Test of Packers Support in Antiviruses (September 2006)

Malware writers often use packers (or several packers layered on top of each other) to hinder detection of their "creations" by antivirus engines. This forces antivirus developers to provide working packer support, so that their engines can still recognise known malware when it is repackaged with new variants of packers. Our test therefore shows which AV companies attend to packer support and which do not.
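To make the mechanism concrete, here is an added illustration (not part of the original test, and not any vendor's engine): a toy "packer" that compresses a constructed sample behind a marker stub, a signature scanner that only matches bytes as found on disk, and a packer-aware scanner that identifies the stub and unpacks (repeatedly, to cope with layered packing) before applying the same signature. The stub name, sample bytes and signature are all constructed for this example.

```python
import hashlib
import zlib

# Constructed stand-in for a packer: a recognisable stub marker followed by
# the zlib-compressed original. Real packers (UPX, ASPack, ...) are far more
# elaborate, but the effect on a byte-signature scanner is the same.
STUB_MAGIC = b"TOYPACK1"

# Constructed sample with a distinctive byte sequence embedded in it.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 64 + b"CONSTRUCTED-SAMPLE-MARKER" + b"\x00" * 64
# The byte-string signature an engine would store for this sample.
SIGNATURE = b"CONSTRUCTED-SAMPLE-MARKER"


def pack(data: bytes) -> bytes:
    """Toy packer: prepend the stub marker to the compressed payload."""
    return STUB_MAGIC + zlib.compress(data, 9)


def is_packed(data: bytes) -> bool:
    """Packer identification: recognise the stub the packer prepends."""
    return data.startswith(STUB_MAGIC)


def unpack(data: bytes) -> bytes:
    """Strip one packer layer and restore the payload it wrapped."""
    return zlib.decompress(data[len(STUB_MAGIC):])


def scan_naive(data: bytes) -> bool:
    """Engine without packer support: match the signature on raw bytes."""
    return SIGNATURE in data


def scan_packer_aware(data: bytes) -> bool:
    """Engine with packer support: peel every recognised layer, then match."""
    while is_packed(data):
        data = unpack(data)
    return SIGNATURE in data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    packed = pack(ORIGINAL)
    twice = pack(packed)  # "a couple of packers" layered, as the text mentions
    print("original sha256 :", sha256(ORIGINAL))
    print("packed sha256   :", sha256(packed))
    print("naive scan, packed sample        :", scan_naive(packed))
    print("packer-aware scan, packed sample :", scan_packer_aware(packed))
    print("packer-aware scan, double-packed :", scan_packer_aware(twice))
```

The hashes differ and the naive scan misses the packed copy, which is exactly the gap the test below measures across 21 real packers.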

Table of Contents:

- Introduction
- Testing Results and Awards

Introduction

During the August 2006 testing session, antivirus products from 17 vendors were tested, including Avast!, Avira, Computer Associates, Eset, F-Secure, Grisoft, McAfee, Panda Software, Sophos, Symantec, Trend Micro, VirusBlokAda, Dr. Web, Kaspersky Lab and the Ukrainian Antivirus Center.


Antivirus products were tested on the following malicious programs selected in accordance with the methodology described above: 

  • Backdoor.Win32.BO_Installer
  • Email-Worm.Win32.Bagle
  • Email-Worm.Win32.Menger
  • Email-Worm.Win32.Naked
  • Email-Worm.Win32.Swen
  • Worm.Win32.AimVen
  • Trojan-PSW.Win32.Avisa
  • Trojan-Clicker.Win32.Getfound

These malicious programs were modified using 21 types of packers (using the latest versions available at the time of testing), also selected in accordance with the methodology described above, including:

  1. ACProtect 1.32
  2. ASPack 2.12
  3. ASProtect 2.1 build 2.19
  4. Dropper 2.0
  5. EXECryptor 2.3.9.0
  6. ExeStealth 2.76
  7. FSG 2.0
  8. MEW 11 SE 1.2
  9. Morphine 2.7
  10. NsPack 3.7
  11. Obsidium 1.2.5.0
  12. ORiEN 2.12
  13. Packman 1.0
  14. PECompact2 2.78a
  15. PESpin 1.304
  16. Petite 2.3
  17. Private exe Protector 1.9
  18. UPX 2.01w
  19. WinUpack 0.39 final
  20. yoda's Cryptor 1.3
  21. yoda's Protector 1.0b

Testing Results and Awards

Award                    Products
Gold Packers Support     F-Secure Anti-Virus 2006 (81%)*
                         Kaspersky Anti-Virus 6.0 (81%)
Silver Packers Support   BitDefender 9 Professional Plus (76%)
                         Dr. Web Anti-Virus 4.33 (76%)
Bronze Packers Support   Eset NOD32 Antivirus 2.5 (57%)
Failed the test          AVG Anti-Virus 7.1 (10%)
                         Avira AntiVir PE 7.0 (10%)
                         CA eTrust EZ Antivirus r8 (10%)
                         Clam AntiVirus 0.88 (10%)
                         McAfee VirusScan 2006 (10%)
                         avast! Professional Edition 4.7 (5%)
                         Panda Platinum Internet Security 2006 (5%)
                         Sophos Anti-Virus 6.0 (5%)
                         Norton AntiVirus 2006 (5%)
                         VBA32 Antivirus 3.11 (5%)
                         Trend Micro PC-Cillin 2006 (0%)
                         UNA 1.8 (0%)

* F-Secure Anti-Virus 2006 uses an antivirus engine licensed from Kaspersky Lab.

** The test was conducted using the latest versions of the following compression utilities: ACProtect, ASPack, ASProtect, Dropper, EXECryptor, ExeStealth, FSG, MEW, Morphine, NsPack, Obsidium, ORiEN, Packman, PECompact2, PESpin, Petite, Private exe Protector, UPX, WinUpack, yoda's Cryptor, yoda's Protector.


Only five out of the 17 antivirus products tested demonstrated acceptable packer support. These are products from the following vendors: F-Secure, Kaspersky Lab, BitDefender, Dr. Web and Eset. The results from other antivirus products were extremely poor.

Since F-Secure Anti-Virus uses the Kaspersky Lab antivirus engine, it can be concluded that the Gold Packers Support was earned by a single antivirus engine (the test results for Kaspersky Anti-Virus and F-Secure Anti-Virus were identical, which can be clearly seen from the detailed test results, so it is no coincidence that both solutions have the same final result of 81%).

The BitDefender and Dr. Web products also demonstrated high results – 76% packer support is short of the 80% required to receive the Gold Packers Support Award, but the Silver Packers Support award is well earned.

Eset NOD32, which supports 57% of the packers used in the test, is the fifth and last product to receive an award: the Bronze Packers Support Award.
