Security Basics mailing list archives
Re: Antivirus Comparison
From: Val.Baranov () revlon com
Date: Thu, 10 Feb 2005 14:39:24 -0500
Hi,

FYI: An interesting article translated from Russian (sorry for errors!). Could be interesting as another "point of view". Please make a note about the "code emulation" (see below).

Regards,
Val Baranov CISSP, MCSE, CCA
Sr. Unix Systems Administrator
________________________________________________________________________________

Hi All,

Let's take a small worm, Mydoom.a, and enlist the Web site http://www.virustotal.com/ to help us.

--------------------------------------------------------------------
Initial check-up:

Scan results
File: I-Worm.Mydoom.a
Date: 07/16/2004 15:52:19
----
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found [Trojan.SCO.A]
eTrustAV-Inoc 4641/20040714 found [Win32/Mydoom.A.Worm]
F-Prot 3.15/20040715 found [W32/Mydoom.A]
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found [W32/Mydoom.a.dll]
NOD32v2 1.812/20040716 found [Win32/Mydoom.A]
Norman 5.70.10/20040716 found [MyDoom.A@mm]
Panda 7.02.00/20040716 found [W32/Mydoom.A.worm]
Sybari 7.5.1314/20040716 found [Win32/Mydoom.A.Worm]
Symantec 8.0/20040715 found [W32.Mydoom.A@mm]
TrendMicro 7.000/20040716 found [WORM_MYDOOM.A]

Everything is as expected - every program knows this one.
--------------------------------------------------------------------
Let's go further. Originally the worm is packed using an old version of UPX. Let's unpack the worm and try again:

Scan results
File: Copy of Mydoom.exe
Date: 07/16/2004 15:31:33
----
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found nothing
eTrustAV-Inoc 4641/20040714 found nothing
F-Prot 3.15/20040715 found nothing
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found nothing
NOD32v2 1.812/20040716 found [Win32/Mydoom.A]
Norman 5.70.10/20040716 found nothing
Panda 7.02.00/20040716 found nothing
Sybari 7.5.1314/20040716 found [W32/Mydoom]
Symantec 8.0/20040715 found [W32.Mydoom.B@mm]
TrendMicro 7.000/20040716 found [WORM_MYDOOM.GEN]

ClamWin devel-20040517, eTrustAV-Inoc 4641, F-Prot 3.15, McAfee 4377, Norman 5.70.10 and Panda 7.02.00 do not know packers.
--------------------------------------------------------------------
Next step: let's pack the worm with aspack:

Scan results
File: Mydoom aspack.exe
Date: 07/16/2004 15:31:52
----
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found nothing
eTrustAV-Inoc 4641/20040714 found nothing
F-Prot 3.15/20040715 found nothing
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found nothing
NOD32v2 1.812/20040716 found [Win32/Mydoom.A]
Norman 5.70.10/20040716 found nothing
Panda 7.02.00/20040716 found nothing
Sybari 7.5.1314/20040716 found [I-Worm.Mydoom.a]
Symantec 8.0/20040715 found nothing
TrendMicro 7.000/20040716 found nothing

As you can see, Symantec 8.0 and TrendMicro 7.000 do not befriend packers ;)
--------------------------------------------------------------------
And now let's stir up AvSpoffer against this worm: (FYI: this program allows one to "hide" - i.e. "pack" - practically any virus/trojan from being discovered by AV programs without any harm to the virus itself; the program is frequently updated with new features - it's VERY popular...)

Scan results
File: Mydoom spoofed2.exe
Date: 07/16/2004 15:21:56
----
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found nothing
eTrustAV-Inoc 4641/20040714 found nothing
F-Prot 3.15/20040715 found nothing
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found nothing
NOD32v2 1.812/20040716 found nothing
Norman 5.70.10/20040716 found nothing
Panda 7.02.00/20040716 found [Fichero Sospechoso]
Sybari 7.5.1314/20040716 found [Trojan.Mydoom.A]
Symantec 8.0/20040715 found [W32.Mydoom.B@mm]
TrendMicro 7.000/20040716 found nothing

Anyone who didn't find the worm doesn't have code emulation implemented - as you see, most of them.
--------------------------------------------------------------------
And finally, the hit of the season: AvSpoffer with aspack on top:

Scan results
File: Mydoom spoofed ASPack.exe
Date: 07/16/2004 18:13:03
----
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found nothing
eTrustAV-Inoc 4641/20040715 found nothing
F-Prot 3.15/20040716 found nothing
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found nothing
NOD32v2 1.812/20040716 found nothing
Norman 5.70.10/20040716 found nothing
Panda 7.02.00/20040716 found nothing
Sybari 7.5.1314/20040716 found [I-Worm.Mydoom.a]
Symantec 8.0/20040715 found nothing
TrendMicro 7.000/20040716 found nothing
--------------------------------------------------------------------

Only 3 products are able to catch the worm: BitDefender 7.0, Kaspersky 4.0.2.23 and Sybari 7.5.1314. We may exclude Sybari, because this product just uses a set of engines while our goal is to compare different engines (though Sybari is still a great product - from my own experience --- VB). Also good news: DrWeb (available from http://www.sald.com/) also discovers all of these modifications (nice product as well -- VB).

So, make your decision ........................... :-)

Based on this I could say: any rewards or awards (even from Virus Bulletin) will never guarantee the reliability of a product. For instance, the much-vaunted NOD32, which received almost every "available" award, appears unreliable in this case.

From: RichardR <randjunk () gmail com>
To: Lloyd Haynes <lloyd.haynes () gmail com>
cc: Shawn Wall <sjwall () shaw ca>, security-basics () securityfocus com
Date: 02/10/2005 06:06 AM
Subject: Re: Antivirus Comparison
Please respond to RichardR

Hi all, I read all your replies and I just could see that one has one's preferences or experience in using this or that kind of AV. But it is always interesting to know what is lacking in one and not in another. In my case, more exactly in our lab, we are using FSecure, and I don't really have good feedback from users or experience with it. Well, I just can't say it's because FSecure doesn't do a good job, it does do it well, but now the main thing is that new functionalities have been implemented in the FSecure packages that come with the AV, namely the firewalling. The fact here is that most of our researchers work on 2 OSes (Linux + Windows), using VMware on Windows to switch between them, and because of this we had many crashes and pending problems on Windows. But when we just use FSecure as an AV only and nothing else, everything seems to work correctly... so I just think we can't really say whether things will work correctly or not, or what is best or not for our working environment; we can only find out and see afterwards how the AV will behave. Personally, I prefer Kaspersky for its robustness and simplicity of use. As Vinny said above, Stinger from NAI works really well for some specific viruses (Trojan, BackDoor...)

Cheers,
Richard
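An added example, not part of the post: it parses the virustotal.com result lines quoted above (transcribed from the first and the last scan report) and lists which engines still flag the repacked copy and which found the original but now report nothing, reproducing the post's "only 3 products" tally. The function names are my own.

```python
import re

# Result lines transcribed from the post's first scan (original, UPX-packed worm).
INITIAL = """\
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found [Trojan.SCO.A]
eTrustAV-Inoc 4641/20040714 found [Win32/Mydoom.A.Worm]
F-Prot 3.15/20040715 found [W32/Mydoom.A]
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found [W32/Mydoom.a.dll]
NOD32v2 1.812/20040716 found [Win32/Mydoom.A]
Norman 5.70.10/20040716 found [MyDoom.A@mm]
Panda 7.02.00/20040716 found [W32/Mydoom.A.worm]
Sybari 7.5.1314/20040716 found [Win32/Mydoom.A.Worm]
Symantec 8.0/20040715 found [W32.Mydoom.A@mm]
TrendMicro 7.000/20040716 found [WORM_MYDOOM.A]
"""
# ... and from its last scan (worm run through AvSpoffer, then ASPack).
FINAL = """\
BitDefender 7.0/20040716 found [Win32.Novarg.A@mm]
ClamWin devel-20040517/20040715 found nothing
eTrustAV-Inoc 4641/20040715 found nothing
F-Prot 3.15/20040716 found nothing
Kaspersky 4.0.2.23/20040716 found [I-Worm.Mydoom.a]
McAfee 4377/20040716 found nothing
NOD32v2 1.812/20040716 found nothing
Norman 5.70.10/20040716 found nothing
Panda 7.02.00/20040716 found nothing
Sybari 7.5.1314/20040716 found [I-Worm.Mydoom.a]
Symantec 8.0/20040715 found nothing
TrendMicro 7.000/20040716 found nothing
"""

# engine, version/signature date, then "found [name]" or "found nothing"
LINE = re.compile(r"^(\S+) (\S+) found (?:\[(.+)\]|nothing)$")

def parse_scan(report):
    """Map engine name -> detection name, or None for 'found nothing'."""
    verdicts = {}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:  # header and separator lines pasted in with the report are skipped
            verdicts[m.group(1)] = m.group(3)
    return verdicts

def detection_changes(before, after):
    """Engines still flagging the transformed copy vs. those that lost it."""
    kept = sorted(e for e in before if before[e] and after.get(e))
    lost = sorted(e for e in before if before[e] and not after.get(e))
    return kept, lost
```

Calling `detection_changes(parse_scan(INITIAL), parse_scan(FINAL))` gives the three engines the post names as "kept" and the other nine as "lost"; Panda's "Fichero Sospechoso" in the fourth scan is a heuristic verdict, so the parser treats it as a detection only if you feed that report in.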