Monday 26 October 2015

Which antivirus?

I've written recently about the poor detection of malware by antivirus products, when tested against things that arrive in my in-box.

Maybe I should name names. 55 products were involved in the test; 43 failed.

A zip file arrived today. SHA256: 4cb00ceb5071c6f9b155b223c04ec776907208cc5e6621cc093f7ae1d944b350
Here are the 14 products that detected it:

AVG                  Crypt_s.JQU
Ad-Aware             Trojan.GenericKD.2825682
Arcabit              Trojan.Generic.D2B1DD2
Avira                TR/Crypt.ZPACK.196579
BitDefender          Trojan.GenericKD.2825682
Cyren                W32/Trojan.XTCC-3358
ESET-NOD32           a variant of Win32/Kryptik.ECCY
Emsisoft             Trojan.GenericKD.2825682 (B)
F-Secure             Trojan.GenericKD.2825682
GData                Trojan.GenericKD.2825682
K7AntiVirus          Trojan ( 7000000c1 )
MicroWorld-eScan     Trojan.GenericKD.2825682
Sophos               Mal/Upatre-V
TrendMicro-HouseCall TROJ_GE.B11C6342

So then I unzipped it and found a .scr file inside. 14 products detected it.

AVG                  Crypt_s.JQU
Ad-Aware             Trojan.GenericKD.2825682
Arcabit              Trojan.D
Avira                TR/Crypt.ZPACK.196579
BitDefender          Trojan.GenericKD.2825682
Cyren                W32/Trojan.XTCC-3358
ESET-NOD32           a variant of Win32/Kryptik.ECCY
Emsisoft             Trojan.GenericKD.2825682 (B)
F-Secure             Trojan.GenericKD.2825682
GData                Trojan.GenericKD.2825682
Kaspersky            UDS:DangerousObject.Multi.Generic
MicroWorld-eScan     Trojan.GenericKD.2825682
Sophos               Mal/Upatre-V
Tencent              Win32.Downloader.Bp-upatre.Kacq

Interestingly, it's not the same 14.

Looking at the naming, I'm guessing that the products that call it Trojan.GenericKD.2825682 might all be using the same engine.

These detected the zip but not the content of the zip:

K7AntiVirus
TrendMicro-HouseCall


These detected the content of the zip but not the zip:

Kaspersky
Tencent

That is strange, because it is easy for a scanner to unzip a file and scan what it finds inside. Stranger still is being able to tell that the zip file is malware while failing to flag the very file inside it.

Arcabit detected both the zip and the file inside it, but under different names: Trojan.Generic.D2B1DD2 for the zip and Trojan.D for the .scr. The D2B1DD2 suffix is 2825682 in hexadecimal, the same signature number the Trojan.GenericKD.2825682 products report, so Arcabit's zip verdict looks like the same detection wearing a different label.
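To do the bookkeeping above without a spreadsheet, here is an added Python example (written for this page, not the author's code, and it talks to no real product or API): it hashes an archive and each member in memory so the hashes can be looked up on VirusTotal, splits two sets of per-product verdicts into the groups listed above, groups products that report identical names, and checks the one numeric coincidence in the tables, namely that Arcabit's D2B1DD2 is 2825682 in hexadecimal. The verdict tables are the two from this post; the zip the script builds is a constructed, harmless stand-in rather than the sample that arrived in the in-box, and the RISKY extension list is an assumption of mine.

```python
"""Bookkeeping for VirusTotal comparisons (added example, not the post author's code).

The two verdict tables are the ones listed in the post.  Everything else is
constructed for illustration: the zip is a harmless stand-in, and no
VirusTotal request is made, so the script runs offline.
"""
import hashlib
import io
import pathlib
import re
import zipfile

# First table in the post: product -> detection name for the zip file.
ZIP_VERDICTS = {
    "AVG": "Crypt_s.JQU",
    "Ad-Aware": "Trojan.GenericKD.2825682",
    "Arcabit": "Trojan.Generic.D2B1DD2",
    "Avira": "TR/Crypt.ZPACK.196579",
    "BitDefender": "Trojan.GenericKD.2825682",
    "Cyren": "W32/Trojan.XTCC-3358",
    "ESET-NOD32": "a variant of Win32/Kryptik.ECCY",
    "Emsisoft": "Trojan.GenericKD.2825682 (B)",
    "F-Secure": "Trojan.GenericKD.2825682",
    "GData": "Trojan.GenericKD.2825682",
    "K7AntiVirus": "Trojan ( 7000000c1 )",
    "MicroWorld-eScan": "Trojan.GenericKD.2825682",
    "Sophos": "Mal/Upatre-V",
    "TrendMicro-HouseCall": "TROJ_GE.B11C6342",
}
# Second table in the post (the .scr inside), built as a diff of the first.
SCR_VERDICTS = dict(ZIP_VERDICTS)
for product in ("K7AntiVirus", "TrendMicro-HouseCall"):
    del SCR_VERDICTS[product]           # detected the zip only
SCR_VERDICTS.update({
    "Arcabit": "Trojan.D",              # detected both, different name
    "Kaspersky": "UDS:DangerousObject.Multi.Generic",   # .scr only
    "Tencent": "Win32.Downloader.Bp-upatre.Kacq",       # .scr only
})

# Extensions worth a second look when they arrive by e-mail (my assumption).
RISKY = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".doc", ".docm", ".xls", ".xlsm"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_for_archive(blob: bytes) -> dict:
    """SHA256 of the container and of every member, read in memory.

    Nothing is written to disk, so nothing can be double-clicked by accident;
    the hashes are what you search for (or submit) on VirusTotal.
    """
    report = {"container": sha256(blob), "members": {}}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = pathlib.PurePosixPath(info.filename).suffix.lower()
            report["members"][info.filename] = {
                "sha256": sha256(zf.read(info)),
                "risky": suffix in RISKY,
            }
    return report


def compare_verdicts(outer: dict, inner: dict) -> dict:
    """Split products into the four groups the post discusses."""
    both = set(outer) & set(inner)
    return {
        "outer_only": sorted(set(outer) - set(inner)),
        "inner_only": sorted(set(inner) - set(outer)),
        "same_name": sorted(p for p in both if outer[p] == inner[p]),
        "different_name": sorted(p for p in both if outer[p] != inner[p]),
    }


def shared_names(verdicts: dict) -> dict:
    """Products reporting an identical name: a hint, not proof, of a shared engine."""
    groups = {}
    for product, name in verdicts.items():
        groups.setdefault(name, []).append(product)
    return {name: sorted(ps) for name, ps in groups.items() if len(ps) > 1}


def generic_id(name: str):
    """Signature number from a BitDefender-style name, decimal or Arcabit's hex form."""
    m = re.search(r"GenericKD\.(\d+)", name)
    if m:
        return int(m.group(1))
    m = re.search(r"Generic\.D([0-9A-F]+)$", name)
    return int(m.group(1), 16) if m else None


def build_sample_zip() -> bytes:
    """Constructed harmless stand-in for the attachment: a text file named .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"not a real screensaver")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(hashes_for_archive(build_sample_zip()))
    print(compare_verdicts(ZIP_VERDICTS, SCR_VERDICTS))
    print(shared_names(ZIP_VERDICTS))
    print(generic_id("Trojan.Generic.D2B1DD2"), generic_id("Trojan.GenericKD.2825682"))
```

Feeding it the two tables reproduces the four groups listed above (K7AntiVirus and TrendMicro-HouseCall zip-only, Kaspersky and Tencent content-only, Arcabit in both with different names) and shows the five products sharing the Trojan.GenericKD.2825682 label; `generic_id` returns 2825682 for both the decimal and the hex spelling of that number.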

2 comments:

  1. I have been reading your blog articles regarding antivirus recently; very interesting. So which, if any, of the commercially available solutions would you recommend? I currently use an expensive, well-known AV suite that is not performing at all well according to your posts, which is a bit concerning to say the least! I, along with millions of tech-savvy people (not experts in the field), take these products at face value and expect them to do a decent job relative to the amount we are paying for them. From your posts it looks like I'm better off with a much cheaper solution; none seem to offer 100% bulletproof protection, and the only thing protecting me is common sense not to click on anything dubious.

  2. I can't recommend any of them. But here's something you can try.

    Over a period of time, collect all the emails that you get with attached exe, scr, doc files etc (or zips that include them); by reading the accompanying email, you can decide if they're kosher (maybe a friend sent you a doc file) or not. And test each of them with Virustotal.com. Keep tabs on which products detect which files. You might find a product that flags all the malware; more likely, you won't.

    You're right. It looks to me as if the only thing protecting you is your common sense. And I've not heard anyone from the AV industry contradicting my postings on this topic.
