Viruses are money-driven tools these days, and they try to stay in the shadows from a regular consumer’s point of view. The reason is that they are designed for economic crime (D.o.S., online banking fraud, blackmail, etc.), and the chances are high that you are not very suitable as a target. They can do some harm to you personally, but the probability of that is close to zero. If they steal your credit card number, you may never know about it. But even if your bank lets you become the fraud victim (very unlikely) for a certain period, your real loss in the end will be frustration and anger.
I’m afraid the biggest coming internet threat is fake information. The Truman Show may never end for those who confuse living souls with spam bots, news with generated text, and books with messy databases. I feel a shiver going down my spine while reading fake spam messages, as they truly reflect the schizophrenic reality, the endless fall into the demons’ abyss.
How do you know the information you’ve just read is real, true, valid, and was not published three years ago?
Crimepack control panel
Here’s the final round of my antivirus drive-by test. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2). First of all, I wanted to see if major free antivirus programs would be effective against web threats. To make the picture complete, I also tested Norton Antivirus 2011 and ESET NOD32 Antivirus, yet surprisingly they did not show 100% protection as I expected from paid software. Again, it is important to note that I checked only the first lines of defence, because there are a few of them to mention:
1. web site blocking based on IP, from the list of known domains containing malware
2. detection of malicious scripts while browsing
3. detection of exploit code before a web browser triggers it
4. shell-code detection
5. detection of downloaded installer (based on virus signatures or heuristics analysis)
As detecting the sploit portion once it is fully installed and functioning may take lots of man-hours, I say an antivirus fails if it does not react by the 4th barrier. This is important to understand.
AVG Anti-Virus Free Edition 2011 (version 10.0.1136) performed very poorly in my drive-by test, and I also noticed system slowdown while web browsing. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2).
The only exploit pack it detected was the SEO Exploit kit; all others were undetected. Here are the results:
I have Avast Antivirus free edition, version 5.0.677, in my lab for the drive-by test. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2). I love Avast, because it is fast and not intrusive at all. It has been performing very well since version 4, and now it simply shines. That is why I was very pleased to see that it passed all my tests with malicious web-sites!
Look at the results:
Avira AntiVir Personal
Avira AntiVir Personal 10.0.0.567 – Free Antivirus is under test today. Preparation is explained here (Part 1) and here (Part 2). I knew the free edition of Avira would perform badly, as it is even stated on their website: no “AntiDrive-by [which] prevents against downloading viruses when surfing” and no “WebGuard [-] protection against malicious websites”. Anyway, it did something; let’s see the results:
OK, let’s prepare the test platform. As I explained in part 1, I use Oracle VM VirtualBox (recently updated to version 3.2.10) as a host sandbox. I can use this sandbox as a virtual computer to install basically any operating system. For the drive-by antivirus test I chose Windows Vista Home Premium SP2 32-bit. The idea is to make my system vulnerable, so it can be poisoned. Therefore, I intentionally do not install any updates. Additionally, I install Adobe Reader 8.1.1 and Java Runtime 220.127.116.11 — both have known security holes. At that point the test OS is finished and I create a copy of it, because once it is infected (I’m sure it will be), I will need a clean one.
I’m surprised to see that Microsoft delivers a pre-release beta version of Forefront Endpoint Protection 2010 to its corporate customers. What can force a company to use an unfinished product to protect its daily business? Though it is true that some well-established and evolved projects like Gmail had been running for years in the beta phase, I don’t really remember examples where corporate users were heavily involved in that. Corporate customers are usually the ones who drag the old versions (like Windows XP) along for a long, long time before any upgrade, because stability and low-cost service are the keys.
Forefront Endpoint Protection 2.0.375.0
Antimalware Client 3.0.6509.0
Here are some more screenshots below.
I’m going to perform a test of antivirus programs in the drive-by mode. That means I will consider what I think is the most frequent way of getting malware for a home user — via casual browsing on the internet. In my lab I will use a freshly installed system (not decided yet which one, most probably Windows XP or Windows 7 Windows Vista) without updates, and some buggy software from Adobe (Acrobat Reader, Flash) and Java, without the latest patches of course. I will use Internet Explorer 7 (standard for Windows Vista) and also other popular browsers, but again not too new — Firefox 3x, etc. Where do I get old versions of software? Old Applications for Windows is a good site. To stay safe in any case, I will use VM VirtualBox v.3.2.8 from Oracle. VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software, i.e. also free to use.
Where am I going to get infected web-sites? Good question. I will use Malware Domain List (www.malwaredomainlist.com) for that purpose. [WARNING: All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.] No one wants to pay 1500$ (!) for the Eleonore Exploits pack. But I see now that the current listing is full of Zeus v2 trojan variants!
Whatever I may say about the NIS interface, Symantec can afford to develop a super effective security package, spending millions of $$ to trump all their competitors. And it is good to have it almost free for a long time. 90 days (3 months) to me is a huge period to try it and make a decision. Consider this: even if you buy it, you basically have a trial of 360 days for a good sum of money.
Symantec has updated its “Windows 7 spoken here” security software page with offers for Microsoft customers. (I guess running MS Windows makes me automatically relevant to this category). Here’s the link: http://buy-static.norton.com/prod/html/partner/msft_EN.html
There you have Norton 360 Version 4.0 (old link) and new Norton AntiVirus 2011 version 18.104.22.168.
Direct download link: http://buy-download.norton.com/downloads/OEM/18.1/NAV_22.214.171.124_MS_LOEM_MRF1325A_5452.exe?LNG=EN&VENDORID=MICROSOFT (there is a missing file extension, so when you finish downloading, just rename the file to add exe extension)
The feature of this offer is a 90-day trial period — long enough to try it and make a decision.