Here’s the final round of my antivirus drive-by test. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2). First of all I wanted to see if major free antivirus programs would be effective against web threats. To make picture complete I also tested Norton Antivirus 2011 and ESET NOD32 Antivirus, yet surprisingly they did not show 100% protection as I expected from paid software. Again, it is important to note that I checked only the first lines of defence, because there are few of them to mention:
1. web site blocking based on IP, from the list of known domains containing malware
2. detection of malicious scripts while browsing
3. detection of exploit code before a web browser triggers it
4. shell-code detection
5. detection of downloaded installer (based on virus signatures or heuristics analysis)
As detection of sploit portion fully installed and functioning may take lots of man hours, I say an antivirus fails if it does not react up to 4th barrier, this is important to understand.
AVG Anti-Virus Free Edition 2011 (version 10.0.1136) performed very poorly in my drive-by test, I also noticed system slowdown while web browsing. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2).
The only exploit pack it detected was SEO Exploit kit, all others were undetected. Here’s the results:
I have Avast Antivirus free edition, version 5.0.677 in my lab for drive-by test. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2). I love Avast, because it is fast and not intrusive at all. It has been performing very well since version 4, and now it simply shines. That is why I was very pleased to see that it passed all my tests with malicious web-sites!
Avira AntiVir Personal 10.0.0.567 – Free Antivirus is under test today. Preparation is explained here (Part 1) and here (Part 2). I knew free edition of Avira would perform badly, as it is even stated on their website: no “AntiDrive-by [which] prevents against downloading viruses when surfing” and no “WebGuard [-] protection against malicious websites”. Anyway it did something, let’s see the results:
OK, let’s prepare the test platform. As I explained in the part 1, I use Oracle VM VirtualBox (recently updated to version 3.2.10) as a host sandbox. This sandbox I can use as a virtual computer to install basically any operating system. For the drive-by antivirus test I choose Windows Vista Home Premium SP2 32-bit. The idea is to make my system vulnerable, so it could be poisoned. Therefore, I intentially do not install any updates. Additionally, I install Adobe Reader 8.1.1 and Java Runtime 22.214.171.124 — both have known security holes. At that point the test OS is finished and I create a copy of it, because once it is infected (I’m sure it will be), I will need a clean one.
I’m going to perform a test of Antivirus programs in the drive-by mode. That means I will consider I think the most frequent way of getting malware for a home user — via casual browsing in the internet. In my lab I will use a freshly installed system (not decided yet which one,most probably Windows XP or Windows 7 Windows Vista) without updates and some buggy software from Adobe (Acrobat Reader, Flash) and Java without latest patches of course. I will use Internet Explorer 7 (standard for Windows Vista) also popular browsers, but not too new again — FireFox 3x, etc. Where do I get old versions of software? Old Applications for Windows is a good site. To stay safe in any case, I will use VM VirtualBox v.3.2.8 from Oracle. VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software, i.e. also free to use.
Where am I going to get infected web-sites? Good question. I will use Malware Domain List (www.malwaredomainlist.com) for that purpose. [WARNING: All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.] No one wants to pay 1500$ (!) for the Eleonore Exploits pack. But I see now that the current listing is full of zeus v2 trojan variants!