October 2010 15 antymalware 0-day (exploits) test

Test Methodology:

1. I used 20 real hazards 0-day (the latest threats, you can meet the
web pages). I tested only the exploits themselves to potentially secure pages.
12 exploits from Polish sites, the other from abroad. All anti-viruses were tested on these same samples.

2. . Due to the difficult to locate the inability to install exploits and many
anti-virus at the same time I tested at UrlVoid.com because this
side antivirus use heuristics. The exception here is probably the only
Panda, which failed to detect any file. However, as we know from the various tests, it is in detecting weak skrypts, exploits.

3. The test was conducted on Windows XP with Mozilla Firefox 3,6,10.
He won the one who discovered the most.

4. Although I tested tens of thousands of malware in my career I am not
professional.

Winner?

1.Avira, Avast 16/20 (80%)
2.F-prot 13/20 (65%)
3.AVG 12/20 (60%)
4.kaspersky 10/20 (50%)
5.Emsisoft, Nod32, Virus Buster, ClamAV 9/20 (45%)
6.BitDefender 8/20 (40%)
7.Drweb 7/20 (35%)
8.Trend Micro 6/20 (30%)
9.VBA32 5/20 (25%)
10.Comodo 1/20 (5%)
11.Panda 0/20 (0%)

On the Polish side coped best free Avira, which detected 11 of 12 exploits.
Surprise to me is the position in + F-prot. One exploit was not detected by any antivirus program.

 

I think 1/20 it's 5%, not 0.05%

 

It's 0-day tests http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusDailyStats?setview=standard&setfontsize=100

 

No Symantec , e.g. NIS 2011 ?

 

Always surprises me that the Dr Web team always quote Shadowserver to support the detection rates of their AV.

After all this is a honeypot site which is well known for their corrupted files and there is also no testing for functionality; problems which they say made them pull out of participating on some of the better known testing sites.

 

Not only that, the versions of AV engines are quite old.

Coming back to the topic, Panda scored well in AV-Comparatives. Here it is trailing behind Clam AV!

 

Without Norton, this test is not very interesting for me.

By the way, is this a dynamic or merely an on demand test?

 

Oleg Sych Thanks. Yes this 5%

Hawki, Smage:

I testing Norton previously and reached very good result. Norton and Avira, AVG, Avast best block exploits on site polish. On foreign site best Trend Micro.
This test ist only on on-demand.

Arin:

Yes Panda excellent results in AV-Comparitives, but its problem in detect script.

 

VT detect "suspicious file" a on URLVoid at Panda not work heuristics.

I checked and exploit the 13/10/2010 Panda did not detect anything on the VT

MD5: 3cefc1ac30357e0265bbd6d635d5bc62

 

Hmm... looks like it. Panda outscored only K7 and Rising in AV-Comparatives test for detecting malicious scripts. I'm noticing this for the first time.

As a seperate request, can you please test F-Secure's Exploit Shield, Norman's Exploit Blocking and Trend Micro's Browser Guard?

 

Can u test mse too plz
then we will know the position of free av's

 

Only 20 tested and they all did like crap. AV industry, you have problems. Regardless of how you break down the testing, it only shows that when it comes to fighting malware, the industry is crying out for a new way to fight it.

Avira missed 20 percent at best, so if 5000 had been used 1000 would have been missed. That totally sucks.

What is needed is the ability to isolate all internet facing apps that if needed to write to your pc, are checked in a manner to ensure for no malware. Meaning what writes may be delayed.

Why oh why do some of this so called specialty malware vendors not join forces. Sandboxie, DefenseWall, Prevx and others, hold the key, but they have got to assist each other in creating the product, then reap the rewards.

2011, yeah, the year of the malware epidemic I am starting to think. Hold tight to your wallet. More later....

 

Hello,


I still don't quite understand the meaning of the so called 0-Day Exploits.
What's that supposed to mean? Some malware URLs at MDL posted today's date?
How come AV vendors knowing about those sites that keep updated lists of malicious URLs don't keep on their toes and monitor them constantly for new and undetected malware samples?

Almost every day I submit malware samples to AV vendors gathered from fresh URLs published on those sites that keep track of those nefarious domains known to distribute malware and, to my surprise, many of these samples submitted go UNDETECTED. Although, doing this doesn't bother me at all, I always ask myself why the heck the AV company[ies] I submit those malware samples to don't spend some time monitoring those lists by themselves if they have the money and the manpower to do so? Is that so difficult to accomplish?

I will never understand why AV companies with access to those lists fail in a disgraceful way to these kind of tests whereas myself with just tools like a computer, an internet connection and Googling can find things that aren't so hard to find.





Carlos

 

@ Zyrtec

Hi

I've often wondered that myself, why they don't ? If they do they aren't making the most of them

 

This test is meaningless or not very useful, they use old versions of the for many of the av's and only uses definitions and heuristics, what about all the other technologies?

I'm going to quote what VirusTotal, Prevx and almost any AV vendor thinks about this kind of tests

http://blog.hispasec.com/virustotal/22
http://www.prevx.com/blog/106/Why-using-VirusTotal-for-AV-testing-is-a-bad-idea.html

@ELWIS1 can you send me by pm the 20 websites that you used please?

 

Was avira on high heuristics or normal ?

 

Dear Lord you're absolutely right about how he thinks Prevx. I think so too, but only if they are infected exe files or pdf, etc.. Here I tested the infected site and you know how hard to locate the file.

Of course, I would like to test at the same time for 15 machines, but this is impossible. So I tested the Urlvoid where, for example Kaspersky uses heuristics, a on VirusTotal does not.

What about the fact that Trend Micro block a malicious website or Norton, which is an exploit. How do you get such a file on the flash drive is a good chance that will not detect.

Parties do not remember. Thanks for your feedback.

The Champ:

I don't know, I use UrlVoid. Write to Avira and then you answer

 

Sorry maybe I was a bit hard, first, thanks for you effort, I guess that this is better than nothing

 

thnx for answering

 

And URLVoid uses Kaspersky 9.0.0.736 while VirusTotal uses Kaspersky 7.0.0.125. Kaspersky at VirusTotal detects 3/3 while at URLVoid 0/3.

MD5: b89da1f4fdf74f88fbd72314c6b3f469
MD5: 6fd50febbfe6b4b5f396cbb6f0a6f512
MD5: beb576bfdc3c823edc06079918c58823

 

URL Void is most likely using a Linux CLI while VT is using Windows. That or they have the engines set up differently.

 

Possibly because such lists change very frequently. Many of the domains change and so too does the malware. Some domains are even fast-fluxing, meaning they change direction very quickly so by the time an URL is added to an AV's database, it is no longer in use. It is a difficult nut to crack.