Many Antivirus Tools Fail in LinuxWorld Test

talkinsecurity writes "In a public, side-by-side test conducted last night at LinuxWorld, ten antivirus products were confronted with 25 known viruses. The results were surprisingly disparate. Only three of the products caught all of the viruses; three only caught 61 percent, and one caught an abysmal 6 percent. The test, which wasn't particularly complicated, proves that there still are wide differences in the effectiveness of AV tools. A lot of people think all AV tools are the same — they're not!"

The winners:

[RichPowers]

From TFA:

Kaspersky, Symantec, and Clam AV: 100% caught

FProt and Sophos: 94%

McAfee: 89%

GlobalHauri, Fortinet, and SonicWall: 61%

WatchGuard's Linux AV: 6%

And a graph of the results plus links to some of the test viruses: http://virus.untangle.com/

Re:The winners:

[alx5000]

What's even funnier:

WatchGuard disputes the test results, stating that it uses ClamAV -- one of the products that caught all of the viruses -- in its own product. "We don't see how the results could be valid -- our product uses ClamAV," a spokesman says.

Re:The winners:

I must have missed something. How, with 25 different viruses can one catch 6%? My math skillz tell me that it should be divisible by 4.

Re:The winners:

Duh, it detected a virus and a half! Do I have to explain everything to you??

Re:The winners:

[careykohl]

Well then, all WatchGuard needs to do now is back it up with some source code showing how they managed to fuck it up so bad it misses 94% of the viruses now.

Re:The winners:

[flu1d]

I guess that really all depends if they're using ClamAV's definition updates or not. The anti-virus engine is useless without a good list of definitions. ClamAV is pretty sweet due to the fact that you can create your own definition for a 0 day and submit it back to ClamAV while using the new definition.

viruses on linux - a big deal anyway?

[pddo]

are viruses on linux a overflow from WINE?

Re:viruses on linux - a big deal anyway?

[adam.dorsey]

Linux mail directors/servers/etc. often run AV to scan mail for their more vulnerable cousins from Redmond.

Re:viruses on linux - a big deal anyway?

[archen]

And this is especially good news for those of us utilizing CLAM. You COULD spend a heap of cash adding on tons of crap to an exchange server and hope that it doesn't implode under the weight... or you could have a postfix mail gateway with Clam AV and some simple spam blocking techniques for only the cost of time and hardware. It's also good in a way that not only do you not get viruses IN, but you can keep them from going out as well. You've obviously got issues at that point, but at least you're not spreading the plague. All thanks to open source goodness.

Re:viruses on linux - a big deal anyway?

[cp.tar]

Actually, I remember an article about the lack of compatibility between Windows and WINE.

Of the four viruses thrown at it, WINE couldn't run one properly.

Truly, Wine Is Not an Emulator.

Re:viruses on linux - a big deal anyway?

[JeffSh]

Another viable option are the managed services i.e. messagelabs and postini. they are becoming increasingly popular and are alot simpler to implement for small business.

Re:viruses on linux - a big deal anyway?

[SpaceLifeForm]

There's a good thing about Exchange.
By the time you get the e-mail, the zero-day is expired.

AVG

[DigiShaman]

What about AVG? I really love it. I've installed on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff then Trend Micro, Symantec and McAfee.

Also, Bitdefender and Nod32 are also good for the Windows enviroment. I'm curious to how all these ranked in the Linux world.

Re:AVG

[Southpaw018]

They left out Eset NOD32 as well. Symantec and McAffee are the AV old guard: still strong, but also bloated, slow, and weakening. And they have the occasional health problems.

Kaspersky and Eset seem to be the two main up and comers, and they left one out!

Re:AVG

[Kymermosst]

What about AVG? I really love it. I've installed on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff then Trend Micro, Symantec and McAfee.

Also, Bitdefender and Nod32 are also good for the Windows enviroment. I'm curious to how all these ranked in the Linux world.

Test them yourself. The virus samples they used are found here.

Re:AVG

[omeomi]

I've had good experiences with AVG. Unfortunately, on the rare occasions that I have had to deal with a virus, I've had to go through just about every single virus scanner that I can find before I'm able to completely eliminate the virus. Last time around, AVG was the one that correctly identified the virus, allowing me to find some special utility that somebody had written specifically to delete that particular virus. I think it was still a fairly new virus, which might explain why the major brands weren't able to clean my system, but I've been somewhat surprised in the past that it's so difficult to remove a virus/worm with commercial virus scanners.

Re:AVG

[Feyr]

my experience mirrors yours. based on many dozens of PCs running AVG: it's excellent at detection but once a virus does get past it you're fucked

Re:AVG

[schwaang]

NOD32 Antivirus for File Servers runs seamlessly on all mainstream Linux distributions (RedHat, Mandrake, SuSE, Debian and others) and FreeBSD. The small footprint and fast performance makes NOD32 optimally suited for real-time or on-demand protection of your Unix File System Servers.

http://www.eset.com/products/linux.php

Odd numbers.

[DerekLyons]

Something seems a little strange here. With 25 test cases, and a binary outcome (either the virus was detected or it was not), the %caught should proceed in even step of 4%. There's some number massaging going on somewhere.
 
Hmm... the Fight Club Website lists 35 test cases, not 25. It's not clear if there is any overlap between the various test cases. In fact, there's not any discussion of the testing methodology (let alone what precisely was tested) at all. Just "here's our numbers - believe them or infect your own machine and find out for yourself".
 
Now, while I admire the 'do it yourself' hacker ethos as much as the next guy - this is taking it a bit too far.

Re:Odd numbers.

[Bibz]

Well examining the Excel sheet here http://virus.untangle.com/, they used 18 test cases, so they got 5.6% for Watchguard

The summary was wrong, it's either 18 test case or 35 test case, depending of the section you're looking at...

Online Scanners Considered... Bad?

[eddy]

For fun I downloaded an application where I suspected the "keygen" was trojanized. I was correct; the real keygen had been bundled with some, as it would turn out, Off The Shelf trojan. However, I didn't know what trojan so I scanned with F-Secure's online-engine, which didn't detect anything (neither did my active AVG installation). So I sent in the exectuable as a sample, explained what little I had to say; where I found the file, that it was pecompact2'ed, that their online scan didn't detect it. The process of submitting a file req. you to attach the scanner log.

Got the reply that "The file you submitted was found to be malicious, and is already detected as Trojan-Downloader.Win32.Delf.asz using the latest virus definitions." and "Please update your virus definition databases to properly detect the file".

Remember, I had scanned it using their latest online scanner and provided the log where the trojan was NOT detected.

So, maybe an extra warning for online scanning engines.

PS.
Shortly after I had submitted the file to f-prot, AVG started detecting it.

Re:math question

[seriesrover]

thats exactly what I was thinking...how can you have 25 viruses and get anything other than 4%, 8%, 12% etc. The article refers to 6%, 61% and 89%...bizarre - I can only reason that they weighted the severity of each virus.

Not surprising...

[SuperBanana]

...considering that most of the antivirus programs were tricked when a new "variant" of one of the worms back around '99 or so. So kids- just insert random whitespace into your worms!

The change? The line endings in the VBS script changed. It probably wasn't even intentional- some broken mail server probably modified CR's into CRLF's. It sailed right past Trend Micro's email scanner and infected several dozen systems.

I was the first person to notice why it slipped by, and brought it to the attention of a big-name "security expert" who ran a mailing list which shall go unnamed. He thanked us for the research, passed along my findings to the list, and then promptly went around doing interviews with the press using the first person voice. "I discovered that...", blah blah was what I read the next day.

I run Linux because...

[BearRanger]

Let me preface this by saying that I work in a Windows free environment. I understand that not everyone has this luxury.

Am I a bad citizen because I don't scan for Windows viruses on my Linux systems? It's almost like another Microsoft tax--you're expected to degrade your performance to prevent their victims, uh, customers (yeah, that's it) from infecting each other. Those folks need to be responsible for their own safety and not expect the rest of us to do it for them. They could start by holding Microsoft accountable and making other choices at purchasing time. To me, Windows isn't worth the hassle.

Re:I run Linux because...

[n0dna]

Ever consider that every virus infection stopped by anyone, target or not, could cut down on the bandwidth sucked away from all of us by the ever increasing botnets?

What about infected files that don't originate on your systems but are passed through it? If you send out an infected file, the recipient won't care where you think you got it, or how much you feel that it isn't your problem, you're the one who infected them.

You can piss and moan about trash on the sidewalk or you can just pick it up.

Re:I came to moderate!

[shystershep]

druel

Is that a cross between drivel and drool? Maybe some gruel thrown in for flavor?

Re:Zombies

[bmo]

If you suspect something is evil with your setup, you should go with your gut instincts. You are probably more right than you know.

You should get away from antivirus. Seriously. I'm going to sound like a salesman, but bear with me a bit.

Antivirus and anti-malware in general, on Windows machines, closes the barn door after every single horse has bolted. There is _no_ way to be sure your Windows computer is badware/zombieware free. To top this off, it often sucks up incredible amounts of cycles that turn the latest gamer machine into an XT.

There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze. What you do is establish a "ground state" for the machine by doing a bare metal install and then installing DeepFreeze. You then have certain areas for data that are unfrozen, but the rest is basically locked up tight.

Surf by an evil site and get a drive-by install? Laugh maniacally, and reboot. The evil bits are then...gone. The machine has returned to its ground state. To install software permanently, you must "unfreeze" the machine, install your software, and then refreeze. The refreezing can be automatic for the next reboot or specified for a certain number of reboots, like if you were doing a Windows update and have to suffer through the interminable reboots. So it also gives Windows "parental supervision" - even for the 9x machines that don't have the concept of an "administrator" account.

Evilware in the presence of DeepFreeze is about as sticky as snot to teflon. If you insist on staying with Windows, this will let you sleep at night.

I swear, Faronics should hire me.

--
BMO

I have to question the validity of this test...

[RootWind]

Not to knock Clam but there is something odd about these results (Besides the absurdly low testbed). TFA says Clam won two years ago (which meant Untangle would use it), and again now. However, just last May the results from AV-Test.org (a real trusted legitimate source) against a comprehensive testbed put ClamAV near the bottom of the heap: http://www.pcmag.com/article2/0,1895,2135053,00.as p
I can't help but think that Untangle is trying to justify their own choice, rather than have a real test. With a testbed of only 25-35, it is possible to pick a group of malware that can put any AV on top. Even the user submitted malware is suspect, especially when that testset is also so low. ClamAV is great against virus outbreaks, with one of the fastest signature responses, but it has pretty atrocious trojan and zoo detection, since there is not enough man-power to collect and create signatures for less prevalent and non-replicating malware.

Re:Onecare caught 0%

[Dude+McDude]

That would mean that it's performing just as well as it does in Windows. Good work Microsoft!

Re:Zombies

[ozzee]

I actually do the same kind of thing. Whenever I get a new machine, I snaphot the HDD before I even boot it the first time. Then I run the auto updates from MS and snapshot it again. I then regularly wipe the machine by restoring a snapshot. (It also forces me to keep my data somewhere else that is safe.)

The only advantage of this over the DeepFreeze thing is that I can unfreeze to multiple prior states.

I think it should be a standard feature with these 100GB++ notebook drives.

Re:math question

[VirusEqualsVeryYes]

Additionally, they could have calculated the type of virus (by entry method, severity (as you mentioned), spread method, mode of attack, age, etc.) and weighed their percentages in the wild. It's also possible that the programs perhaps prevented some of the damage of some of the virusus, thus meriting partial credit.

It's also possible I'm wrong, but either way, the article is omitting some information we're supposed to know.

Re:math question

[Bibz]

Because the summary isn't right.

They used 18 test cases, Watchguard got only one : 1/18 = 5.55%, rounded = 6%

All from the spreadsheet available at http://virus.untangle.com/

Re:Zombies

[imemyself]

There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze

Have you ever worked in a tech department that had to support frozen computers? It turns a project that would maybe take fifteen or twenty minutes per lab into something more like and hour long. The school district that I work for used Deep Freeze on most of the desktops at the high school up until about a year or two ago. Taking DF off made it a lot quicker to make minor changes to the computers during the year, and there hasn't been any significant problems. Students and teachers are also happier with it because it prevents stuff that people have saved in My Documents (yes, the kids are told over, and over again to save to their mapped home directories - but occasionally they don't) from being wiped out.

About the same time as that we also took students out of the Admin group (I'm not exactly sure why they were in there in the first place - no apps have had any problems with it), so that mitigated any significant problems as well. We also have McAfee managed AV and 8e6 web filtering, but AFAIK its fairly rare that any viruses or malware are found on the student computers. The laptops that the teachers have(and have admin rights on) are another story. But they would whine if they couldn't add weatherbug and have five different toolbars in IE. Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it. Students/regular non-admin users should not be able to cause damage to the OS. In a well run environment there shouldn't be tons of problems with malware. Yeah, there is going to be an occasional piece of malware that exploits a security vulnerability that could screw up the system. But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups.

Re:Zombies

[bmo]

"Have you ever worked in a tech department that had to support frozen computers?"

A bit. It's a PITA, but for static setups that don't need touching and subject to "many hands" like in a library, it's not bad. Let's just say that students in a classroom are typically better behaved than many library patrons.

" Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it."

Well, I think the problem with that lies elsewhere, probably in a place called Redmond. All this stuff is just patches upon patches to keep Windows from eating itself.

"But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups."

Some would say that this should be the default, but "design and marketing decisions" prevent that.

"But they would whine if they couldn't add weatherbug and have five different toolbars in IE"

Nnnggghhh.... *puts on BOFH hat* "YOU GET THE POLICY OF DOOM! MUAHAHAHAHAHAH!!!!"

--
BMO

Re:I came to moderate!

[JackieBrown]

000_eicar.com
001_eicarcom2.zip
002_eicar_com.zip
003_eicar.rar
004_eicar.zip.bad_extension
005_eicar_big.zip
010_18_04_2005.exe
011_abuselist.zip
012_fullstory.exe
013_image.jpg.exe
014_message.pif
015_mntrup.exe
016_patch-6143.zip
017_photo.pif
018_q347558.exe
019_scan_check.jpg.exe
020_test.zip
021_The_taxation.zip
100_8.zip
101_scan.jpg
102_Syndony.zip
103_Update-KB8136
104_Attachement.scr
105_image.jpg.exe
106_Info.exe
107_Please-confirm-pay
108_virus_87
109_virus_88
110_vvzh.scr
111_xxx.com
112_untangle1.zip
113_untangle21.zip
114_untangle22.zip
115_untangle3.zip
116_untangle4.zip

Re:The winners: *Direct* Quote

[quadra23]

One product, WatchGuard's Linux AV tool, caught fewer than 6 percent of the viruses sent to it. "We're not exactly sure what the problem with WatchGuard is," says Morris. "The test was set up the same way for all of the vendors."

This number quoted by the original poster missed the section in bold, it was technically < 6%, which could mean either 0 or 1 virus (funny how everything always works out to binary in some way or another :). My question would be which is it? Either way, my system would be compromised by either 24 or 25 viruses -- neither of which is a good scenario especially in regards to well-known viruses (according to the article no 0-day exploits were accepted).