VirusInfo Testing: November 2007


Humpty

Don't use any blacklist scanners here but many do and may be interested in the test results below? :unsure:

How we test

 

The testing of anti-viruses by VirusInfo is powered by the free online scanner VirusTotal. Project participants, being practising specialists in the area of computer security, upload to VirusTotal the malicious software that they have received from infected machines, and then publish the results of scanning in a special topic on the VirusInfo forum. The malicious software should meet the following requirements:

 

1) The sample should not be detected by the anti-virus software that protects the infected machine.

 

2) The sample should be found by the consultant him/herself in a real infection case.

 

3) The sample should not be taken from some other site or from some other collection of malware.

 

The results of scanning are regularly generalized as a graph of detection level. The graph is prepared in accord with the following principles:

 

1) The X axis represents the anti-virus software used by VirusTotal at the current moment. The Y axis represents the number of samples uploaded.

 

2) For each antivirus we mark the number of samples that it has successfully detected using one or another detection method. The graph reflects the general number of detected samples and each method's part in the general detection.

 

3) The following detection methods are distinguished:

 

a) signature detection (detecting already known malware by the signature method)

 

b) heuristic detection (detecting yet unknown malware by the method of emulation / code analysis / etc. Examples: "Heur.Trojan.Generic"; "a variant of: XXXXX")

 

c) detection of suspicious file (detecting yet unknown malware by the method of informing the user about suspicious characteristics of a sample under analysis. Examples: "Suspicious file"; "VIPRE: Suspicious")

 

d) detection of suspicious cryptor / packer (detecting yet unknown malware by the method of informing the user about the unknown / rare / suspicious packer / cryptor or about the fact of multiple packing / crypting. Example: "HEUR/Crypted").

 

Testing results

 

The latest one is the graph for November, 2007, presented below.

Article and Test Results
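
The four detection methods in the quoted methodology can be separated by the label text each engine returns, which is what the stacked graph needs per antivirus. The sketch below is an added example, not part of the original post or VirusInfo's own tooling; the regex rules, the engine names and the `Trojan.Example.A` label are constructed assumptions, while the other labels are the examples quoted above.

```python
import re
from collections import Counter, defaultdict

# Assumed rules, checked in order. "HEUR/Crypted" contains "heur", but the
# methodology files it under packers/cryptors, so that rule must come first.
RULES = [
    ("packer", re.compile(r"crypt|pack", re.I)),
    ("suspicious", re.compile(r"suspicious", re.I)),
    ("heuristic", re.compile(r"heur|variant of", re.I)),
]

def classify(label):
    """Map one engine label to a detection method; None means not detected."""
    if not label:
        return None
    for method, pattern in RULES:
        if pattern.search(label):
            return method
    return "signature"  # any other non-empty label is a known-malware name

def tally(samples):
    """samples: one {engine: label or None} dict per uploaded file.
    Returns {engine: Counter(method -> detected samples)}."""
    per_engine = defaultdict(Counter)
    for result in samples:
        for engine, label in result.items():
            method = classify(label)
            per_engine[engine]  # keep engines with zero detections on the X axis
            if method:
                per_engine[engine][method] += 1
    return per_engine

# Constructed scan results for three uploaded samples and three placeholder engines.
SAMPLES = [
    {"EngineA": "Heur.Trojan.Generic", "EngineB": None, "EngineC": "HEUR/Crypted"},
    {"EngineA": "a variant of: XXXXX", "EngineB": "Suspicious file",
     "EngineC": "Trojan.Example.A"},
    {"EngineA": None, "EngineB": "VIPRE: Suspicious", "EngineC": None},
]

if __name__ == "__main__":
    for engine, counts in sorted(tally(SAMPLES).items()):
        total = sum(counts.values())
        parts = ", ".join(f"{m}={n}" for m, n in sorted(counts.items()))
        print(f"{engine}: {total}/{len(SAMPLES)} detected ({parts or 'none'})")
```
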
