Years ago, my mom got an email with an attachment that contained a MyDoom email worm. She opened the attachment, ran the MyDoom worm, and infected her computer. Two days later, her antivirus software received its weekly definition update, and finally recognized the MyDoom worm she'd opened. Too late.
In recent years I've hunted malware in the real world, and uploaded thousands of malware files to VirusTotal for analysis by about 30 types of security software, probably including the one you're using right now. The detection rates can be quite low on the malware that actually matters RIGHT NOW, the malware the bad guys are constantly regenerating to keep ahead of the antivirus vendors and keep infecting computers. I recognized a need to educate people that antivirus is not an ironclad defense by itself.
An attempt at education
About a year ago, I harvested a particular batch of malware from the real world, and scanned it with about 20 different antivirus/antispyware programs, then published the results at the AnandTech Forums as an educational topic. The intent of the test was to show that NONE of the antivirus/antispyware programs succeeded in detecting ALL the malware, and therefore it is still important to use other layers of security besides antivirus alone. Following the test results, you'll find some suggestions for securing Windows PCs.
For the test, I collected 95 malware samples, including exploits, rootkits, trojans (Zlob, DNSChanger, LoadAdv, VideoAccessCodec and others), backdoors, password-stealers, PUPs/adwares (including some DLLs, BHOs and EXEs harvested from a few live installs on my honeypot), a malicious HOSTS file, a QuickTime exploit, and a couple of email worms, plus a really tough one: sneaky Frogexer images used to smuggle malicious code through the firewall. This was fresh real-world malware, hot off the bad guys' servers.
The results, in no particular order. Again, this is not a complete or scientific test, nor a buyer's guide; it merely illustrates that your favorite antivirus isn't infallible protection by itself.
- F-Secure's online scanner detected 60 of the 95 samples.
- BitDefender 10 AntiVirus Plus, in its default configuration, detected 49 of the 95 samples. The BitDefender contextual scanner appears to use all BitDefender's optional capabilities by default, so there were no additional tweaks to use. It missed all but one HTML exploit, some Trojans, at least one of the rootkit files, and the adware/fraudware files.
- ClamwinPortable detected 44 of the 95 samples.
- NOD32, in its default configuration, detected 59 of the 95 samples. Heuristics and compressed-file scanning were already enabled by default, and enabling detection of "potentially-unsafe programs" didn't result in any additional detections. NOD32 missed all the HTML exploits, the Frogexer pics, a rootkit, some Trojans and adware/fraudware files.
- Panda ActiveScan online scanner detected 47 of the 95 samples if I'm reading the report correctly. They missed the HTML exploits but had relatively good detection of the adware/fraudware files.
- Microsoft's Live OneCare online scanner detected 43 of the 95 samples. It was unable to delete some of them, for unknown reasons, but it detected more than I expected.
- Kaspersky AntiVirus 7 detected 67 of the 95 samples using maxed-out settings (which is how I normally run it). Looking at the scan results, the reason KAV7 scored higher than F-Secure (which uses the KAV engine and sigs) appears to be the new heuristic-detection capabilities added to v7. KAV7 nevertheless missed all of the HTML exploits, all of the Frogexer pics, about half of the DLLs from actual adware/PUP installs, and some of the Trojans.
- Computer Associates (CA), in its default configuration, detected 26 of the 95 samples. There did not appear to be any additional scanning capabilities to enable, since heuristics were already enabled. CA missed nearly all of the HTML exploits, lots of Trojans, all the crafty .GIFs, the PUP/adware files, an email worm, a Spambot, Trojan-Downloaders, and some of the rootkit files.
- Symantec's online scanner detected 39 of the 95 samples.
- Symantec AV Corporate 10.1.5.5000 detected 43 of the 95 samples in John's testing. Glancing at a screenshot of what was missed, it looks like it missed all the HTML exploits, some Trojans, the Frogexer pics, the adware/fraudware files, and the malicious HOSTS file.
- McAfee's command-line scanner was run with all detection capabilities maxed, using the hourly beta 4100 DATs. It detected 36 of the 95 samples. Notably, it failed to detect any of the rootkit files or any of the HTML exploit samples, and it failed to detect the current versions of the Frogexer pics.
- AntiVir PersonalEdition Classic, in its default configuration, detected 60 of the 95 samples. With all settings maxed out in Expert Mode (heuristics at maximum, all filetypes scanned, and all optional threat categories enabled) it nailed 71 of the 95 samples, including all but one HTML exploit, but still missed most of the files from live adware/PUP installations, some Trojans, and the crafty .GIF files.
- AVG Free Edition, in its default configuration (which already includes heuristics and archive scanning), detected 47 of the 96 samples. With the Scan all files option enabled, it detected one additional file, the malicious HOSTS file, leaving the HTML exploits, adware/PUP files, the crafty .GIF files and lots of Trojans undetected.
- Avast! Personal Edition, in its default configuration, detected 45 of the 95 samples. Setting the protection to High instead of Normal did not get any additional detections. Avast missed the same sorts of stuff that AVG did.
- AOL Kaspersky [no longer available], in its default configuration, detected 59 of the 95 samples. With all settings maxed out, it detected 61 of the 95 samples thanks to the enabling of PUP detection. Detection pattern was similar to KAV7 except it didn't have the heuristic detections.
- SUPERAntiSpyware detected 42 of the 95 samples. That was pretty impressive considering that the majority of the samples don't really fit its target genre.
- I got an interesting question from John... of the files missed by KAV7 in fully-maxed configuration, how many of them were detected by SUPERAntiSpyware? I tested and found that SAS detected 9 of 28 files that KAV7 had not detected. John did further tests with antispyware apps and reports these results:
- Counterspy v2 - 43 out of 95 (trojans, spamtool, vpp, antispystorm)
- AVG Anti-Spyware - 39 out of 95 (trojans, hosts file, rootkit, ultimatedefender)
- a-squared free - 25 out of 95 (trojans, spamtool, virusprotectpro, antispystorm)
- Spy Sweeper 5.5.7.48 - 24 out of 95 (detected trojans, ultimate cleaner, maxifiles)
- Oh, and Windows Defender detected 3 of the 95 samples (golf clap)
And 2 weeks later? A spot check with a few of the products...
- AntiVir detected 73 of the 95 samples with maxed-out Expert Mode settings
- Kaspersky AntiVirus 7 detected 74 of the 95 samples with maxed-out settings including the optional heuristics
- AOL Kaspersky detected 70 of the 95 samples with default settings, and 72 of the 95 samples when the potentially-dangerous software option was enabled
- SUPERAntiSpyware detected 44 of the 95 samples
- Spyware Doctor Starter Edition from Google Pack detected 21 of the 95 samples
Taking your defense beyond antivirus alone: defense-in-depth techniques for Windows PCs
Try a non-Administrator user account
Many people aren't even aware that they can set aside the dangerous Administrator-level powers, and use their computer in a much safer way (see mech's information page about non-Administrator user accounts). The security gains you get from this step are very substantial; going back to the example of my mom and her MyDoom infection, this step alone would've prevented it.
Use firewalls
If you have a broadband connection, use a router between your broadband modem and your computer(s). Also use a software firewall, such as the Windows Firewall or another of your choice. Firewalls regulate network communication between computers & networks, helping to prevent unwanted probes and attacks.
Keep your Microsoft software up-to-date
Enable Automatic Updates as shown in this picture (you can reach this setting by right-clicking My Computer and choosing Properties).
Also, upgrade your Automatic Updates software to Microsoft Update, which will update a wider range of Microsoft software (including any Microsoft Office-related software). To get Microsoft Update:
- For Windows XP or Windows 2000 users, go to the Microsoft Update website.
- For Windows Vista users, click Start, type Windows Update in the Search box, and press Enter, then click Change Settings, and put a checkmark in the box for Microsoft Update.
Eliminate unnecessary "attack surface"
Did your computer come with a bunch of junk you never use? Or has it got a lot of accumulated stuff you don't use anymore? Uninstall it. The bad guys cannot exploit something that isn't there. Media players, Instant Messaging and VOIP programs, email programs, web browsers, Sun Java and other popular software are often exploited by the bad guys.
Keep your other software up-to-date
This step is VERY important in today's world. Home users, try out Secunia's new Personal Software Inspector beta (free for home use), and it'll show you how to fix many of the vulnerabilities that the bad guys use to infect computers. I also like the free Microsoft Baseline Security Analyzer, but Secunia's free utility is a must-have.
Vista users: keep UAC turned on
Windows Vista has enhanced security capabilities. Some of them depend on the User Account Control (UAC) system, which prompts for approval from the computer's Administrator before allowing potentially-dangerous actions to be completed. It's wise to leave UAC enabled. Tip: if you have issues creating or modifying files and folders, causing repeated UAC prompts, ask at a Forum for help adjusting the file-system permissions to actually fix the underlying issue.
Use your computer's Data Execution Prevention feature
Fully enable your computer's Data Execution Prevention, as shown in this picture. You can reach this setting by right-clicking My Computer and choosing Properties. If a program is terminated by Data Execution Prevention, you'll see an alert that says so. DEP stops some types of exploits right at the hardware level.
If you get Data Execution Prevention errors when you're trying to use legit programs, then use your Administrator account to make exceptions when necessary. In this picture, you can see that I added some "problem" programs to the exception list.
Disable or restrict "AutoPlay"
Your computer can be automatically attacked by an infected memory card, a flash drive, a burned CD or DVD, an external hard drive or an MP3 player. This is the modern equivalent of how computer viruses spread themselves by infecting floppy diskettes in the old days. See: how to prevent AutoPlay attacks by disabling or restricting AutoPlay.
Keep your tinfoil hat on!
Do NOT install any software or add-ons you got from the Internet, unless it comes from an absolutely trustworthy author. Because when you download & install software, you cast aside your own defenses and put yourself at the mercy of the software's author. Don't do this lightly, because the bad guys will be happy to bypass all your security measures with a Trojan Horse attack, targeting YOU as the weak point in the defenses.
All that glitters is not gold
Absolutely do not mess around with warez (illegal software), key generators, cracks, or any executable files you got from a P2P / file-sharing network; these are extreme risks. If there's one thing the bad guys are likely to use as bait, this is it.
Back up your stuff
Some types of malware actively delete your stuff (music, documents, movies and more), or encrypt it and hold it for ransom. Be wise: establish a backup system, such as an external hard drive, and use it.
For the advanced user: Software Restriction Policy
Some versions of Windows XP and Windows Vista are capable of Software Restriction Policy. If you have XP Pro, XP Media Center Edition, Vista Business, Vista Ultimate or Vista Enterprise, and you're able to use a non-Administrator user account, then check out Software Restriction Policy too.
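As an added example (not part of the original article or its linked pages), the following Windows PowerShell script audits, read-only, the settings recommended in the tips above: non-Administrator account, Windows Firewall, Automatic Updates, UAC, DEP, AutoPlay and Software Restriction Policy. It assumes Windows PowerShell on the PC being checked and uses the standard registry locations for each setting; the PASS/FAIL criteria are the article's recommendations, so a FAIL means "not configured the way the tip suggests", not necessarily an infection.

```powershell
# Added example, not from the original article: read-only audit of the
# defense-in-depth settings discussed above. Prints PASS/FAIL per item.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not configured"
}

function Test-DefenseInDepth {
    $results = @()

    # Non-Administrator account: is this session a member of local Administrators?
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $role = [Security.Principal.WindowsBuiltInRole]::Administrator
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole($role)
    $results += New-Object PSObject -Property @{ Check = 'Non-Administrator session'; Pass = (-not $isAdmin) }

    # Windows Firewall, standard (non-domain) profile; Vista also has a public profile
    $fw = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall'
    $results += New-Object PSObject -Property @{ Check = 'Windows Firewall on'; Pass = ($fw -eq 1) }

    # Automatic Updates: AUOptions 4 = download and install automatically
    $au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
    $results += New-Object PSObject -Property @{ Check = 'Automatic Updates (auto-install)'; Pass = ($au -eq 4) }

    # UAC (Vista and later): EnableLUA 1 = on
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $results += New-Object PSObject -Property @{ Check = 'UAC enabled'; Pass = ($lua -eq 1) }

    # DEP policy from WMI: 1 = AlwaysOn, 3 = OptOut ("all programs except those I select")
    $dep = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $results += New-Object PSObject -Property @{ Check = 'DEP for all programs'; Pass = ($dep -eq 1 -or $dep -eq 3) }

    # AutoPlay: NoDriveTypeAutoRun 0xFF disables AutoRun on every drive type
    # (a per-user value under HKCU may also exist; this checks the machine-wide policy)
    $ap = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $results += New-Object PSObject -Property @{ Check = 'AutoRun disabled (all drives)'; Pass = ($ap -eq 0xFF) }

    # Software Restriction Policy: DefaultLevel 0 = Disallowed (only explicitly allowed paths run)
    $srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    $results += New-Object PSObject -Property @{ Check = 'SRP default level = Disallowed'; Pass = ($srp -eq 0) }

    $results
}

Test-DefenseInDepth | Format-Table Check, Pass -AutoSize
```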
My mom was lucky. The bad guys didn't encrypt her documents and family photos and hold them for ransom. The bad guys didn't steal her WoW account and sell off her stuff. The bad guys didn't hijack her PayPal or eBay account, or steal her identity or credit-card number, or clean out her bank account. But that's the type of stuff that's at stake these days, and cleaning up the infection two days later won't bring your stuff back once it's been stolen, deleted, or encrypted. Just one infection might be one too many, so consider using defense-in-depth techniques in addition to a modern, up-to-date antivirus program.
mechBgon
Microsoft MVP, Windows Shell/User, 2006-2008