Analyst's View: How to Catch a Virus

CloneRanger · May 17, 2010

There's nothing quite like the hands-on, gritty experience of installing antivirus software and challenging it to clean up a test system that's dripping with malware such as viruses, spyware, worms, Trojans, and so on. Sure, the independent testing labs put most products through exhaustive static tests, and I do peruse those reports in the course of an evaluation. But reviewing a chart of results just can't compare with watching the product succeed (or fail) at rooting out real-world malware.
Click to expand...

http://www.pcmag.com/article2/0,2817,2363812,00.asp

- Observations i made on the test -

Ask the Experts

I kick off the process of gathering a new malware collection by asking researchers at dozens of major security companies for their suggestions. I don't ask them to send me samples that would be impolite, not to mention dangerous.
Click to expand...

Dangerous ? only if he runs them, which he should know how not to !

The Sport of Malware Watching

Next comes the scary part; I launch each sample and take careful note of exactly what changes it makes to the file system and Registry. Of course, I do this inside a virtual machine, and after each test run I roll the virtual machine back to its pristine original state.
Click to expand...

VM's are ok up to a point, but nothing compares to running malware on a REAL system. He should backup a fresh OS etc install, and reload that after each test.

PC Armor keeps a real-time record of file and Registry activity related to program installations, ignoring most ongoing activity by already-installed programs and Windows components.
Click to expand...

PC Armor was originally launched as Spyberus by Robot Genius http://www.robotgenius.net/products/spyberus.jsp and was an early attempt at a Returnil etc type product.

PC Armor successfully removed all traces of most samples. In a few cases it left behind driver-related legacy keys, which are notoriously difficult to remove and are harmless if the driver itself isn't present. No trace of any files remained, much less executable files, so it was 100 percent successful.
Click to expand...

http://www.pcmag.com/article2/0,2817,2340671,00.asp

Legacy keys are easy to delete, if you know how.

Sanity Check

A few samples from the new collection weren't caught by any of the three. I checked those at VirusTotal, a website that reports whether 42 different anti-malware solutions consider a particular file to be malicious. That last check eliminated a couple of samples that had made it all the way to the end. If all 42 products give the file a clean bill of health I'm not going to argue!
Click to expand...

42 no shows at VT etc on new malware, does NOT mean they are 100% clean, and he should know that, so i will argue.

- Apps used in the tests -

Process Explorer = Excellent

PC Armor = Havn't tried it, but based on above, Returnil etc would be much better.

InCtrl5 = Excellent

Panda Anti-Rootkit = Quite good, but there are better ARK's

Norton AntiVirus 2010 = Good, but not the best

Spyware Doctor = Havn't tried it, but not that it immediately springs to mind to use it from others opinions.

Malwarebytes = Good

Note - Spyware Doctor and Norton AntiVirus 2010 both owned by Symantec, which sponsers PC Magazine that Neil J. Rubenking works for.

What do you think about the test, and what would you differently ?

Log in or Sign up

Analyst's View: How to Catch a Virus

CloneRanger Registered Member

Log in or Sign up

Analyst's View: How to Catch a Virus

CloneRanger Registered Member

Useful Searches