | 7.5 | Excellent |
| McAfee Internet Security 2007 | 6 | Good |
| ZoneAlarm Internet Security 7.0 | 6 | Good |
| ESET Smart Security 3.0 | 5.5 | Satisfactory |
| Avira Premium Security Suite 7.0 | 5 | Satisfactory |
| F-Secure Internet Security 2007 | 5 | Satisfactory |
| Trend Micro PC-Cillin 2007 | 5 | Satisfactory |
| Sophos Anti-Virus 6.0 | 4.5 | Satisfactory |
| Avast! Professional Edition 4.7 | 3.5 | Failed testing |
| BitDefender Internet Security 10 | 3.5 | Failed testing |
| DrWeb 4.44 | 3.5 | Failed testing |
| Microsoft Windows Live OneCare 1.6 | 3.5 | Failed testing |
| Panda Internet Security 2007 | 3.5 | Failed testing |

 

Table 6. Testing results (driver protection)

| Products tested | Points scored (out of 2) | Assessment of results |
|---|---|---|
| ZoneAlarm Internet Security 7.0 | 2 | Excellent |
| VBA32 Antivirus 3.11 | 2 | Excellent |
| Sophos Anti-Virus 6.0 | 2 | Excellent |
| Kaspersky Internet Security 7.0 | 2 | Excellent |
| F-Secure Internet Security 2007 | 2 | Excellent |
| DrWeb 4.44 | 2 | Excellent |
| Avast! Professional Edition 4.7 | 2 | Excellent |
| Trend Micro PC-Cillin 2007 | 1.5 | Good |
| Panda Internet Security 2007 | 1.5 | Good |
| Microsoft Windows Live OneCare 1.6 | 1.5 | Good |
| McAfee Internet Security 2007 | 1.5 | Good |
| ESET Smart Security 3.0 | 1.5 | Good |
| BitDefender Internet Security 10 | 1.5 | Good |
| Symantec Internet Security 2007 | 1 | Satisfactory |
| Avira Premium Security Suite 7.0 | 1 | Satisfactory |

 

As Tables 3–6 show, the best overall results were achieved in the categories of driver protection and protection from process modification (which only five products failed).

This analysis has demonstrated that only four of the antivirus products tested (Kaspersky Internet Security 7.0, VBA32 Antivirus 3.11, Symantec Internet Security 2007 and F-Secure Internet Security 2007) are equipped with adequate self-protection.

Of these products, only the self-protection included in Kaspersky Internet Security 7.0, which scored 97% and received the Gold Self-Protection Award, is truly reliable.

Avast! Professional Edition 4.7, Avira Premium Security Suite 7.0, Sophos Anti-Virus 6.0, DrWeb 4.44, Microsoft Windows Live OneCare 1.6 and BitDefender Internet Security 10 failed testing, demonstrating that they are virtually incapable of blocking possible attacks by malicious programs.

 Detailed testing results for each antivirus product and more detailed information on the calculations based on the testing results can be downloaded in Microsoft Excel format (attached to this post).