In Gizmo’s Support Alert Newsletter Issue 136, Free Edition, 17th August, 2006, the question of how well computer security programs protect against the latest generation of security threats is examined. The results were not that good, and a lot of programs could be easily terminated by hostile malware.
It’s known that the new avast 5 will have the AntiKill feature, which could be beta tested right now.
We know that signature scanners are not designed to detect things like process injection or registry changes. These, it would be argued, are best left to intrusion detection and protection systems. But we’ve been asking Alwil for quite some time to improve avast’s features toward antispyware and other kinds of malware. I’m trying to discuss the same here.
However, shouldn’t avast protect us from rootkits? In Gizmo tests, only WebRoot SpySweeper passed.
Gizmo stated that it’s pointless focusing on whether one security program is better than another when, in fact, all the security programs flunked. The reality is that it’s not possible to secure your PC against a malware program that is allowed to run on your PC with full admin privileges. Thank Windows for this. Layering your defenses can clearly help. It doesn’t solve the problem though. And the cost in complexity, inconvenience and processing power usage is high.
And as for the solution suggested: run your PC in a virtualized environment whenever connected to the internet. It’s simpler and more effective than any other option. Remember, though, virtualization is in addition to your normal security defenses. It doesn’t replace them; it just makes their job easier.
The full results are here: http://www.techsupportalert.com/security_scanners.htm. I’ll just try to make a summary of them below for avast users. Credits are all to Gizmo, not me, of course.
[i]In the table below, the first column shows whether the security product could detect process injection. That’s a technique used by malware to hide inside legitimate programs that are currently running on your PC. Once inside these processes, they acquire the rights and privileges of the host process. If the host process has the right to communicate with the internet, the malware automatically gets that right, too.
The second column shows whether, independently of signature recognition, the security product could detect a malware program creating an autostart entry. In other words, could it detect an unknown program starting automatically with Windows? To pass the test the security product had to warn or prevent changes in the Startup folder as well as startup locations in the Registry.
The third column shows whether the security product protects your PC against drive-by infections. I tested each product at three hostile sites. To pass the tests, protection must have been provided against all three.
The final column shows whether the security product can detect rootkits. I used two rootkits: Hacker Defender and FuTo. To pass, the product had to detect both.[/i]
[tr][td][/td][td]Detect Process injection [/td][td]Detect malware startup [/td][td]Protect drive-by download [/td][td]Detect rootkits [/td][/tr]
[tr][td]Ad-Aware Pro V1.6[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]Avast! Home V4.7[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][td]Fail[/td][/tr]
[tr][td]AVG Anti-Virus Free V7.1[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][td]Fail[/td][/tr]
[tr][td]BitDefender Pro V9.095[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]CounterSpy V1.5[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]CounterSpy V2.0.122 beta[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]Ewido v3.5[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]Ewido V4 beta[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]Kaspersky AV V6.0.0[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][td]Fail[/td][/tr]
[tr][td]NOD32 V2.51[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][td]Fail[/td][/tr]
[tr][td]Norton Antivirus 2006[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][td]Fail[/td][/tr]
[tr][td]SpyBot S&D V1.4[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]Spyware Doctor V3.6[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][/tr]
[tr][td]Trojan Hunter V4.5[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
[tr][td]WebRoot SpySweeper V4.5[/td][td]Fail[/td][td]Fail[/td][td]OK[/td][td]OK[/td][/tr]
[tr][td]Windows Defender V1.1.1051[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][td]Fail[/td][/tr]
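As an added example of what Gizmo’s second test (“detect malware startup”) actually checks for, here is a small Python monitor that snapshots the standard Windows autostart locations (the Run/RunOnce keys under HKLM and HKCU plus the per-user and all-users Startup folders), then diffs a later snapshot against the baseline and reports new or changed entries. This is not Gizmo’s test harness and not code from Alwil; the registry paths are the standard Windows ones, while the helper names and the sample snapshots used by demo() are constructed for this illustration. The registry collection only works on Windows; the diff logic runs anywhere.

```python
"""Autostart-entry monitor: baseline the Run/RunOnce keys and Startup folders,
then flag anything that appears or changes afterwards (added example, not
Gizmo's or Alwil's code; helper names and sample data are assumptions)."""

import os
from typing import Dict, List, Tuple

try:
    import winreg  # Windows only; the diff logic below does not need it
except ImportError:
    winreg = None

# Registry locations consulted at logon: (hive, subkey). Standard Windows paths.
AUTOSTART_KEYS: List[Tuple[str, str]] = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Startup folders; environment variables are expanded at collection time.
STARTUP_FOLDERS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
]

Snapshot = Dict[str, str]  # autostart location -> command or file path


def collect_registry_autostarts() -> Snapshot:
    """Read every value under the Run/RunOnce keys. Returns {} off Windows."""
    snap: Snapshot = {}
    if winreg is None:
        return snap
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive_name, subkey in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                snap[f"{hive_name}\\{subkey}\\{name}"] = str(value)
                index += 1
    return snap


def collect_startup_folders() -> Snapshot:
    """Every file dropped into a Startup folder is itself an autostart entry."""
    snap: Snapshot = {}
    for folder in STARTUP_FOLDERS:
        path = os.path.expandvars(folder)
        if not os.path.isdir(path):
            continue
        for entry in os.listdir(path):
            full = os.path.join(path, entry)
            if os.path.isfile(full):
                snap[full] = full
    return snap


def take_snapshot() -> Snapshot:
    """Combined view of registry and folder autostarts on this machine."""
    snap = collect_registry_autostarts()
    snap.update(collect_startup_folders())
    return snap


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Entries added, changed or removed since the baseline. An 'added' or
    'changed' entry is exactly what the test required a product to warn about."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"added": added, "changed": changed, "removed": removed}


# Constructed sample snapshots for an offline demonstration (not real data).
BASELINE_SAMPLE: Snapshot = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avast!":
        r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe":
        r"C:\WINDOWS\system32\ctfmon.exe",
}
CURRENT_SAMPLE: Snapshot = dict(BASELINE_SAMPLE)
# A hypothetical unknown program registering itself to start with Windows.
CURRENT_SAMPLE[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"] = \
    r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe"


def demo() -> Dict[str, List[str]]:
    """Diff the constructed samples; on a real host use take_snapshot() twice."""
    return diff_snapshots(BASELINE_SAMPLE, CURRENT_SAMPLE)


if __name__ == "__main__":
    print(demo())
```

On a live system you would persist take_snapshot() once as the baseline and rerun the diff periodically (or from a logon script); a product that only matches signatures will never see the new Run value, which is the gap the second column in the table above exposes.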