An update…
Here is what I did for more extended tests. I broke the bad guy down to all layers up to level 2 (at high risk for myself lol). No way in hell am I messing with a BIOS-trashing 1k virus past that level, I don’t even have a virtual machine set up here! (and I should)
So far I’ve tested AVG, NOD32, KAV5, AVK, Norman, Avast, McAfee Enterprise 8.0i Beta and F-Secure. That’s it for me for now on this test file, I’ve had enough. =) Results aren’t too good, but I’m still thinking about what we can surmise from this!
I think the issue here is how DEEP these programs truly are with their on-demand scanning systems. Do they really scan as well as they say? Are they really scanning INSIDE those archives or are they just doing a header check? If I was brave, I’d test each product down to the infection layer, but I’m not; if a single product missed it, I’m toast, or if it didn’t clean it right, I’m toast. So the question is, how soon would YOU like to know of a threat on your system? Do you want to wait till it’s down to the last second, and something could go wrong, or do you want to deal with it far, far in advance? What if you burn the CD, insert it into a Windows computer, and autorun starts up setup and infects you before your AV picks it up? Clearly, even BURNING a deadly file gives me the shakes. =)
So here’s where my testing is… Unless I indicate otherwise, all settings were completely maxed, all versions were current, including definitions. System was cleanly rebooted and registry proofed prior to testing each product.
NOD32 - Failed, no detection till right up to infection.
KAV5 - Failure until layer 2.
AVK - Failure until layer 2.
F-Secure - Failure until layer 2.
McAfee Beta - Failure until layer 2.
AVG - Failed, no detection till infection (according to member testing this).
Norman - Failure until level 1, pre-infection though.
Avast Pro - Success! Level 4 immediate detection.
From this limited, non-scientific personal test, I can personally surmise to myself that anything with the KAV engines is picking it up at a reasonably safe layer (I think), which SHOULD be before infection would take place - this later would be the “Just clicked to install the file” stage. AVG I would consider worst on this one, with NOD32 and Norman bringing up the rear with deadly close-call detection. However, that would bother me still, because NOD32 is well known for failing to clean - and if that happened here, your machine is done. Remember, ALL of these products except Avast didn’t find the bad guy before burning the BIN/CUE files, and only a couple of them (KAV engines) detected during the initial install layer, or at some point within that initial install layer.
Avast shocked me here: detected immediately, without even unzipping the archive that was downloaded, without even burning the BIN. Penetrated deep into the suspect file, and found a 1k virus hiding behind a bush. BRAVO! =)
Here’s the details on the subject virus:
Win:CIH 1.x
CIH is a virus which infects native Windows 95/98 applications (PE - Portable Executable files).
It is approximately 1Kbyte long. The virus has been found In the Wild in many countries all over the world. It installs itself into memory, hooks file access calls and infects EXE files that are opened. It has a very dangerous trigger: depending on the system date it operates with Flash BIOS ports and tries to overwrite Flash memory with “garbage”. This is possible only if the motherboard and chipset allow writing to Flash memory. Usually writing to Flash memory can be disabled by a DIP switch; however, this depends on the motherboard design. Many modern motherboards cannot be protected by a DIP switch. The virus then overwrites data on all installed hard drives.
Three versions of this virus are known: CIH 1.2 and 1.3 activate the trigger routine on April 26th only, while the version 1.4 is able to do the damage on 26th of any month. CIH stores itself in the “holes” between the PE sections so the file length remains the same.
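The core question in the post is whether a scanner looks inside nested containers or stops at the outer header. The script below is an added example, not code from the post or from any of the products named in it: it builds a constructed sample wrapped in several zip layers, then compares a header-only check against a recursive scan that opens each layer up to a fixed depth. The detection "signature" is a constructed marker string, the only container format handled is zip (the post's BIN/CUE images and installer layers are not parsed here), and the depth and size limits are assumptions chosen to show why a scanner must also report when it stops early.

```python
"""Added example: nested-archive scanning depth (not part of the original post).

Shows the difference between a scanner that checks only the outer blob and one
that recursively unpacks archives, with a depth limit and a size guard, and that
reports when it had to stop before reaching the innermost file.
"""
import hashlib
import io
import zipfile

# Constructed stand-in for a real detection signature (not a real virus string).
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-A-REAL-VIRUS"
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty zip
MAX_DEPTH = 4                      # assumed limit on nested container layers
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed guard against decompression bombs


def build_nested_sample(payload: bytes, layers: int) -> bytes:
    """Constructed test input: wrap `payload` in `layers` deflated zip archives.

    Deflate compression means the marker bytes do not appear verbatim in the
    outer blob, which is exactly what defeats a header-only check.
    """
    data, name = payload, "setup.exe"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i + 1}.zip"
    return data


def header_only_check(blob: bytes) -> bool:
    """Shallow scan: look for the signature only in the outermost bytes."""
    return MARKER in blob


def deep_scan(blob: bytes, name: str = "<root>", depth: int = 0, findings=None):
    """Recursive scan. Returns a list of findings; every early stop is recorded
    so the operator knows the verdict is incomplete rather than clean."""
    if findings is None:
        findings = []
    if MARKER in blob:
        findings.append({"kind": "signature", "depth": depth, "path": name,
                         "sha256": hashlib.sha256(blob).hexdigest()})
    if not blob.startswith(ZIP_MAGIC):
        return findings                      # leaf file: nothing more to open
    if depth >= MAX_DEPTH:
        findings.append({"kind": "depth-limit", "depth": depth, "path": name})
        return findings                      # archive we refused to open
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append({"kind": "oversize-skipped", "depth": depth + 1,
                                     "path": member})
                    continue
                deep_scan(zf.read(info), member, depth + 1, findings)
    except zipfile.BadZipFile:
        findings.append({"kind": "corrupt-archive", "depth": depth, "path": name})
    return findings


def verdict(findings) -> str:
    """Collapse findings into a verdict; anything skipped is 'undetermined', not 'clean'."""
    kinds = {f["kind"] for f in findings}
    if "signature" in kinds:
        return "detected"
    if kinds & {"depth-limit", "oversize-skipped", "corrupt-archive"}:
        return "undetermined"
    return "clean"


if __name__ == "__main__":
    sample = build_nested_sample(MARKER, 3)
    print("header-only:", header_only_check(sample))        # False
    for f in deep_scan(sample):
        print("deep-scan:", f["kind"], "depth", f["depth"], f["path"])
    print("verdict:", verdict(deep_scan(sample)))            # detected
    too_deep = build_nested_sample(MARKER, MAX_DEPTH + 2)
    print("verdict (6 layers):", verdict(deep_scan(too_deep)))  # undetermined
```

The point worth taking from the run is the third verdict: when the sample is nested deeper than the scanner is willing to go, the honest answer is "undetermined", and a product that reports "clean" in that situation is the behaviour the post is worried about.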