Test of 16 Anti-Virus Products Says None Rates "Very Good"

An anonymous reader writes "AV-Comparative recently released the results of a malware removal test in which they evaluated 16 anti-virus software solutions. The test focused only on the malware removal/cleaning capabilities, therefore all the samples used were ones that the tested anti-virus products were able to detect. The main question was if the products were able to successfully remove malware from an already infected/compromised system. None of the products performed at a level of 'very good' in malware removal or removal of leftovers, based on those 10 samples."
  • WRONG SITE! (Score:5, Informative)

    by Anonymous Coward on Saturday November 07, 2009 @11:35PM (#30018926)

    They said AV-Comparative.org in the article. Try going there and see what happens. The correct site is av-comparatives.org.

  • The usual suspects (Score:5, Informative)

    by EmagGeek ( 574360 ) on Saturday November 07, 2009 @11:58PM (#30019054) Journal

    Of course, half of the software they tested is not anti-Malware software (Avast, for example, is an AV, not an Anti-Malware).

    They also did not test MalwareBytes, probably because it would make all of the others look bad.

  • all lame (Score:4, Informative)

    by Danzigism ( 881294 ) on Sunday November 08, 2009 @12:32AM (#30019186)

    For the regular user, I can understand wanting the "feeling" that you're protected. However, when even the shittiest and lamest rogue-AV programs like WinAntiSpyware, Antivirus2009, System Protector Pro, Police Pro, and all the other bogus products can't be stopped by even the best of AV software, ya gotta think. These scanning programs don't do shit and make you feel like they have. So, understand how your system works. Use Sysinternals Autoruns to see what shit is being loaded on your system. And become familiar with our dear friend ComboFix provided by Bleeping Computer [www.bleepingcomputer]. It is the only tool worth a damn that can also get rid of severe rootkits. Sometimes for the real bad ones you'll need to use the Windows Recovery Console to delete files hidden from the Windows API as well as disable infected drivers/services. AV will still be a joke since the bottom line is, you can still get infected. Especially if you are prone to getting viruses anyway due to your browsing habits.

  • Also (Score:4, Informative)

    by Sycraft-fu ( 314770 ) on Sunday November 08, 2009 @12:37AM (#30019218)

    Testing online (meaning running the removal program on a running, infected, system) removal seems kinda silly. You are fighting a war there and the malware has the upper hand being there first. On a compromised system you generally want to work on it offline. You either boot a live CD or take the hard disk to another computer. That way the malware can't be running. You can then use tools to track it down and remove it.

    Running a scanner on a live system is more of a preventative measure and a detection measure. You have a realtime scanner looking for threats coming in. If it finds them, it can block them before they have a chance to do anything. This is 99.9% of the good a virus scanner does. It stops them before they ever infect the system. It can then also help in terms of alerting you if a system is infected.

    However counting on one to be good at removal on a live system seems silly. Take the system offline, fix it, and bring it back up.

  • Re:Security... (Score:2, Informative)

    by dmorris68 ( 1532203 ) on Sunday November 08, 2009 @01:21AM (#30019392)

    Yes, but think about it this way. Let's say your computer runs at half its speed with an anti-virus.

    I wouldn't run any AV that causes my computer to run at "half its speed."

    I used to be a huge Norton AV hater. But since v2009 they did a major overhaul to their AV engine and now it runs extremely well. 2009 and 2010 consume virtually NO detectable resources, update themselves literally every few minutes, and turn themselves off completely during gaming. Kaspersky 2010 is a bit worse performance-wise, but not terribly so. I've also installed MSE on a few PCs for people and have been impressed with its performance. None of these three slow your PC "by half" and of the three, I'd say Kaspersky is the biggest hog, but still far and away better than the Norton of old. AVG used to be lean and mean until v8 I think, then it bloated up and got slow too. Avira free was decent but the ads were too annoying, as was the mandatory annual registration renewal for it and Avast. I finally decided to pay, and have been quite satisfied.

    So based on my experience, for free AV (that doesn't bug you with ads) I'd recommend MSE. If you're willing to pay, Norton 2010. And if you shop around online, you can get some good deals. I got 3 PCs w/ 2 year subscription of Norton Internet Security 2009 (and free upgrade to 2010) for $60, and I've actually found it even cheaper since.

  • Re:No Joke (Score:4, Informative)

    by mlts ( 1038732 ) * on Sunday November 08, 2009 @01:26AM (#30019420)

    It's even past that. It used to be kids who were out to knock off someone's machine on a local BBS. Then it became the legion of professionals who went blackhat due to cash.

    Now, you have well-heeled groups, from criminal organizations to whole governments who have immensely deep pockets who spend billions in order to search through every Windows and UNIX executable just to find the single buffer overrun, race condition, or other small goof that can be used in an elaborate attack. The payoff is big, and not just economics.

    Of course the attacks are nastier and nastier.

    Best defenses? After the obvious firewall and network IDS, two of the best system-level defenses out there are virtualization with a hardened hypervisor and jailing of apps. After that, an OS based IDS that can detect known signatures and unknown suspect activity. This way, something that gets access to the OS via an unjailed browser or plugin hole is stopped.

  • Re:Security... (Score:3, Informative)

    by Anonymous Coward on Sunday November 08, 2009 @02:11AM (#30019574)

    Your mom has a potty mouth.

  • by mysidia ( 191772 ) on Sunday November 08, 2009 @02:23AM (#30019604)

    Agreed...

    They should have instead tested:

    1. SUPERAntispyware
    2. PC Tools Spyware Doctor
    3. Malwarebytes Anti-Malware
    4. PrevX CSI
    5. Webroot Antispyware with AV and Firewall
    6. Spy Sweeper
    7. ThreatFire 4.5
    8. Vipre Antispyware 3.1
    9. CA Pestpatrol
    10. CounterSpy
    11. Trend Micro Security
    12. Tenebril SpyCatcher
    13. LavaSoft AdAware Pro 8.1
    14. McAfee Anti-Spyware
    15. Panda Internet Security
    16. AVG Anti-spyware (not anti-virus)
    17. Ashampoo Antispyware

    And then maybe considered testing some of the lesser-known ones, or ones that I believe to be outdated and/or quite ineffective:

    • Spybot Search and Destroy
    • Crawler Spyware Terminator
    • SPAMFighter Spyware Fighter
    • Spyware X-Terminator
    • Xblock X-cleaner
    • Cyberdefender
    • Spyware Terminator
    • StopZilla
    • SpyEraser
    • GarbageClean
  • by RudeIota ( 1131331 ) on Sunday November 08, 2009 @02:42AM (#30019662) Homepage

    The offline approach worked fantastically in the year 2000, but now... the playing field has changed.

    We have rootkits that embed themselves into alternate data streams, utilize virtualization, employ self-encryption and password protection and randomize what would otherwise be easy-to-detect signatures etc. Some rootkits can *only* be reliably detected if they are actually *running* because they conceal themselves using these techniques. *Even then*, it requires a competent utility with things like stealth detection which look specifically for that behavior of concealing/unconcealing itself. As a result, some of these viruses don't show up in Safe Mode either...

    Scanning offline is a good first step if the system is hosed. From my experiences though -- if the system can boot and mostly works -- do whatever scanning you can first while it is online. Use your best judgment as to whether you have mitigated the threat and THEN take it offline for the final clean up.
  • by mysidia ( 191772 ) on Sunday November 08, 2009 @03:07AM (#30019736)

    Instead I'm going to make lots of recommendations. Cleaning an infection is all about using lots of tools, since no one tool is perfect; every tool has a gap in what it can detect or clean. But when it comes to prevention, as few tools as possible should be used, and low-overhead choices should be used, since every tool installed and running slows down the workstation, and big-footprint tools have a big negative effect on users' productivity.

    I've also emphasized the need to do the initial cleaning with the infected drive as the secondary in a second machine.

    I don't recommend this. Your scanner has no way of knowing the secondary drive is a complete system.

    Some malware/viruses make registry and system-level changes, and these registry changes can have serious long-term consequences. Get anti-malware on the system that can fix the registry in the proper removal process.

    In the extreme case, running the scan on the medium plugged into another system can result in you rendering the disk you are scanning an unbootable OS.

    For cleaning process, I recommend having a bootable USB stick, with a hardware write-protect switch. Always set the physical write-protect switch to the read-only position when plugging into the system being cleaned.

    Then install anti-virus/anti-malware tools, I use:

    Avira Antivirus
    SUPERAntispyware
    Malwarebytes Anti-malware Technician Edition
    PC Tools Spyware Doctor
    PrevX Enterprise
    Lavasoft Adaware Business
    ESET NOD.32
    ComboFix
    HijackThis

    Copy tools installers to some innocuous folder on the hard drive, or have them installed to run from USB.

    Run a Malwarebytes quick scan first, if possible, since it's fastest. Since the USB stick MBAM is installed on is read-only, malware can't delete or tamper with mbam.exe. Sometimes it doesn't work: some malware detects specific cleaning tools.

    In that case, use a different program. Or, actually have various methods of stopping malware from detecting the program: things like hexediting strings in anti-malware executables to make the anti-malware "undetectable" by malware's naive procedures.

    Anyways, after the initial pass with some scanner, it will generally require a reboot, then another pass with the scanner to delete locked files. Do that.

    After all that, boot from a bootable USB stick, which is either an Avira, ESET, BitDefender, or Kaspersky rescue disk image, and run a full scan from rescue media.

    Then boot back into the system... and run a complete scan with all 6 anti-spyware tools (except HijackThis and ComboFix, only use once; pick only one AV tool to use. Only remove things with HijackThis if you understand what is not safe to remove).

    Otherwise: any time that a tool reports something found, I clean it, reboot, and note that when finished this round of scanning with the next tools, the spyware scans need to be done over again with all tools.

    Only after running a complete scan with all the anti-spyware tools and successfully getting "0 results found" successively with each tool, can one reliably say "I think it's clean".

    Once you get that, uninstall all anti-spyware and AV tools that were installed on the system, and install the preferred End-Point preventative security tools.

    Many of the tools that are great for scanning aren't the ones good for prevention.

    HijackThis and Spybot can make for reasonable cleaning in some cases. But for prevention of malware, it's gotta be something like PrevX or Spyware Doctor.

    And virus prevention should be eEye Blink, or ESET + Trend Micro, with some sort of IDS and network-wide patch management in place, e.g. Shavlik NetChk.

    The major consideration with prevention of AV on user workstations, is that: realtime protection should be available, enabled, and configured properly. The footprint should be minimal. Users shouldn't notice any slowdown,
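
An added example, not from this thread or from any of the tools named in the post above, of the integrity check behind the write-protected-stick advice: before running cleanup tools that were copied onto a suspect host, compare each file against a SHA-256 manifest recorded while the stick was still trusted, so a tool that malware has deleted or patched is caught before it is run. It assumes a POSIX shell with either sha256sum or shasum available; the tool files, file names and the tampering in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the poster's procedure or any vendor's code): verify
# cleanup tools against a known-good SHA-256 manifest before running them.

# Pick whichever SHA-256 tool is present (GNU coreutils vs. BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record one "<sha256>  <file name>" line per regular file under $1 into $2.
# Run this while the stick is trusted, then keep the manifest read-only.
write_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
}

# Check every manifest entry under $1 against $2. Prints a verdict per file
# and returns non-zero if any tool is missing or no longer matches.
verify_manifest() {
    dir=$1; manifest=$2; bad=0
    while read -r expected name; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(sha256_of "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MODIFIED $name"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Demo with constructed "tools": take a manifest, then alter one file the way
# malware that targets cleanup utilities would, and confirm it is flagged.
demo() {
    work=$(mktemp -d)
    mkdir "$work/tools"
    printf 'scanner-a placeholder binary\n' > "$work/tools/scanner-a.exe"
    printf 'scanner-b placeholder binary\n' > "$work/tools/scanner-b.exe"
    write_manifest "$work/tools" "$work/manifest.sha256"
    printf 'patched\n' >> "$work/tools/scanner-b.exe"   # simulated tampering
    verify_manifest "$work/tools" "$work/manifest.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo || echo "Integrity check failed: do not run these tools from this stick."
```

The manifest itself must live on the read-only medium (or be compared against a copy kept off the suspect host); a manifest that the infected system can rewrite proves nothing.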

  • Re:Kinda pointless (Score:2, Informative)

    by Le Marteau ( 206396 ) on Sunday November 08, 2009 @03:26AM (#30019778) Journal

    Pointless? Not exactly. New viruses can appear on your systems before there are any patterns for them. It is then left to a scan and a clean-up to deal with it.

  • by BikeHelmet ( 1437881 ) on Sunday November 08, 2009 @06:23AM (#30020286) Journal

    Malwarebytes seems to detect everything nasty.

    Of course, in my experience, it also detects a lot of stuff that isn't nasty. Don't even bother running it on a drive from an old Win98 computer. It'll tell you there's 30 viruses from 2008/2009 installed on it, even if that computer had no internet access. :P

    But if you examine the results and use some deductive reasoning, it's an amazing tool.

  • Re:Security... (Score:1, Informative)

    by Anonymous Coward on Sunday November 08, 2009 @07:46AM (#30020588)

    Have you cleaned up a compromised UNIX box before? NO OS is immune to viruses and malware, NONE. I've cleaned rootkits off of Suns, AIX machines, Linux boxes, yanked Macs from botnets (due to users wanting "free" iWork 09 versions). I have found experienced hackers who edited the RPM database so an rpm -Va doesn't catch their bongoed tripwire and sshd.

    Microsoft doesn't have a monopoly on stupidity, nor do their users. Don't let the Apple ads fool you. The guy who wanted a pirated copy of iWork is just as stupid as the person downloading pr0n running as Administrator on XP with a backlevel, unpatched Web browser. The same guy who follows instructions to download a .DMG file and run the contents as root is likely the same guy who downloads a "pr0n codec" on Windows. Either way, the machines are fragged the second the user approves admin access, be it via sudo, or UAC. Even on UNIX systems, I've seen sysadmins have "." and ".." in their $PATH, so when they cd into a user homedir and type in "cat blarf.txt", they are not running /bin/cat, but just ran some shell script that just boned their system.

    Please, if you know an OS that cannot be corrupted by viruses or other malware on an enterprise IT level, with the ability to deal with various corporate policies (including due diligence), by all means share it with us.
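
An added example, not part of the comment above, of a check for the $PATH trap the poster describes: it flags "." and ".." entries, empty entries (a leading, trailing or doubled colon, which the shell also resolves to the current directory) and any other relative entry, and separately flags PATH directories that are world-writable, since either condition lets a file planted in a directory an admin later cd's into shadow /bin/cat. It assumes a POSIX shell and a find that supports -maxdepth and -perm; the sample PATH strings are constructed.

```shell
#!/bin/sh
# Added example (not the poster's code): audit a PATH value for entries that
# resolve to the current or a relative directory, and for world-writable dirs.

# Return 0 if $1 contains only absolute entries, 1 otherwise (offenders printed).
check_path_hygiene() {
    path=$1
    bad=0
    if [ -z "$path" ]; then
        echo "UNSAFE empty PATH (resolves to current directory)"
        return 1
    fi
    # A leading, trailing or doubled colon is an empty entry: ":a", "a:", "a::b".
    case "$path" in
        :*|*:|*::*) echo "UNSAFE empty entry (means current directory)"; bad=1 ;;
    esac
    # Walk the colon-separated entries with a trailing sentinel colon.
    rest="$path:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")   ;;                                           # reported above
            .|..) echo "UNSAFE relative entry: $entry"; bad=1 ;;
            /*)   ;;                                           # absolute: fine
            *)    echo "UNSAFE relative entry: $entry"; bad=1 ;;
        esac
    done
    return $bad
}

# Return 0 if no existing directory listed in $1 is world-writable, 1 otherwise.
# A world-writable PATH directory lets any local user drop a binary into it.
check_path_perms() {
    path=$1
    bad=0
    rest="$path:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        [ -d "$entry" ] || continue
        # -perm -0002: the "other" write bit is set on the directory itself
        if [ -n "$(find "$entry" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "UNSAFE world-writable directory: $entry"; bad=1
        fi
    done
    return $bad
}

# Audit the current shell's PATH.
if check_path_hygiene "$PATH" && check_path_perms "$PATH"; then
    echo "PATH looks sane: $PATH"
else
    echo "PATH needs attention: $PATH"
fi
```

This only inspects the value as a string plus directory permissions; it does not compare PATH entries against what the shell has already hashed, so run it from a fresh login shell when checking an account's startup files.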

  • by HermMunster ( 972336 ) on Sunday November 08, 2009 @12:18PM (#30022494)

    Regarding my comment about using a second machine to do the initial cleaning. I would have to say that you are quite short-sighted. If you think ahead you'll understand the reasoning. And, if you are wise you'll understand that I would not recommend using a Windows box as the second machine.

    You are correct in that there are parts of the infections that a scanning from a second machine can't get. I don't dispute that, but that's why I said "initial" cleaning. The purpose of the initial cleaning is to allow you to go into certain folders and to delete files that you know are common havens for malware. After doing that you can use any of the several native Linux anti-malware products that will detect and remove infections from NTFS drives attached to the system.

    Today's malware is good at what it does. This isn't saying that some of the malware writers are not idiots. If they were competent at what they were doing they'd have your system infected and you'd never know it. Instead they pop up ads and slow your computer down and alter permissions to folders/files/registry entries--all of which are telltale signs of an infection. What I'm saying is that malware has become quite aggressive and the authors experienced; it's just that they are sometimes dumb as a post at how to get it done without alerting the users.

    There are some pitfalls to leaving the drive in the infected computer. Some of these are exploited by malware authors. Several examples would be: some malware products will attempt to delete any anti-malware product (including the installers when you try to execute them), some malware products will disable the ability to run certain anti-malware products (even if they were installed prior to the infection), some malware products will use the system (e.g., autorun on flash drives) to copy malware onto your flash drive in order to copy their infections to new machines.

    Yes, there will be missed traces of an infection when putting the drive into another computer. If you are any good at what you do then you'll know that you have removed the vast majority of the infection prior to putting it back into the original computer. You'll have deleted known malware folders, rogue programs, the temporary folders (go through your computer and count the number of \temp located under the OS and user areas), such as temporary Internet, prefetch, temp, history. At that time you then copy over the necessary software (anti-malware installers) that you'll use to do the cleaning. After putting the drive back in the original computer you then can begin the full process of cleaning.

    I do agree that you have to clean heavy and use only what's necessary to keep yourself clean (though that requires due diligence on the part of the user, which is an uncommon characteristic of their behavior). If you overcompensate you'll end up with a machine that is worse than the infection--just as some popular commercial products do.

    I generally recommend using Linux as the secondary machine as it will allow you to bypass Windows security. Unlike XP, where you can get caught by Windows security but can get past it, Vista and Win7 really try to lock out user accounts from each other and that security can get in the way. Not to mention the fact that malware is often running and using the infected machine just prolongs the cleaning.
