
On the possibilities of antiviruses. Part 2

Today we will continue to test the quality of anti-virus products, namely the technology that analyzes the behavior of a program while it is executing (HIPS). Since many people considered testing the capabilities of just one proactive defense too subjective (see On the capabilities of antiviruses. Part 1), it is time to test what antiviruses are capable of in field conditions.

For our tests we will use the same classic Trojan-Downloader from the previous part. It downloads and executes the well-known PuTTY SSH client. Formally, the program cannot be called malware; however, HIPS technology is simply obliged to respond to the behavior of this executable file. How it will do that, we will check now.
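To make concrete what a behavior blocker is looking for in this scenario, here is a toy HIPS-style rule written for this article as an added example (it is not code from the original post or from any of the products tested). It walks a constructed per-process event stream and escalates from a plain network-activity notice (the kind of warning Dr.WEB shows below) to a high-severity alert when one process connects out, writes an executable to disk, and then launches that same file. The event format, the field names and the sample events are all assumptions made for the example.

```python
"""Toy behaviour-analysis (HIPS-style) rule over a constructed process event log.

Added example, not part of the original article. It models the chain a
behaviour blocker looks for when a freshly started program connects to the
network, writes an executable to disk and then runs it, which is the pattern
of the Trojan-Downloader described in the article. The event schema and the
sample events are constructed for this example.
"""
from dataclasses import dataclass, field

# Extensions we treat as executable content when written to disk (assumption).
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


@dataclass
class ProcessState:
    """What we remember about one process while scanning the event stream."""
    name: str
    connected: bool = False
    written_executables: set = field(default_factory=set)


@dataclass
class Alert:
    pid: int
    process: str
    severity: str   # "low" | "medium" | "high"
    reason: str


def analyze(events):
    """Single pass over the events, keeping per-pid state; returns a list of Alert.

    Each event is a dict with keys: pid, process, type, plus one type-specific field:
      net_connect -> dst,  file_write -> path,  proc_create -> image
    """
    state = {}
    alerts = []
    for ev in events:
        pid = ev["pid"]
        st = state.setdefault(pid, ProcessState(ev["process"]))
        kind = ev["type"]
        if kind == "net_connect":
            # First outbound connection of a process: just a notice, many programs do this.
            if not st.connected:
                st.connected = True
                alerts.append(Alert(pid, st.name, "low",
                                    f"outbound connection to {ev['dst']}"))
        elif kind == "file_write":
            path = ev["path"].lower()
            if path.endswith(EXEC_EXTENSIONS):
                st.written_executables.add(path)
                if st.connected:
                    # Executable dropped after network activity: likely a download.
                    alerts.append(Alert(pid, st.name, "medium",
                                        f"wrote executable after network activity: {ev['path']}"))
        elif kind == "proc_create":
            image = ev["image"].lower()
            if st.connected and image in st.written_executables:
                # Full download-and-execute chain observed in one process.
                alerts.append(Alert(pid, st.name, "high",
                                    f"download-and-execute chain: launched {ev['image']}"))
    return alerts


def verdict(events):
    """Collapse the alerts to the action a HIPS would take: allow/notify/warn/block."""
    worst = {"low": "notify", "medium": "warn", "high": "block"}
    rank = {"allow": 0, "notify": 1, "warn": 2, "block": 3}
    result = "allow"
    for a in analyze(events):
        if rank[worst[a.severity]] > rank[result]:
            result = worst[a.severity]
    return result


# Constructed sample: pid 1234 behaves like the article's downloader,
# pid 5678 is a benign program that only fetches a web page.
SAMPLE_EVENTS = [
    {"pid": 1234, "process": "sample.exe", "type": "net_connect", "dst": "203.0.113.10:80"},
    {"pid": 5678, "process": "browser.exe", "type": "net_connect", "dst": "198.51.100.7:443"},
    {"pid": 5678, "process": "browser.exe", "type": "file_write", "path": r"C:\Temp\page.html"},
    {"pid": 1234, "process": "sample.exe", "type": "file_write", "path": r"C:\Temp\putty.exe"},
    {"pid": 1234, "process": "sample.exe", "type": "proc_create", "image": r"C:\Temp\putty.exe"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} {a.process}: {a.reason}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

Note that the verdict is driven by the chain, not by what the dropped file is: PuTTY itself is clean, which is exactly why a signature scanner can miss this sample while a behavior rule still fires on the downloader.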

Well, we will install trial copies of the anti-virus products on a virtual machine and begin testing. The following anti-virus products take part: KIS, Avast, Avira, NOD32, Norton, ESET Smart Security, AVG, Panda, Dr.WEB and Comodo. Let's go in alphabetical order.

So, our first test subject is Avast, one of the best-known free antiviruses. We start our test executable and within a few seconds the PuTTY window appears in front of us. Avast did not cope with the task and gets a clean two on a five-point scale.
Second on the list is AVG, widely known abroad. Run the file... and... no reaction from the antivirus: PuTTY is downloaded and running! There is nothing more to say.

Next comes another free antivirus, Avira. Open the folder and...
[image: Avira warning]

... we do not even have time to run the file. Valiant Avira blocked access to the file in advance and tried to delete it. Moreover, it gave a painfully familiar warning about the presence of a certain TR/Crypt.XPACK.Gen in the file. For those who still do not know how Avira detects malware, a link is posted for review. Considering all these facts, the results of this antivirus look somewhat suspicious, although formally Avira coped with the task. So we will give it a C, with a plus, for trying. If anyone is interested, Avira also often flags clean files compiled with VS C++ 2010 with non-default settings, and recently even detected its own DLL as a malicious program.

Next on our list is Comodo antivirus. Run the file...
[image: Comodo warning]

... and see the following warning. Moreover, our program was subsequently unable to download or run anything. The antivirus coped with the task perfectly.

It is the turn of Dr.WEB. Run the file...
[image: Dr.WEB network activity warning]

... and see the standard warning about the program's network activity (it would be strange if it did not). Therefore, our assessment of this product is a solid four, maybe even with a plus.

Next comes ESET Smart Security. There is nothing to say about it: it did not cope with the task.

Now let's start testing Kaspersky Internet Security. Open the folder...
[image: KIS warning]

... and we do not have time to run the file before the antivirus issues a warning. It also correctly identified the type of malware before we launched it. Therefore, KIS gets a five with a plus.

Unfortunately, all the remaining antiviruses, McAfee, NOD32, Norton and Panda, did not react to the launch of the file and did not cope with the task, for which they receive unsatisfactory ratings.

The final table with the results is as follows:
[image: results table]


PS: It is time to check the antiviruses for the speed at which they add malware signatures. A week ago, our final sample caused a negative reaction from 6 of 43 antiviruses. Now we see the following picture:
[image: multi-engine scan results]

An impressive reaction: 21 of the 43 antiviruses now issue a warning. You can draw your own conclusions.

Source: https://habr.com/ru/post/136874/


All Articles