Antivirus Test for Polymorphic Viruses Detection (February 2008)
Table of Contents:
- Introduction
- Test Results and Awards
Introduction
Polymorphic malicious programs (also referred to hereafter as viruses) are capable of completely mutating with every new infection, generating multiple samples of themselves.
When scanning files on a computer using the traditional method, antivirus products search for specific traces of a virus – a signature. If the code of a virus that has been assigned a signature is modified, it will no longer be possible to detect it using that signature. A polymorphic virus is capable of performing such modifications to any of its parts.
Detecting polymorphic viruses is possible only by using a detection algorithm that is specially developed for each individual virus. The aim of this test is to assess the quality of these special detection algorithms in various antivirus products.
Moreover, because polymorphic viruses are the most difficult viruses to detect, the ability to do so reflects the level of professionalism of an antivirus product’s developers. They not only have to analyze the complex variants of the viruses but also develop a reliable procedure and methodology to ensure 100% detection rates.
- Methodology for Antivirus Test for Polymorphic Viruses Detection »
- Awards Guide of Antivirus Test for Polymorphic Viruses Detection »
Malware that makes use of polymorphic technology to avoid detection is always the most difficult to detect for antivirus software.
Virus polymorphism consists of virus code mutating ‘on the fly’, while the code generation procedure itself can also vary and undergo modifications with every new infection. In other words, polymorphic viruses are capable of completely altering themselves every time they infect, generating multiple versions of a single virus. (More information about polymorphic code can be found here.)
Detecting polymorphic viruses therefore requires the use of a detection algorithm that is specially developed for each individual virus.
The aim of this test is to assess the quality of the special algorithm function for detecting the latest polymorphic viruses.
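To make the point of the introduction concrete, here is a toy illustration, added here and not taken from the test report or from any of the products it covers. The "family" is constructed for the demonstration: every sample is a one-byte key followed by a fixed body XOR-ed with that key, so the body bytes differ from sample to sample. A scanner that looks for a fixed byte string (the "signature") matches only the sample whose key happens to produce those bytes, while a family-specific routine that undoes the mutation and compares the invariant body detects every sample. The names, the body bytes and the key scheme are all assumptions made for the example.

```python
"""Toy illustration (added example, not part of the original report):
why a fixed byte signature misses a mutating family while a
family-specific detection algorithm catches every sample.
"""
import hashlib

# Constructed, inert body of the toy family (not real program code).
FAMILY_BODY = b"TOY-POLY-FAMILY-BODY-FOR-DEMO"
# The invariant the family-specific algorithm checks after decoding.
BODY_SHA256 = hashlib.sha256(FAMILY_BODY).hexdigest()


def make_sample(key: int) -> bytes:
    """Build one constructed sample: key byte followed by body XOR key."""
    return bytes([key]) + bytes(b ^ key for b in FAMILY_BODY)


def static_signature_scan(sample: bytes, signature: bytes) -> bool:
    """Traditional detection: search the file for a fixed byte pattern."""
    return signature in sample


def family_algorithm_scan(sample: bytes) -> bool:
    """Family-specific detection: recover the key, undo the mutation and
    compare the decoded body against the known invariant."""
    if len(sample) != 1 + len(FAMILY_BODY):
        return False
    key = sample[0]
    decoded = bytes(b ^ key for b in sample[1:])
    return hashlib.sha256(decoded).hexdigest() == BODY_SHA256


def detection_rate(samples, detector) -> float:
    """Detection rate in percent, the figure the test tables report."""
    hits = sum(1 for s in samples if detector(s))
    return 100.0 * hits / len(samples)


def run_demo():
    """Return (static-signature rate, family-algorithm rate) over an
    exhaustive collection of 256 samples, one per key value."""
    samples = [make_sample(k) for k in range(256)]
    # Signature extracted from the key-0 sample, i.e. the plain body.
    signature = samples[0][1:9]
    static = detection_rate(samples, lambda s: static_signature_scan(s, signature))
    family = detection_rate(samples, family_algorithm_scan)
    return static, family


if __name__ == "__main__":
    static, family = run_demo()
    print(f"static signature: {static:.2f}%   family algorithm: {family:.2f}%")
```

The static scanner detects exactly one of the 256 samples (the one whose key leaves the body unchanged), whereas the family routine reaches 100%. Real polymorphic engines vary far more than a single key byte, which is why the report stresses that a dedicated, tested algorithm per family is needed rather than more signatures.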
The following antivirus programs were tested:
- Agnitum Outpost Security Suite Pro 2008 (VirusBuster)
- Avast Professional Edition 4.7
- AVG Anti-Virus Professional Edition 7.5
- Avira Antivir Personal Edition Classic 7.06
- BitDefender Anti-Virus 2008
- DrWeb 4.44
- Eset Nod32 Antivirus 3.0
- F-Secure Anti-Virus 2008
- Kaspersky Anti-Virus 7.0
- McAfee VirusScan 2008
- Microsoft Windows Live OneCare 2.0 Pre-Release
- Panda Antivirus 2008
- Sophos Anti-Virus 7.0
- Symantec Anti-Virus 2008
- Trend Micro Antivirus plus Antispyware 2008
- VBA32 Workstation 3.12.6
The test was performed using 11 families of polymorphic viruses, each with its own specific functionality. The initial samples and the resulting test collection of malware were generated in compliance with the stated requirements.
The following families of polymorphic viruses were compiled for the test:
- Allaple.1, Allaple.2, Allaple.3, Allaple.4
- Alman.1, Alman.2
- Twido.1, Twido.2
- Virut.2, Virut.3, Virut.4
Testing of the antivirus programs was performed on a Windows XP SP2 operating system from 15 January to 20 February 2008 strictly in line with the stated methodology.
Test Results and Awards
Tables 1-2 show the detection results of the antivirus products for the different families of polymorphic viruses.
Table 1: Detection rate for different families of polymorphic viruses (part 1)
| Antivirus product \ Virus family | Allaple.1 | Allaple.2 | Allaple.3 | Allaple.4 | Alman.1 | Alman.2 |
|---|---|---|---|---|---|---|
| Agnitum | 99.92% | 99.72% | 98.19% | 99.21% | 99.48% | 99.01% |
| Avast | 99.96% | 99.89% | 99.32% | 93.81% | 99.90% | 100% |
| AVG | 100% | 99.90% | 100% | 99.75% | 100% | 100% |
| Avira | 100% | 100% | 100% | 100% | 100% | 100% |
| BitDefender | 99.84% | 99.72% | 93.11% | 93.48% | 98.74% | 98.61% |
| DrWeb | 100% | 99.88% | 99.77% | 93.69% | 100% | 100% |
| Eset | 100% | 99.99% | 98.31% | 99.48% | 100% | 100% |
| F-Secure | 100% | 100% | 100% | 99.98% | 100% | 100% |
| Kaspersky | 100% | 100% | 100% | 99.98% | 100% | 100% |
| McAfee | 99.73% | 99.77% | 96.16% | 99.16% | 96.96% | 100% |
| Microsoft | 99.92% | 99.93% | 98.76% | 99.64% | 100% | 100% |
| Panda Security | 100% | 99.87% | 97.63% | 96.20% | 99.90% | 99.80% |
| Sophos | 100% | 99.39% | 78.98% | 71.89% | 99.69% | 100% |
| Symantec | 99.53% | 99.51% | 90.40% | 91.26% | 99.16% | 99.80% |
| Trend Micro | 100% | 100% | 100% | 100% | 99.90% | 100% |
| VBA | 99.49% | 99.51% | 92.2% | 94.06% | 77.91% | 100% |
| Total samples in family | 2569 | 8240 | 885 | 4785 | 955 | 504 |
Table 2: Detection rate for different families of polymorphic viruses (part 2)
| Antivirus product \ Virus family | Twido.1 | Twido.2 | Virut.2 | Virut.3 | Virut.4 |
|---|---|---|---|---|---|
| Agnitum | 0% | 0% | 99.10% | 96.31% | 98.74% |
| Avast | 100% | 100% | 100% | 99.33% | 99.67% |
| AVG | 98.04% | 0.24% | 99.64% | 98.64% | 99.23% |
| Avira | 100% | 100% | 100% | 99.90% | 99.51% |
| BitDefender | 97.70% | 0% | 100% | 99.23% | 99.23% |
| DrWeb | 99.93% | 88.05% | 99.82% | 98.34% | 99.01% |
| Eset | 97.97% | 0% | 100% | 98.36% | 98.47% |
| F-Secure | 100% | 99.67% | 100% | 100% | 100% |
| Kaspersky | 100% | 99.67% | 100% | 100% | 100% |
| McAfee | 11.01% | 0.00% | 23.65% | 40.25% | 13.10% |
| Microsoft | 100% | 100% | 53.25% | 77.93% | 13.97% |
| Panda Security | 11.48% | 0.00% | 97.11% | 98.36% | 97.48% |
| Sophos | 19.99% | 21.63% | 99.46% | 90.63% | 96.99% |
| Symantec | 0% | 0% | 100% | 91.49% | 100% |
| Trend Micro | 0% | 0% | 98.01% | 67.80% | 40.33% |
| VBA | 99.12% | 0.16% | 97.47% | 94.61% | 96.27% |
| Total samples in family | 1481 | 1230 | 554 | 6757 | 1825 |
Diagram 1: Protection against the Allaple virus family
Only Avira and Trend Micro were capable of providing 100% protection against the viruses of the Allaple family.
Diagram 2: Protection against the Alman virus family
Avira, Kaspersky, ESET, Avast, DrWeb, F-Secure and Microsoft provide 100% protection against the viruses of the Alman family.
Diagram 3: Protection against the Twido virus family
Avira, Avast and Microsoft provide 100% protection against the viruses of the Twido family.
Diagram 4: Protection against the Virut virus family
Kaspersky and F-Secure provide 100% protection against the viruses of the Virut family.
A number of antivirus programs have problems when detecting polymorphic viruses from the Twido.2, Twido.1 and Virut.4 families. The first two of those families caused 11 of the 15 antivirus products that were tested to fail.
Alman.2, Allaple.1 and Allaple.2 proved to be the easiest to detect with all the antivirus products achieving a detection rate of 90% or higher.
In accordance with the awards scheme, the results from tables 1 and 2 have to be converted into points. A total of 3 points are awarded if the antivirus program detected 100% of the samples from a virus family. This demonstrates that the detection algorithm was developed properly and underwent the correct testing.
Two points are awarded if the antivirus program detects between 99 and 100% of the samples from a virus family. The detection algorithm, in this case, was not developed perfectly or did not undergo the necessary testing.
One point is awarded for a detection rate of 90-99% of the samples from a virus family, suggesting the detection algorithm was developed with errors or failed to undergo the necessary testing.
If less than 90% of the samples in a virus family were detected, the detection algorithm for that family was deemed to perform poorly and no points were awarded to the antivirus program.
Table 3 shows the total score for all the products that participated in the test and the type of award they received.
Table 3: Antivirus product ranked according to result and award
| Antivirus | Award | Total points (maximum 33) |
|---|---|---|
| Avira Antivir Personal Edition Classic 7.06 | Gold Anti-Polymorphic Protection Award | 31 |
| F-Secure Anti-Virus 2008 | Gold Anti-Polymorphic Protection Award | 31 |
| Kaspersky Anti-Virus 7.0 | Gold Anti-Polymorphic Protection Award | 31 |
| Avast Professional Edition 4.7 | Silver Anti-Polymorphic Protection Award | 25 |
| AVG Anti-Virus Professional Edition 7.5 | Silver Anti-Polymorphic Protection Award | 22 |
| DrWeb 4.44 | Silver Anti-Polymorphic Protection Award | 21 |
| Eset Nod32 Antivirus 3.0 | Silver Anti-Polymorphic Protection Award | 20 |
| Microsoft Windows Live OneCare 2.0 Pre-Release | Bronze Anti-Polymorphic Protection Award | 19 |
| Trend Micro Antivirus plus Antispyware 2008 | Bronze Anti-Polymorphic Protection Award | 18 |
| Symantec Anti-Virus 2008 | Bronze Anti-Polymorphic Protection Award | 17 |
| BitDefender Anti-Virus 2008 | Bronze Anti-Polymorphic Protection Award | 16 |
| Agnitum Outpost Security Suite Pro 2008 | Bronze Anti-Polymorphic Protection Award | 15 |
| Sophos Anti-Virus 7.0 | Bronze Anti-Polymorphic Protection Award | 14 |
| Panda Antivirus 2008 | Bronze Anti-Polymorphic Protection Award | 14 |
| VBA32 Workstation 3.12.6 | Bronze Anti-Polymorphic Protection Award | 14 |
| McAfee VirusScan 2008 | Failed | 11 |
Avira Antivir Personal Edition, F-Secure Anti-Virus and Kaspersky Anti-Virus achieved the best polymorphic virus detection results, missing just a few samples out of 30,000. Those three antivirus programs received the Gold Anti-Polymorphic Protection Award.
Avast Professional Edition, AVG Anti-Virus Professional Edition, DrWeb and ESET Nod32 Antivirus also scored highly, although all of them – with the exception of Avast – failed on one family of polymorphic viruses. They all received the Silver Anti-Polymorphic Protection Award.
Microsoft Windows Live OneCare, Trend Micro Antivirus, Symantec Anti-Virus, BitDefender Anti-Virus, Agnitum Outpost Security Suite, Sophos Anti-Virus, Panda Antivirus and VBA32 Workstation all achieved satisfactory results. Of particular note was the antivirus product from Microsoft, which showed a high level of detection for several virus families, but failed to achieve a higher score after performing poorly with the Virut 1-3 virus families.
McAfee VirusScan, unfortunately, failed to attain the minimal amount of points needed to pass the test.