I was reading the av-comparatives report of February 2007. I would like to congratulate the Alwil team for once again achieving a high score; however, I would also like to ask why a few AVs, including Avast, failed to detect the polymorphic viruses?
A polymorphic virus that changes its binary pattern each time it infects a new file to keep it from being identified is by its nature going to be difficult to detect.
In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.
Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code as it constantly mutates.
Encryption is the most commonly used method of achieving polymorphism in code. However, not all of the code can be encrypted as it would be completely unusable. A small portion of it is left unencrypted and used to jumpstart the encrypted software. Anti-virus software targets this small unencrypted portion of code.
So unless you detect the original polymorphic virus signature and you don’t have some other non-signature means of detection, you will be looking for something very small.
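As an added illustration, not from the original post or from Alwil, here is a toy simulation of the layout the quoted text describes: a fixed unencrypted stub followed by a body that is re-encoded in every copy. All bytes are constructed, XOR stands in for the encryption, and the function names are assumptions; it shows why a pattern taken from the body misses every copy while a pattern on the stub, or a scan after emulating the stub's decoding step, finds them all.

```python
# All bytes below are constructed for illustration; nothing here is real malware.
STUB = b"\xde\xad\x01\x02decoder-stub"   # the small unencrypted "jumpstart" part
BODY = b"PAYLOAD-BODY-WITH-ROUTINE-XYZ"   # the part that is re-encoded in each copy

def make_variant(key: int) -> bytes:
    """Simulate one polymorphic copy: fixed stub, a per-copy key byte, XOR'ed body."""
    encoded = bytes(b ^ key for b in BODY)
    return STUB + bytes([key]) + encoded

def signature_hits(samples, signature: bytes) -> int:
    """Plain pattern scanning: count samples that contain the raw byte signature."""
    return sum(1 for s in samples if signature in s)

def decode_and_match(sample: bytes, signature: bytes) -> bool:
    """Non-signature approach: emulate the stub's decoding step, then scan the body."""
    if not sample.startswith(STUB):
        return False
    key = sample[len(STUB)]
    body = bytes(b ^ key for b in sample[len(STUB) + 1:])
    return signature in body

def demo(num_variants: int = 20) -> dict:
    """Scan the same set of copies three ways and report the hit counts."""
    samples = [make_variant(k) for k in range(1, num_variants + 1)]
    body_sig = BODY[:8]                      # a pattern taken from the mutating body
    return {
        "body_sig_hits": signature_hits(samples, body_sig),   # 0: body changes per copy
        "stub_sig_hits": signature_hits(samples, STUB),       # all: stub never changes
        "emulated_hits": sum(decode_and_match(s, body_sig) for s in samples),
    }

if __name__ == "__main__":
    print(demo())
```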
And when it comes to the important ones that pose the real danger to Avast users in the real world, I believe Avast would definitely offer 100% detection, as in the case of Win32:Polipos last year, where Avast detected them all, 100%, while so many scanners failed, e.g. NOD32, Trend Micro, Sophos, Panda, CA eTrust and of course, our beloved AVG. ;D
That’s how the story goes, but that doesn’t necessarily mean it’s true. I have personally run into many viruses and self-replicating malicious software that are not counted as part of the WildList.
Who defines “real threats”? Is there necessarily anyone with the authority and ability to list 100% of the malware that are circulating in the wild? I think not. It’s why tests using samples outside the WildList - such as AV-Comparatives - are important, because the WildList only contains a severely limited number of viruses that actually exist.
Without getting sidetracked by other issues, allow me to say that any security company who is satisfied by the mere fact that their product detects 100% of the WildList is in a very precarious position indeed.
As for the report you quoted, I believe it was conducted during April 2006. Part of the problem is that other vendors have attempted and succeeded in improving their polymorphic virus detection rate, while avast! seems to remain stagnant, as far as the results show…