AV-Test Self-Protection of Antivirus Software

Discussion in 'other anti-virus software' started by IBK, Oct 26, 2015.

  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
  2. hjlbx

    hjlbx Guest

    Hee, hee... Comodo. It don't surprise me, Comodo don't support anything...
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This sums up the review nicely:

    For consumer products, Avira, Bullguard, ESET, Kaspersky Lab, McAfee and Symantec use the DEP & ASLR technologies 100%. In terms of digitally signed files, ESET, McAfee and Symantec also did a good job.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Thanks for sharing. I'm missing Emsisoft in this test.
     
  5. Magic_The

    Magic_The Registered Member

    Joined:
    Jun 24, 2015
    Posts:
    31
    Eset 100%? That's good.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Nice test, a shame so few score 100%.
    DEP & ASLR have been around for years now. The score for newer mitigations would probably be very awful.

    It would be interesting to also show server connection security in the next version of this test; is TLS used? If yes, is it TLS 1.2 and does it use Forward Secrecy? With all the cloud phone-home features, it is important that this information is protected in transport.
    Another interesting test would be to see if AVs properly verify update files.
     
  7. ttomm1946

    ttomm1946 Registered Member

    Joined:
    Jul 23, 2014
    Posts:
    111
    I'd like to see Webroot tested.
     
  8. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    I am sorry but this is an incredibly amateurish test...
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Care to elaborate vlk? I'm interested in hearing the reasons, because I've seen similar self-protection tests that were severely flawed as well (tester killing avastUI.exe and basing conclusion on that).
     
  10. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Sure. All the tester did was run a static scan of the binaries installed by the AV product, checking whether the ASLR and DEP flags are enabled in the PE header.

    There are multiple issues with this approach:
    1. Since they don't scan the live processes (just static binaries on the disk), the situation when the binaries get loaded into memory may be totally different. Other 3rd party DLLs that don't have ASLR/DEP enabled may be loaded as well. In-memory modifications can be made. Etc.
    2. On the flip side, the fact that a binary is present on the disk doesn't imply it gets loaded -- or, that it gets loaded the way the tester assumes (i.e. as a normal EXE/DLL). For example, the binary may be an empty stub used to replace malicious code during the cleaning process. Or, it may be part of a sensor/honeypot system where the point is NOT to have DEP/ASLR enabled to maximize its effectiveness. Etc... The point is, the tester made the assumption that all binaries present on the disk are used in the normal, traditional way -- which is often not the case, especially with security software. Very often, the lack of DEP/ASLR flags in security software is not a result of some kind of sloppiness; instead, it's part of a carefully crafted design.

    Based on that, I think the results of this test have very little correlation with the actual ability of the product to protect itself against malware.
    Instead of doing the test properly, the tester just took a shortcut and did a simple scan of all the binaries in the product, without even trying to understand the purpose of these binaries and the way they are used.

    Thanks,
    Vlk
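    To make concrete what the static check vlk describes actually looks at, here is an added example (not from AV-Test or any vendor) that reads the ASLR/DEP flags from a PE header. It parses the DOS, COFF and optional headers, reports DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA and GUARD_CF, and notes the one case where the ASLR flag is meaningless on its own (relocations stripped); the `build_header` helper constructs minimal headers purely to exercise the parser, and nothing here sees what vlk points out a static scan misses, namely which DLLs a live process loads or whether the file is ever executed at all.

    ```python
    import struct

    HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics: 64-bit high-entropy ASLR
    DYNAMIC_BASE    = 0x0040   # DllCharacteristics: ASLR opt-in
    NX_COMPAT       = 0x0100   # DllCharacteristics: DEP opt-in
    GUARD_CF        = 0x4000   # DllCharacteristics: Control Flow Guard
    RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc, image cannot be rebased

    def pe_mitigations(data: bytes) -> dict:
        """Parse the DOS, COFF and optional headers and return the mitigation flags."""
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("not a PE image")
        coff = e_lfanew + 4                     # 20-byte COFF file header
        characteristics = struct.unpack_from("<H", data, coff + 18)[0]
        opt = coff + 20                         # optional header follows the COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic %#x" % magic)
        # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
        dllchar = struct.unpack_from("<H", data, opt + 70)[0]
        return {
            "pe32plus": magic == 0x20B,
            "aslr": bool(dllchar & DYNAMIC_BASE),
            "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
            "dep": bool(dllchar & NX_COMPAT),
            "cfg": bool(dllchar & GUARD_CF),
            "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
        }

    def findings(data: bytes) -> list:
        """Review notes from the file's flags alone; blind to what the live process loads."""
        m, notes = pe_mitigations(data), []
        if not m["dep"]:
            notes.append("DEP (NX_COMPAT) not set")
        if not m["aslr"]:
            notes.append("ASLR (DYNAMIC_BASE) not set")
        elif m["relocs_stripped"]:
            notes.append("ASLR flag set but relocations stripped: image cannot be rebased")
        return notes

    def build_header(dllchar: int, characteristics: int = 0, pe32plus: bool = True) -> bytes:
        """Constructed minimal PE header (no sections), only to exercise the parser."""
        dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
        coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0xF0, characteristics)
        opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dllchar)
        return dos + b"PE\0\0" + coff + opt

    if __name__ == "__main__":
        print(findings(build_header(NX_COMPAT, pe32plus=False)))   # constructed 32-bit image, no ASLR
    ```

    On a real installation you would feed `pe_mitigations` the bytes of each file, but as vlk notes the per-file answer still says nothing about the process that results from loading them.
    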
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Well, shame on that tester :)
     