Slashdot Mirror


Many Antivirus Tools Fail in LinuxWorld Test

talkinsecurity writes "In a public, side-by-side test conducted last night at LinuxWorld, ten antivirus products were confronted with 25 known viruses. The results were surprisingly disparate. Only three of the products caught all of the viruses; three only caught 61 percent, and one caught an abysmal 6 percent. The test, which wasn't particularly complicated, proves that there still are wide differences in the effectiveness of AV tools. A lot of people think all AV tools are the same — they're not!"

234 comments

  1. The winners: by RichPowers · · Score: 5, Informative

    From TFA:

    Kaspersky, Symantec, and Clam AV: 100% caught

    FProt and Sophos: 94%

    McAfee: 89%

    GlobalHauri, Fortinet, and SonicWall: 61%

    WatchGuard's Linux AV: 6%

    And a graph of the results plus links to some of the test viruses: http://virus.untangle.com/

    1. Re:The winners: by alx5000 · · Score: 5, Interesting
      What's even funnier:

      WatchGuard disputes the test results, stating that it uses ClamAV -- one of the products that caught all of the viruses -- in its own product. "We don't see how the results could be valid -- our product uses ClamAV," a spokesman says.
      --
      My 0.02 cents
    2. Re:The winners: by Anonymous Coward · · Score: 5, Insightful

      I must have missed something. How, with 25 different viruses can one catch 6%? My math skillz tell me that it should be divisible by 4.

    3. Re:The winners: by Anonymous Coward · · Score: 5, Funny

      Duh, it detected a virus and a half! Do I have to explain everything to you??

    4. Re:The winners: by porl · · Score: 1

      maybe your feeble human-maths says so, but bistro-maths is becoming much more in vogue these days....

    5. Re:The winners: by careykohl · · Score: 4, Funny

      Well then, all WatchGuard needs to do now is back it up with some source code showing how they managed to fuck it up so bad it misses 94% of the viruses now.

    6. Re:The winners: by flu1d · · Score: 4, Interesting

      I guess that really all depends if they're using ClamAV's definition updates or not. The anti-virus engine is useless without a good list of definitions. ClamAV is pretty sweet due to the fact that you can create your own definition for a 0 day and submit it back to ClamAV while using the new definition.

    7. Re:The winners: by Christophotron · · Score: 1

      Where's NOD32? This test is lame.

    8. Re:The winners: by iminplaya · · Score: 2, Insightful

      You must be one of those old timers that didn't have to suffer the new math from the 60s. Hint: It's all about self esteem now.

      --
      What?
    9. Re:The winners: by hazem · · Score: 1

      I'm no math genius, but if there were only 25 viruses, how can any of the tools catch a percentage of them that is not a multiple of 4%?

    10. Re:The winners: by todd1000 · · Score: 1

      Exactly what I thought. I actually had to look at TFA and the sample size is 18. 5.55% is 6%

    11. Re:The winners: by blaine+the+monorail · · Score: 2, Informative

      If you read the website with the original results, it says that there were actually only 18 viruses in the first test, and Watchguard only caught one, which is 5.6%. You can download a nice spreadsheet with detailed information about which viruses every solution caught, too.

    12. Re:The winners: by Anonymous Coward · · Score: 0

      It's only 18... not 25

      see http://virus.untangle.com/

      I wonder how Avast would have done (having a Free version)

    13. Re:The winners: by Anonymous Coward · · Score: 0

      In fact, the only virus it caught in the test was 000_eicar.com
      Something tells me it wasn't installed correctly (author also admits he made mistakes in the installation of Sophos AV too)

    14. Re:The winners: by sbryant · · Score: 2, Informative

      How, with 25 different viruses can one catch 6%?

      Because the test set was 18, and not 25 as reported. 100/18=5.555. Have a look at the test results.

      -- Steve

    15. Re:The winners: by Anonymous Coward · · Score: 0

      Clam is a good open source MAIL server virus scanner. Not a good client full feature scanner.

      Checking signatures without any kind of heuristics is abandoned in DOS Antivirus ages after horrible failure rate when first polymorphic (true or half) virus appeared.

      Those tools like Kaspersky are running their own virtual machine to proactively check what a suspect file does after checking it for known beginner level virus signatures. Also they do it relatively without slowing the machine down, aka "transparent" to end user. Some commercial OS X antiviruses such as Intego Virusbarrier started to do same thing but of course compared to Windows focused antiviruses, they are at stone ages now.

      I just don't like people claiming those companies "charge for nothing" or "snake oil selling". No, just because Clam is there for free, it doesn't make commercial solutions some "hoax" like stuff. Same goes for AVG too.

      I submitted 3 undetected viruses to Clam project myself, all detected by free online Kaspersky. All were accepted. Signature based AV checking will work on mail viruses unless they move to a real programming language with ASM but not on some evil spyware/worms which are at boundaries of polymorphic code.

      This is for Linux/OS X users. If you buy a Linux/OS X antivirus to detect Windows Viruses on a Windows client, you are wasting your money. I see many Mac people buying Symantec etc. stuff, that is a real waste of money. If you like Symantec solutions: Good, go buy but buy the real thing running in real native win32.

    16. Re:The winners: by Bert64 · · Score: 1

      The idea of such products running on unix machines, is to protect malicious files from reaching windows clients...

      Aside from that, antivirus is an industry that shouldn't exist. People shouldn't be running as privileged users, to minimise the scope of damage from malware, and any vulnerabilities allowing malware to gain higher privileges should be fixed quickly, giving any virus a very short shelf life and limited scope to cause havoc.
      If you're not running as a privileged user, there are very few ways you can ensure your malware will be automatically started after a reboot.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re:The winners: by loginx · · Score: 1

      How do you catch 61% of 25 viruses? That's 15.25 viruses... the numbers are a bit weird...
      94% -> 23.5 viruses
      89% -> 22.25 viruses
      6% -> 1.5 virus

    18. Re:The winners: by Wolfrider · · Score: 1

      > all detected by free online Kaspersky

      --Hey, thanks for that; I usually use Avast, and didn't know K had a free online tool. // DL'ing now

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  2. LinuxWorld? Is that still relevant? by Anonymous Coward · · Score: 0

    I don't know anyone who is going to LinuxWorld this year. Is it still relevant? Are they still shoving GNU, Debian & other OSS projects to the back room?

    I registered for LinuxWorld (the free pass). 3 friggen times (God their registration website is miserable).

    I never received any sort of email or postal-mail confirmation, like I do for other conferences.

    Since I never got any sort of confirmation, I completely forgot about LinuxWorld. Now, LinuxWorld is almost over. Oh well, I guess I won't attend (representing our 50 linux machines, and a million dollars worth of hardware).

    Maybe I'm not their target audience anymore. My hair isn't pointy enough.

    1. Re:LinuxWorld? Is that still relevant? by JamesRose · · Score: 1

      I know they can pick up a lot of information when you connect to their website, IP, location, but hair pointiness?

    2. Re:LinuxWorld? Is that still relevant? by WNight · · Score: 1

      It's measured in typos. And the number of reboots it takes you to fill out a web form.

    3. Re:LinuxWorld? Is that still relevant? by Anonymous Coward · · Score: 0

      hair pointiness

      As in "Pointy Haired Boss". Linuxworld mostly caters to PHB's, not engineers.

  3. viruses on linux - a big deal anyway? by pddo · · Score: 3, Funny

    are viruses on linux an overflow from WINE?

    1. Re:viruses on linux - a big deal anyway? by adam.dorsey · · Score: 5, Informative

      Linux mail directors/servers/etc. often run AV to scan mail for their more vulnerable cousins from Redmond.

      --
      You are still innocent until proven guilty. What's changed is what they do to innocent people. - notnAP, #26891325
    2. Re:viruses on linux - a big deal anyway? by alx5000 · · Score: 1

      You seem to be missing an important issue: Linux workstations are often used as mail, web, ftp, etc. servers, and as firewalls and gateways as well. Being able to scan files that come in and out your network can sometimes prove indispensable.

      --
      My 0.02 cents
    3. Re:viruses on linux - a big deal anyway? by justkeeper · · Score: 1
      From TFA:

      Untangle first conducted the AV "fight club" two years ago, when it was trying to decide which AV tool to include in its network gateway,

      These anti-virus products are probably used in the gateways to inspect packets passing through them and stop malicious contents from spreading into Windows machines in the internal networks.
    4. Re:viruses on linux - a big deal anyway? by archen · · Score: 5, Informative

      And this is especially good news for those of us utilizing CLAM. You COULD spend a heap of cash adding on tons of crap to an exchange server and hope that it doesn't implode under the weight... or you could have a postfix mail gateway with Clam AV and some simple spam blocking techniques for only the cost of time and hardware. It's also good in a way that not only do you not get viruses IN, but you can keep them from going out as well. You've obviously got issues at that point, but at least you're not spreading the plague. All thanks to open source goodness.

    5. Re:viruses on linux - a big deal anyway? by cp.tar · · Score: 5, Funny

      Actually, I remember an article about the lack of compatibility between Windows and WINE.

      Of the four viruses thrown at it, WINE couldn't run one properly.

      Truly, Wine Is Not an Emulator.

      --
      Ignore this signature. By order.
    6. Re:viruses on linux - a big deal anyway? by JeffSh · · Score: 3, Informative

      Another viable option are the managed services i.e. messagelabs and postini. they are becoming increasingly popular and are a lot simpler to implement for small business.

    7. Re:viruses on linux - a big deal anyway? by deniable · · Score: 1

      We did that for years. We had an Exchange Server sitting behind a debian relay running spamassassin and clamav. We still had virus checkers on the Exchange box but they didn't get a lot of work.

    8. Re:viruses on linux - a big deal anyway? by SpaceLifeForm · · Score: 4, Funny

      There's a good thing about Exchange.
      By the time you get the e-mail, the zero-day is expired.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    9. Re:viruses on linux - a big deal anyway? by Hucko · · Score: 1
      I deliberately ran a virus in Wine once. The virus 'propagated' in the extracted directory but IIRC the actual vulnerability didn't work. I ran ClamAV and it deleted most of the files.

      P.S. I only installed Wine to do the test then uninstalled it. No harm done

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    10. Re:viruses on linux - a big deal anyway? by Ciggy · · Score: 1

      Actually, I remember an article about the lack of compatibility between Windows and WINE.

      Of the four viruses thrown at it, WINE couldn't run one properly.
      This one (http://os.newsforge.com/article.pl?sid=05/01/25/1430222) by any chance?
      --

      A rose by any other name would smell as sweet;
      A chrysanthemum by any other name would be easier to spell
  4. I came to moderate! by cdn-programmer · · Score: 1

    Not much here.

    The story could have shown a list of the tested viruses verses the AV software being tested. A simple table would have conveyed a great deal more information than the druel the fellow wrote. Yes I RTFA and as I said - it is not very informative.

    1. Re:I came to moderate! by shystershep · · Score: 3, Funny

      druel

      Is that a cross between drivel and drool? Maybe some gruel thrown in for flavor?

      --
      The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
    2. Re:I came to moderate! by Kymermosst · · Score: 2, Informative

      The story could have shown a list of the tested viruses verses the AV software being tested. A simple table would have conveyed a great deal more information than the druel the fellow wrote. Yes I RTFA and as I said - it is not very informative.

      You RTFA and then sadly don't do any research. Why would they bother to list the tested viruses when they provide the actual viruses (see "Test Set")?

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    3. Re:I came to moderate! by JackieBrown · · Score: 1

      Can you open the zip and tell me what they are?

    4. Re:I came to moderate! by compro01 · · Score: 1

      why open it? most any competent antivirus program can scan within a ZIP file.

      --
      upon the advice of my lawyer, i have no sig at this time
    5. Re:I came to moderate! by JackieBrown · · Score: 1

      But the above asked for a list.

    6. Re:I came to moderate! by JackieBrown · · Score: 3, Informative

      000_eicar.com
      001_eicarcom2.zip
      002_eicar_com.zip
      003_eicar.rar
      004_eicar.zip.bad_extension
      005_eicar_big.zip
      010_18_04_2005.exe
      011_abuselist.zip
      012_fullstory.exe
      013_image.jpg.exe
      014_message.pif
      015_mntrup.exe
      016_patch-6143.zip
      017_photo.pif
      018_q347558.exe
      019_scan_check.jpg.exe
      020_test.zip
      021_The_taxation.zip
      100_8.zip
      101_scan.jpg
      102_Syndony.zip
      103_Update-KB8136
      104_Attachement.scr
      105_image.jpg.exe
      106_Info.exe
      107_Please-confirm-pay
      108_virus_87
      109_virus_88
      110_vvzh.scr
      111_xxx.com
      112_untangle1.zip
      113_untangle21.zip
      114_untangle22.zip
      115_untangle3.zip
      116_untangle4.zip

    7. Re:I came to moderate! by mspohr · · Score: 1
      I just scanned the Virus samples zip file with my (presumably up to date) corporate Symantec Antivirus and it came up perfectly clean!??!!!

      I then unzipped the file and Symantec still let 14 of the viruses through!!

      --
      I don't read your sig. Why are you reading mine?
    8. Re:I came to moderate! by compro01 · · Score: 1

      i have a very low opinion of anything that comes out of Symantec these days. it not only has ungodly poor detection, it has a massive tendency to cause false positives (yes, my raw ASCII text file carries a "generic trojan", riiiigght) and randomly fuck up the internet connection (it detects an "infection" in the winsock configuration and tries to "fix" it, and ends up screwing the internet connection. fortunately it is easy to fix in XP.)

      i now take an uninstall first, ask questions later policy with that evil software.

      --
      upon the advice of my lawyer, i have no sig at this time
  5. AVG by DigiShaman · · Score: 3, Informative

    What about AVG? I really love it. I've installed on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff than Trend Micro, Symantec and McAfee.

    Also, Bitdefender and Nod32 are also good for the Windows environment. I'm curious to how all these ranked in the Linux world.

    --
    Life is not for the lazy.
    1. Re:AVG by Southpaw018 · · Score: 4, Informative

      They left out Eset NOD32 as well. Symantec and McAfee are the AV old guard: still strong, but also bloated, slow, and weakening. And they have the occasional health problems.

      Kaspersky and Eset seem to be the two main up and comers, and they left one out!

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    2. Re:AVG by Kymermosst · · Score: 3, Informative

      What about AVG? I really love it. I've installed on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff than Trend Micro, Symantec and McAfee.

      Also, Bitdefender and Nod32 are also good for the Windows environment. I'm curious to how all these ranked in the Linux world.


      Test them yourself. The virus samples they used are found here.

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    3. Re:AVG by omeomi · · Score: 3, Informative

      I've had good experiences with AVG. Unfortunately, on the rare occasions that I have had to deal with a virus, I've had to go through just about every single virus scanner that I can find before I'm able to completely eliminate the virus. Last time around, AVG was the one that correctly identified the virus, allowing me to find some special utility that somebody had written specifically to delete that particular virus. I think it was still a fairly new virus, which might explain why the major brands weren't able to clean my system, but I've been somewhat surprised in the past that it's so difficult to remove a virus/worm with commercial virus scanners.

    4. Re:AVG by cp.tar · · Score: 1, Funny

      Kaspersky and Eset seem to be the two main up and comers, and they left one out!

      Well, I haven't noticed a NOD32 for Linux... have you?

      --
      Ignore this signature. By order.
    5. Re:AVG by Feyr · · Score: 3, Informative

      my experience mirrors yours. based on many dozens of PCs running AVG: it's excellent at detection but once a virus does get past it you're fucked

    6. Re:AVG by schwaang · · Score: 3, Informative

      NOD32 Antivirus for File Servers runs seamlessly on all mainstream Linux distributions (RedHat, Mandrake, SuSE, Debian and others) and FreeBSD. The small footprint and fast performance makes NOD32 optimally suited for real-time or on-demand protection of your Unix File System Servers.


      http://www.eset.com/products/linux.php
    7. Re:AVG by Anonymous Coward · · Score: 1, Informative

      I downloaded their sample viruses (35 files) and scanned them using AVG.
      After remembering to turn on archive scanning it found 31 of them to be infected.
      I'd say that's pretty decent, a shame they left it out of the their tests.

      They don't exactly make the Linux version easy to find on their site but here's a forum link:
      http://forum.grisoft.cz/freeforum/read.php?10,94501,backpage=,sv=

    8. Re:AVG by SpaceLifeForm · · Score: 1

      What platform?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    9. Re:AVG by freeone3000 · · Score: 1

      Not even mentioning avast. I've used AVG for a while, but Avast! scans much faster and offers the same features, plus the linux version is free-to-use as well.

    10. Re:AVG by cp.tar · · Score: 2, Funny

      Well, my bad...

      In that case, I have two things to wonder about:
      1. Why wasn't it included in the test? and
      2. WTF was my original post moderated Funny for?

      --
      Ignore this signature. By order.
    11. Re:AVG by it0 · · Score: 1

      I have bitdefender running on my system
      it0@home:/tmp/virus$ bdc all/*
      BDC/Linux-Console v7.1 (build 2559) (i386) (Jul 6 2005 16:28:53)
      Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.

      /tmp/virus/all/000_eicar.com infected: EICAR-Test-File (not a virus)
      /tmp/virus/all/001_eicarcom2.zip=>eicar_com.zip=>eicar.com infected: EICAR-Test-File (not a virus)
      /tmp/virus/all/002_eicar_com.zip=>eicar.com infected: EICAR-Test-File (not a virus)
      /tmp/virus/all/004_eicar.zip.bad_extension=>eicar/00_eicar.com infected: EICAR-Test-File (not a virus)
      /tmp/virus/all/010_18_04_2005.exe infected: Win32.Bagle.JF@mm
      /tmp/virus/all/011_abuselist.zip=>document.txt.exe infected: Win32.Netsky.P@mm
      /tmp/virus/all/012_fullstory.exe infected: Trojan.Peed.Gen
      /tmp/virus/all/013_image.jpg.exe infected: Trojan.Banker.BZ
      /tmp/virus/all/014_message.pif infected: Win32.Worm.Mytob.IB.Damaged
      /tmp/virus/all/015_mntrup.exe infected: Trojan.Downloader.Delmed.A
      /tmp/virus/all/017_photo.pif infected: Win32.Netsky.P@mm
      /tmp/virus/all/018_q347558.exe infected: Win32.Swen.A@mm
      /tmp/virus/all/019_scan_check.jpg.exe infected: Trojan.Spy.Goldun.S
      /tmp/virus/all/020_test.zip=>test.exe infected: Win32.Worm.Mytob.T
      /tmp/virus/all/101_scan.jpg infected: Trojan.Spy.Goldun.Q
      /tmp/virus/all/104_Attachment.scr infected: Win32.Mydoom.M@mm
      /tmp/virus/all/105_image.jpg.exe infected: Trojan.Banker.BZ
      /tmp/virus/all/106_Info.exe infected: Win32.Bagle.W@mm.damaged
      /tmp/virus/all/108_virus_87.bin infected: Trojan.Dropper.Rootkit.I
      /tmp/virus/all/109_virus_88.bin infected: Trojan.Dropper.RIE
      /tmp/virus/all/110_vvzh.scr infected: Win32.Mydoom.AQ@mm

      Results:
      Folders :0
      Files :44
      Packed :10
      Infected files :21
      Suspect files :0
      Warnings :0
      Identified viruses:21
      I/O errors :0
      Files/second :14
      Scan time :00:00:03

      Some notes

      112_untangle1.zip Contains password, therefore cannot be checked
      113_untangle21.zip Correctly identified when first manually unzipped, strange because BDC can check inside zips
      114_untangle22.zip-(07-08-08_01:24) Correctly identified when first manually unzipped, strange because BDC can check inside zips
      115_untangle3.zip Contains password, therefore cannot be checked
      116_untangle4.zip Contains password, therefore cannot be checked

    12. Re:AVG by it0 · · Score: 1

      Also this is what clamav says

      it0@home:/tmp/virus/all$ clamscan
      /tmp/virus/all/109_virus_88.bin: OK
      /tmp/virus/all/018_q347558.exe: Worm.Gibe.F FOUND
      /tmp/virus/all/004_eicar.zip.bad_extension: Eicar-Test-Signature FOUND
      /tmp/virus/all/016_patch-6143.zip: Trojan.Small-zippwd-17 FOUND
      /tmp/virus/all/011_abuselist.zip: Worm.SomeFool.P FOUND
      /tmp/virus/all/020_test.zip: Worm.Mytob.KT FOUND
      /tmp/virus/all/010_18_04_2005.exe: Worm.Bagle.ET FOUND
      /tmp/virus/all/107_Please-confirm-my-payment.eml: Trojan.Goldun.S-2 FOUND
      /tmp/virus/all/108_virus_87.bin: Trojan.Downloader-12155 FOUND
      /tmp/virus/all/110_vvzh.scr: Worm.Mydoom.AV FOUND
      /tmp/virus/all/001_eicarcom2.zip: Eicar-Test-Signature FOUND
      /tmp/virus/all/115_untangle3.zip: OK
      /tmp/virus/all/002_eicar_com.zip: Eicar-Test-Signature FOUND
      /tmp/virus/all/100_8.zip: Worm.Bagle.EI FOUND
      /tmp/virus/all/114_untangle22.zip-(07-08-08_01:24) : Trojan.Downloader.Small-3219 FOUND
      /tmp/virus/all/014_message.pif: Worm.Mytob.Crypt.Gen FOUND
      /tmp/virus/all/103_Update-KB8156-x86.exe: Worm.Stration.JH FOUND
      /tmp/virus/all/106_Info.exe: Worm.Bagle.Y FOUND
      /tmp/virus/all/015_mntrup.exe: Trojan.Downloader.Delmed-2 FOUND
      /tmp/virus/all/116_untangle4.zip: OK
      /tmp/virus/all/000_eicar.com: Eicar-Test-Signature FOUND
      /tmp/virus/all/017_photo.pif: Worm.SomeFool.P FOUND
      /tmp/virus/all/102_Syndony.zip: Worm.Bagle.CD-1 FOUND
      /tmp/virus/all/105_image.jpg.exe: Trojan.Dropper.Small.UU FOUND
      /tmp/virus/all/019_scan_check.jpg.exe: Trojan.Goldun.S-2 FOUND
      /tmp/virus/all/113_untangle21.zip: W32.Philis-232 FOUND
      /tmp/virus/all/012_fullstory.exe: Trojan.Downloader-647 FOUND
      /tmp/virus/all/111_xxx.com: Trojan.Spy-6766 FOUND
      /tmp/virus/all/013_image.jpg.exe: Trojan.Dropper.Small.UU FOUND
      /tmp/virus/all/021_The_taxation.zip: Worm.Bagle.FO FOUND
      /tmp/virus/all/003_eicar.rar: Eicar-Test-Signature FOUND
      /tmp/virus/all/104_Attachment.scr: Worm.Mydoom.M FOUND
      /tmp/virus/all/112_untangle1.zip: OK
      /tmp/virus/all/101_scan.jpg: Trojan.Spy.Goldun.N-unp FOUND

      ----------- SCAN SUMMARY -----------
      Known viruses: 142800
      Engine version: 0.91.1
      Scanned directories: 1
      Scanned files: 34
      Infected files: 30
      Data scanned: 7.08 MB
      Time: 5.890 sec (0 m 5 s)

      Better results, but still the zipfiles with password couldn't be checked.
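The point in the two scan comments above, that an "OK" on a password-protected archive means "could not look inside" rather than "clean", can be checked mechanically. This is an added example, not code from the thread or from ClamAV: it parses clamscan-style result lines and reclassifies "OK" verdicts on ZIPs with encrypted members. The file contents are constructed placeholders and every function name is hypothetical.

```python
import io
import re
import zipfile

# clamscan prints one "<path>: <signature> FOUND" or "<path>: OK" line per file.
RESULT_LINE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_clamscan(output):
    """Return {basename: signature or None}; summary lines are ignored."""
    verdicts = {}
    for line in output.splitlines():
        match = RESULT_LINE.match(line.strip())
        if match:
            name = match.group("path").rsplit("/", 1)[-1]
            verdicts[name] = match.group("sig")
    return verdicts


def has_encrypted_member(data):
    """True if data is a ZIP whose central directory flags a member as encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted member.
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(verdicts, contents):
    """Label each file 'detected', 'reported clean' or 'not scanned'."""
    labels = {}
    for name, signature in verdicts.items():
        if signature:
            labels[name] = "detected"
        elif has_encrypted_member(contents[name]):
            labels[name] = "not scanned"  # scanner said OK but could not open it
        else:
            labels[name] = "reported clean"
    return labels


def summarize(labels):
    """Return (detected, actually_scanned, sorted names that were not scanned)."""
    detected = sum(1 for v in labels.values() if v == "detected")
    unscanned = sorted(n for n, v in labels.items() if v == "not scanned")
    return detected, len(labels) - len(unscanned), unscanned


def make_zip(member, payload, encrypted=False):
    """Build a constructed sample ZIP; optionally set the 'encrypted' flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The flag is the 2-byte field at offset 8 of the central directory header.
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


# Result lines in the format of the clamscan run posted above (a subset).
SAMPLE_OUTPUT = """\
/tmp/virus/all/109_virus_88.bin: OK
/tmp/virus/all/002_eicar_com.zip: Eicar-Test-Signature FOUND
/tmp/virus/all/115_untangle3.zip: OK
/tmp/virus/all/000_eicar.com: Eicar-Test-Signature FOUND
/tmp/virus/all/112_untangle1.zip: OK

----------- SCAN SUMMARY -----------
"""

# Constructed placeholder contents: no real samples, only the ZIP flag matters.
SAMPLE_FILES = {
    "109_virus_88.bin": b"constructed placeholder bytes",
    "002_eicar_com.zip": make_zip("member.txt", b"placeholder"),
    "115_untangle3.zip": make_zip("member.txt", b"placeholder", encrypted=True),
    "000_eicar.com": b"constructed placeholder bytes",
    "112_untangle1.zip": make_zip("member.txt", b"placeholder", encrypted=True),
}

if __name__ == "__main__":
    labels = classify(parse_clamscan(SAMPLE_OUTPUT), SAMPLE_FILES)
    for name in sorted(labels):
        print(f"{name:22} {labels[name]}")
    print(summarize(labels))
```

Reporting the detection rate over the files that were actually scanned, with the unscanned ones listed separately, keeps a locked archive from being counted as a clean result.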

    13. Re:AVG by ElBeano · · Score: 1

      Removing a virus AFTER an infection is often a tricky proposition. Another poster suggested safe mode. My modus operandi is to scan the hard disk from a known clean machine. A self-scanning, infected machine will quite often miss something. The best self-scan I've seen is the AVAST boot-time scan, which scans before Windows completely loads.

    14. Re:AVG by Anonymous Coward · · Score: 0

      Thank you. I've some scores to settle.

    15. Re:AVG by Anonymous Coward · · Score: 0
      Being curious about how nod32 compares to the AVs in the test, i scanned the sample files in windows, using the latest definitions. Presumably the file server version of nod32 should have the same results. Below are the results
      found

      000_eicar.com
      001_eicarcom2.zip
      002_eicar_com.zip
      003_eicar.rar
      004_eicar.zip.bad_extension
      010_18_04_2005.exe
      011_abuselist.zip
      012_fullstory.exe
      013_image.jpg.exe
      014_message.pif
      015_mntrup.exe
      017_photo.pif
      018_q347558.exe
      019_scan_check.jpg.exe
      020_test.zip
      021_The_taxation.zip
      100_8.zip
      101_scan.jpg
      102_Syndony.zip
      103_Update-KB8156-x86.exe
      104_Attachment.scr
      105_image.jpg.exe
      106_Info.exe
      107_Please-confirm-my-payment.eml
      108_virus_87.bin
      109_virus_88.bin
      110_vvzh.scr
      111_xxx.com
      113_untangle21.zip
      not found - password protected files inside the archive

      016_patch-6143.zip
      112_untangle1.zip
      114_untangle22.zip-(07-08-08_01
      115_untangle3.zip
      116_untangle4.zip
    16. Re:AVG by kad77 · · Score: 1

      I think you missed the test archive password is 'a'. Using that password, I attempted to extract every file from the archive using 7zip. I have ESET NOD32 running in a test W2k3 Std VM.

      Running version 2450 (20070810) of NOD32's virus database, it caught every file and removed content as it was being written to 7zip's temp folder. I then disabled the file system monitor, and tried to extract again. The resident memory scanner wouldn't let 7zip process any files either.

      FYI.

    17. Re:AVG by Anonymous Coward · · Score: 0

      "They left out Eset NOD32 as well." - by Southpaw018 (793465) * on Thursday August 09, @09:16PM (#20177583)

      Funny that, eh?

      NOD32 is THE BEST ONE OVERALL too, per tests myself & others investigated (vs. my former fav. in NORTON CORPORATE PRODUCTS NO LESS) + noted results on via comparisons done on most all, if NOT all, commercially available antivirus products for Windows, here:

      http://forums.techpowerup.com/showthread.php?s=aedb3b4e4ca35cdd452e78f4a0c22c3f&t=26400&highlight=NOD32

      (Where I was a BIG fan & proponent of Symantec's 10.2 "corporate client" model of their antivirus no less, vs. NOD32... & I HAD MY VIEWS CHANGED after that, per the above url's tests, no less!)

      Not the "MOST COMPREHENSIVE TEST" on our parts (mostly memory residency & bloat comparisons as well as number of 'moving parts'/'active ingredients' so-to-speak)... but, for that? We used the MOST COMPREHENSIVE & CURRENT DATA FOR THAT WE COULD FIND, from sites that DID test efficacy vs. virus databases & samples they had as referential evidence thereof.

      LINUX SECURITY?

      Well when challenged head-to-head by myself on a FAIR MULTIPLATFORM test of the gauge of security online in CIS Tool by the center for internet security, vs. one of your users here @ /., in SanityInAnarchy? Here were his evasions, & lack of know how (including insinuating he'd post a faked image of his result score):


      http://slashdot.org/comments.pl?sid=264303&cid=20182847

      Hmmm... Well, you read that, you judge!

      APK

      P.S.=> Smart of you, investigating the "test data set sample", because "4/5 dentists do NOT necessarily chew Trident", regardless of "F.U.D." spreading commercials, trying the OLDEST TRICK IN THE STATISTICS BOOK (a skewed sampleset of data sampled & used)... apk

    18. Re:AVG by lennier1 · · Score: 1

      >>2. WTF was my original post moderated Funny for?
      Probably because NOD32 (at least the Windows branch) tends to be so resource-friendly and yet efficient that it's barely noticeable at all.

    19. Re:AVG by SiChemist · · Score: 1

      Or, you could use a linux live CD like this one:
      http://www.inside-security.de/insert_en.html

      I'm sure there are plenty others, this is just the first one I ran across.

    20. Re:AVG by macdaddy · · Score: 2, Funny

      AVG did the same for me about a month ago. Vundo got on my laptop and it took forever to get rid of the damn thing. It always makes me nervous when the instructions for doing something in Windows point out that "your machine will blue screen after this step but don't worry; that's normal."

    21. Re:AVG by mgrussin · · Score: 1

      The virus samples are actually viruses so beware, may not be the best way to test your system if there are any concerns...

    22. Re:AVG by rtechie · · Score: 1

      As others have pointed out, somewhat confusingly, whenever possible you should NOT try to remove a virus in situ (while Windows is running).

      Option #1. The ideal situation is to pull the hard drive from the system, drop it in another, and then examine the drive. This will give you maximum forensic flexibility to fix the drive with a wide variety of tools.

      Option #2. If the above isn't feasible, use a bootable LiveCD of some kind to boot into a CD-based "recovery OS" that will allow you to edit the registry, run recovery tools, etc. I recommend a Windows-based LiveCD like Ultimate Boot CD for Windows http://www.ubcd4win.com/ for recovery of Windows systems.

      Option #3. If neither of the above options is available, at minimum, reboot into Safe Mode to do the virus recovery.

    23. Re:AVG by AP31R0N · · Score: 1

      i'm testing NOD32 for my company's AV (100ish PCs). So far it's a ninja. It finds things the others left behind.

      --
      Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
  6. math question by jeebee · · Score: 2, Interesting

    How does i/25 not equal 4*i%? Were some of the 25 viruses half-caught, or one-quarter caught?

    1. Re:math question by Anonymous Coward · · Score: 0

      It is not a math question but a biological question: were the statistics pulled out of a dog ass or a horse ass?

    2. Re:math question by seriesrover · · Score: 3, Insightful

      that's exactly what I was thinking...how can you have 25 viruses and get anything other than 4%, 8%, 12% etc. The article refers to 6%, 61% and 89%...bizarre - I can only reason that they weighted the severity of each virus.

    3. Re:math question by mhall119 · · Score: 1
      From the article (emphasis mine):

      One product, WatchGuard's Linux AV tool, caught fewer than 6 percent of the viruses sent to it.

      Obviously WatchGuard only caught 4% (or maybe 0%), and they were just trying not to embarrass them too much, you insensitive clod.
      --
      http://www.mhall119.com
    4. Re:math question by glitch23 · · Score: 0

      How does i/25 not equal 4*i%? Were some of the 25 viruses half-caught, or one-quarter caught?

      Maybe some were caught but identified incorrectly.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    5. Re:math question by VirusEqualsVeryYes · · Score: 3, Insightful

      Additionally, they could have calculated the type of virus (by entry method, severity (as you mentioned), spread method, mode of attack, age, etc.) and weighed their percentages in the wild. It's also possible that the programs perhaps prevented some of the damage of some of the viruses, thus meriting partial credit.

      It's also possible I'm wrong, but either way, the article is omitting some information we're supposed to know.

    6. Re:math question by Bibz · · Score: 5, Informative

      Because the summary isn't right.

      They used 18 test cases, Watchguard got only one : 1/18 = 5.55%, rounded = 6%

      All from the spreadsheet available at http://virus.untangle.com/

      --
      I didn't found something funny to put here.
    7. Re:math question by Anonymous Coward · · Score: 0

      I'm more interested in how you got imaginary viruses.

    8. Re:math question by AlanS2002 · · Score: 1

      Multiple runs of the tests, perhaps.

      --
      Not all conservatives are stupid,
      but it is true that most stupid people are conservative.
      - Hume
    9. Re:math question by Spikeles · · Score: 1

      Actually if you read the spreadsheet, the only thing Watch guard picked up was the EICAR test pattern.

      Which is fairly easy to test since it's just a string of characters that make a fully workable DOS program..
      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      --
      I don't need to test my programs.. I have an error correcting modem.
    10. Re:math question by jsiren · · Score: 1

      From http://virus.untangle.com/ : for the Wild+Eicar chart, n=18; for the overall catch rate chart, n=35. Writeup is at http://blog.untangle.com/?p=96 .

      --
      Usage: km/h for speed (kilometers per hour); kph for very slow impulses (kilopond hours).
    11. Re:math question by Von+Helmet · · Score: 1

      Well, i is imaginary, after all.

  7. Odd numbers. by DerekLyons · · Score: 4, Interesting

    Something seems a little strange here. With 25 test cases, and a binary outcome (either the virus was detected or it was not), the %caught should proceed in even steps of 4%. There's some number massaging going on somewhere.
     
    Hmm... the Fight Club Website lists 35 test cases, not 25. It's not clear if there is any overlap between the various test cases. In fact, there's not any discussion of the testing methodology (let alone what precisely was tested) at all. Just "here's our numbers - believe them or infect your own machine and find out for yourself".
     
    Now, while I admire the 'do it yourself' hacker ethos as much as the next guy - this is taking it a bit too far.

    1. Re:Odd numbers. by Bibz · · Score: 5, Informative

      Well examining the Excel sheet here http://virus.untangle.com/, they used 18 test cases, so they got 5.6% for Watchguard

      The summary was wrong, it's either 18 test cases or 35 test cases, depending on the section you're looking at...

      --
      I didn't found something funny to put here.
    2. Re:Odd numbers. by g0at · · Score: 1

      The summary was wrong, it's either 18 test cases or 35 test cases, depending on the section you're looking at...

      Well, the average of 18 and 35 *is* 25 (within about 6%). :)

    3. Re:Odd numbers. by sneakerpimps · · Score: 2, Informative

      Look at the page: http://virus.untangle.com/.

      • For the "Wild + Eicar Catch Rate" it says, "The sample size of this test is 18 (not 25 as some cited)."
      • For the "Overall Catch Rate" it says, "The sample size of this test is 35."
    4. Re:Odd numbers. by Gnavpot · · Score: 1

      The summary was wrong, it's either 18 test cases or 35 test cases, depending on the section you're looking at...

      Well, the average of 18 and 35 *is* 25 (within about 6%). :)

      It is actually a logarithmic average (within about 0.4%).

      So obviously, some nerd is responsible for writing "25".
  8. Online Scanners Considered... Bad? by eddy · · Score: 5, Interesting

    For fun I downloaded an application where I suspected the "keygen" was trojanized. I was correct; the real keygen had been bundled with some, as it would turn out, Off The Shelf trojan. However, I didn't know what trojan so I scanned with F-Secure's online-engine, which didn't detect anything (neither did my active AVG installation). So I sent in the executable as a sample, explained what little I had to say; where I found the file, that it was pecompact2'ed, that their online scan didn't detect it. The process of submitting a file req. you to attach the scanner log.

    Got the reply that "The file you submitted was found to be malicious, and is already detected as Trojan-Downloader.Win32.Delf.asz using the latest virus definitions." and "Please update your virus definition databases to properly detect the file".

    Remember, I had scanned it using their latest online scanner and provided the log where the trojan was NOT detected.

    So, maybe an extra warning for online scanning engines.

    PS.
    Shortly after I had submitted the file to f-prot, AVG started detecting it.

    --
    Belief is the currency of delusion.
    1. Re:Online Scanners Considered... Bad? by ianare · · Score: 2, Funny

      "The file you submitted was found to be malicious, and is already detected as Trojan-Downloader.Win32.Delf.asz using the latest virus definitions. Please update your virus definition databases to properly detect the file".

      Translation:
      "Thanks for your submission, we analyzed the file and it's a new variant of Trojan-Downloader.Win32.Delf.asz that we hadn't seen before. Do an update to verify it's being detected properly by the client."
    2. Re:Online Scanners Considered... Bad? by MikeBabcock · · Score: 1

      I've had excellent results myself with submitting unknown suspicious files to McAfee. Sure, their software isn't what it used to be, but they've been very fast at getting back to me with virus definition "extra.dat" files to detect the virus/trojan in the field.

      --
      - Michael T. Babcock (Yes, I blog)
    3. Re:Online Scanners Considered... Bad? by r_jensen11 · · Score: 1

      A while ago, I purposely downloaded the Bagle virus from one of my old yahoo accounts. That's when I found out the media was messing up every time they referred to it as the Beagle virus. How did I find out it was really Bagel? Because I opened it in vi, vi went into hex mode, and I found a bunch of registry strings containing Bagle instead of Beagle. In order to download it (because the online filters caught it as a virus,) I had to supply the direct URL that bypassed Yahoo's antivirus. It wasn't hard, all I had to do was delete a section of the URL string.

      Someone asked me to send them a copy of the virus because they wanted to have a look at it too. I think I just renamed it to something like Bagle.jpg or something along those lines. But then again, that was years ago.

    4. Re:Online Scanners Considered... Bad? by Spikeles · · Score: 2, Funny

      I purposely downloaded the Bagle virus

      How did I find out it was really Bagel?

      containing Bagle instead of Beagle
      I'm sorry, which is it again?
      --
      I don't need to test my programs.. I have an error correcting modem.
    5. Re:Online Scanners Considered... Bad? by Hal_Porter · · Score: 1

      Bagle is an interesting virus that affects both people and computers. Not only is it polymorphic in computer memory to evade virus scanners, the name is also polymorphic in English when infected people talk about it to confuse the uninfected.

      The solution is to wear gloves when disinfecting infected systems. If someone like the unfortunate GP fumbles the name repeatedly, they are probably infected too and you should kill them and then burn their body. There are also some reports that people infected with Beagle spread misinformation and incite chaos to sabotage attempts at eradicating it.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  9. ClamAV among top 3! by blind+biker · · Score: 2, Insightful

    Nice to see opensource programs perform so well, so consistently. I only wish the author(s) maintained the ports and packages himself. The Win32 port seems a bit of an afterthought. Anyway, still a brilliant antivirus program.

    (My other OS favourites include Audacity, CDex, The GIMP and OpenSolaris (you didn't expect that one coming, did you)).

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:ClamAV among top 3! by jnf · · Score: 1

      It's a horrible AV program, unless you don't count the fact it will get you owned

    2. Re:ClamAV among top 3! by Anonymous Coward · · Score: 0

      The most severe unpatched Secunia advisory affecting Clam AntiVirus (clamav) 0.x, with all vendor patches applied, is rated Not critical

      There's one privilege escalation vulnerability, which is local-only. And pretty easy to avoid:

      Secunia Advisory: SA11253
      Release Date: 2004-03-31

      Critical: Not critical
      Impact: Privilege escalation
      Where: From local network
      Solution Status: Unpatched

      Software: Clam AntiVirus (clamav) 0.x

      Description:
      l0om has reported a security issue in Clam AntiVirus, which potentially can be exploited by malicious, local users to gain escalated privileges.

      An administrative user can use the "VirusEvent" directive in "clamav.conf" to create events for the realtime scanner, which allows a specified command to be executed when a virus is detected.
      *snip*

      Solution:
      Don't use the "%f" specifier when creating a VirusEvent.

      Whoo, I'm terrified. What if I go in as an administrator and set up a virus event using the %f specifier and then allow someone local access to my machine? Or what if I just hand them the friggin' password while I'm at it?

      Yeah, Clamav is a TERRIBLE virus scanner because of that. *eye-roll*
    3. Re:ClamAV among top 3! by jnf · · Score: 1

      • CVE-2007-3123 - heap overflow
      • CVE-2007-3122 - AV scan bypass
      • CVE-2007-3023 - 'does not properly calculate the end of a certain buffer' (most likely an overflow of one kind or another)
      • CVE-2007-1997 - signedness bug leads to heap overflow
      • CVE-2007-0898 - arbitrary file overwrite (oh noes not those evil ..'s)

      That's excluding all of the vulns that are clearly DoS only's, which is amusing considering a DoS in your AV is potentially very damaging. That's only this year, there are tons for years past. Seriously, check your facts before opening your yap. ClamAV has been and continues to be bug ridden.

    4. Re:ClamAV among top 3! by moosesocks · · Score: 1

      Meh. Not The GIMP.

      GIMP represents a vestige of the old linux world. It tries to do too much, and fails miserably at all of it. The UI's confusing, the feature set doesn't even remotely rival Photoshop, and it's never going to be taken seriously until it gets a new name.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    5. Re:ClamAV among top 3! by Hal_Porter · · Score: 1

      But what about the cathedral and the bazaar? Many eyeballs make all bugs shallow? Surely only evil closed source software contains bugs?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    6. Re:ClamAV among top 3! by Anonymous Coward · · Score: 0

      Right now everyone with a support & software contract on their corporate antivirus product is chuckling at your naiveté.

      Symantec & McAfee release minor updates on their CAV products once a month, sometimes more. They don't push them out so users running LiveUpdate (etc.) can get them, instead they require the company contact to download a full AV distribution to get that minor update, then roll it out on their own to desktops. That alone makes for a lot of antique CAV versions installed on corporate desktops.

      And of course like all closed source, until you get bitten by a bug you have no idea that it exists, since their bug database isn't public. Rag all you want on a public bug database, but just because you have the ability to see all the bugs logged for an open source product doesn't mean bugs every bit as dangerous/annoying don't exist in your favorite closed source product.

  10. Zombies by Porchroof · · Score: 1

    It is understandable why there are so many zombies out here spewing spam 24 hours a day. Nobody has a clean machine and there is no way to obtain one without reformatting the hard drive and reinstalling the minimum.

    I'm fairly knowledgeable about home computers (I bought my first one in 1976) and I have a weird feeling in my gut that there is something on this computer that shouldn't be there. But all of the tools I've tried (antivirus, antispyware, etc.) have found nothing wrong.

    I coined a word a while back: filthify, v., to give a computer access to the Internet.

    --
    Fata viam invenient.
    1. Re:Zombies by bmo · · Score: 5, Insightful

      If you suspect something is evil with your setup, you should go with your gut instincts. You are probably more right than you know.

      You should get away from antivirus. Seriously. I'm going to sound like a salesman, but bear with me a bit.

      Antivirus and anti-malware in general, on Windows machines, closes the barn door after every single horse has bolted. There is _no_ way to be sure your Windows computer is badware/zombieware free. To top this off, it often sucks up incredible amounts of cycles that turn the latest gamer machine into an XT.

      There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze. What you do is establish a "ground state" for the machine by doing a bare metal install and then installing DeepFreeze. You then have certain areas for data that are unfrozen, but the rest is basically locked up tight.

      Surf by an evil site and get a drive-by install? Laugh maniacally, and reboot. The evil bits are then...gone. The machine has returned to its ground state. To install software permanently, you must "unfreeze" the machine, install your software, and then refreeze. The refreezing can be automatic for the next reboot or specified for a certain number of reboots, like if you were doing a Windows update and have to suffer through the interminable reboots. So it also gives Windows "parental supervision" - even for the 9x machines that don't have the concept of an "administrator" account.

      Evilware in the presence of DeepFreeze is about as sticky as snot to teflon. If you insist on staying with Windows, this will let you sleep at night.

      I swear, Faronics should hire me.

      --
      BMO

    2. Re:Zombies by ozzee · · Score: 3, Interesting

      I actually do the same kind of thing. Whenever I get a new machine, I snapshot the HDD before I even boot it the first time. Then I run the auto updates from MS and snapshot it again. I then regularly wipe the machine by restoring a snapshot. (It also forces me to keep my data somewhere else that is safe.)

      The only advantage of this over the DeepFreeze thing is that I can unfreeze to multiple prior states.

      I think it should be a standard feature with these 100GB++ notebook drives.

    3. Re:Zombies by imemyself · · Score: 5, Informative

      There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze

      Have you ever worked in a tech department that had to support frozen computers? It turns a project that would maybe take fifteen or twenty minutes per lab into something more like an hour long. The school district that I work for used Deep Freeze on most of the desktops at the high school up until about a year or two ago. Taking DF off made it a lot quicker to make minor changes to the computers during the year, and there haven't been any significant problems. Students and teachers are also happier with it because it prevents stuff that people have saved in My Documents (yes, the kids are told over, and over again to save to their mapped home directories - but occasionally they don't) from being wiped out.

      About the same time as that we also took students out of the Admin group (I'm not exactly sure why they were in there in the first place - no apps have had any problems with it), so that mitigated any significant problems as well. We also have McAfee managed AV and 8e6 web filtering, but AFAIK it's fairly rare that any viruses or malware are found on the student computers. The laptops that the teachers have (and have admin rights on) are another story. But they would whine if they couldn't add weatherbug and have five different toolbars in IE. Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it. Students/regular non-admin users should not be able to cause damage to the OS. In a well run environment there shouldn't be tons of problems with malware. Yeah, there is going to be an occasional piece of malware that exploits a security vulnerability that could screw up the system. But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups.
      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    4. Re:Zombies by Anonymous Coward · · Score: 0

      Um, i had my server running for over a year and I did all kinds of stuff to/with it, and finally installed SAV 10 on it and it found Nothing!

      well, it deleted my rainbowrcrack exe, and some other important files, but It found no malicious stuff.

    5. Re:Zombies by bmo · · Score: 4, Funny

      "Have you ever worked in a tech department that had to support frozen computers?"

      A bit. It's a PITA, but for static setups that don't need touching and subject to "many hands" like in a library, it's not bad. Let's just say that students in a classroom are typically better behaved than many library patrons.

      " Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it."

      Well, I think the problem with that lies elsewhere, probably in a place called Redmond. All this stuff is just patches upon patches to keep Windows from eating itself.

      "But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups."

      Some would say that this should be the default, but "design and marketing decisions" prevent that.

      "But they would whine if they couldn't add weatherbug and have five different toolbars in IE"

      Nnnggghhh.... *puts on BOFH hat* "YOU GET THE POLICY OF DOOM! MUAHAHAHAHAHAH!!!!"

      --
      BMO

    6. Re:Zombies by compro01 · · Score: 1

      i dunno about the not swear at part.

      the IT dept at the local school district recently ditched it as they kept having problems where it wouldn't unfreeze properly to install updates and it would foul up their update schedules (they have it rigged so it's supposed to reboot to thawed, then check for and install updates for all the programs every day at 11pm or thereabouts, then reboot frozen), but sometimes for no apparent reason, it wouldn't thaw and all the updates would get fouled up and systems would go unupdated for days and they'd have to go out and do it manually once they discovered it.

      these problems were happening on win xp pro, though on a single-user computer that should be not much of an issue as it is on a large network.

      --
      upon the advice of my lawyer, i have no sig at this time
    7. Re:Zombies by MobyDisk · · Score: 1

      Wow, that's almost like having some sort of permissions, or access control list, that prevents applications from modifying certain files. What a concept! I'll invent it, and call it UNIX!

    8. Re:Zombies by Anonymous Coward · · Score: 0

      The thing that's missing to scan a Windows box, is a clean boot disk that can still handle the Virus scan. For me, that means a Linux boot CD (ala knoppix, DSL, Ubuntu, etc.) that has been rebuilt with an AV tool already installed and ready to use.

      Boot the CD, you know you have a clean system running, download the latest updates (because Linux detects the network hardware and sets up the Internet connection), run the scan on the Windows drives and voilà!

      Catching viruses by the hundreds.

      Nobody in the AV world really does that anymore do they?

      pity. . . for windows users anyway.

    9. Re:Zombies by Anonymous Coward · · Score: 0

      Students and teachers are also happier with it because it prevents stuff that people have saved in My Documents (yes, the kids are told over, and over again to save to their mapped home directories - but occasionally they don't) from being wiped out.

      You could use roaming profiles so that the desktop & my documents are copied back automatically to a network share. You can also adjust the registry so that my documents is transparently redirected to a network share.

    10. Re:Zombies by Magada · · Score: 1

      You talk a sweet deal, for sure. But riddle me this: how do you know you got infected and it's time for a reboot? There are lots of viruses (specifically file infectors) out there that could survive between wipes in your "unfrozen" data areas -and you'd be wallowing in complacency while being re-0wned every time you boot up.

      --
      Something bad is coming when people are suddenly anxious to tell the truth.
    11. Re:Zombies by Eskarel · · Score: 1
      It sort of depends on the school environment.

      When I was at university I worked for one of the campus libraries as a support officer. That meant in addition to supporting staff (which was moderately tedious, though the fiddler rate in librarians isn't too high so they weren't too problematic) that meant supporting a lab of about 50 pc's.

      Now at the university, some of the text books came with software, which we had to let the students install on the machines, which meant that they had to have admin rights. They were also allowed to use the PC's in pretty much any way they liked including looking at pornography assuming they didn't offend any nearby patrons.

      We didn't use Freeze (don't think it existed back then), but we used a system which did a differential and removed changes as scripted. Let me tell you, as much as it was a pain in the ass to maintain the master index, it beat the hell out of trying to fix em any other way and beat imaging (doing the whole lab took over a day, big image slow links).

    12. Re:Zombies by baadger · · Score: 1

      > I'm fairly knowledgeable about home computers (I bought my first one in 1976) and I have a weird feeling in my gut that there is something on this computer that shouldn't be there

      It's called Microsoft Windows :)

    13. Re:Zombies by Anonymous Coward · · Score: 0

      "Students and teachers are also happier with it because it prevents stuff that people have saved in My Documents (yes, the kids are told over, and over again to save to their mapped home directories - but occasionally they don't) from being wiped out."

      Right click "My Documents" under "Target Folder Location" enter their home directory. Problem solved.

    14. Re:Zombies by Anonymous Coward · · Score: 0

      DeepFreeze is great for library machines, but it's horrendous for a home system. Your saved documents, gone. Your saved games, gone. Your new preferences, gone. Yes, you can set up ThawSpaces, but it's a very manual process, and you will miss stuff. What it really needs is an option to analyze what an app writes, then when it's done, ask whether you want to keep thawed the areas that it wrote. But I don't think it even can do that for the registry. It's really just not made for home users.

    15. Re:Zombies by nuzak · · Score: 1

      That's great, why don't you go run along and do that. Then the people that actually want something completely different and unrelated will go and buy DeepFreeze instead.

      --
      Done with slashdot, done with nerds, getting a life.
    16. Re:Zombies by Deliveranc3 · · Score: 1

      Agreed, it's a great solution for network booting systems but a terrible solution for single use systems (especially if you're a power user who installs a bunch of different software).

      The best way to do it is to monitor your networking, seriously if a bot slows you down enough you can kill the program, and having no listening services or apps that aren't secure means you're totally immune to outside control.

      When I turn off BT on my computer my net connection should be dead, if it's not I find the service and kill it.

      For me the best solution has always been using rare software (such as Opera, and Miranda) and HiJackThis to kill every service. Every month I run an AV tool, and trojan program. I find something wrong every 5-6 months and it's usually not particularly toxic.

  11. These had to be Windows viruses being tested.. by Anonymous Coward · · Score: 1, Insightful

    I assume the virus software was running on Linux but the viruses being detected were Windows viruses. You might want this type of virus software running on a Linux mail server or Samba server so Windows machines can't spread their viruses to other Windows machines through you. Of course we know they couldn't have come up with 25 Linux viruses, or even 1 for that matter.

    1. Re:These had to be Windows viruses being tested.. by perlchild · · Score: 1

      So... does this mean watchguard removed the windows virus definitions from clamav, and left only a virus engine that can detect native viruses, in order to sell a native watchguard for windows license?

  12. How did Microsoft Onecare do guys? by Dude+McDude · · Score: 0

    Guys????

    1. Re:How did Microsoft Onecare do guys? by caspper69 · · Score: 1

      Last I checked, OneCare did not run on Linux.

  13. Hmm, no Trend by afidel · · Score: 1

    We use Sophos on our Linux mail relays and Trend on the desktops, servers and web proxy. We've only had one small virus outbreak in 15 months. I guess Trend isn't covered since there is no Linux client, but it is in the top bracket on every shootout I have seen in the last couple years.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    1. Re:Hmm, no Trend by matazar · · Score: 1

      i really wish they had done trend. i want to see one of these for windows based ones.

      i always recommend kaspersky, CA and trend. while i'm shocked that norton caught them all, it still doesn't change my stance on their crappy products. they don't allow control to the end user. you can't disable or change any settings without it bitching constantly until you turn it back on. it's bulky, it's the most targeted and you can turn it off if you want to.
      /rant

    2. Re:Hmm, no Trend by xrayspx · · Score: 1

      I guess Trend isn't covered since there is no Linux client

      That's not really true. Trend sells IMSS for linux relays. I notice you said "client", but still, I would think IMSS should have been included.

    3. Re:Hmm, no Trend by totally+bogus+dude · · Score: 1

      I'm intending to run our install of Trend over the sample viruses to see how it fares, but I guess lots of other people have the same idea. Currently downloading at 1.4 kB/sec, 1 hr 33 mins to go! (The file is 7.8 megs.)

  14. Six percent? by Harmonious+Botch · · Score: 1

    There were 25 viruses. How does something catch six percent? Eight or four, sure. But six?

    1. Re:Six percent? by Anonymous Coward · · Score: 0

      Maybe they used multiple machines or tests to increase the sample base?

    2. Re:Six percent? by EveLibertine · · Score: 1

      Maaaaybe it blocked all of the viruses but 1, but that one that got through infected it 100 times, of which the software then found and cleaned 6.
      Alternatively, maybe it really did only get 4%, but they gave it an extra two points for effort. and a star sticker too.
      Ok, so probably not. I'm going to guess that maybe the test wasn't as thorough as the article makes it out to be.

    3. Re:Six percent? by tkiesel · · Score: 1

      I was wondering that myself.

      Maybe they used two (or a multiple thereof) different infection vectors per virus? That'd make 6% a possible score if a particular virus were detected only via some vectors but not others.

    4. Re:six percent? by pigphish · · Score: 1

      All this fuss over the math is making the invalid assumption that the 25 viruses appear only once.
      The viruses were setup in different ways: within archives (rar, zip), attached, merged
      The samples file itself contains 34 files.

      To get a more accurate count times the total number times the virus was presented.

      On another note, i tested with avast v4.7 which did very well. Not as good as kaspersky though which found 2 more after avast said everything was clean.
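The point in the post above, that the same sample counts several times because it is presented plain and inside archives, is also one reason catch rates diverge. This added Python example (not code from the test or from any product) compares a scanner that only matches raw bytes with one that unpacks nested zip containers; the sample set is constructed from the harmless EICAR string, and every function name and limit is an assumption of the example.

```python
import io
import zipfile

# The standard EICAR test string quoted in the thread; harmless by design and
# used here as the only "signature".
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

INFECTED, CLEAN, UNSCANNED = "infected", "clean", "unscanned"
MAX_DEPTH = 5               # assumed limit on archive nesting
MAX_MEMBER_BYTES = 1 << 20  # assumed limit on one unpacked member (1 MiB)


def make_zip(name, payload, method=zipfile.ZIP_DEFLATED):
    """Build a one-member zip archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def flat_scan(data):
    """Match the signature against the bytes as delivered, with no unpacking."""
    return INFECTED if EICAR in data else CLEAN


def deep_scan(data, depth=0):
    """Match the signature, descending into zip containers within the limits.

    Anything the scanner could not open is reported as UNSCANNED, never CLEAN.
    """
    if EICAR in data:
        return INFECTED
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return CLEAN
    if depth >= MAX_DEPTH:
        return UNSCANNED
    verdict = CLEAN
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    verdict = UNSCANNED
                    continue
                inner = deep_scan(zf.read(info), depth + 1)
                if inner == INFECTED:
                    return INFECTED
                if inner == UNSCANNED:
                    verdict = UNSCANNED
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or unsupported members cannot be cleared.
        return UNSCANNED
    return verdict


def build_samples():
    """Constructed sample set: (name, bytes, is_infected)."""
    deflated = make_zip("eicar.com", EICAR)
    clean = b"constructed clean file\n"
    return [
        ("eicar.com", EICAR, True),
        ("stored.zip", make_zip("eicar.com", EICAR, zipfile.ZIP_STORED), True),
        ("deflated.zip", deflated, True),
        ("nested.zip", make_zip("inner.zip", deflated), True),
        ("readme.txt", clean, False),
        ("clean.zip", make_zip("readme.txt", clean), False),
    ]


def catch_rate(scanner, samples):
    """Return (caught, total) over the infected samples only."""
    infected = [data for _, data, bad in samples if bad]
    caught = sum(1 for data in infected if scanner(data) == INFECTED)
    return caught, len(infected)


if __name__ == "__main__":
    samples = build_samples()
    for label, scanner in (("flat", flat_scan), ("deep", deep_scan)):
        caught, total = catch_rate(scanner, samples)
        print(f"{label}: {caught}/{total} = {100 * caught / total:.0f}%")
```

The stored (uncompressed) archive is still caught by the flat scanner because the member bytes sit in the archive unchanged; only compression hides them.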

  15. Not surprising... by SuperBanana · · Score: 3, Informative

    ...considering that most of the antivirus programs were tricked when a new "variant" of one of the worms back around '99 or so. So kids- just insert random whitespace into your worms!

    The change? The line endings in the VBS script changed. It probably wasn't even intentional- some broken mail server probably modified CR's into CRLF's. It sailed right past Trend Micro's email scanner and infected several dozen systems.

    I was the first person to notice why it slipped by, and brought it to the attention of a big-name "security expert" who ran a mailing list which shall go unnamed. He thanked us for the research, passed along my findings to the list, and then promptly went around doing interviews with the press using the first person voice. "I discovered that...", blah blah was what I read the next day.
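The miss described in the post above is what happens when a signature is matched against exact bytes. This added Python example (not code from the post or from any vendor) compares an exact-hash signature with one computed after canonicalising line endings and whitespace; the script text is a constructed, harmless stand-in and all names are assumptions of the example.

```python
import hashlib
import re

# Constructed, harmless stand-in for a known script sample, with bare CR line
# endings as in the original described in the post.
KNOWN = b'Dim greeting\rgreeting = "constructed sample"\rMsgBox greeting\r'


def raw_digest(data):
    """Signature over the bytes exactly as received."""
    return hashlib.sha256(data).hexdigest()


def normalized_digest(data):
    """Signature over a canonical form of a text script.

    CRLF and bare CR become LF, runs of spaces and tabs collapse to one space,
    and leading/trailing whitespace and blank lines are dropped. This is lossy
    (whitespace inside string literals collapses too), which is acceptable for
    matching but means the canonical form is not the script itself.
    """
    text = re.sub(rb"\r\n?", b"\n", data)
    lines = (re.sub(rb"[ \t]+", b" ", ln).strip() for ln in text.split(b"\n"))
    return hashlib.sha256(b"\n".join(ln for ln in lines if ln)).hexdigest()


class SignatureSet:
    """Set of digests of known samples under one digest function."""

    def __init__(self, known_samples, digest):
        self.digest = digest
        self.known = {digest(sample) for sample in known_samples}

    def matches(self, data):
        return self.digest(data) in self.known


def build_variants():
    """Constructed variants of KNOWN as a relay or editor might produce them."""
    return {
        "as captured (CR)": KNOWN,
        "CR rewritten to CRLF": KNOWN.replace(b"\r", b"\r\n"),
        "CR rewritten to LF": KNOWN.replace(b"\r", b"\n"),
        "padded whitespace": KNOWN.replace(b" = ", b"   =  ").replace(b"\r", b" \r\r"),
        "unrelated script": b'MsgBox "something else"\r\n',
    }


def compare(variants):
    """Return {variant name: (exact-hash hit, normalized-hash hit)}."""
    exact = SignatureSet([KNOWN], raw_digest)
    canonical = SignatureSet([KNOWN], normalized_digest)
    return {
        name: (exact.matches(data), canonical.matches(data))
        for name, data in variants.items()
    }


if __name__ == "__main__":
    for name, (exact_hit, canonical_hit) in compare(build_variants()).items():
        print(f"{name:22} exact={exact_hit!s:5} normalized={canonical_hit}")
```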

  16. I would comment on this... by Anonymous Coward · · Score: 0

    ...but the first rule is do not talk about fight club!

  17. I run Linux because... by BearRanger · · Score: 5, Interesting

    Let me preface this by saying that I work in a Windows free environment. I understand that not everyone has this luxury.

    Am I a bad citizen because I don't scan for Windows viruses on my Linux systems? It's almost like another Microsoft tax--you're expected to degrade your performance to prevent their victims, uh, customers (yeah, that's it) from infecting each other. Those folks need to be responsible for their own safety and not expect the rest of us to do it for them. They could start by holding Microsoft accountable and making other choices at purchasing time. To me, Windows isn't worth the hassle.

    1. Re:I run Linux because... by PenGun · · Score: 1

      I used to save em'. Had quite a collection at one time.

    2. Re:I run Linux because... by n0dna · · Score: 3, Insightful

      Ever consider that every virus infection stopped by anyone, target or not, could cut down on the bandwidth sucked away from all of us by the ever increasing botnets?

      What about infected files that don't originate on your systems but are passed through it? If you send out an infected file, the recipient won't care where you think you got it, or how much you feel that it isn't your problem, you're the one who infected them.

      You can piss and moan about trash on the sidewalk or you can just pick it up.

    3. Re:I run Linux because... by Anonymous Coward · · Score: 0

      What you could do, to be a good citizen at no noticeable cost to yourself, is - any time you send a file, to anyone, attach a note saying "This file has not been screened for viruses".

      Lots of people attach notes saying "File scanned using Whizbang 3.335", and I just say "Oh goody" and scan it myself manually. A note saying "This file has not been scanned" would be a refreshing change of honesty, but would make no difference at all to the working procedures of someone who's even slightly security-conscious.

    4. Re:I run Linux because... by TheRealMindChild · · Score: 1

      Yeah... same idea as "My fucking legs work. Is it my fault that yours don't? Am I expected to forgo the luxury of an escalator because you are in a wheel chair?"

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    5. Re:I run Linux because... by tech10171968 · · Score: 2, Interesting

      I, too, work in a completely Windows-free environment at our company (in fact, I'm the one who spec'd everything, from our database server to the workstations). But I still insist on everyone's machine running ClamAV because, while we don't have many/any worries about being compromised by malware, we do exchange web traffic with our customers (like, say, most any business using at least one computer with an internet connection). I'd hate like hell to think that we may have inadvertently passed a virus- or trojan-infected email or spreadsheet to a customer - doesn't exactly do wonders for customer relations, ya know?

      --
      This space for rent!
    6. Re:I run Linux because... by dbIII · · Score: 1

      Am I a bad citizen because I don't scan for Windows viruses on my Linux systems?

      It only makes sense on mail gateways and possibly web proxies that have Microsoft machines behind them.

    7. Re:I run Linux because... by Nightspirit · · Score: 1

      On an enterprise level, if one of your workers sends me an infected file, I don't care that all your systems are linux and that it doesn't affect it. I'm permanently putting your company on my block list

    8. Re:I run Linux because... by kanweg · · Score: 1

      I have a company. Were I to have a business partner with reasoning like that I wouldn't mind being on your block list as it would possibly be symptomatic for the sense in other decisions you make too. Not that I would ever make your block list (Windows free environment) and we create our e-mails and files ourselves.

      Bert

    9. Re:I run Linux because... by kanweg · · Score: 1

      I have a company. We create our own e-mails and content. Anti-virus programs not only may cost money, but need attention too. And they can be a major pain in the butt if they are overzealous, making you refuse new software or even causing (repairable) damage to your system. No thanks. We have taken our responsibility by not running Windows.

      Bert

    10. Re:I run Linux because... by ajs318 · · Score: 1

      Am I a bad citizen because I don't scan for Windows viruses on my Linux systems?
      Not at all. It's not your problem. Assuming your boxes aren't acting as open SMTP relays (they're not, are they? good) and if you're running any anonymous FTP servers (what, are you crazy?) then no directory is both readable and writable, then you're doing everything right. People should be prepared to deal with the consequences of running ridiculously insecure operating systems -- or not run them.

      Bad Car Analogy time: If someone's not wearing a seat belt, and you crash into them, it's not really your fault if they end up going through the windscreen.
      --
      Je fume. Tu fumes. Nous fûmes!
  18. Inefficient AV testing methods by beefcake1942 · · Score: 0

    The methods used to test AV products are simply bogus. I would really implore you all to read an article published on The Register today. As an ex-employee of one of the world's largest AV vendors, what it says is not only fact but something you should all take into consideration http://www.theregister.co.uk/2007/08/09/anti_virus_testing/

    1. Re:Inefficient AV testing methods by swb · · Score: 1

      You mean corporate shills lie and cheat to get rich?

  19. Interesting... by rob1980 · · Score: 1

    Interesting that SonicWALL only caught 61% compared to McAfee catching 89%. The virus protection on our SonicWALL at work is powered by McAfee.

  20. Rainbow Fonts by Tablizer · · Score: 2, Interesting

    The charts used those damned ClearType sub-pixelation fonts in the image, which is not going to work right with many monitors since they have to be tuned per user. When I see that rainbowy tinge, at first I check to make sure I haven't drank too much c c c coffee again.

    1. Re:Rainbow Fonts by Anpheus · · Score: 1

      The image itself won't contain any subpixel data, it can't. Except for SVG, and no browsers support doing anything like this yet, there is no format that renders to a higher resolution than a device pixel. I suppose SVG -could- use subpixel rendering, but I'm fairly certain that anti-aliasing is the extent of what is done there.

    2. Re:Rainbow Fonts by Tablizer · · Score: 1

      Images can contain the same info that "sub-pixel" screen-fonts can. It is just that you have to have both the proper pixel color ordering in the image sequence (ex: red green blue versus red blue green) and "native" resolution such that an image pixel maps to a screen pixel 1-to-1. An image (gif, jpeg, etc.) cannot "know" what kind of setup a given user has ahead of time, plus it does not "understand" fonts, but merely has an image of pixels that make up text to the user's eyes. I "magnified" it, and it does indeed look like Cleartype-like subpixelation, not anti-aliasing (alone).

  21. I have to question the validity of this test... by RootWind · · Score: 3, Informative

    Not to knock Clam but there is something odd about these results (Besides the absurdly low testbed). TFA says Clam won two years ago (which meant Untangle would use it), and again now. However, just last May the results from AV-Test.org (a real trusted legitimate source) against a comprehensive testbed put ClamAV near the bottom of the heap: http://www.pcmag.com/article2/0,1895,2135053,00.asp
    I can't help but think that Untangle is trying to justify their own choice, rather than have a real test. With a testbed of only 25-35, it is possible to pick a group of malware that can put any AV on top. Even the user submitted malware is suspect, especially when that testset is also so low. ClamAV is great against virus outbreaks, with one of the fastest signature responses, but it has pretty atrocious trojan and zoo detection, since there is not enough man-power to collect and create signatures for less prevalent and non-replicating malware.

    1. Re:I have to question the validity of this test... by armanox · · Score: 1

      PC Mag's test is done using Win32, whereas it would seem that this test was done on *NIX. So, ClamAV isn't good under Windows? Just a thought.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    2. Re:I have to question the validity of this test... by Anonymous Coward · · Score: 0

      wtf is a "zoo"? Is this a word you just made up?

    3. Re:I have to question the validity of this test... by Anonymous Coward · · Score: 0

      Note too that Untangle is a competitor to the vendors that they tested including Sonicwall, Fortinet and WatchGuard. This is like Microsoft "testing" their desktop AV software against AVG, McAfee, etc. and claiming that they did the best.

    4. Re:I have to question the validity of this test... by Radium_ · · Score: 1

      > With a testbed of only 25-35, it is possible to pick a group of malware that can put any AV on top.

      While your remark is true, I guess both tests are useful, depending which aspect of an antivirus is significant to you.
      Untangle tested 17 viruses (+ Eicar.com) captured "in the wild" from some mailbox, while av-test.org uses 600,000+ viruses for its tests.
      I prefer my antivirus to detect 100% of the 500 (?) viruses which are actually found all around the Internet rather than detect 565,865 viruses, 99% of which will never hit the mailservers of my company.

  22. Onecare caught 0% by Anonymous Coward · · Score: 0

    Due to lack of ability to actually execute.

    1. Re:Onecare caught 0% by Dude+McDude · · Score: 4, Funny

      That would mean that it's performing just as well as it does in Windows. Good work Microsoft!

  23. Excel Results upped to Zoho Viewer by Leemeng · · Score: 2, Informative

    For the Excel-averse, I have uploaded the Excel Results of the test to the Zoho Viewer website. So you needn't install Excel or OO. http://viewer.zoho.com/docs/edblaI

  24. ClamAV still does make a great second AV test by mattb47 · · Score: 1

    I'm not sure I'd rely *only* on ClamAV for protecting incoming mail on my mail servers. But if you can hookup a way to check incoming mail against multiple AV providers, then definitely throw ClamAV into the mix. It's free and it works...

    - Matt

    1. Re:ClamAV still does make a great second AV test by macdaddy · · Score: 1

      To go along with your statement I'll throw in a simple OSS tool that hooks into Sendmail and does just what you said (and so much more). MIMEDefang is the tool I'm referring to. My last check of the config script listed about 20 AV clients it supported out of the tarball and a number of Perl addons that also help identify malicious crap like Anomy::HTMLCleaner and File::Scan. MIMEDefang has been rolled up into a commercial app which I highly recommend as well called CanIt. There are a number of CanIt options including CanIt-Pro which has a kickass GUI. They also make a SMB appliance and a full-size appliance. They also include the source. I highly recommend it. I use CanIt-Pro myself. It makes the Barracuda products look like the worthless pieces of junk that they are. CanIt also installs Clam out of the box.

  25. Windows? by ZeroFactorial · · Score: 1

    The real question is, how many of these virus scanners detected and quarantined windows?

    All joking aside, isn't it strange that with all of Microsoft's monopolistic tendencies, they haven't branched into the anti-virus market yet?

    I recognize that this would be a paradox, but still....

  26. All antivirus tools *are* the same by Anonymous Coward · · Score: 2, Insightful

    All of them depend on guessing whether a file is good or bad.
    All of them will have false negatives as well as false positives, most likely skewed to have fewer false positives to reduce the annoyance factor at the expense of missing real viruses - false negatives.
    There are substantially better and computationally cheaper ways to protect your system than an anti-virus.

  27. huh? by smitty97 · · Score: 0, Redundant

    What's a virus?

    signed,
    Mac User

    --
    mod me funny
    1. Re:huh? by ianare · · Score: 2, Insightful

      Something you get if you go online. Remember, you may not be infected by a virus, but you can still spread it. Signed, Computer User

    2. Re:huh? by swokm · · Score: 1

      A thing you may receive in the near future, unless Apple finally gets around to implementing better handling of "safe" file types and Apple Mail attachments in 10.5...

    3. Re:huh? by Anonymous Coward · · Score: 0

      That is so made up by those corky Windows users! I mean seriously, a computer virus? And what is it supposed to infect - other programs? That's impossible if you can't even write to /bin or /usr/bin! Mwuhahaha! you Windows guys really crack me up.

      Signed,
          Linux User

    4. Re:huh? by pandrijeczko · · Score: 1

      What's a Mac?

      --
      Gentoo Linux - another day, another USE flag.
    5. Re:huh? by Anonymous Coward · · Score: 0

      A shiny plastic box running FreeBSD.

  28. 61% of 25 viruses??? by dniq · · Score: 0, Redundant

    How does one "capture" 15.25 (61% out of 25) viruses? Or 6% (1.5), for that matter?

    1. Re:61% of 25 viruses??? by KillerBob · · Score: 1

      See, I thought that until I tried to download the sample file and open it. Then I noticed that the sample was 7.5MB in size, and that there were multiple instances of some viruses. The weird numbers come from having a partial success rate in capturing Virus X. That is... if I send 12 instances of MyDoom.M at a virus scanner, and it only catches 7 of them.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    2. Re:61% of 25 viruses??? by Reziac · · Score: 1

      Server is going so slow right now that I gave up on the download til the crowd thins, so don't know if this is what's going on, but:

      Compressed executables can render the virus invisible. Different compression schemes can alter scanning results. So it behooves one to test both an uncompressed executable, and the same virus in a variety of compressed formats.

      Incidentally, this problem was why I stopped using McAfee's DOS scanner, back about 1994: Every time its engine was updated, I'd test it against my zoo. One day the update was unable to find a common virus in compressed form, tho it could see it uncompressed. F-Prot saw them both. I switched, and never went back.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  29. As a consultant or to replace all the users... by msimm · · Score: 1

    Because I see 1) unfreeze 2) installed warez 3) refreeze 4) zombie. It's a great idea if you have a really good working understanding of an operating system (although I've seen some pretty tricky virii/malware) but for your regular users this is complicated and confusing. In fact I would say it would probably be easier to train a user to use an unprivileged account (and we all know how well that's gone).

    DeepFreeze is an excellent tool for administrators or powerusers. But certainly no silver bullet.

    --
    Quack, quack.
    1. Re:As a consultant or to replace all the users... by DrSkwid · · Score: 1

      Unprivileged accounts can't double click on the clock to see the date/time properties (or calendar as humans call it). You get "Sorry, you don't have privileges to change the system time"

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  30. Yeah! Go clamav by xgr3gx · · Score: 0

    ClamAV rules, I use it on my mailserver, as well as my Linux desktop. It's great, and it's not a resource hog.
    I've even installed ClamWin on some Windows boxes for people. No complaints from them :).

    --
    Shameless plug alert: Game server control panel
  31. What? by RvLeshrac · · Score: 1

    GlobalHauri? Fortinet? Where are NOD32 and BitDefender?

    I'd rather see commercially available AV tests, since that's what 99.9% of consumers use. I can (and have!) not use an AV scanner for 4 or 5 years and never see a virus, because I pay attention. How about Jimmy Bob Johnson who visits every porn and keygen site on the internet, but uses McAfee because his ISP bundles it?

    --
    This signature does not exist. It has never existed. It is all a figment of your imagination.
    1. Re:What? by Barny · · Score: 1

      Sorry, but I gotta say it, RTFA

      These are all AV solutions running on *nix.

      Yeah yeah, mod me down, but I had to do it :)

      --
      ...
      /me sighs
  32. Lame by pravuil · · Score: 1

    Come on, an MCSE would expect those results.

    Seriously, with a title like "Many Antivirus Tools Fail in LinuxWorld Test" you would expect something new. Well, I guess I was surprised. I didn't think Symantec had it in them. Kudos to them. ClamAV, no surprise there at all. Same goes for Kaspersky. You could've figured that out by using Google.

  33. Re:The winners: *Direct* Quote by quadra23 · · Score: 5, Informative

    One product, WatchGuard's Linux AV tool, caught fewer than 6 percent of the viruses sent to it. "We're not exactly sure what the problem with WatchGuard is," says Morris. "The test was set up the same way for all of the vendors."

    This number quoted by the original poster missed the section in bold, it was technically < 6%, which could mean either 0 or 1 virus (funny how everything always works out to binary in some way or another :). My question would be which is it? Either way, my system would be compromised by either 24 or 25 viruses -- neither of which is a good scenario especially in regards to well-known viruses (according to the article no 0-day exploits were accepted).

  34. Abacus problem by flyingfsck · · Score: 1

    I think their counting frame has a cracked bead...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  35. Detected, not Caught by Riquez · · Score: 2, Interesting

    Only three of the products caught all of the viruses
    Does this not strike anyone as a really stupid way to word the detection of a virus?
    If you "catch a virus", you're infected.

    "where's geoff today?",
    "oh, he caught the flu"
    "he caught it! nice one geoff, you managed to destroy that pesky flu & not get infected - so he's out celebrating right?"
    "erm... fk off weirdo"
    --
    * Game Over * High Score: 264,846,927 -- Your Score: 14
  36. MOD PARENT UP by rgravina · · Score: 1

    Finally, someone knows why the value is not a multiple of 4!

    Why am I not surprised the summary had errors? :)

  37. RTFLITFA by Anonymous Coward · · Score: 0, Informative

    that is Read the Fucking Link in the Fucking Article, which says 18 test viruses, not 25. 1/18 = 5.555...% rounded up to 6%.

  38. An AV can only do so much.... by Anonymous Coward · · Score: 0

    People.. it makes no difference if these AV products can detect a virus or not... let me relay a conversation for you:

    Them: I think I have a virus!
    Me: Okay, let me have a look... oh, did you open any files which I told you not to open?
    Them: Yes, I downloaded this awesome screensaver and cursor kit from the web. It's really cool
    Me: Oh.. which website?
    Them: It was off PutaVirusOnMyPc.com they were credible because they advertised a lot of porn and get rich quick schemes. The flashing ads really gave me confidence that this was a quality organisation giving me this file.
    Me: Oh, I would have thought the anti-virus would pick up the virus whilst it was being transferred
    Them: Oh, it did but I told it to ignore it and when it gave me 3 more warnings, I opened it anyway because I really really wanted to see what was in the file...

    Of course, this would never happen, they wouldn't tell you they did it, they'd lie and say they have no idea it just stopped working. It's when you have to look at the url and AV logs to get that information.

    People are idiots who lie.... we got no chance so we may as well just face it, we're all screwed.

  39. Re:The winners: *Direct* Quote by Dash+Hash · · Score: 1

    My guess is that it caught two, but was only able to remove or prevent one from infecting the machine. If it successfully caught and removed one, it would give it 4%, and if it caught (noticed) a second but was unable to do anything about it, it might have gotten a point or two for noticing it and being able to alert the user to something being wrong, but did not get full points since it could not remove or prevent an infection from the second.

    That's just thoughts, though; I am too tired to read the article in-depth, but considering how people are responding, I have a feeling that this sort of thing isn't mentioned in it.

    --
    Calling a sword by a pretty name is no more than adding perfume to poison.
  40. 18 not 25 by Anonymous Coward · · Score: 0

    The linked website states the sample size was 18 not 25.
    1/18 = 5.6%

    There is another small writeup here: http://blog.untangle.com/?p=96

  41. six percent? by mrjb · · Score: 1

    Given any set of 25 viruses, each virus represents 4 percent. So one antivirus caught a virus and a half?

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  42. Same thing with Norton, etc. by Joce640k · · Score: 1

    Once a virus is in the machine it can do whatever it likes, including hiding itself from your antivirus. I've personally disinfected dozens of machines which have Norton+a virus.

    The answer is usually to reboot in safe mode and scan from there.

    PS: I use AVG. Norton is just too intrusive, bloated and causes too many problems with normal system operation.

    --
    No sig today...
    1. Re:Same thing with Norton, etc. by ChameleonDave · · Score: 1

      The answer is usually to reboot in safe mode and scan from there.
      How safe is safe mode? I reboot into Linux and scan the Windows partition from there.
    2. Re:Same thing with Norton, etc. by Anonymous Coward · · Score: 0

      How safe is safe mode?
      Not all that safe. It's definitely a good idea to use it, however malware can rootkit your system or register itself as a critical system service that gets run even in safe mode.
    3. Re:Same thing with Norton, etc. by Anonymous Coward · · Score: 0

      Actually, once you are compromised by a virus, you no longer own your system and there is no such thing as a "safe" way to disinfect (there may be specific cases with specific viruses that are simple enough and well enough known to do this, but in the general case, it's simply not safe to assume you can "clean" a virus from your system). And counting on Windows "safe" mode to help you in any way at all is pointless - chances are if a virus roots your system, it'll still be there in safe mode as well, and may very well hide itself from the best of scanners once it's in. Time to format the hard drive and start over (esp with Windows).

    4. Re:Same thing with Norton, etc. by orclevegam · · Score: 1

      I've been reading recently about L4 and other microkernels and how they can be used to run another kernel inside them. With L4Linux it's possible to run Linux on top of a L4 kernel, and in parallel to another kernel, but as far as I'm aware there's nothing to let you run Windows (short of maybe running VMWare on top of Linux). It would be very interesting to run L4 + AV Software + Windows that way the AV would be operating outside of Windows (parallel to it). Only problem might be the resource impact for running this, plus not sure exactly what that would do to hardware acceleration of video graphics. From what I've read the way Linux runs on top of L4 is it uses a set of dummy drivers that make calls to the underlying L4 servers, and I imagine you'd have to do the same with Windows, which I'm sure the graphics drivers would not be happy with, so it's out for any sort of accelerated graphics (for now anyway, hopefully the open source push that nvidia and ATI [plus intel] have been going in recently continues and we'll have fully open source graphics drivers soon).

      --
      Curiosity was framed, Ignorance killed the cat.
  43. Re:The winners: *Direct* Quote by rts008 · · Score: 2, Funny

    "Either way, my system would be compromised by either 24 or 25 viruses..."

    24 or 25 out of 25?

    Hmmm....

    Does this mean that *nix is finally ready for the desktop?..Just like Windows?

    Uhmm..w00t!?!?

    Disclaimer: coming to you from a Feisty Kubuntu PC that is running ClamAV.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  44. How is this relevant to Linux users ? by slashdotlurker · · Score: 1

    I run a home network back home that has 1 OpenBSD server, 1 Linux server, 4 Linux laptops/desktops and 1 Mac. Precisely how are any of these "anti-virus" tools relevant to me ?

  45. Something is wrong with the methodology here... by Anonymous Coward · · Score: 0

    How can a tool detect 6% of 25 viruses?
    That would be 1.5 viruses caught...

    All those percentages should be multiples of 4.

  46. Don't include me in your "we know" by DrSkwid · · Score: 1


    This 2001 QinetiQ report for the UK gov.
    http://www.govtalk.gov.uk/documents/QinetiQ_OSS_rep.pdf

    Makes this claim: "There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions and perhaps 40 for Linux."

    But viruses, by definition, will always have a hard time in Lunix. People generally don't share executables. Which leaves auto-opening files such as image preview, pdf, html and openoffice docs etc.etc.

    It's generally easier to exploit internet facing services such as DNS, HTTP, SMTP etc.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:Don't include me in your "we know" by ajs318 · · Score: 1

      But viruses, by definition, will always have a hard time in Lunix. People generally don't share executables. Which leaves auto-opening files such as image preview, pdf, html and openoffice docs etc.etc.
      That is so true. Linux, like every Unix implementation, includes a compiler and one or more interpreters as part of the basic installation. There is absolutely no reason to pass around binary executables. (In the last century, when internet access meant dial-up, distributions took to supplying ready-compiled executables; but these were invariably checked by experts independent of the authors, digitally signed to prevent tampering and made available from centralised repositories.)

      As for data files, the use of these as an attack vector depends on vulnerabilities in the viewing/editing applications (or the underlying libraries they use). And Open Source implies Open Data Formats; which implies that for any given type of data file, there will be more than one application that can work with it. If the vulnerability is in the application itself, then the chances are some other application won't be affected. If the vulnerability is in the library, then again chances are that some people will be using older versions which predate the vulnerability or newer ones which have it corrected.

      While it's technically possible to write a virus in an interpreted language, I have a feeling that any attempt to do so would be short-lived; the perpetrator would necessarily have to give away the exact details of what they had done, which would provide some clues as to how to reverse the damage and guard against anything similar in future.
      --
      Je fume. Tu fumes. Nous fûmes!
  47. Results with Trend OfficeScan 8 by totally+bogus+dude · · Score: 1

    Extracted the zip to a directory and let OfficeScan (8.0, Scan engine v8.500.1002, virus pattern 4.641.00) scan and quarantine all viruses. These files remained:

    111_xxx.com
    112_untangle1.zip
    114_untanged22.zip-(07-08_08_01 -- empty file, not extracted, ends in :01:24)
    115_untangle3.zip
    116_untangle4.zip

  48. Ugh, not binary by gerf · · Score: 1, Informative

    I couldn't ignore the anal-retentive troll inside of me.

    which could mean either 0 or 1 virus (funny how everything always works out to binary in some way or another :).

    That is not binary, but rather only could be binary, but could be any m-ary. True, it could be binary, if you assume two viruses would be represented by 01, three by 11, four by 001, and so forth. As it is, it's ambiguous, as are all numbers. 234 viruses could be decimal, hexadecimal, or a higher base, just as X amount of something does not denote the actual base. Now, if there was a subscript "1," that could mean it was binary, but that's obviously not there, now is it, hmm.

    On another tangent, I have seen a similar analog-digital converter in a PIC program quite a few years back. Basically, if I had an analog value that I knew were only going to be 0 or 1, I could convert it to a digital 0 or 1. For some reason the label of the value mattered more than the actual value in the application. What a fun program in school. I was able to use the free 15-step limited program to do what I wanted, while everyone else had to resort to some ungodly large amount of logic that required the paid program.

    1. Re:Ugh, not binary by Mozk · · Score: 1

      Really 0 and 1 in any numeral system would be equal to 0 and 1 in decimal, but it's true that you wouldn't be able to tell which system it's in.

      Also binary digits are written with higher values to the left, not to the right as in your post; it's the same as with decimal. Thus 4 in decimal would be 100 in binary, not 001.

      --
      No existe.
    2. Re:Ugh, not binary by fbartho · · Score: 1

      big endian vs little endian!

      Finally, someone reawakens that war...

      --
      Gravity Sucks
    3. Re:Ugh, not binary by Mozk · · Score: 1

      AFAIK endianness has nothing to do with the order of bits, but rather concerns the order of bytes in memory. I was under the impression that it's either a standard (ISO?) or very widely agreed on.

      Nevertheless I'd be willing to start a war over it. :P

      --
      No existe.
    4. Re:Ugh, not binary by fbartho · · Score: 1

      You're absolutely right, I hadn't personally had to worry about endianness in a long while, especially since most of the time (that I've seen) a good network library will have "convertToNetworkByteOrder() and convertToLocalByteOrder()" type functions - or silently handle it, so all you have to remember about endianness is that you have to remember to throw your data through a filter like that before you use it.

      --
      Gravity Sucks
    5. Re:Ugh, not binary by Mozk · · Score: 1

      Since you seem to know a bit about it and personally I haven't worked with complex network applications nor had to deal much with interoperating different architectures, where does endianness differ among them?

      I'm only asking you because I prefer hearing things in people's words when dealing with technical details like this, rather than looking it up on Wikipedia. :P

      --
      No existe.
    6. Re:Ugh, not binary by fbartho · · Score: 1
      Well what do you think wikipedia is all about? "Hearing things in other people's words" in some cases many other people, with hopefully only the best and most accurate wording remaining... In this case all my knowledge comes from the networking I did in college (from a tiny bit of very low level, to using various libraries in C C++ Java and C#) from reading the documentation for those libraries, and from the little programming I did with FTP on PPC. At every step in my learning wikipedia has been invaluable. When I read articles on wikipedia, I'll open any link that seems remotely interesting in a new tab, when I finish reading the article I'll close it, and read the next tab, and repeat. This has exponential growth until you either hit a sequence of leaf articles (read "stub") or you've exhausted the topic at hand and managed not to find any links to other topics or you're time pressed and so you stop opening tabs. In any case the wikipedia article on endianness http://en.wikipedia.org/wiki/Endianness is pretty fleshed out.

      Selected quotes:

      Intel's x86 processors use the little-endian format (sometimes called the Intel format). Motorola processors have generally used big-endian. PowerPC (which includes Apple's Macintosh line prior to the Intel switch) and System/370 also adopt big-endian. SPARC historically used big-endian, though version 9 is bi-endian (see below).

      Endianness in networking

      Networks generally use big-endian order, and thus it is called network order when sending information over a network in a common format. The historical reason is that this allowed routing while a telephone number was being composed. In fact, the Internet Protocol defines a standard big-endian network byte order. This byte order is used for all numeric values in the packet headers and by many higher level protocols and file formats that are designed for use over IP. The Berkeley sockets API defines a set of functions to convert 16- and 32-bit integers to and from network byte order: the htonl (host-to-network-long) and htons (host-to-network-short) functions convert 32-bit and 16-bit values respectively from machine (host) to network order; whereas the ntohl and ntohs functions convert from network to host order. While the lowest network protocols may deal with sub-byte formatting, all the layers above them usually consider the byte (mostly meant as octet) as their atomic unit.
      Basically, in part from the lower level networking, I learned to love languages that had modularity and a great group of people writing libraries for them. In my opinion there is significant value in picking and choosing the right components for a job. Having to write libraries for yourself is just a pain unless you're certain you have the time to maintain them all in every language you use and you're certain that the value you will get out of writing the library is worth the time. Trusting an opensource project to make a great robust networking library (with appropriate testing) lets you focus more on your project's logic, presentation, and "secret sauce" and less on the drudgery of laying every foundation pebble by pebble.
      --
      Gravity Sucks
  49. Watchguard is fine by Tablizer · · Score: 2, Funny

    I use Watchguard all the time and nothing has ever gone wr&,;*..}..Get 3 months of Viagra free with our low mortgage rate offer now now now!

  50. NOD32 by Kaitnieks · · Score: 1

    I checked their test set with NOD32. From 34 files NOD32 didn't find 4 (88% success). The files uncaught were 112_untangle1.zip, 114_untangle22.zip-(07-08-08_01, 115_untangle3.zip and 116_untangle4.zip - they're custom viruses. Personally I wouldn't worry about it because NOD32 releases definitions really fast. Since I don't surf infectious sites, my chances to catch a new, yet unknown virus are minimal.

    1. Re:NOD32 by whereiswaldo · · Score: 1

      Since I don't surf infectious sites, my chances to catch a new, yet unknown virus are minimal.


      Currently, over 30,000 websites are compromised every day, resulting in hosts you trust being potential sources of infection. You don't have to surf porn or warez sites to get infected these days.

      About the tests reported on, I didn't see that they tested the virus scanners on non-virus content to measure the number of files mis-categorized as viral. Measuring false positives is an important aspect of comparing virus scanners, just as it is with anti-spam products. You don't want your AV scanner reporting every application you use as viral, as eventually you will ignore those messages (like "the boy who cried wolf"). The testing really seems incomplete to me.
  51. F-secure? by giorgosts · · Score: 1

    How come they didn't test F-secure, which was the first to detect the Sony rootkit, even before Mark Russinovich wrote his article? I once scanned my usenet inbox in linux using clamscan with the latest definitions. It found nothing. Then I dual-booted to windows and scanned the same folder with f-secure, and it found plenty of win32 trojans.

  52. MD FUD? by Anonymous Coward · · Score: 0

    This is yet another anti-Linux FUD by MS I bet. Linux has no viruses. I repeat: Linux has NO viruses

  53. Part of the problem by Sycraft-fu · · Score: 2, Insightful

    Is viruses can be a bitch to remove when the system is online, since the virus can do things to fight the scanner. I see a scanner running on a live system as preemption, not recovery. You run it to stop the virus before it can cause harm. AVG seems good at that, it seems to notice viruses right away.

    If you want to use a tool like that for recovery, the way to do it is on an offline system. Either take the disk to another computer and set it up as a non-system disk, or build yourself a PE boot disc and clean it from that.

    It's more or less the same for any sort of system analysis or recovery for malware, hacks, whatever. Running tools on the live system is of limited use since you might get back bogus answers. You can run them to see what is going on, but when you actually start cleaning up, you need to do it from a different system, or there may be something working to undo what you've done.

  54. FOSSie "security" by Anonymous Coward · · Score: 0

    A lot of people think all AV tools are the same -- they're not!
    Only FOSSies and OSX users are so naive about security. But when you have such a large community drinking the kool-aid that their OS is just magically immune to viruses and being hacked since "teh it's not Wind0ze!!!!!111!1", you are going to have that kind of denial of reality.

    No OS will ever be immune. Anyone thinking so is an idiot, plain and simple.
    1. Re:FOSSie "security" by Hucko · · Score: 1

      Just that some are better at smaller factors of immunity.... ;) It's okay, from what I hear, Vista is almost as good as Freedos now!

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
  55. 6% of 25 is 1 1/2? by Anonymous Coward · · Score: 0

    I'm beginning to think I'd have had a better life if I'd skipped maths like everyone else seems to have.

  56. Re:The winners: *Direct* Quote by LordSnooty · · Score: 1

    It found 0 viruses - are they sure they configured it correctly? Maybe it found no viruses because it found no files!

  57. Avast by tehniobium · · Score: 1

    I have been using avast for the past couple of years and as far as I can see it's done really well...however I guess that might not be a good sign! Does anybody know how it compares to for example norton?

    --
    No kitty, this is my pot pie!
  58. [Shrug] Why use a virus checker? by Anonymous Coward · · Score: 0

    At all? I'm not using one on my Windows XP machine.

    No, wait. I'm not insane. Firstly, the one I was running (Sophos) caused all sorts of quirks -- a mysteriously bogged-down system every once in a while, for no particular reason (CPU would be only a few %, but the system would be unresponsive for 10-30 seconds), weird warning messages (reports that "virtual memory was low", even with 1.7Gb of RAM free!). I tried everything else as a fix. I was sick of it, so I killed the damn thing. All the problems went away, and the system runs much better, especially when working with larger files.

    I read e-mail on a Mac or Linux machine, I have a firewall on the Windows machine. I use Firefox with NoScript for a web browser, and keep it up-to-date. So far (months), no viruses or worms (heh, that I know about :-)). Yeah, theoretically I'm running in a riskier state, but everything is smoother, I've eliminated one of the main vectors entirely (e-mail attachments), and I don't have the cost of virus checker updates. If something bad happens, as I'm sure it will eventually, I'll wipe the system and reinstall. Windows seems to be happier with a reinstall every couple of years anyway.

    I've come to the conclusion that some virus checkers are such expensive bloatware that the "cure" is now worse than the "disease". I'd rather change my behavior to lower the risk.

  59. Such a poor sampleset by Anonymous Coward · · Score: 0

    25 samples? And I thought PC Pro's recent sampleset of 200 was low. Isn't there supposed to be some sort of journalistic obligation when providing consumer advice, performing a thorough and meaningful test for example?

  60. Zipfiles with passwords should be assumed positive by Nicolas+MONNET · · Score: 1

    Just like intravenous drug using transvestite prostitutes, password protected zip files should be assumed to be virus positive. I've never encountered one instance of them serving a legitimate purpose, for privacy there's GPG and friends.

  61. Re:Zipfiles with passwords should be assumed posit by RKThoadan · · Score: 1

    We have to use password protected zip files occasionally because most of the world is clueless about GPG.

  62. Re:The winners: *Direct* Quote by Shulai · · Score: 1

    Nice try, but AFAIK ClamAV doesn't clean viruses, it just is able to quarantine or delete the files. Cleanup is mostly a wasted effort in a time when you aren't trying to catch old school viruses attached to legitimate files but mere self-contained worms that you can simply send to the bit bucket.

  63. Disappointing by Anonymous Coward · · Score: 0

    What the hell? An antivirus test that excludes the free clients AVG and Avast!

    Pretty useless test. Please try again!

  64. Collaboration by avatar4d · · Score: 1

    I want to preface that I run a BSD only network (OpenBSD on my router and FreeBSD on my desktop) so I have no need anymore for these applications.

    One thing that most consumers don't realize is that the whole AV industry is basically a big scam. If software was designed more properly, malware would be less of an issue and AV software would be needed less (educating consumers is still an important aspect). In addition to this, the AV software itself would be better if they collaborated. The whole industry is set up to only benefit the companies and not really the consumers though. If they really tried to do the best for the customer, the organizations would collaborate to offer the best coverage (standardized definitions?) and therefore only the best software would make it on the market. Instead companies like Microsoft are in bed with the likes of Symantec/McAfee/Etc and have this whole industry set up to milk the consumer rather than direct that money to R&D and real advancement of technology.

    Any thoughts?

    --
    Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
  65. FSecure and AVG?? by spitek · · Score: 1

    I agree about AVG, why wasn't it tested? I also use FSecure with some clients and have been very happy with it. Would have been nice to see it in the running as well. Anyone have any experience with FSecure?

  66. Scanner Log by kad77 · · Score: 1

    Should have posted this too:

    Time Module Object Name Threat Action User Information
    8/10/2007 9:51:03 AM AMON file C:\Temp\7zE1C1C.tmp\111_xxx.com Win32/PSW.Lineage.NGI trojan quarantined - deleted
    8/10/2007 9:51:03 AM AMON file C:\Temp\7zE1C1C.tmp\110_vvzh.scr Win32/Mydoom.R worm quarantined - deleted
    8/10/2007 9:51:02 AM AMON file C:\Temp\7zE1C1C.tmp\109_virus_88.bin Win32/TrojanDownloader.Agent.BRK trojan quarantined - deleted
    8/10/2007 9:51:02 AM AMON file C:\Temp\7zE1C1C.tmp\108_virus_87.bin Win32/TrojanDownloader.Agent.NQG trojan quarantined - deleted
    8/10/2007 9:51:01 AM AMON file C:\Temp\7zE1C1C.tmp\106_Info.exe Win32/Bagle.X worm quarantined - deleted
    8/10/2007 9:51:01 AM AMON file C:\Temp\7zE1C1C.tmp\105_image.jpg.exe Win32/TrojanDropper.Small.UU trojan quarantined - deleted
    8/10/2007 9:51:01 AM AMON file C:\Temp\7zE1C1C.tmp\104_Attachment.scr Win32/Mydoom.R worm quarantined - deleted
    8/10/2007 9:51:00 AM AMON file C:\Temp\7zE1C1C.tmp\020_test.zip Win32/Mytob.AE worm quarantined - deleted
    8/10/2007 9:51:00 AM AMON file C:\Temp\7zE1C1C.tmp\019_scan_check.jpg.exe Win32/Spy.Goldun.S trojan quarantined - deleted
    8/10/2007 9:50:59 AM AMON file C:\Temp\7zE1C1C.tmp\018_q347558.exe Win32/Swen.A worm quarantined - deleted
    8/10/2007 9:50:59 AM AMON file C:\Temp\7zE1C1C.tmp\101_scan.jpg a variant of Win32/Spy.Goldun trojan quarantined - deleted
    8/10/2007 9:50:58 AM AMON file C:\Temp\7zE1C1C.tmp\017_photo.pif Win32/Netsky.Q worm quarantined - deleted
    8/10/2007 9:50:58 AM AMON file C:\Temp\7zE1C1C.tmp\014_message.pif Win32/Mytob.D worm quarantined - deleted
    8/10/2007 9:50:57 AM AMON file C:\Temp\7zE1C1C.tmp\013_image.jpg.exe Win32/TrojanDropper.Small.UU trojan quarantined - deleted
    8/10/2007 9:50:57 AM AMON file C:\Temp\7zE1C1C.tmp\015_mntrup.exe a variant of Win32/TrojanDownloader.Delmed trojan quarantined - deleted
    8/10/2007 9:50:56 AM AMON file C:\Temp\7zE1C1C.tmp\012_fullstory.exe Win32/Fuclip.A trojan quarantined - deleted
    8/10/2007 9:50:44 AM AMON file C:\Temp\7zE1C1C.tmp\011_abuselist.zip Win32/Netsky.Q worm quarantined - deleted
    8/10/2007 9:50:33 AM AMON file C:\Temp\7zE1C1C.tmp\010_18_04_2005.exe Win32/TrojanDownloader.Small.ZL trojan quarantined - deleted
    8/10/2007 9:50:26 AM AMON file C:\Temp\7zE1C1C.tmp\000_eicar.com Eicar test file quarantined - deleted

    I filtered out user, machine name, and full description of action (offender and long description of action taken). You get the gist, and you can repeat it yourself of course.

  67. Do the math by mr_java66 · · Score: 1

    It is impossible to catch 6% of 25 items. One is 4%, two catches is 8%.
    ug!
    :{

  68. Where is Norman AV? by Anonymous Coward · · Score: 0

    Maybe not so well known, but they have a good Linux version

  69. Re:The winners: *Direct* Quote by DigitalCrackPipe · · Score: 1

    I was thinking the same thing about the less than bit, but other numbers that appear without such qualifiers in the article are 94%, 89%, and 61%. So, the '25 viruses' is the part that is inaccurate (per other posts).
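
Several comments above point out that 6% cannot be a whole number of hits out of 25, and one suggests the "25 viruses" figure is the inaccurate part. As an added example (not from any commenter or from the test organizers), this Python script searches for sample sizes at which every percentage quoted from the article is reachable; rounding halves up and the search limit of 60 are assumptions.

```python
def rounded_pct(k, n):
    """Whole-number percentage of k out of n, halves rounded up, integers only."""
    return (200 * k + n) // (2 * n)

def achievable(pct, n):
    """Hit counts k in 0..n whose rounded percentage equals pct."""
    return [k for k in range(n + 1) if rounded_pct(k, n) == pct]

def consistent_sample_sizes(published, max_n=60):
    """Sample sizes n at which every published percentage is reachable."""
    return [n for n in range(1, max_n + 1)
            if all(achievable(p, n) for p in published)]

def hits_for(published, n):
    """Map each published percentage to the hit counts that produce it at size n."""
    return {p: achievable(p, n) for p in published}

# Percentages quoted in the thread from the article.
PUBLISHED = [100, 94, 89, 61, 6]

if __name__ == "__main__":
    print("sample sizes consistent with all figures:",
          consistent_sample_sizes(PUBLISHED))
    for n in (25, 18):
        print(f"n={n}:", hits_for(PUBLISHED, n))
    # The NOD32 comment's own figure, 30 of 34 files, checked the same way.
    print("30/34 ->", rounded_pct(30, 34), "%")
```

With 25 samples every result is a multiple of 4%, so none of 6%, 61%, 89% or 94% can occur; the smallest size that fits all five figures is 18, the same count used in the "Trend miss 4 of 18" comment.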

  70. I Wouldn't Need any of That by LAN+Lubber · · Score: 1

    I run Linux.

    That is all.

  71. Publicity Stunt by Master+of+Transhuman · · Score: 1

    The test they ran is completely meaningless from a statistical viewpoint and was almost certainly skewed in some way by the organizers, despite the submission of viruses to be tested from the audience (shills? Not impossible!)

    Despite the claims of the company that conducted the test, ClamAV HAS been tested by several AV testing outfits, and it came up poorly in all of them. In some tests it was down around 36-60%. It did poorly on both "in the wild" and "zoo" viruses. While the commercial AV's also do extremely poorly when confronted with over half a million viruses, bots, spyware and trojans in two tests, ClamAV was not in the high range in either test.

    ClamAV's only advantage appears to be in detecting email viruses (since it was mostly designed to be an email scanner frontend) and in being quick to issue new detection signatures due to its community-based submission process.

    ClamAV might be suitable for home users, but it is not suitable for any company with a significant email and Web traffic. And those are the companies who would be using it in Untangle's and other appliances.

    An exception might be made for the version integrated with Spyware Terminator. For a small company that doesn't have that many malware vectors, this combo is a lot cheaper (free) than paying $500-1000 a year for multiple licenses from the commercial AV companies and will probably protect against spyware better, which is the main threat these days. The only problem with Spyware Terminator is its intrusiveness, when the HIDS heuristic IDS is turned on (it's off on a default install.)

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
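
Two objections raised in the thread, that the test had no clean control files to measure false positives and that the sample is too small to rank products, can be made concrete. This added example (not from any commenter or vendor) scores scanner verdicts against a labelled corpus and reports a Wilson 95% interval; the file names, corpus sizes and both scanners' verdicts are constructed.

```python
import math

def wilson_interval(hits, n, z=1.96):
    """Wilson score interval (95% for z=1.96) for the proportion hits/n."""
    if n == 0:
        return (0.0, 1.0)  # no data: the rate is unconstrained
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def score(labels, flagged):
    """labels: {filename: True if malicious}; flagged: files the scanner reported."""
    bad = {f for f, is_bad in labels.items() if is_bad}
    clean = set(labels) - bad
    tp = len(bad & flagged)    # malicious files correctly reported
    fp = len(clean & flagged)  # clean files wrongly reported
    return {
        "detected": tp, "malicious": len(bad),
        "false_positives": fp, "clean": len(clean),
        "detection_ci": wilson_interval(tp, len(bad)),
        "fp_ci": wilson_interval(fp, len(clean)),
    }

def overlaps(ci_a, ci_b):
    """True when two intervals overlap: the sample does not clearly separate the rates."""
    return ci_a[0] <= ci_b[1] and ci_b[0] <= ci_a[1]

# Constructed corpus: 18 malicious samples plus 20 clean control files.
LABELS = {f"mal_{i:02d}.bin": True for i in range(18)}
LABELS.update({f"clean_{i:02d}.exe": False for i in range(20)})

# Constructed verdicts: A misses one sample; B catches all but flags 6 clean files.
SCANNER_A = {f"mal_{i:02d}.bin" for i in range(17)}
SCANNER_B = ({f"mal_{i:02d}.bin" for i in range(18)}
             | {f"clean_{i:02d}.exe" for i in range(6)})

if __name__ == "__main__":
    for name, flagged in (("A", SCANNER_A), ("B", SCANNER_B)):
        s = score(LABELS, flagged)
        lo, hi = s["detection_ci"]
        print(f"{name}: {s['detected']}/{s['malicious']} detected "
              f"(95% CI {lo:.0%}-{hi:.0%}), "
              f"{s['false_positives']}/{s['clean']} false positives")
```

On this constructed data scanner B tops a detection-only ranking, yet its interval overlaps A's and it misreports 6 of 20 clean files, which a test without a control set would never show.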
  72. do you spell it alittle a lot? by Anonymous Coward · · Score: 0

    Never figured out why people spell A LOT as Alot...

    I mean, really... you don't see people running around typing out alittle... do you?
    No.. because it looks as silly as ALOT did almost 15 years ago when the (sarcasm)unedjamecated(/sarcasm) masses of AOL were connected to the internet at large.

    Please people, give a shit and properly spell and SPEAK things.
    The United States needs Ethics, Grammar and ENUNCIATION! Let GOOD stuff spill over into your typing. Not crap...

  73. Trend miss 4 of 18! by noctrl · · Score: 1

    Just tested on our corporate Trend installation (Windows XP)

    It does not detect:

    111_xxx.com
    112_untangle1.zip
    115_untangle3.zip
    116_untangle4.zip