Drive-by Antivirus Test — Final Round

Crimepack control panel

Here’s the final round of my antivirus drive-by test. Preparation for the drive-by test and the setup configuration are described here (part 1) and here (part 2). First of all I wanted to see whether the major free antivirus programs would be effective against web threats. To make the picture complete I also tested Norton Antivirus 2011 and ESET NOD32 Antivirus, yet surprisingly they did not show the 100% protection I expected from paid software. Again, it is important to note that I checked only the first lines of defence, of which there are a few to mention:

1. web site blocking by IP address or domain, using a list of known malware-hosting domains
2. detection of malicious scripts while browsing
3. detection of exploit code before the web browser triggers it
4. shellcode detection
5. detection of the downloaded installer (based on virus signatures or heuristic analysis)

As detecting the payload once it is fully installed and running may take many man-hours, I count an antivirus as having failed if it does not react by the 4th barrier; this is important to understand.
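To make the five barriers concrete, here is a small Python model of them, added as an illustration for this page; it is not code from any of the products tested and not part of the original post. It runs a few constructed page samples (made-up host names, a made-up blocklist, a heap-spray loop, a NOP-sled string, and a constructed "dropper" whose hash stands in for a signature) through the barriers in order and reports the first one that fires, which mirrors the grading rule above: anything that reacts at barriers 1 to 4 counts as a pass, barrier 5 is already too late.

```python
import hashlib
import re

# Barrier 1: host blocklist. Entries are constructed for this example
# (RFC 5737 documentation address range), not real malware hosts.
BLOCKED_HOSTS = {"bad.example", "198.51.100.23"}

# Barrier 2: obfuscated script loaders of the kind kit landing pages use.
SCRIPT_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape\s*\("),
    re.compile(r"document\.write\s*\(\s*unescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}"),
]

# Barrier 3: exploit staging before the browser triggers it; the one
# heuristic here is a heap-spray loop growing a string to a fixed size.
EXPLOIT_PATTERNS = [
    re.compile(r"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]{5,}\s*\)"),
]

# Barrier 5: signature match on the dropped installer. The "known bad"
# dropper is a constructed byte string, hashed below, not a real sample.
CONSTRUCTED_DROPPER = b"MZ" + b"\x00" * 62 + b"constructed-dropper-for-example"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_DROPPER).hexdigest()}


def decode_unescape(js):
    """Decode %uXXXX and %XX escapes anywhere in the script into raw bytes,
    the way unescape() would, so shellcode hidden in string literals can be
    inspected (barrier 4)."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", js):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def has_nop_sled(blob, min_len=32):
    """Barrier 4: a run of NOPs (0x90) long enough to be a sled."""
    return b"\x90" * min_len in blob


def scan(host, html, download=None):
    """Return the number of the first barrier that fires (1-5), or 0 if the
    visit passes every check. Under the post's grading rule a reaction at
    barriers 1-4 is a pass; reacting only at barrier 5 is a fail."""
    if host in BLOCKED_HOSTS:
        return 1
    if any(p.search(html) for p in SCRIPT_PATTERNS):
        return 2
    if any(p.search(html) for p in EXPLOIT_PATTERNS):
        return 3
    if has_nop_sled(decode_unescape(html)):
        return 4
    if download is not None and hashlib.sha256(download).hexdigest() in KNOWN_BAD_SHA256:
        return 5
    return 0


# Constructed page samples, one per barrier plus a clean page.
SAMPLES = {
    "blocked_host": ("bad.example", "<html></html>", None),
    "obfuscated_loader": ("cdn.example",
                          "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'))</script>", None),
    "heap_spray": ("cdn.example",
                   "<script>var x='\\u0c0c';while(x.length<0x40000){x+=x;}</script>", None),
    "shellcode": ("cdn.example",
                  "<script>var sc=unescape('" + "%u9090" * 20 + "%uc3c3');</script>", None),
    "dropper_only": ("cdn.example", "<html></html>", CONSTRUCTED_DROPPER),
    "clean": ("cdn.example", "<html><p>hello</p></html>", None),
}


def run_samples():
    """Map each sample name to the barrier that stopped it (0 = none)."""
    return {name: scan(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, barrier in run_samples().items():
        print(f"{name:18s} -> barrier {barrier or 'none'}")
```

The ordering is the point: a product that only has barrier 5 lets the exploit run and then has to recognise the installer, which is exactly the situation the post counts as a failure, while a good blocklist (barrier 1) stops the visit before any script is ever parsed.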

Test system setup

Windows Vista Home Premium SP2 32-bit
Adobe Reader 8.1.1
Java Runtime 1.5.0.9
Internet Explorer 7 build 6002.18002 

Exploits Source

Malwaredomainlist.com — this website lists web addresses that host exploits or redirect to them. The list is updated regularly.

Exploits and their versions

Phoenix exploit kit: N/A
NeoSploit: N/A
Eleonore exploits pack: 1.4.1 / 1.4.4mod
YES Exploit kit: 3.0
Crimepack exploit system: N/A
Siberia Exploits kit: N/A
Seo Sploit pack: N/A

Software programs under test

Avira AntiVir Personal 10.0.0.567 — link to the review
Avast Antivirus free edition 5.0.677 — link to the review
AVG Anti-Virus Free Edition 2011 10.0.1136 — link to the review
Norton Antivirus 2011 17.5.0.127 — review is below
Panda Cloud Antivirus 2.0.0.1 — review is below
ESET NOD32 4.2.64.12 — review is below
Microsoft Security Essentials 1.0.2 — review is below
Kaspersky Antivirus 2011 11.0.1.400 (a) — I could not test it, as KAV 2011 caused a blue screen of death on the test Windows Vista SP2 system.

Test Results

The winner is Avast Antivirus free edition 5.0.677. It protected the system from all tested exploits. A detailed overview is here.

In a few instances I could not test particular exploits, so they are marked “not tested” accordingly. The reason is simple: no live link to the exploit was available at the time of the test.

Complete test report in pdf format  

None of the others were as good as Avast. Look below:

Norton Antivirus 2011 17.5.0.127 let the Eleonore exploits pack run; screenshot below:

NAV2011 failed to protect from the Eleonore sploit

Exploits detected by NAV2011:

NAV2011 protected from SEOsploit
NAV2011 protected from Phoenix exploit kit
NAV2011 protected from Neosploit
NAV2011 protected from Crimepack

ESET NOD32 Antivirus 4.2.64.12 failed with the Phoenix exploit kit and NeoSploit:

ESET NOD32 failed to protect from Phoenix sploit kit
ESET NOD32 failed to protect from Neosploit

and passed with some others: 

ESET NOD32 protected from YES sploit kit
ESET NOD32 protected from SEO sploit kit
ESET NOD32 protected from Eleonore sploit kit

Panda Cloud Antivirus 2.0.0.1 did not detect anything (I tried only three sploits in this case):

Panda Cloud Antivirus 2.0.0.1 failed to protect from Phoenix sploit kit
Panda Cloud Antivirus 2.0.0.1 failed to protect from NEOSploit
Panda Cloud Antivirus 2.0.0.1 failed to protect from Eleonore sploit kit

Microsoft Security Essentials 1.0.2 failed to protect from everything except the Phoenix exploit kit:

MSE 1.0.2 protected from Phoenix exploit kit
MSE 1.0.2 failed to protect from Siberia exploit kit
MSE 1.0.2 failed to protect from SEO exploit kit
MSE 1.0.2 failed to protect from NEOSploit
MSE 1.0.2 failed to protect from Eleonore exploit kit

The Avira AntiVir Personal review is here
The AVG Anti-Virus Free Edition 2011 review is here
And again, the winner is Avast Antivirus free edition. Good job, guys!

Conclusion

It is easy to see from these test results that a modern antivirus with the latest databases is not an all-round security solution. To have good protection it is essential to keep Windows and popular software (like Adobe Acrobat Reader) updated. What is really interesting here is that paid security software can be less effective than free software, and Avast shines brightly in that respect.

This drive-by test has actually shown that the Avast team takes the time to filter malicious web sites in the first place, whereas the others mostly did not give a sh*t about them. And fighting an exploit is a different story from simply blocking the web address. So, don’t get me wrong, Avast is not the best, but it looks like a reliable companion for internet browsing.
