I've written recently about the poor detection of malware by antivirus products when tested against things that arrive in my inbox.
Maybe I should name names. 55 products were involved in the test; 43 failed.
A zip file arrived today. SHA256=4cb00ceb5071c6f9b155b223c04ec776907208cc5e6621cc093f7ae1d944b350
Here are the 14 products that detected it:
AVG Crypt_s.JQU
Ad-Aware Trojan.GenericKD.2825682
Arcabit Trojan.Generic.D2B1DD2
Avira TR/Crypt.ZPACK.196579
BitDefender Trojan.GenericKD.2825682
Cyren W32/Trojan.XTCC-3358
ESET-NOD32 a variant of Win32/Kryptik.ECCY
Emsisoft Trojan.GenericKD.2825682 (B)
F-Secure Trojan.GenericKD.2825682
GData Trojan.GenericKD.2825682
K7AntiVirus Trojan ( 7000000c1 )
MicroWorld-eScan Trojan.GenericKD.2825682
Sophos Mal/Upatre-V
TrendMicro-HouseCall TROJ_GE.B11C6342
So then I unzipped it and found a .scr file inside (a Windows screensaver, which is simply an executable with a different extension). 14 products detected it.
AVG Crypt_s.JQU
Ad-Aware Trojan.GenericKD.2825682
Arcabit Trojan.D
Avira TR/Crypt.ZPACK.196579
BitDefender Trojan.GenericKD.2825682
Cyren W32/Trojan.XTCC-3358
ESET-NOD32 a variant of Win32/Kryptik.ECCY
Emsisoft Trojan.GenericKD.2825682 (B)
F-Secure Trojan.GenericKD.2825682
GData Trojan.GenericKD.2825682
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Trojan.GenericKD.2825682
Sophos Mal/Upatre-V
Tencent Win32.Downloader.Bp-upatre.Kacq
Interestingly, it's not the same 14.
Looking at the naming, I'm guessing that the products that call it Trojan.GenericKD.2825682 might all be using the same engine.
These detected the zip but not the content of the zip:
K7AntiVirus
TrendMicro-HouseCall
These detected the content of the zip but not the zip:
Kaspersky
Tencent
That is strange, because it's pretty easy to unzip a file and scan what you find inside. Stranger still is being able to tell that the zip file is malware but not being able to say the same about its content: a scanner that flags the container without recognising the file it holds is presumably matching the archive itself (its hash or packaging) rather than the executable inside it.
Arcabit was able to detect both the zip and the file inside it, but gave them different names.
I have been reading your blog articles regarding antivirus recently, very interesting. So which, if any, of the commercially available solutions would you recommend? I currently use an expensive, well-known AV suite that is not performing at all well according to your posts, which is a bit concerning to say the least! I, along with millions of tech-savvy (but not expert) people, take these products at face value and expect them to perform a decent job relative to the amount we are paying for them. From your posts it looks like I'm better off with a much cheaper solution; none seem to offer 100% bullet-proof protection, and the only thing protecting me is common sense not to click on anything dubious.
I can't recommend any of them. But here's something you can try.
Over a period of time, collect all the emails that you get with attached exe, scr, doc files etc. (or zips that include them); by reading the accompanying email, you can decide if they're kosher (maybe a friend sent you a doc file) or not. And test each of them with Virustotal.com. Keep tabs on which products detect which files. You might find a product that flags all the malware; more likely, you won't.
You're right. It looks to me as if the only thing protecting you is your common sense. And I've not heard anyone from the AV industry contradicting my postings on this topic.
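As an added example (not code from the original post or from anyone in the comments), here is a small Python script that does the bookkeeping the reply above suggests and the comparison the post does by hand: it takes the per-engine verdicts for each sample, works out which engines flagged the zip but not its content and vice versa, lists engines that gave the two different names, groups engines that share a detection name (the "same engine" guess), and tallies how many samples each engine caught. The two verdict lists are copied from the post and embedded as constructed input in the same "Engine Detection-name" form; the VirusTotal lookup itself is left out so the script runs offline, and the function names are my own.

```python
"""Compare and tally antivirus verdicts for a set of related samples.

Added example: the input is the two result lists quoted in the post,
embedded here as constructed text in the same "Engine Detection-name" form.
"""
from collections import Counter, defaultdict

# Constructed input: the 14 verdicts for the zip, copied from the post.
ZIP_VERDICTS = """\
AVG Crypt_s.JQU
Ad-Aware Trojan.GenericKD.2825682
Arcabit Trojan.Generic.D2B1DD2
Avira TR/Crypt.ZPACK.196579
BitDefender Trojan.GenericKD.2825682
Cyren W32/Trojan.XTCC-3358
ESET-NOD32 a variant of Win32/Kryptik.ECCY
Emsisoft Trojan.GenericKD.2825682 (B)
F-Secure Trojan.GenericKD.2825682
GData Trojan.GenericKD.2825682
K7AntiVirus Trojan ( 7000000c1 )
MicroWorld-eScan Trojan.GenericKD.2825682
Sophos Mal/Upatre-V
TrendMicro-HouseCall TROJ_GE.B11C6342
"""

# Constructed input: the 14 verdicts for the .scr file inside the zip.
SCR_VERDICTS = """\
AVG Crypt_s.JQU
Ad-Aware Trojan.GenericKD.2825682
Arcabit Trojan.D
Avira TR/Crypt.ZPACK.196579
BitDefender Trojan.GenericKD.2825682
Cyren W32/Trojan.XTCC-3358
ESET-NOD32 a variant of Win32/Kryptik.ECCY
Emsisoft Trojan.GenericKD.2825682 (B)
F-Secure Trojan.GenericKD.2825682
GData Trojan.GenericKD.2825682
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Trojan.GenericKD.2825682
Sophos Mal/Upatre-V
Tencent Win32.Downloader.Bp-upatre.Kacq
"""


def parse_verdicts(text):
    """Turn 'Engine detection-name' lines into {engine: name}.

    Only the first space separates engine from name, so names that contain
    spaces ("a variant of Win32/Kryptik.ECCY") survive intact.
    """
    verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        engine, _, name = line.partition(" ")
        verdicts[engine] = name.strip()
    return verdicts


def compare_container_and_content(container, content):
    """Split engines into: flagged both, only the archive, only the file
    inside, and flagged both but under different names."""
    both = set(container) & set(content)
    return {
        "both": sorted(both),
        "container_only": sorted(set(container) - set(content)),
        "content_only": sorted(set(content) - set(container)),
        "renamed": sorted(e for e in both if container[e] != content[e]),
    }


def shared_detection_names(verdicts):
    """Group engines that report an identical detection name; several vendors
    using the very same name is a hint that they licence the same engine."""
    groups = defaultdict(list)
    for engine, name in verdicts.items():
        groups[name].append(engine)
    return {name: sorted(engines) for name, engines in groups.items()
            if len(engines) > 1}


def tally(samples):
    """samples: {label: {engine: name}}.  Return (hits per engine, engines that
    flagged every sample): the bookkeeping behind 'keep tabs on which
    products detect which files'."""
    hits = Counter()
    for verdicts in samples.values():
        hits.update(verdicts.keys())   # one hit per engine per sample
    caught_all = sorted(e for e, n in hits.items() if n == len(samples))
    return hits, caught_all


if __name__ == "__main__":
    zip_v = parse_verdicts(ZIP_VERDICTS)
    scr_v = parse_verdicts(SCR_VERDICTS)
    for key, engines in compare_container_and_content(zip_v, scr_v).items():
        print(f"{key:15} {', '.join(engines)}")
    for name, engines in shared_detection_names(zip_v).items():
        print(f"shared name {name}: {', '.join(engines)}")
    hits, caught_all = tally({"zip": zip_v, "scr": scr_v})
    print("caught every sample:", ", ".join(caught_all))
```

Run as-is it reproduces the post's findings: K7AntiVirus and TrendMicro-HouseCall flagged only the zip, Kaspersky and Tencent only the .scr, Arcabit used two names, and five vendors share the name Trojan.GenericKD.2825682 (Emsisoft's "(B)" suffix keeps it out of that exact-match group). To follow the reply's advice over time, add one parsed verdict dict per attachment to the `samples` argument of `tally`; `caught_all` is the list of products that have never missed.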