Here’s the final round of my antivirus drive-by test. Preparation for the drive-by test and setup configuration is described here (part 1) and here (part 2). First of all I wanted to see if major free antivirus programs would be effective against web threats. To make picture complete I also tested Norton Antivirus 2011 and ESET NOD32 Antivirus, yet surprisingly they did not show 100% protection as I expected from paid software. Again, it is important to note that I checked only the first lines of defence, because there are few of them to mention:
1. web site blocking based on IP, from the list of known domains containing malware
2. detection of malicious scripts while browsing
3. detection of exploit code before a web browser triggers it
4. shell-code detection
5. detection of downloaded installer (based on virus signatures or heuristics analysis)
As detection of sploit portion fully installed and functioning may take lots of man hours, I say an antivirus fails if it does not react up to 4th barrier, this is important to understand.
Test system setup
Windows Vista Home Premium SP2 32-bit
Adobe Reader 8.1.1
Java Runtime 188.8.131.52
Internet Explorer 7 build 6002.18002
Malwaredomainlist.com — this website lists the web addresses with planted exploits or redirects to exploits. The list is updated regularly.
Exploits and their version
Software programs under test
Avira AntiVir Personal 10.0.0.567 — link to the review
Avast Antivirus free edition 5.0.677 — link to the review
AVG Anti-Virus Free Edition 2011 10.0.1136 — link to the review
Norton Antivirus 2011 184.108.40.206 — review is below
Panda Cloud Antivirus 220.127.116.11 — review is below
ESET NOD32 18.104.22.168 — review is below
Microsoft Security Essentials 1.0.2 — review is below
KasperskyAntivirus 2011 22.214.171.1240 (a) — I could not test as KAV 2011 caused a blue screen of death on test Windows Vista Sp2 system.
The winner is Avast Antivirus free edition 5.0.677. It protected the system from all tested exploits. Detail overview is here.
In few instances I could not test particular exploits, so it is accordingly marked “not tested”. The reason is simple: there was no live link to exploit available at the time of the test.
All the others were not as good as Avast. Look below:
Norton Antivirus 2011 126.96.36.199 let Eleonore exploits pack run, screenshot is below (click to enlarge):
Exploits detected by NAV2011:
ESET NOD32 Antivirus 188.8.131.52 failed with Phoenix exploit kit and NeoSploit:
and passed with some others:
Panda Cloud Antivirus 184.108.40.206 did not detect anything (I tried only three sploits in this case):
Microsoft Security Essentials 1.0.2 failed to protect from anything except Phoenix exploit kit:
Easy to see from this test results that a modern antivirus with latest databases is not the all-round security solution. To have good protection it is essential to keep Windows and popular software (like Adobe Acrobat Reader) updated. What is really interesting here, paid security software can be less effective than free one, and Avast shines brightly in that respect.
This drive-by test has shown actually that Avast team takes its time to filter malicious web-sites in the first place, because the others mostly did not give a sh*t about them. And then it’s a different story to fight with an exploit than to simply block the web address. So, don’t get me wrong, Avast is not the best, but it looks like a reliable companion for internet browsing.