Thursday, September 30, 2010

Best and worst antivirus against fake AV malware

The detection rate for fake antivirus malware amongst antivirus vendors is usually below 25%. I was curious to see which AV engines were the best and worst, when it comes to blocking malicious fake AV executables. In order to figure it out, I obtained 16 different samples which I uploaded to VirusTotal in order to get the detection information on 43 AV engines.

Before I get into the results, it is interesting to note that fake AV perpetrators often reuse the same names for different executables. For example, the malicious executable scanner.exe, was found with different file sizes, which resulted in different AV detection results, depending on where the executables came from. The opposite is also true. The same exact file (same size, same MD5) was found on different domains under different names. I made sure my 16 samples were indeed different files to not skew the comparison.

VirusTotal - Detection information for one sample
No absolute protection

The average detection rate was found to be 30%. The detection rate for each sample varied from 12% to 49%.

The best AV engine detected 13 of the 16 samples (81% detection rate). Only 13 out of the 43 AV software detected at least 50% of the samples.



Click on the image to see the detection rate for all AV software
Best AV solutions

The best AV solution to detect fake AV malware is Sophos, with an 81% detection rate, followed by Sunbelt (75%).

5 best AV solutions against fake AV malware

The 13 AV engines which detected at least 50% of the malicious executables are (in alphabetical order):
  1. AhnLab-V3
  2. AntiVir
  3. BitDefender
  4. F-Secure
  5. GData
  6. Kaspersky
  7. NOD32
  8. PCTools
  9. Sophos
  10. Sunbelt
  11. Symantec
  12. TrendMicro
  13. TrendMicro-HouseCall
Worst AV software

The following 7 AV engines did not detect any of the samples:
  1. ClamAV
  2. eSafe
  3. Fortinet
  4. Jiangmin
  5. TheHacker
  6. ViRobot
  7. VirusBuster
AVG, a popular free antivirus, detected 19% of the samples, the same as McAfee.

Conclusion

The AV vendors need to step up and improve their detection. Samples are easily found. I've explained how to get to the fake AV pages from a Google query of the Hot Trends in previous posts.

-- Julien

6 comments:

名品_Su said...

Hi,Julien

I worked AV company in Korea
I think you saw one testing.

I want to receive the 16 samples.

Nice to meet you.

thank you.

jcanto said...

http://blog.hispasec.com/virustotal/22

kurt wismer said...

you're using virustotal to test/compare anti-malware products? really? after numerous (including the hispasec folks themselves) have warned against it and said it's a bogus methodology, you still persist?

Julien Sobrier said...

@kurt: Could you send me some references about your claims on issues with VirusTotal? I run a few AV in house (AVG, Kaspersky, Panda, ClamAV, etc.) on Windows and Linux, I got the exact same results as VirusTotal.

kurt wismer said...

@julien sobrier
it seems to me that jcanto beat me to it. i included the url of my own post on the subject in the name/url pair used to identify myself in this comment.

the rule of thumb is this: virustotal is for testing samples, not for testing anti-malware products.

Ringman said...

Ahnlab isn't well known product yet.
Maybe it;s good for detect other malware but for real major malware it's missed.

I was founr it's review on Youtube it's poor.