Malwarebytes’ Anti-Malware review

Malwarebytes’ Anti-Malware is a very popular security application. In the past few months MRG has received many requests to review it, and we have decided to do so.

We want to start by saying a few words about this product. Malwarebytes’ Anti-Malware, commonly referred to as MBAM, is a product designed to provide an extra layer of protection, running alongside your primary Anti-Malware application.

Because this product is a complementary Anti-Malware application, the reviewing process was adjusted slightly to show its full potential.

The reviewing process had 5 stages:

  1. Attempt to download and run 15 malware samples from 15 malicious URLs with Malwarebytes’ Anti-Malware running in the background.
  2. Attempt to download and install 15 rogue applications from 15 URLs used to distribute rogue applications, with Malwarebytes’ Anti-Malware running in the background.
  3. Run an On Demand scan on 10 malware samples. These samples come from our Infected System Rescue test and are the ones missed by most Anti-Malware applications: malicious traces left on the system after a failed removal, EXEs and DLLs from the system folder.
  4. Real Time Protection test: execute 15 malware samples.
  5. Infected System Rescue test: infect the system with 10 malware samples and use Malwarebytes’ Anti-Malware to clean it.

Results of our reviewing process:

  1. 15 malicious URLs – Malwarebytes’ Anti-Malware successfully blocked all 15 malicious URLs (neither download nor installation was possible).
  2. 15 rogue URLs – Malwarebytes’ Anti-Malware successfully blocked all 15 rogue URLs (neither download nor installation was possible).
  3. Malwarebytes’ Anti-Malware detected 8/10 of the samples missed by other Anti-Malware applications.
  4. Malwarebytes’ Anti-Malware blocked 13/15 samples when we executed them in real time.
  5. Malwarebytes’ Anti-Malware removed all 10 malware samples from the infected system; no harmful traces were found in active processes, the system folder, temporary files or the Windows registry.

Conclusion:

Malwarebytes’ Anti-Malware is an extremely effective security application. It has many useful features, one of which is IP blocking, which worked perfectly in our tests; its real time protection is able to block samples that are not recognized by signature based detection (through heuristics and IP blocking). It showed us that it is more than capable of detecting, removing and blocking samples that are not recognized by other security applications. The program is very simple to install and configure, and we believe that even less experienced users will have no problems with configuration.

Overall, Malwarebytes’ Anti-Malware does exactly what it was designed to do: it offers an extra layer of protection alongside your primary Anti-Malware application of choice. We wish to highlight its real time blocking and malware removal capabilities.


Malware Research Group Project 024

Project number: 024

Project Details: Browser Security / Financial Malware test

Operating System used: Windows XP Professional Service Pack 3

Number of applications used: 27

List of applications used:

1. AVG Internet Security
2. Avira Premium Security Suite
3. BufferZone Pro
4. CA Internet Security Suite
5. DefenseWall HIPS
6. ESET Smart Security
7. F-Secure Internet Security
8. G DATA Internet Security
9. GeSWall Professional Edition
10. Kaspersky Internet Security
11. McAfee Internet Security
12. Norton Internet Security
13. Online Armor ++
14. OutpostPro Security Suite
15. PC Tools Internet Security
16. Prevx SafeOnline
17. SafeCentral
18. SandboxIE
19. SentryBay Data Protection Suite
20. SpyCop Cloak
21. SpyShelter
22. Trend Micro Internet Security
23. Trust Defender
24. Trusteer Rapport Emerald
25. Vipre Antivirus Premium
26. Zemana AntiLogger
27. ZoneAlarm Internet Security

You can download the test report here -> MRG Online Banking Browser Security Project

Malware Research Group Project 023

Project number: 023

Project Details: On Demand Scan Test

Operating System used: Windows XP Professional Service Pack 3

Number of applications used: 15

Number of malware samples used: 259.694

List of applications used:

1. A-Squared Anti-Malware 4.5.0.29

2. avast Antivirus Professional  5.0.462

3. AVG Anti-Virus Professional 9.0.801

4. Avira AntiVir Premium 10.0.0.597

5. BitDefender Antivirus 13.0.20.347

6. COMODO Internet Security 4.0.138377.779

7. ESET Nod32 Antivirus 4.0.474.0

8. F-Secure Antivirus 9.22 build 15450

9. G DATA Antivirus 20.2.4.1

10. Kaspersky Anti-Virus 9.0.0.736

11. McAfee AntiVirus Plus 14.0.306

12. Microsoft Security Essentials 1.0.1961.0

13. Norton AntiVirus 17.6.0.32

14. Online Armor++ 4.0.0.35

15. VIPRE Antivirus Premium 4.0.3248

Detailed Test report is available for download here -> MRG On Demand Scan Test April 2010

MRG Online Banking Browser Security Test – March 2010

Project number: 022

Project Details: Online Banking Browser Security Test

Operating System used: Windows XP Professional Service Pack 3

Number of applications used: 10

Number of simulation tools used: 6

List of applications used:

Spydex, Advanced Anti Keylogger 3.7

Global Information Technology (UK), Anti-keylogger 9.2.1

Zemana, AntiLogger 1.9.2.172

SoftSphere Technologies, DefenseWall 2.56

QFX Software, KeyScrambler Professional 2.6.0.2

EMSI Software, Mamutu 2.0.0.22

Prevx Ltd. Prevx 3.0.5.91

Trusteer Ltd, Rapport 3.5.912.25

Soft Media Publishing Inc. SpyCop Cloak

SpyShelter, SpyShelter 3.0

Detailed Test report is available for download here -> MRG Online Banking Security Test Mar 2010

Rogue Software Infection Prevention test

Project details: Rogue Software Infection Prevention test

Operating System used in this test: Windows XP Professional Service Pack 3

Total number of programs used in this test: 24

Programs divided into two groups: Complementary Anti-Malware Applications & Full Featured Anti-Malware Applications/Internet Security Suites

Amount of samples used in this test: 30

The “complementary” antimalware applications tested were:

• Ad-Aware Free 8.1.4
• Corbitek Antimalware 2 Beta
• Immunet Protect 1.0.24-32*
• IObit Security 360 v1.40
• Malwarebytes’ Anti-Malware 1.44
• ParetoLogic Anti-Spyware 5.7
• PC Tools Spyware Doctor 7.0.0.514
• Prevx 3.0.5.50*
• Sunbelt CounterSpy 3.1.2848
• SUPERAntiSpyware 4.33.1000
• TrojanHunter 5.2

The full antimalware / internet security applications were:

• a-squared Anti-Malware 4.5.0.29
• avast! Antivirus 5.0.396
• Avira AntiVir Premium 9.0.0.452
• BluePoint Security 2010 1.0.98
• COMODO Internet Security 3.14.129887.586
• G Data AntiVirus 2010 20.2.4.1
• Kaspersky Internet Security 2010 9.0.0.736
• Microsoft Security Essentials 1.0.1611.0
• NANO Antivirus 0.6.0.6 Beta
• NOD32 Antivirus 4.0.474
• Online Armor ++ v4.0.0.15
• Panda Cloud Antivirus 1.0
• Trend Micro Internet Security Pro 17.50 Build 1366

Additional information:

All programs tested using their default settings.

Online Armor ++ enables HIPS by default

COMODO Internet Security enables Defense+ by default

Trend Micro Internet Security enables Proactive Intrusion Blocking by default

Kaspersky Internet Security enables Proactive Defense by default

Programs that manage to block installation of all 30 samples will receive the MRG System Protected Award.

Full report of the Rogue Software Infection Prevention test is available for download in PDF format -> Jan 2010 Rogue Test

MRG On Demand and System Rescue test

The purpose of this project is to assess the effectiveness of a set of five full AV/AM applications and two AM/AS applications against 1000 mixed samples on demand and their effectiveness in detecting and removing fifteen live infections from a system.

On Demand Scan test

Methodology used in the on demand test:
1. Windows XP Professional Service Pack 3 is installed and updated with all important updates.

2. An image of the Operating System is created with internet access.

3. A clone of the Imaged system is made for each program to be used in the test.

4. An individual program is installed with default settings on each of the Cloned systems.

5. Any real time protection is disabled, so that the samples can be copied onto the system without being intercepted.

6. On each Cloned system the folder containing the samples of malware is placed.

7. All the programs are fully updated.

8. Real Time protection and other default methods of detection/prevention used by the applications are turned on prior to the start of the test.

9. The test is conducted by performing a right click scan of the folder containing the samples and allowing the application to delete / quarantine any samples detected.*

* Prevx is limited to detecting and cleaning 256 malicious samples at a time, therefore, we performed as many scans as was required to clean all the samples it was able to detect.

The applications tested were as follows:

a-squared Anti-Malware 4.5.0.27

AntiVir Premium 9.0.0.452

Bluepoint Security 1.0.0.83

Hitman Pro 3.5.3 Build 80

Malwarebytes’ Anti-Malware 1.42

Prevx 3.0.5.23

SUPERAntiSpyware Professional 4.31.1000

We used 1000 samples of malware, all up to one month old; only Trojans, Backdoors, Worms, Rogues, Spyware and Viruses were used.

Results:

Rank  Program            Detected samples (of 1000)
1     Hitman             984
2     A-Squared          983
3     BluePoint          982
4     AVIRA              959
5     Malwarebytes       817
6     Prevx              728
7     SUPERAntiSpyware   448


Infected System Rescue Test

Methodology used in this test:

1. Windows XP Professional Service Pack 3 is installed and updated with all important updates, and an image of the Operating System is created with internet access.

2. A clone of the Imaged system is made for each program to be used in the test.

3. An individual program is installed with default settings on each of the Cloned systems.

4. A Snapshot is taken of each cloned system.

5. Any real time protection is disabled, so that the samples can be copied onto the system without being intercepted.

6. On each Cloned system the folder containing the fifteen samples of malware is placed.

7. All the programs are fully updated.

8. Each malware sample is executed individually, with the system being rebooted after each execution, until all fifteen samples have been executed.

9. A second snapshot of the cloned system is taken, allowing us to know all changes / infections.

10. All differences between the first and second snapshots are noted.

11. Real Time protection and other default methods of detection/prevention used by the applications are turned on.

12. The test is conducted by performing a full system scan and allowing the application to perform its detection and removal activities.

13. Once the application finds no malware / reports a clean system, the cloned system is compared to the first snapshot so an assessment of cleanup effectiveness can be made.
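The snapshot comparison in steps 4, 9, 10 and 13 is the part of this methodology that decides the verdict, so here is a small Python model of it. This is an added example written for this page, not MRG's own tooling: it hashes every file under a root directory, carries a caller-supplied dictionary of autorun entries as a stand-in for the Run keys and services a real snapshot would read from the registry, diffs two snapshots, and reports as residue anything the infection added or altered that is still present after the product reports a clean system. The file names, the hosts-file edit and the Run entry in demo() are constructed for the illustration and are not the samples listed on this page.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Snapshot:
    files: dict      # relative path -> sha256 of the file contents
    autoruns: dict   # autorun entry name -> command (stand-in for Run keys, services)


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_snapshot(root, autoruns):
    """Steps 4 and 9: hash every file below root. The autorun dict is supplied
    by the caller; on a real host it would be read from the registry."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return Snapshot(files=files, autoruns=dict(autoruns))


@dataclass
class Diff:
    added: set = field(default_factory=set)
    modified: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    autoruns_added: set = field(default_factory=set)


def diff_snapshots(before, after):
    """Step 10: everything that differs between two snapshots."""
    d = Diff()
    for path, digest in after.files.items():
        if path not in before.files:
            d.added.add(path)
        elif before.files[path] != digest:
            d.modified.add(path)
    d.removed = set(before.files) - set(after.files)
    d.autoruns_added = {k for k, v in after.autoruns.items() if before.autoruns.get(k) != v}
    return d


def rescue_verdict(baseline, cleaned):
    """Step 13: anything the infection added or altered that survives the
    product's cleanup is residue. Files that are gone are not: the product
    deleting a dropped sample is the desired outcome."""
    d = diff_snapshots(baseline, cleaned)
    residue = sorted(d.added | d.modified | {"autorun:" + k for k in d.autoruns_added})
    return ("System Rescued" if not residue else "Failed", residue)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario, not a real sample: a dropper writes a DLL and an
    EXE into system32, edits the hosts file and adds a Run entry. The first
    'product' removes only the two binaries; the second also restores the
    hosts file and deletes the Run entry."""
    root = tempfile.mkdtemp()
    try:
        hosts = "WINDOWS/system32/drivers/etc/hosts"
        _write(root, "WINDOWS/system32/kernel32.dll", b"legitimate system file")
        _write(root, hosts, b"127.0.0.1 localhost\n")
        baseline = take_snapshot(root, {})

        _write(root, "WINDOWS/system32/msiupd.dll", b"payload")
        _write(root, "WINDOWS/system32/svchots.exe", b"dropper")
        _write(root, hosts, b"127.0.0.1 localhost\n127.0.0.1 update.example\n")
        run_key = {"Run\\msiupd": "rundll32 msiupd.dll,Start"}
        changes = diff_snapshots(baseline, take_snapshot(root, run_key))

        os.remove(os.path.join(root, "WINDOWS", "system32", "msiupd.dll"))
        os.remove(os.path.join(root, "WINDOWS", "system32", "svchots.exe"))
        partial = rescue_verdict(baseline, take_snapshot(root, run_key))

        _write(root, hosts, b"127.0.0.1 localhost\n")
        full = rescue_verdict(baseline, take_snapshot(root, {}))
        return {"changes": changes, "partial": partial, "full": full}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    r = demo()
    print("infection added:", sorted(r["changes"].added))
    print("partial cleanup:", r["partial"])
    print("full cleanup:", r["full"])
```

Note the asymmetry in rescue_verdict: files missing relative to the baseline are not counted, because a product deleting the dropped sample is exactly the desired outcome, while a modified system file (the hosts file here) or a surviving autorun entry is a failed removal even when the binaries are gone. That is the same distinction the per-product lists below draw between "System Rescued" and "Failed".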

The applications tested were as follows:

a-squared Anti-Malware 4.5.0.27

AntiVir Premium 9.0.0.452

Bluepoint Security 1.0.0.83

Hitman Pro 3.5.3 Build 80

Malwarebytes’ Anti-Malware 1.42

Prevx 3.0.5.23

SUPERAntiSpyware Professional 4.31.1000

List of malware samples used:

AdWare.Win32.Agent.pwl
Backdoor.Win32.Hupigon.iyzf
Email.Worm.Win32.Iksmas.fva
P2P.Worm.Win32.Palevo.keh
Trojan.BAT.Qhost.gx
Trojan.Downloader.Win32.Agent.ctrh
Trojan.Downloader.Win32.Genome.zng
Trojan.Dropper.Win32.Agent.bhrg
Trojan.Dropper.Win32.Mudrop.fgp
Trojan.Spy.Win32.Zbot.acyk
Trojan.Win32.Buzus.cmsb
Trojan.Win32.FraudPack.zdf
Trojan.Win32.Inject.admx
Trojan.Win32.Kreeper.hf
Trojan.Win32.Refroso.scn

Results:

Program Result
A-SQUARED System Rescued
Hitman Pro System Rescued
AVIRA Failed
BluePoint Failed
Malwarebytes Failed
Prevx Failed
SUPERAntiSpyware Failed

List of samples which were not successfully removed from the system, for each program separately:

Avira:

Backdoor.Win32.Hupigon.iyzf

Trojan.Win32.Refroso.scn

BluePoint:

Trojan.Spy.Win32.Zbot.acyk

Trojan.Win32.FraudPack.zdf

Malwarebytes:

Backdoor.Win32.Hupigon.iyzf

Trojan.Win32.Buzus.cmsb

Prevx:

Trojan.Win32.FraudPack.zdf

Trojan.Win32.Buzus.cmsb

Trojan.Win32.Inject.admx

Trojan.Spy.Win32.Zbot.acyk

Trojan.Dropper.Win32.Agent.bhrg

SUPERAntiSpyware:

Trojan.Spy.Win32.Zbot.acyk

Backdoor.Win32.Hupigon.iyzf

P2P.Worm.Win32.Palevo.keh

Trojan.Win32.Buzus.cmsb

Trojan.Downloader.Win32.Agent.ctrh

Trojan.Win32.Refroso.scn

Trojan.Win32.FraudPack.zdf

Trojan.Dropper.Win32.Mudrop.fgp

Trojan.Downloader.Win32.Genome.zng

This test is property of Malware Research Group, any unauthorized reproduction of this test is strictly forbidden.

Malware Research Group Project 021

Project details: On Demand Scan test

Operating System used in this test: Windows XP Professional Service Pack 3

Total number of programs used in this test: 21

Amount of samples used in this test: 554.891

Malware categories used in this test and the amount of samples in each category:

Trojans/Backdoors- 398.951
Windows Viruses- 8.864
Worms- 61.928
Adware/Spyware- 48.552
Rootkits/Exploits- 10.736
Other Malware- 25.860


List of programs used in P#21 and their program versions:

a-squared Anti-Malware  4.5.0.27
avast! Professional Edition 4.8.1356
AVG Anti-Virus 9.0.663 Build 1703
Avira AntiVir Premium 9.0.0.447
BitDefender AntiVirus 13.0.15.297
COMODO Internet Security 3.12.111745.560
eScan Antivirus 10.0.997.491
ESET Nod32 Antivirus 4.0.467
F-Secure Antivirus 10.00.246
F-Prot Antivirus 6.0.9.3
Ikarus Virus Utilities 1.0.97
G DATA Antivirus  20.0.1.1
Kaspersky Anti-Virus 9.0.0.463
McAfee VirusScan Plus 13.11.102
Norman Antivirus & Anti-Spyware  7.10.02
Norton AntiVirus 17.0.0.136
Online Armor++ 3.5.0.50
Panda Antivirus 9.00.00
Twister Anti-TrojanVirus 7.32
Sophos Anti-Virus 7.6.10
Spy Emergency 7.0.195.0

Methodology used in this test:

1. Windows XP Professional Service Pack 3 is installed and updated with all the important updates.

2. Image of the Operating System is being created.

3. Clones of the Imaged system have been made in the amount of programs used in the test.

4. On each of the Cloned systems a separate program is being installed.

5. All the programs used in this test are being updated with the latest databases , the updating process is finished within 60 minutes for all programs. When the updating procedure is finished and the successful program updates have been verified, internet is disconnected.

6. The malware package that was prepared earlier is placed on every PC scheduled for testing.

7. All programs were tested using their default (out of the box) settings.

8. After each program finishes the test, another scan is being performed on the undetected items.

9. When each of the programs completes the second scan, the samples missed are being counted and stored into the external storage unit.

10. The final results are presented and show the amount of samples that were detected and removed.

Additional information:

McAfee VirusScan Plus enables Artemis by default, therefore we tested McAfee VirusScan Plus with an active internet connection at the same time the other programs were being updated with their latest databases.

The table shows the program tested, the amount of malware samples (all of the categories above) that were detected and removed.

Program Detection Rate (%)
a-squared 99.8%
Online Armor ++ 99.8%
G Data 99.6%
Avira 99.5%
Ikarus 99.4%
Panda 98.9%
Norton 98.8%
Avast 98.7%*
McAfee 98.7%
BitDefender 98.6%*
eScan 98.6%
F-Secure 98.5%
Nod32 98.3%
Kaspersky 98.2%
Comodo 98.1%
AVG 97.4%
F-Prot 95.7%
Twister 94.6%
Sophos 94.4%
Norman 93.2%
Spy Emergency 66.5%


This test is property of Malware Research Group, any unauthorized reproduction of this test is strictly forbidden.

If you have any questions regarding this test, please visit our forums

Malware Research Group

Malware Research Group Project #20

Project details: RWS Real Time test

Operating System used in this test: Windows XP Professional Service Pack 3

Total number of programs used in this test: 25

List of programs used:

a-squared Anti-Malware   4.5.0.22

avast! Professional Edition 4.8.1351

AVG Anti-Virus 8.5.409 Build 1634

Avira AntiVir Premium 9.0.0.446

BitDefender AntiVirus 2010 Build 13.0.15.297

COMODO Internet Security 3.11.108364.552

Dr.Web 5.00.1.08170

eScan Antivirus Edition 10

F-Prot Antivirus 6.0.9.2

F-Secure InternetSecurity 2010 10.00 Build 246

G DATA InternetSecurity 2010 20.0.3.0

Ikarus Virus Utilities 1.0.97

Kaspersky Anti-Virus 2010 9.0.0.463

McAfee VirusScan Plus 2009 13.15.101

Microsoft Security Essentials 1.0.407.0 (BETA)

NOD32 Antivirus 4.0.437

Norman Virus Control 5.99 R14

Norton AntiVirus 2009 16.5.0.134

Online Armor ++ 3.5.0.32

Panda Antivirus Pro 2010 9.00.00

Panda Cloud Antivirus 0.08.82

Prevx 3.0.1.65

Spy Emergency 2009 6.0.605

Twister Anti-TrojanVirus V7 R3(7.32)

VIPRE® Antivirus + Antispyware 3.1.2775

Amount of malware samples used in this test: 60

We used the following samples of malware:

Adware.Win32.AdMedia.ed
Adware.Win32.Iebar.w
Backdoor.Win32.Bifrose.bksm
Backdoor.Win32.Kbot.tg
Backdoor.Win32.NewRest.an
Backdoor.Win32.NewRest.ao
Backdoor.Win32.Poison.anpg
Backdoor.Win32.Small.ejx
Backdoor.Win32.Wuca.ee
Backdoor.Win32.Wuca.ek
Email.Worm.Win32.Joleee.dbe
Net.Worm.Win32.Kolab.cnx
Net.Worm.Win32.Koobface.bjc
Net.Worm.Win32.Koobface.bjm
Net.Worm.Win32.Koobface.bjs
Net.Worm.Win32.Koobface.bju
Rootkit.Win32.Bezopi.a
Trojan.Win32.Agent.ctap
Trojan.Win32.BHO.xsv
Trojan.Win32.Crot.v
Trojan.Win32.Inject.ahhq
Trojan.Win32.Inject.ahte
Trojan.Win32.Pakes.now
Trojan.Win32.Refroso.cpj
Trojan.Win32.Smardf.fuz
Trojan.Win32.TDSS.aeaf
Trojan.Win32.Vaklik.fsi
Trojan.Win32.Vaklik.ftt
Trojan.Downloader.Win32.Agent.cmcq
Trojan.Downloader.Win32.Agent.cndd
Trojan.Downloader.Win32.Dadobra.dbd
Trojan.Downloader.Win32.FraudLoad.eyw
Trojan.Downloader.Win32.FraudLoad.wooi
Trojan.Downloader.Win32.Small.ambd
Trojan.Downloader.Win32.Small.ambv
Trojan.Dropper.Win32.Agent.apfr
Trojan.Dropper.Win32.Agent.aven
Trojan.Dropper.Win32.Agent.awwv
Trojan.Dropper.Win32.Agent.ayqa
Trojan.Dropper.Win32.Agent.ayzr
Trojan.Dropper.Win32.Agent.azhd
Trojan.Dropper.Win32.Agent.baoo
Trojan.PSW.Win32.LdPinch.dis
Trojan.PSW.Win32.LdPinch.gxo
Trojan.PSW.Win32.VB.akp
Trojan.Ransom.Win32.SMSer.in
Trojan.Spy.Win32.Agent.azmu
Trojan.Spy.Win32.Goldun.cnx
Trojan.Spy.Win32.KeyLogger.cly
Trojan.Spy.Win32.Zbot.aacf
Trojan.Spy.Win32.Zbot.aaha
Trojan.Spy.Win32.Zbot.aaim
Trojan.Spy.Win32.Zbot.gen
Trojan.Spy.Win32.Zbot.zte
Win32.AdvancedAntivirus.ib
Win32.OnLineGames.bkzf
Win32.OnLineGames.vjmz
Worm.Win32.AutoRun.afcb
Worm.Win32.AutoRun.auku
Worm.Win32.Bezopi.be

All samples of malware used in this test came from infected machines; the samples were collected from 05/08/2009 – 20/05/2009 and the testing was conducted from 27/08/2009 – 31/08/2009.

Methodology used in this test:
1. Windows XP Professional Service Pack 3 is installed and updated with all important updates.
2. An image of the Operating System is created.
3. A clone of the Imaged system is made for each program to be used in the test.
4. An individual program is installed on each of the Cloned systems.
5. On each Cloned system the package containing 60 samples of malware is placed.
6. All the programs are fully updated.
7. Real Time protection/On Access scanners as well as all other methods of detection/prevention used by various Security Applications are turned on prior to the start of the test.
8. The test is conducted by trying to execute each of the 60 malware samples.
9. The goal of this test is to block the execution of each of the 60 malware samples, so we allowed various categories of Security Application to be used in the same test; we tested mostly Antivirus and Internet Security Suite applications with their default (out of the box) settings.
10. After each program used in this test is tested on against all 60 malware samples, the system is checked for any traces of active malware.
11. We will show the list of missed malware for each of the programs which failed to block all 60 of the samples.
12. The results will be presented separately for Antivirus and Internet Security Suite applications.

The tables show: Program tested, Amount of samples blocked, Amount of samples missed, Passed or Failed the test.

Antivirus applications:

Program            Blocked  Missed  MRG Project#20
a-squared          60       0       Passed
Avast              58       2       Failed
AVG                59       1       Failed
AVIRA              60       0       Passed
BitDefender        53       7       Failed
Dr.Web             57       3       Failed
eScan              52       8       Failed
F-Prot             46       14      Failed
Ikarus             60       0       Passed
Kaspersky          60       0       Passed
Microsoft (BETA)   57       3       Failed
Nod32              58       2       Failed
Norman             50       10      Failed
Norton             58       2       Failed
Panda              60       0       Passed
Panda Cloud        60       0       Passed
Prevx              60       0       Passed
Spy Emergency      44       16      Failed
Twister            58       2       Failed
VIPRE              60       0       Passed

Internet Security Suites:

Program            Blocked  Missed  MRG Project#20
COMODO             60       0       Passed
F-Secure           60       0       Passed
G DATA             60       0       Passed
McAfee             59       1       Failed
Online Armor++     60       0       Passed

Additional information:

Using the same engine does not mean that the results are going to be the same: if two products do not share the same real time protection features (heuristics, behavior monitoring…) and the samples are not covered by the signature database, their results will differ.

F-Secure, Microsoft Security Essentials, Prevx and Panda Cloud require a live internet connection in order to function properly. These four AVs were tested on VMs with live connections within 45 minutes of the traditional AVs’ images being finalized, in order to ensure they had no measurable advantage over them in terms of signature age.

For all other information, please visit our forums.

System Protection Award winners:

a-squared Anti-Malware

Avira AntiVir PE Premium

COMODO Internet Security

F-Secure Internet Security

G DATA Internet Security

Ikarus Virus Utilities

Kaspersky Anti-Virus

Online Armor ++

Panda Antivirus Pro

Panda Cloud Antivirus

Prevx

VIPRE® Antivirus + Antispyware

Programs that failed this test and the samples that were not blocked:

Avast
Trojan.Downloader.Win32.Agent.cmcq
Trojan.Dropper.Win32.Agent.apfr

AVG

Trojan.Spy.Win32.KeyLogger.cly

BitDefender
Backdoor.Win32.Kbot.tg
Backdoor.Win32.NewRest.an
Trojan.Win32.Refroso.cpj
Trojan.Dropper.Win32.Agent.aven
Trojan.Dropper.Win32.Agent.ayzr
Trojan.Ransom.Win32.SMSer.in
Trojan.Spy.Win32.Zbot.gen

Dr.Web
Backdoor.Win32.Poison.anpg
Trojan.Downloader.Win32.Agent.cmcq
Trojan.Dropper.Win32.Agent.apfr

eScan
Backdoor.Win32.NewRest.an
Backdoor.Win32.Poison.anpg
Trojan.Win32.Refroso.cpj
Trojan.Win32.Vaklik.ftt
Trojan.Dropper.Win32.Agent.aven
Trojan.Dropper.Win32.Agent.ayzr
Trojan.Ransom.Win32.SMSer.in
Trojan.Spy.Win32.Zbot.gen

F-Prot
Backdoor.Win32.NewRest.an
Trojan.Win32.Inject.ahte
Trojan.Win32.Vaklik.ftt
Trojan.Downloader.Win32.Agent.cndd
Trojan.Downloader.Win32.FraudLoad.wooi
Trojan.Dropper.Win32.Agent.apfr
Trojan.Dropper.Win32.Agent.aven
Trojan.Dropper.Win32.Agent.baoo
Trojan.PSW.Win32.LdPinch.gxo
Trojan.PSW.Win32.VB.akp
Trojan.Ransom.Win32.SMSer.in
Trojan.Spy.Win32.Zbot.aaha
Trojan.Spy.Win32.Zbot.aaim
Trojan.Spy.Win32.Zbot.gen

McAfee
Trojan.Win32.Inject.ahhq

Microsoft (BETA)
Trojan.Win32.Inject.ahhq
Trojan.PSW.Win32.VB.akp
Trojan.Spy.Win32.Agent.azmu

NOD32
Trojan.Win32.Inject.ahhq
Trojan.Ransom.Win32.SMSer.in

Norman
Backdoor.Win32.Poison.anpg
Rootkit.Win32.Bezopi.a
Trojan.Win32.Inject.ahte
Trojan.Win32.Smardf.fuz
Trojan.Win32.Vaklik.fsi
Trojan.Dropper.Win32.Agent.apfr
Trojan.Dropper.Win32.Agent.ayzr
Trojan.PSW.Win32.LdPinch.gxo
Trojan.Ransom.Win32.SMSer.in
Trojan.Spy.Win32.Agent.azmu

Norton
Trojan.Win32.Inject.ahhq
Trojan.Downloader.Win32.Agent.cndd

Twister
Trojan.Win32.Vaklik.ftt
Trojan.Dropper.Win32.Agent.ayzr

Spy Emergency
Backdoor.Win32.Kbot.tg
Backdoor.Win32.NewRest.an
Backdoor.Win32.NewRest.ao
Backdoor.Win32.Poison.anpg
Rootkit.Win32.Bezopi.a
Trojan.Win32.Agent.ctap
Trojan.Win32.Vaklik.fsi
Trojan.Win32.Vaklik.ftt
Trojan.Downloader.Win32.Agent.cmcq
Trojan.Dropper.Win32.Agent.apfr
Trojan.Dropper.Win32.Agent.ayzr
Trojan.PSW.Win32.LdPinch.gxo
Trojan.Spy.Win32.Zbot.aacf
Trojan.Spy.Win32.Zbot.aaha
Trojan.Spy.Win32.Zbot.gen
Trojan.Spy.Win32.Zbot.zte

Malware Research Group Project #19

Project details: On Demand scan test

Operating System used in this test: Windows XP Professional Service Pack 3

Total number of programs used in this test: 19

List of programs used:
 
1. a-squared Anti-Malware 4.0.0.79
2. avast! Professional Edition 4.8.1335
3. AVG Anti-Virus 8.0.234
4. Avira AntiVir Premium 9.0.0.420
5. BitDefender AntiVirus  Build 12.0.12.0
6. COMODO Internet Security 3.9.95478.509
7. ClamWin Free Antivirus 0.95.1
8. Dr.Web for Windows 5.00.1.04130
9. ESET Nod32 Antivirus 4.0.417
10. F-Secure Antivirus  9.00.149
11. G DATA Antivirus  20.0.1.1
12. Kaspersky Anti-Virus  8.0.0.506
13. Norman Antivirus & Anti-Spyware 7.10.02
14. Norton AntiVirus  16.5.0.134
15. Sophos Anti-Virus 7.6.4
16. Twister Anti-TrojanVirus 7.32
17. eScan Antivirus Edition 10.0.946.341
18. McAfee VirusScan Plus 13.3.117
19. Spy Emergency 6.0.405

Amount of malware samples used in this test: 639.424

Malware categories used in this test and the amount of samples in each category:

Trojans/Backdoors- 468.850
Windows Viruses- 12.134
Worms- 64.358
Adware/Spyware- 58.224
Rootkits/Exploits- 11.058
Other Malware- 24.800

False Positive samples were not used in this test, therefore the results reflect strictly the detection capabilities of each program used in this test.

Samples used in this test were supplied by our own team of researchers; all samples are less than one year old.

Methodology used in this test:

1. Windows XP Professional Service Pack 3 is installed and updated with all the important updates.

2. Image of the Operating System is being created.

3. Clones of the Imaged system have been made in the amount of programs used in the test.

4. On each of the Cloned systems a separate program is being installed.

5. All of the programs in the test are being updated with the latest databases at the same time. When the updating procedure is finished and the successful program updates have been verified, internet is disconnected.

6. The malware package that was prepared earlier is placed on every PC scheduled for testing.

7. All the programs in the test are set to delete all the detected items.

8. After each program finishes the test, another scan is being performed on the undetected items.

9. When each of the programs completes the second scan, the samples missed are being counted and stored into the external storage unit.

10. The final results are presented and show the amount of samples that were detected and removed.

The table shows the program tested, the amount of malware samples (all of the categories above) that were detected and removed.

Program Detection Rate (%)
a-squared 99.7%
Avira 99.5%
G DATA 99.4%
Kaspersky 98.8%
Avast 98.7%
BitDefender 98.6%
eScan 98.5%
Norton 98.2%
Nod32 97.4%
COMODO 97.1%
McAfee 96.8%
F-Secure 96.4%
AVG 96.2%
Norman 95.4%
Twister 94.6%
Sophos 93.5%
Spy Emergency 82.4%
ClamAV 82.3%
Dr.Web 79.5%

If you wish to use these results on your website, please use a direct link to this web page


This test is property of Malware Research Group, any unauthorized reproduction of this test is strictly forbidden.

Malware Research Group Project #18

Project details: On Demand scan test

Operating System used in this test: Windows XP Professional Service Pack 3

Total number of programs used in this test: 18

List of programs used:

1. a-squared Anti-Malware 4.0.0.79
2. avast! 4.8.1335
3. AVG Anti-Virus 8.5.287 Build 1483
4. Avira AntiVir Premium 9.0.0.420
5. BitDefender AntiVirus 2009 Build 12.0.12.0
6. COMODO Internet Security 3.8.65951.477
7. ClamWin Free Antivirus 0.95.1
8. Dr.Web 5.00.1.04130 for Windows
9. ESET Nod32 Antivirus 4.0.417
10. F-Secure Internet Security 2009 9.00.149
11. G DATA InternetSecurity 2009 19.0.0.53
12. Kaspersky Anti-Virus 2009 8.0.0.506
13. Norman Antivirus & Anti-Spyware 7.10
14. Norton AntiVirus 2009 16.5.0.134
15. Sophos Anti-Virus 7.3.0
16. Twister Anti-TrojanVirus 7.32
17. eScan Antivirus Edition  V10
18. McAfee VirusScan Plus 2009
 
Malware samples used in this test: 395.844
Malware categories used in this test and the amount of samples in each category :

Windows/Macro Viruses- 18.696

Trojans/Backdoors- 243.811

Worms/Rootkits- 86.634

Adware/Spyware- 46.703

Samples used in this test were supplied by our own team of researchers, all the samples used in this test date from January 1st 2008. up to December 31st 2008.

Methodology used in this test:

1. Windows XP Professional Service Pack 3 is installed and updated with all the important updates.

2. Image of the Operating System is being created.

3. Clones of the Imaged system have been made in the amount of programs used in the test.

4. On each of the Cloned systems a separate program is being installed.

5. All of the programs in the test are being updated with the latest databases at the same time. When the updating procedure is finished and the successful program updates have been verified, internet is disconnected.

6. The malware package that was prepared earlier is placed on every PC scheduled for testing.

7. All the programs in the test are set to delete all the detected items.

8. After each program finishes the test, another scan is being performed on the undetected items.

9. When each of the programs completes the second scan, the samples missed are being counted and stored into the external storage unit.

10. The final results are presented and show the amount of samples that were detected and removed.

The table shows the program tested, the amount of malware samples (all of the categories above) that were detected and removed.

Program Detection Rate (%)
a-squared 99.6%*
Avira 99.6%*
G DATA 99.4%
Avast 99.2%
Norton 99.0%
Kaspersky 98.8%
BitDefender 98.7%
eScan 98.5%
F-Secure 98.3%
McAfee 98.1%
Nod32 97.6%
AVG 96.9%
COMODO 96.2%
Twister 95.7%
Sophos 93.5%
Norman 93.2%
Dr.Web 86.3%
ClamAV 85.7%

If you wish to use these results on your website, please use a direct link to this web page.

We wish to point out once again that this test was done using malware samples created and discovered in the past year (2008). We did not use any “suspicious” files or False Positives and did not take scanning speed into consideration; this test was conducted simply to check the ability of today’s Anti-Malware programs when dealing with malware samples which have been around for some time.

Avira and a-squared detected exactly the same amount of samples (99.61%), that result is very rare in tests like this and has happened to our team only once before this test. Both Avira and a-squared share the first place in this test.

This test is property of Malware Research Group, any unauthorized reproduction of this test is strictly forbidden.

Malware Research Group Project #17

Project details: Infected System Rescue test

Operating System used in this test: Windows XP Professional Service Pack 3

Total number of programs used in this test: 18

List of programs used:

1. a-squared Anti-Malware 4.0.0.73
2. avast! 4.8.1335
3. AVG Anti-Virus 8.0.237 Build 1428
4. Avira AntiVir Premium 8.2.0.373
5. BitDefender AntiVirus 2009 Build 12.0.11.3
6. COMODO Internet Security 3.5.57173.439
7. ClamWin Free Antivirus 0.94.1
8. Dr.Web 5.0.0.12300 for Windows
9. ESET Nod32 Antivirus 3.0.684
10. F-Secure Internet Security 2009 9.00.148
11. G DATA InternetSecurity 2009 19.0.0.53
12. Kaspersky Anti-Virus 2009 8.0.0.506
13. Norman Antivirus & Anti-Spyware 7.10
14. Norton AntiVirus 2009 16.2.0.7
15. Sophos Endpoint Protection 7.5.1
16. Twister Anti-TrojanVirus 7.32
17. eScan Antivirus Edition  V10
18. McAfee VirusScan Plus 2009
 

Malware samples used in this test: 30

All the samples used should be detected by all the participants in this test.

All the samples used are wide spread and no “unknown” variants have been used.

List of Malware samples used in this test:

Adware.Win32.Cinmus.hen
Adware.Win32.Virtumonde.qpm
Backdoor.Win32.Bifrose.zbx
Backdoor.Win32.BlackHole.d
Backdoor.Win32.Hupigon.efjs
Backdoor.Win32.Poison.oo
Backdoor.Win32.Singu.bt
Backdoor.Win32.Sinowal.bq
FraudTool.Win32.Agent.b
Hoax.Win32.Renos.vark
Net.Worm.Win32.Kolab.baq
Rootkit.Win32.Clbd.kr
Trojan.Win32.Buzus.jio
Trojan.Win32.Delf.hjd
Trojan.Win32.Inject.afm
Trojan.Win32.Midgare.gga
Trojan.Win32.Monder.dtn
Trojan.Win32.Monderb.hrf
Trojan.Win32.Qhost.kng
Trojan.Win32.VB.jiq
Trojan.Clicker.Win32.Small.kj
TrojanDownloader.FakeAlert.wr
TrojanDownloader.Win32.Agent.bbkf
TrojanDownloader.Win32.CodecPack.ml
TrojanDownloader.Win32.Zlob.wg
TrojanDropper.Win32.Mudrop.cy
TrojanSpy.Win32.Delf.dq
TrojanSpy.Win32.Zbot.dmz
TrojanSpy.Win32.VB.axg
Virus.Win32.Virut.bv

Methodology used in this test:

This test was not conducted inside a virtual environment because many of the samples used in this test will not run inside virtual machines. Instead we used real hardware, which is the ideal condition for this type of test. Before the test started, the MRG team checked every sample to confirm that it installed and functioned correctly.

1. A fresh copy of Microsoft Windows XP Service Pack 3 is installed and fully updated with all the important updates and patches.

2. On the freshly installed operating system we install all the tools needed to create images and snapshots of the system.

3. Additional images of the clean system are created.

4. The imaged system is infected with only one malware sample at a time, and another image of the system is created after each infection has taken place.

5. The malware installed on the system is checked for proper functionality. The system is also checked for proper functionality after the installation of the malicious program has taken place.

6. For every program used in this test, one image containing exactly one active infection is made for each of the 30 samples.

7. Installation of the program under test is attempted on each of the 30 images created (the procedure is repeated for all 18 programs used in this test). If installation is successful, the program is set to “clean” all malicious programs detected.

8. After every attempted “cleaning” is completed, the system is checked for active infections as well as system functionality (another image is created). If the infection has been neutralized, no harmful traces have been found, and the system was not harmed while disinfection took place, the program gets one point.

9. If, after the attempted cleaning is completed, the infection is still active in any way that could pose a threat to the system, or the system was harmed while disinfection took place, the program gets no points.

10. The System Rescued award goes to all programs that achieved 100% successful removal of all the active infections.

* For all programs that failed the test, we list the samples that were not cleaned and were found active after the attempted cleaning was completed. *

The Table shows the name of the program used, how many points the program got and the final result.

Product        Points   Result
a-squared      30       System Rescued
Avast          30       System Rescued
Avira          30       System Rescued
AVG            30       System Rescued
BitDefender    30       System Rescued
COMODO         30       System Rescued
ClamAV         26       Failed
Dr.Web         23       Failed
eScan          30       System Rescued
F-Secure       30       System Rescued
G DATA         30       System Rescued
Kaspersky      30       System Rescued
McAfee         28       Failed
NOD32          24       Failed
Norman         27       Failed
Norton         30       System Rescued
Sophos         29       Failed
Twister        28       Failed


System Rescued award goes to:

a-squared Anti-Malware

avast! Professional Edition

AVG Anti-Virus

Avira AntiVir PE Premium

BitDefender AntiVirus

COMODO Internet Security

eScan Antivirus Edition

F-Secure Internet Security

G DATA Internet Security

Kaspersky Anti-Virus

Norton AntiVirus

List of the programs that failed to remove all active infections; under each program are the malware samples that were not successfully removed.

ClamWin Free Antivirus

Backdoor.Win32.BlackHole.d

FraudTool.Win32.Agent.b

Trojan.Win32.Delf.hjd

Trojan.Win32.VB.jiq

Dr.Web

Adware.Win32.Cinmus.hen

Net.Worm.Win32.Kolab.baq

Trojan.Win32.Buzus.jio

Trojan.Win32.Delf.hjd

Trojan.Win32.VB.jiq

TrojanDownloader.Win32.Agent.bbkf

TrojanSpy.Win32.VB.axg

ESET Nod32 Antivirus

Net.Worm.Win32.Kolab.baq

Trojan.Win32.Inject.afm

Trojan.Win32.Midgare.gga

Trojan.Win32.VB.jiq

Trojan.Clicker.Win32.Small.kj

TrojanSpy.Win32.Delf.dq

McAfee VirusScan Plus

Adware.Win32.Cinmus.hen

Net.Worm.Win32.Kolab.baq

Norman Antivirus & Anti-Spyware

Adware.Win32.Cinmus.hen

FraudTool.Win32.Agent.b

Trojan.Win32.VB.jiq

Sophos Endpoint Protection

Net.Worm.Win32.Kolab.baq

Twister Anti-TrojanVirus

Rootkit.Win32.Clbd.kr

Trojan.Win32.Buzus.jio

All the programs installed successfully on all the infected images, and none of the programs harmed the system while removing malware from it.

This test is property of Malware Research Group; any unauthorized reproduction of this test is strictly forbidden.

Malware Research Group project #016

Project details: Malware Test/On Demand Scan

Operating System used in this test: Windows XP Professional Service Pack 3

Programs used in this test: 15

Program names and versions:

1. a-squared Anti-Malware 4.0.0.66
2. avast! 4.8.1296
3. AVG Anti-Virus 8.0.229 Build 1410
4. Avira AntiVir Premium 8.2.0.373
5. BitDefender AntiVirus 2009 Build 12.0.144
6. COMODO Internet Security 3.5.57173.439
7. ClamWin Free Antivirus 0.94.1
8. Dr.Web 5.0.0.12300 for Windows
9. ESET Nod32 Antivirus 3.0.684
10. F-Secure Internet Security 2009 9.00.148
11. G DATA InternetSecurity 2009 19.0.0.53
12. Kaspersky Anti-Virus 2009 8.0.0.506
13. Norman Antivirus & Anti-Spyware 7.10
14. Norton AntiVirus 2009 16.1.0.33
15. Sophos Endpoint Protection 7.5.1

MALWARE SAMPLES USED IN THIS TEST: 565,400

Malware categories used in this test and the number of samples in each category:

Windows/Macro viruses: 38,120

Trojans/Backdoors: 398,850

Worms/Rootkits: 58,330

Adware/Spyware: 69,580

SAMPLES USED IN THIS TEST WERE SUPPLIED BY OUR OWN TEAM OF RESEARCHERS.

Methodology used in this test:

1. Windows XP Professional Service Pack 3 is installed and updated with all the important updates.

2. An image of the operating system is created.

3. One clone of the imaged system is made for each program used in the test.

4. On each of the cloned systems a separate program is installed.

5. All of the programs in the test are updated with the latest databases at the same time. When the updating procedure is finished and the successful program updates have been verified, the internet connection is disconnected.

6. The malware package that was prepared earlier is placed on every PC scheduled for this test.

7. All the programs in the test are set to delete all detected items.

8. After each program finishes its scan, another scan is performed on the undetected items.

9. When each program completes the second scan, the missed samples are counted and stored on an external storage unit.

10. After the missed samples have been verified, 20% of the missed samples are submitted anonymously to each of the program vendors.

11. The final results are presented and show the number of samples that were detected and removed.

The table shows, for each program tested, the percentage of malware samples (all of the categories above) that were detected and removed, and the percentage of adware and spyware samples that were detected and removed.

Product        Malware   Adware/Spyware
G DATA         99.6%     99.3%
AntiVir        99.4%     99.2%
a-squared      99.3%     99.2%
Avast!         99.1%     98.9%
F-Secure       99.0%     98.3%
Kaspersky      98.8%     98.1%
Norton         98.6%     94.8%
BitDefender    98.4%     94.6%
Sophos         97.5%     93.1%
Norman         96.1%     93.3%
Nod32          95.9%     93.6%
AVG            95.7%     91.3%
Comodo         91.4%     90.0%
Dr.Web         89.6%     84.1%
ClamAV         85.4%     84.0%

COMODO Internet Security Review

COMODO Internet Security is a fast-growing, constantly improving freeware product which aims to provide 360° protection.
COMODO’s motto is “Prevention is the key to internet security”. We absolutely agree with this, so we decided to use COMODO Internet Security in our multilayered test.

For this review we used the latest version of COMODO Internet Security (3.12.111745.560), database version 2470.

The reviewing process had three stages:

1. On-demand scan of 50,000 malware samples (collected in June, July, August and September).

2. Self-protection test, in which we used various tools to try to disable COMODO Internet Security and its services.

3. System protection test, in which COMODO Internet Security was tested in real time against some of the most dangerous malware samples (better known as System Killers).

Result of our reviewing process:

1. On-demand scan test: COMODO Internet Security failed to detect 153 of the 50,000 malware samples, a detection rate of 99.69%.

2. Self-protection test: COMODO Internet Security successfully blocked all 10 attempts to disable it and its services.

3. System protection test: COMODO Internet Security successfully detected and blocked all 15 System Killers, leaving the system unharmed and fully operational.

Conclusion:

COMODO Internet Security offers an outstanding level of protection with its default settings. We were impressed with Defense+ and its ability to block every attempt to disable it and harm the system.
The product offers outstanding proactive protection and excellent leak protection, on-demand scan speed is impressive, and the program runs very light and uses very little of the system’s resources.
As we have been following the development of COMODO Internet Security we can see the improvements made; we only hope that they will find a way to reduce the number of popup screens, which would make it more user friendly for less experienced users.
Prevention is the key to internet security, and COMODO is taking that seriously.

Malware Research Group

Blue Point Security Review

BluePoint Security 2010 Review

We first came across BluePoint Security about six months ago and thought at the time that it seemed an innovative product. We have since included it in our tests and it performs very well; in fact, it is an exceptional product, as demonstrated by its performance in our last official test, where it was the only full anti-malware product to pass.

We have mentioned before about the increasing amount of malware being produced and the efforts of security vendors to keep up with this. One popular means employed by vendors is cloud technology which allows vendors to react to new malware faster and protect their customers against these threats more quickly. Whilst cloud technology helps increase detection efficiency, it still fails to solve the problem of protecting users from zero day threats.

The fundamental problem with traditional antivirus / anti-malware applications is that they use blacklisting. This approach is somewhat like the law, which states that you are innocent until proven guilty. That philosophy may be great in human law, where it is rightly argued that it is better to let ten guilty men go free than to execute one innocent man, but it is not so good when applied to computers.

BluePoint Security 2010 takes a different approach in that it assumes all files are guilty: it intercepts the execution of every file on the system (on the premise that no file should be trusted) and checks it against a list of files it knows to be good. If the file is on its known-good list, it is allowed to execute. If it is not on the list, with default settings it is analysed by the cloud anti-malware engine. If it is found to be malicious, it is blocked; if it is not found to be malicious, the user is given the option to run the file, with the caveat that the file is unknown. If the user chooses to execute the file, BPS continues to analyse it to detect malicious behaviour.

If BluePoint is set not to show alerts, the user is not given the opportunity to execute a file that is unknown or found to be malicious. This approach ensures that zero-day or unique / custom malware is always blocked.
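The decision order described in the two paragraphs above (known-good list first, cloud verdict second, and the alert setting deciding what happens to files that are still unknown) can be written down as a small default-deny policy engine. The Python below is an added illustration by the editor, not BluePoint’s code; the hash allow-list, the stand-in cloud lookup and the three sample files are constructed for the example, and the behaviour when the cloud engine gives no answer (fail closed) is an assumption of the example, not something the review states.

```python
from __future__ import annotations

import hashlib
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    ALLOW = "allow"    # on the known-good list: run without further checks
    BLOCK = "block"    # cloud engine says malicious, or unknown while alerts are off
    PROMPT = "prompt"  # unknown, alerts on: user may run it, file stays under observation


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allow-list key (any change to the file changes it)."""
    return hashlib.sha256(data).hexdigest()


class ExecutionGate:
    """Default-deny gate: a file runs only if it is explicitly known good, or if it
    is unknown, not flagged by the cloud, and a user who sees alerts opts in."""

    def __init__(
        self,
        known_good: set[str],
        cloud_is_malicious: Callable[[str], Optional[bool]],
        show_alerts: bool = True,
    ) -> None:
        self.known_good = known_good                  # SHA-256 hex digests of trusted files
        self.cloud_is_malicious = cloud_is_malicious  # True / False, or None if no answer
        self.show_alerts = show_alerts

    def decide(self, file_bytes: bytes) -> Verdict:
        digest = sha256_hex(file_bytes)
        if digest in self.known_good:
            return Verdict.ALLOW          # allow-list is consulted before anything else
        verdict = self.cloud_is_malicious(digest)
        if verdict is None:
            # Assumption for this example: no cloud answer means fail closed.
            return Verdict.BLOCK
        if verdict:
            return Verdict.BLOCK          # positively identified as malicious
        # Not flagged, but still not trusted: only a user who sees alerts can run it.
        return Verdict.PROMPT if self.show_alerts else Verdict.BLOCK


# --- constructed sample data (not real binaries) ------------------------------
TRUSTED_TOOL = b"MZ\x90\x00 constructed stand-in for a known-good executable"
KNOWN_BAD = b"MZ\x90\x00 constructed stand-in for a sample the cloud engine has seen"
NEVER_SEEN = b"MZ\x90\x00 constructed stand-in for a custom, never-seen binary"

KNOWN_GOOD_HASHES = {sha256_hex(TRUSTED_TOOL)}
CLOUD_BLOCKLIST = {sha256_hex(KNOWN_BAD)}


def fake_cloud(digest: str) -> Optional[bool]:
    """Stand-in for the cloud engine: flags only hashes it already knows as bad."""
    return digest in CLOUD_BLOCKLIST


def run_scenarios() -> dict[str, Verdict]:
    """Evaluate the constructed files under both alert settings and with no cloud answer."""
    alerts_on = ExecutionGate(KNOWN_GOOD_HASHES, fake_cloud, show_alerts=True)
    alerts_off = ExecutionGate(KNOWN_GOOD_HASHES, fake_cloud, show_alerts=False)
    no_answer = ExecutionGate(KNOWN_GOOD_HASHES, lambda _digest: None, show_alerts=True)
    return {
        "trusted/alerts_on": alerts_on.decide(TRUSTED_TOOL),
        "known_bad/alerts_on": alerts_on.decide(KNOWN_BAD),
        "unknown/alerts_on": alerts_on.decide(NEVER_SEEN),
        "unknown/alerts_off": alerts_off.decide(NEVER_SEEN),
        # A modified copy of a trusted file has a new hash and so loses its trust.
        "tampered_trusted/alerts_on": alerts_on.decide(TRUSTED_TOOL + b"\x00"),
        "unknown/no_cloud_answer": no_answer.decide(NEVER_SEEN),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict.value}")
```

The order of the checks is the whole point: a never-seen sample can only ever reach the PROMPT or BLOCK branches, which is why a zero-day that the cloud has not yet classified is still stopped when alerts are off. The tampered-trusted case shows the flip side of keying trust on a content hash: any legitimate update to a trusted binary is unknown again until it is re-listed, which is what the prompt exists for.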

BluePoint Security 2010 was reviewed on a system running Microsoft Windows 7 (32 bit).

Because BluePoint Security 2010 requires an active internet connection to function properly (its detection is cloud based), the internet connection was active during the review process.

We reviewed the latest version of BluePoint Security, version 1.0.7.99

Our reviewing process had three stages:

1. System Protection Test: we used live URLs to download 50 zero-day malware samples and attempted to infect the system with them.

2. System Protection Static Test: in this test we used 50 samples of malware which had been downloaded beforehand; all files were executed in real time.

3. Infected System Rescue Test: we used BluePoint Security 2010 on a system containing 10 active infections (Buzus, Hupigon, Inject, Koobface, Zbot, Bifrose, Pincav, Mudrop, Renos, Sasfis).

Result of our reviewing process:

System Protection Test: BluePoint Security 2010 successfully blocked all 50 zero-day samples from installing in real time.

System Protection Static Test: BluePoint Security 2010 successfully blocked all 50 samples of malware from installing on the host system.

Infected System Rescue Test: BluePoint Security 2010 successfully removed all 10 active infections from the host system, leaving no malicious or harmful traces behind.

Conclusion:

BluePoint Security 2010 showed some remarkable protection capabilities scoring 100% in all three stages of our reviewing process.

From the moment you install BluePoint Security 2010 it’s a smooth ride; it makes you feel like you have no anti-malware program at all, but make no mistake, as soon as a real threat comes it is blocked instantly.

By using its “Bluecore” whitelist technology and complementing it with the best cloud antivirus engine we have seen to date, BluePoint offers exactly the kind of protection users need these days.

The user interface is very clear and intuitive, and the settings are also very simple. The product comes with high settings by default, so there is no need for any additional configuration. Upon detection, BluePoint Security shows you the risk level (low, medium, high, severe) and, if the file is malicious, it is either deleted or quarantined.