“To support our concerns, we tested on an older system if the products are loading all their protection modules before e.g. malware in the start-up folder is executed. All products failed this test, except AVG and Sophos. AVG and Sophos were the only two products which detected and blocked the malware before its execution after system start-up (by loading itself at an early stage); in all other cases the malware was first successfully executed and only later detected by the AV products, when it was already too late.”
Is there a response from the Avast team to this comment? I’m hoping that an update will correct this weakness.
in fact, there’s nothing to worry about… first of all, the malware must get to the PC somehow and that’s not done between PC power up and a logon screen… so the initial detection of such a sample is a job for the real-time shields, which are all already running when the user-mode subsystem is on (and a penetration of new malware is possible)… if we come across a scenario where an older malware binary becomes detected later, then you can always schedule a boot-time scan (and as you probably know, it is started very early)… testing with the AV solution turned off and restarting the machine and similar laboratory approaches don’t reflect reality…
It is an interesting comment, but seeing a statement like this, without further explanation / description of the test procedure makes me a bit suspicious…
I mean, he’s talking about the “start-up folder”. What exactly is that? If it’s really the Startup folder in the Start menu, then it doesn’t make much sense to me at all. I mean, the contents of the Startup folder are executed on LOGON, not on BOOT. That is, the user first has to log on and only then, after the Explorer loads, will the programs in that folder get executed. Now avast (and any other AV) runs as a system service, meaning that its start is independent of users logging in and out… so, in this particular case, one would have to question whether the speed at which the user was logged on was the same for each tested product, for example.
Now, I have to say that the avast protection services actually start very early in the boot process. Typically much earlier than the user actually sees the logon screen, actually. So the results from this “test” are a bit disappointing / strange, indeed… I’ll try to talk to Andreas and find out more details.
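The ordering Vlk describes (protection running as a system service versus programs launched from the logon-time Startup folder) is something a defender can check against a boot timeline rather than guess at. The script below is an added example written for this thread, not code from avast or from the forum posters: it parses constructed timeline records (the line format, the timestamps and the placeholder service name `ProtectionSvc` are all invented for illustration) and reports, for every Startup-folder process, whether the protection service was already online when that process ran. The sample timeline contains two boots: one with a normal logon screen, and one with the XP-style automatic logon mentioned later in the thread, where the Startup folder runs before the service has come up.

```python
"""Audit boot timelines for auto-start programs that ran before protection was online.

Added example. The record format is constructed for this illustration:
    <ISO timestamp> <event> [key=value ...]   (values may be double-quoted)
It is not a real Windows event-log export.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: invented timestamps, placeholder service name.
SAMPLE_TIMELINE = """
2010-05-01T08:00:00 boot
2010-05-01T08:00:03 service_start name=ProtectionSvc
2010-05-01T08:00:20 logon user=alice
2010-05-01T08:00:25 process_start image="C:\\Users\\alice\\Start Menu\\Programs\\Startup\\sample.exe" source=startup_folder
2010-05-01T08:00:26 process_start image="C:\\Windows\\System32\\svchost.exe" source=service
2010-05-01T09:00:00 boot
2010-05-01T09:00:06 logon user=alice
2010-05-01T09:00:09 process_start image="C:\\Users\\alice\\Start Menu\\Programs\\Startup\\sample.exe" source=startup_folder
2010-05-01T09:00:14 service_start name=ProtectionSvc
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    time: datetime
    kind: str
    attrs: dict


def parse_timeline(text):
    """Turn the constructed record format into a list of Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        ts, kind = parts[0], parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        attrs = {k: v.strip('"') for k, v in _KV.findall(rest)}
        events.append(Event(datetime.fromisoformat(ts), kind, attrs))
    return events


def audit_startup_order(text, protection_services):
    """For each Startup-folder process, record which protection services
    were running when it launched. Each 'boot' event resets the state,
    because services must come up again after every restart."""
    online = set()
    boot_time = None
    findings = []
    for ev in parse_timeline(text):
        if ev.kind == "boot":
            boot_time = ev.time
            online = set()
        elif ev.kind == "service_start" and ev.attrs.get("name") in protection_services:
            online.add(ev.attrs["name"])
        elif ev.kind == "process_start" and ev.attrs.get("source") == "startup_folder":
            missing = set(protection_services) - online
            findings.append({
                "image": ev.attrs.get("image", ""),
                "seconds_after_boot": (ev.time - boot_time).total_seconds(),
                "protected": not missing,
                "missing": sorted(missing),
            })
    return findings


def logon_to_protection_gap(text, service):
    """Per boot: seconds from the logon event to the protection service
    starting. Negative means protection was up before anyone logged on."""
    gaps = []
    logon_time = service_time = None
    for ev in parse_timeline(text):
        if ev.kind == "boot":
            if logon_time and service_time:
                gaps.append((service_time - logon_time).total_seconds())
            logon_time = service_time = None
        elif ev.kind == "logon":
            logon_time = ev.time
        elif ev.kind == "service_start" and ev.attrs.get("name") == service:
            service_time = ev.time
    if logon_time and service_time:
        gaps.append((service_time - logon_time).total_seconds())
    return gaps


if __name__ == "__main__":
    for f in audit_startup_order(SAMPLE_TIMELINE, {"ProtectionSvc"}):
        state = "ok" if f["protected"] else "UNPROTECTED, missing " + ", ".join(f["missing"])
        print(f"{f['seconds_after_boot']:5.0f}s after boot: {f['image']} -> {state}")
    print("logon-to-protection gaps (s):", logon_to_protection_gap(SAMPLE_TIMELINE, "ProtectionSvc"))
```

The second boot is the case the test report seems to be describing: with automatic logon there is no logon screen to absorb the service start-up time, so a Startup-folder entry can run before the protection service exists. Reading the same kind of timeline from real boot-trace or event-log data would let a vendor or tester confirm or refute such a claim on the actual machine instead of arguing about it.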
Yes, please do… I’ve read something about AVs’ protection not starting early enough in the boot-up process a while back on the web… but can’t remember now which AV research service did it???
The anti-rootkit scan doesn’t happen until 8 minutes after boot. There is little point in doing a rootkit scan that early as it may not be established and generally the functions to run a comparison against whatever the appropriate Windows API says is running against what is actually running may not be available.
@Vlk: in the mail with the preview about the performance test we pointed out the issue and offered remote access to a test PC to see what is meant, in case you cannot replicate it by yourself in your lab. Other vendors already confirmed this issue and said that they are going to fix it asap, as the AV should detect/block the malware before it can load and do anything.
P.S.: e.g. on Windows XP, most home users run as Admin / no pwd = no logon screen.
The default file shield setting seems to be “scan when executing”, so couldn’t malware stay dormant until boot, then execute early in boot and so remain undetected?