Re: Antivirus Comparison

Val.Baranov_at_revlon.com
Date: 02/10/05

    To: RichardR <randjunk@gmail.com>, sjwall@shaw.ca
    Date: Thu, 10 Feb 2005 14:39:24 -0500

    Hi,

    FYI: An interesting article translated from Russian (sorry for errors!).
    Could be interesting as another "point of view". Please make a note about
    the "code emulation" (see below).

    Regards,
    Val Baranov
    CISSP, MCSE, CCA
    Sr. Unix Systems Administrator
    ________________________________________________________________________________


    Hi All,

    Let's take a small worm Mydoom.a and arrange a Web-site
    http://www.virustotal.com/ to help us.

    --------------------------------------------------------------------

    Initial check-up:
        Scan results
        File: I-Worm.Mydoom.a
        Date: 07/16/2004 15:52:19
        ----
        BitDefender     7.0/20040716                  found [Win32.Novarg.A@mm]
        ClamWin         devel-20040517/20040715       found [Trojan.SCO.A]
        eTrustAV-Inoc   4641/20040714                 found [Win32/Mydoom.A.Worm]
        F-Prot          3.15/20040715                 found [W32/Mydoom.A]
        Kaspersky       4.0.2.23/20040716             found [I-Worm.Mydoom.a]
        McAfee          4377/20040716                 found [W32/Mydoom.a.dll]
        NOD32v2         1.812/20040716                found [Win32/Mydoom.A]
        Norman          5.70.10/20040716              found [MyDoom.A@mm]
        Panda           7.02.00/20040716              found [W32/Mydoom.A.worm]
        Sybari          7.5.1314/20040716             found [Win32/Mydoom.A.Worm]
        Symantec        8.0/20040715                  found [W32.Mydoom.A@mm]
        TrendMicro      7.000/20040716                found [WORM_MYDOOM.A]

    Everything is as expected - every program knows this one.
    --------------------------------------------------------------------
    Let's go further. Originally the worm is packed with an old version
    of UPX. Let's unpack the worm and try again:
        Scan results
        File: Copy of Mydoom.exe
        Date: 07/16/2004 15:31:33
        ----
        BitDefender     7.0/20040716                  found [Win32.Novarg.A@mm]
        ClamWin         devel-20040517/20040715       found nothing
        eTrustAV-Inoc   4641/20040714                 found nothing
        F-Prot          3.15/20040715                 found nothing
        Kaspersky       4.0.2.23/20040716             found [I-Worm.Mydoom.a]
        McAfee          4377/20040716                 found nothing
        NOD32v2         1.812/20040716                found [Win32/Mydoom.A]
        Norman          5.70.10/20040716              found nothing
        Panda           7.02.00/20040716              found nothing
        Sybari          7.5.1314/20040716             found [W32/Mydoom]
        Symantec        8.0/20040715                  found [W32.Mydoom.B@mm]
        TrendMicro      7.000/20040716                found [WORM_MYDOOM.GEN]

    ClamWin devel-20040517, eTrustAV-Inoc 4641, F-Prot 3.15, McAfee 4377, Norman
    5.70.10 and Panda 7.02.00 do not know how to handle packers.
    --------------------------------------------------------------------
    Next step: let's pack the worm with ASPack:
        Scan results
        File: Mydoom aspack.exe
        Date: 07/16/2004 15:31:52
        ----
        BitDefender     7.0/20040716                  found [Win32.Novarg.A@mm]
        ClamWin         devel-20040517/20040715       found nothing
        eTrustAV-Inoc   4641/20040714                 found nothing
        F-Prot          3.15/20040715                 found nothing
        Kaspersky       4.0.2.23/20040716             found [I-Worm.Mydoom.a]
        McAfee          4377/20040716                 found nothing
        NOD32v2         1.812/20040716                found [Win32/Mydoom.A]
        Norman          5.70.10/20040716              found nothing
        Panda           7.02.00/20040716              found nothing
        Sybari          7.5.1314/20040716             found [I-Worm.Mydoom.a]
        Symantec        8.0/20040715                  found nothing
        TrendMicro      7.000/20040716                found nothing

    As you can see, Symantec 8.0 and TrendMicro 7.000 are not friends with
    packers ;)
    --------------------------------------------------------------------
    And now let's set AvSpoffer on this worm:
    (FYI: this program allows one to "hide" - meaning "pack" - practically any
    virus/trojan from being discovered by AV programs without any harm to the virus
    itself; the program is frequently updated with new features - it's VERY
    popular...)
        Scan results
        File: Mydoom spoofed2.exe
        Date: 07/16/2004 15:21:56
        ----
        BitDefender     7.0/20040716                  found [Win32.Novarg.A@mm]
        ClamWin         devel-20040517/20040715       found nothing
        eTrustAV-Inoc   4641/20040714                 found nothing
        F-Prot          3.15/20040715                 found nothing
        Kaspersky       4.0.2.23/20040716             found [I-Worm.Mydoom.a]
        McAfee          4377/20040716                 found nothing
        NOD32v2         1.812/20040716                found nothing
        Norman          5.70.10/20040716              found nothing
        Panda           7.02.00/20040716              found [Fichero Sospechoso]
        Sybari          7.5.1314/20040716             found [Trojan.Mydoom.A]
        Symantec        8.0/20040715                  found [W32.Mydoom.B@mm]
        TrendMicro      7.000/20040716                found nothing

    Anyone who didn't find the worm doesn't have code emulation implemented -
    as you see, that is most of them.
    --------------------------------------------------------------------

    And finally, the hit of the season: AvSpoffer with ASPack on top:
        Scan results
        File: Mydoom spoofed ASPack.exe
        Date: 07/16/2004 18:13:03
        ----
        BitDefender     7.0/20040716                  found [Win32.Novarg.A@mm]
        ClamWin         devel-20040517/20040715       found nothing
        eTrustAV-Inoc   4641/20040715                 found nothing
        F-Prot          3.15/20040716                 found nothing
        Kaspersky       4.0.2.23/20040716             found [I-Worm.Mydoom.a]
        McAfee          4377/20040716                 found nothing
        NOD32v2         1.812/20040716                found nothing
        Norman          5.70.10/20040716              found nothing
        Panda           7.02.00/20040716              found nothing
        Sybari          7.5.1314/20040716             found [I-Worm.Mydoom.a]
        Symantec        8.0/20040715                  found nothing
        TrendMicro      7.000/20040716                found nothing
    --------------------------------------------------------------------
    Only 3 products are able to catch the worm: BitDefender 7.0, Kaspersky
    4.0.2.23 and Sybari 7.5.1314. We may exclude Sybari, because this product
    just uses a set of engines while our goal is to compare different engines
    (though Sybari is still a great product - from my own experience --- VB).
    Also good news: DrWeb (available from http://www.sald.com/) also
    discovers all of these modifications (nice product as well -- VB).

    So, make your decision ........................... :-)
    Based on this I could say: any rewards or awards (even from Virus Bulletin)
    will never guarantee the reliability of a product. For instance, the
    much-vaunted NOD32, which has received almost every "available" award,
    appears unreliable in this case.


    From: RichardR <randjunk@gmail.com>
    Date: 02/10/2005 06:06 AM
    To: Lloyd Haynes <lloyd.haynes@gmail.com>
    cc: Shawn Wall <sjwall@shaw.ca>, security-basics@securityfocus.com
    Subject: Re: Antivirus Comparison
    Please respond to RichardR

    Hi all,
    I read all your replies and I could see that everyone has their
    preferences or experience with using this or that kind of AV. But it is
    always interesting to know what one lacks and another doesn't.

    In my case, more exactly in our lab, we are using F-Secure, and I don't
    really have good feedback from users and experience with it. Well, I
    just can't say it's because F-Secure doesn't do a good job, it does do it
    well, but now the main thing is the new functionalities that have been
    implemented in the F-Secure packages coming with the AV, the firewalling.

    The fact here is that most of our researchers work on 2 OS (Linux +
    Win), using VMware on Win to switch between them, and for
    this we had many crashes and pending problems on Windows. But when we
    just use F-Secure as only an AV and nothing else, everything seems to
    work correctly... so I just think we can't really say if things will
    work correctly or not, or what is best or not for our working
    environment; we can just find out and see afterwards how the AV will behave.
    Personally, I prefer Kaspersky for its robustness and simplicity of
    use.

    As Vinny said above, Stinger from NAI works really well for some
    specific viruses (Trojan, BackDoor...).

    Cheers,
    Richard
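Added example code for this page (not from the thread or from any of the products named) mirroring the scan tables above: a signature-only engine loses the sample once it is packed, a heuristic engine can only report a generic "suspicious file", and an engine that unpacks the stub before matching finds it again even with one packer layered on another. zlib stands in for UPX/ASPack, and the sample bytes, signature and stub marker are constructed.

```python
import math
import zlib

# Constructed stand-in for a worm body; a scanner "signature" here is just a
# byte string it searches for. No real malware bytes are used.
SAMPLE_BODY = b"\x90" * 200 + b"CONSTRUCTED_SAMPLE_MARKER" + b"\x00" * 200
SIGNATURES = {b"CONSTRUCTED_SAMPLE_MARKER": "Toy.Sample.A"}

# Marker the toy packer prepends: the analogue of a UPX0 or .aspack section name.
STUB = b"TOYPACK1"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pack(data: bytes) -> bytes:
    """Toy packer: stub marker plus compressed body (zlib stands in for UPX/ASPack)."""
    return STUB + zlib.compress(data, 9)

def unpack_layers(data: bytes) -> bytes:
    """What an emulating engine effectively obtains by running the unpack stub;
    loops so a packer applied on top of another packer is removed as well."""
    while data.startswith(STUB):
        data = zlib.decompress(data[len(STUB):])
    return data

def signature_scan(data: bytes):
    """Plain byte-pattern match, the only thing a non-emulating engine does."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def scan(data: bytes, heuristics: bool = False, emulate: bool = False) -> str:
    """Return a VirusTotal-style verdict for an engine with the given features."""
    if emulate:
        data = unpack_layers(data)
    name = signature_scan(data)
    if name:
        return f"found [{name}]"
    if heuristics and (data.startswith(STUB) or shannon_entropy(data) > 7.0):
        return "found [Suspicious file]"  # generic verdict, like Panda's "Fichero Sospechoso"
    return "found nothing"
```

Calling scan() on pack(pack(SAMPLE_BODY)) with and without emulate=True reproduces the last table's split between emulating and non-emulating engines.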

