Subject: "My AntiVirus Test Results (Hotmail Dumps McAfee)"
therube, Thu Dec-23-04 02:49 AM
Fri Dec-24-04 01:27 AM by therube
This is a bit of a follow up to the following brief thread:


"Hotmail Dumps McAfee Anti Virus"
http://www.pcqanda.com/dc/dcboard.php?az=show_topic&forum=2&topic_id=340487#340862

"I did a small analysis of what KAV picked up, & what type of items found, on my brother's computer, & what F-Prot did not. I'll try to get some samples together & run them through AntiVir also, & post some results (tomorrow or so - maybe in a new thread)."


I'll attach a ZIP file. Inside are various TEXT files. Notepad will suffice to open them.


Open the texts, get a feel for what I did, see what you think.


I used the programs I used because F-Prot (DOS & Windows) I had. "KAV" (mwav.exe actually) is a free KAV-based scanner (only). AntiVir is a free command-line scanner & remover. I did not test other Windows programs (at least not ones requiring installation), because I didn't want to install them. mwav is a download-&-run Windows scanner, so to me that was acceptable.


Updated to include Trend Micro Damage Control Engine Results
VIRUS_SAMPLES_RESULTS.122304.zip

Attachment #1, ( file)
Attachment #2, (zip file)


therube, Thu Dec-23-04 02:51 AM
#1. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 0)
Fri Dec-24-04 01:24 AM by therube
AVs:

============

KAV =
MicroWorld Technologies
MicroWorld - Free AntiVirus Utilities - mwav.exe
http://www.mwti.net/antivirus/free_utilities.asp

AV =
AntiVir
"Command line scanner - ave32.exe"
http://www.free-av.com/ave.htm

FP =
F-Prot Antivirus
"Command line scanner - fpcmd.exe (from the Windows version of F-Prot)"
http://www.f-prot.com/

TM =
Trend Micro
Damage Cleanup Engine / Template
http://www.trendmicro.com/download/dcs.asp
Virus Pattern Files
http://www.trendmicro.com/download/pattern.asp

============

Note that all files beginning with '_' are just text files, & some of the .LOGs report files/alerts, so what may seem like "misses" could actually be scans of the "non-infected" text files.

(Note, the free DOS version of F-Prot returns exactly the same results, though it may not scan all files in an XP environment.)

Note that not everything flagged is malware. Some programs' intentions are to act that way, & they do - even though they could be considered dangerous. Also, some of KAV's hits are more informational than necessarily bad.

Note that KAV found all of the malware samples by virtue of the fact that I used KAV to search for samples, & what it found is what I tested the other AVs against.

Note, the Trend logs show "Can not Clean" because I specifically told it not to clean.

============

72 total malware samples.

25 malware samples in "FOUND" (aka X) directory.
All AVs found all the found samples (25)
TM found 23

47 malware samples in "NOT.FOUND" directory.
KAV found all 47
AV found 16
FP found 0
TM found 11

============


UPDATED to include Trend Micro.

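The tallies in the post above were compiled by hand from four scanners' log files. As an added example (not part of the thread, and not tooling from any of the scanner vendors), the Python script below does the same bookkeeping from per-scanner verdict lines, honouring the README note that '_' text files and .LOG reports are not samples and must not be counted as misses. The tab-separated verdict format, the scanner names KAV/AV/FP/TM, and every file name and verdict are constructed for illustration; a real log would need its own reader in place of parse_log.

```python
"""Tally per-scanner detections over a malware sample tree.

Added example; constructed data, not the thread's real logs.
"""

SCANNERS = ("KAV", "AV", "FP", "TM")

# Sample tree as in the thread: a FOUND directory and a NOT.FOUND directory.
# Listing constructed for illustration; '_' files and .LOG reports are not samples.
SAMPLE_FILES = [
    "FOUND/a.exe", "FOUND/b.exe", "FOUND/c.exe", "FOUND/_README.TXT",
    "NOT.FOUND/d.exe", "NOT.FOUND/e.exe", "NOT.FOUND/f.exe", "NOT.FOUND/g.exe",
    "NOT.FOUND/scan.LOG",
]

# Constructed verdict lines: <scanner> TAB <path> TAB infected|clean.
CONSTRUCTED_LOG = "\n".join([
    "KAV\tFOUND/a.exe\tinfected", "KAV\tFOUND/b.exe\tinfected", "KAV\tFOUND/c.exe\tinfected",
    "KAV\tNOT.FOUND/d.exe\tinfected", "KAV\tNOT.FOUND/e.exe\tinfected",
    "KAV\tNOT.FOUND/f.exe\tinfected", "KAV\tNOT.FOUND/g.exe\tinfected",
    "AV\tFOUND/a.exe\tinfected", "AV\tFOUND/b.exe\tinfected", "AV\tFOUND/c.exe\tinfected",
    "AV\tNOT.FOUND/d.exe\tinfected", "AV\tNOT.FOUND/e.exe\tinfected",
    "AV\tNOT.FOUND/f.exe\tclean", "AV\tNOT.FOUND/g.exe\tclean",
    "FP\tFOUND/a.exe\tinfected", "FP\tFOUND/b.exe\tinfected", "FP\tFOUND/c.exe\tinfected",
    "FP\tNOT.FOUND/d.exe\tclean", "FP\tNOT.FOUND/e.exe\tclean",
    "FP\tNOT.FOUND/f.exe\tclean", "FP\tNOT.FOUND/g.exe\tclean", "FP\tNOT.FOUND/scan.LOG\tclean",
    "TM\tFOUND/a.exe\tinfected", "TM\tFOUND/b.exe\tinfected", "TM\tFOUND/c.exe\tclean",
    "TM\tFOUND/_README.TXT\tinfected",   # an alert on a text file must not count
    "TM\tNOT.FOUND/d.exe\tinfected", "TM\tNOT.FOUND/e.exe\tclean",
    "TM\tNOT.FOUND/f.exe\tclean", "TM\tNOT.FOUND/g.exe\tclean",
])


def is_sample(path):
    """A real sample: not a '_'-prefixed text file and not a .LOG report."""
    name = path.rsplit("/", 1)[-1]
    return not name.startswith("_") and not name.lower().endswith((".txt", ".log"))


def parse_log(text):
    """Return {scanner: set of sample paths it flagged}; non-samples are ignored."""
    detections = {s: set() for s in SCANNERS}
    for line in text.splitlines():
        if not line.strip():
            continue
        scanner, path, verdict = line.split("\t")
        if scanner not in detections:
            raise ValueError("unknown scanner: " + scanner)
        if verdict == "infected" and is_sample(path):
            detections[scanner].add(path)
    return detections


def tally(sample_files, detections):
    """Per directory: number of samples and how many each scanner flagged."""
    result = {}
    for path in sample_files:
        if not is_sample(path):
            continue
        directory = path.split("/", 1)[0]
        row = result.setdefault(directory, dict(total=0, **{s: 0 for s in SCANNERS}))
        row["total"] += 1
        for s in SCANNERS:
            if path in detections[s]:
                row[s] += 1
    return result


def single_scanner_hits(sample_files, detections):
    """Samples flagged by exactly one scanner: the cases only a second opinion catches."""
    out = {}
    for path in sample_files:
        if not is_sample(path):
            continue
        hits = [s for s in SCANNERS if path in detections[s]]
        if len(hits) == 1:
            out[path] = hits[0]
    return out


if __name__ == "__main__":
    det = parse_log(CONSTRUCTED_LOG)
    for directory, row in tally(SAMPLE_FILES, det).items():
        print(directory, row)
    print("detected by one scanner only:", single_scanner_hits(SAMPLE_FILES, det))
```

The single_scanner_hits report is the part worth keeping around: a sample that only one engine flags is exactly the case where a verdict of "clean" from your usual scanner tells you nothing, which is the situation the rest of this thread keeps coming back to.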

Allyn, Thu Dec-23-04 05:21 PM
#6. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 1)
Thu Dec-23-04 05:24 PM by Allyn

I found this after some cruisin'.

http://www.wilderssecurity.com/showthread.php?t=58597

And for some real surprises check this out.

http://www.geocities.jp/stealrush/en_ScanTest.html

Some of the online results from Japan just don't make sense.

The only sure thing is that no single test or malware package can be 100% conclusive. There's always doubts about testing methodology.


therube, Thu Dec-23-04 03:32 AM
#2. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 0)
Thu Dec-23-04 03:37 AM by therube

One may ask why I did this.

I have always used the free DOS version of F-Prot AV.
It has always worked well. Not too long ago, for the first time, I decided to try a Windows AV with real-time AV protection. I went with F-Prot for Windows. It has also worked well.

I have read various AV reports, & they typically rate KAV scanners the best - highest detection rates. I have read various AV reports, & typically the often-mentioned free AVs don't fare as well. F-Prot, from what I have seen, has always done better than the free ones, but worse than the KAVs.

There have also been times when I've scanned files that came up clean, but others scanned the same file & found malware. Different AV's, different results.

Then I started visiting this site:

Online malware scan
http://virusscan.jotti.dhs.org/

People upload files, the site scans the files with various AVs & reports the results. Many times I'll open the site, then periodically reload it to see what new items have come in, & what & who detected it. Almost without exception KAV returns results. Other than that, it is a shoot & miss scenario. Most of the time F-Prot was not detecting anything.


That got me interested in KAV scanners. mwav.exe gives me a method to cleanly try out a KAV scanner. And probably I'll eventually update to a full KAV Windows based AV program.


Allyn, Thu Dec-23-04 12:30 PM
#3. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 0)
Thu Dec-23-04 12:50 PM by Allyn

Excerpt from your READ.ME file:

(Note, the free DOS version of F-Prot returns exactly the same results, though it may not scan all files in an XP environment.)

I assume your XP file system is FAT32, correct?

My limited test of F-Prot for Windows nailed a rather obscure RAT and other files very quickly upon accessing my overloaded My Documents folder. Frankly, I suspect there is a flaw in the implementation of the F-Prot scanner at Jordi's website.

I'll have some more questions later.





therube, Thu Dec-23-04 01:48 PM
#4. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to Allyn (Reply # 3)
Thu Dec-23-04 02:06 PM by therube

No. NTFS.

I'll try to find the full wording from F-Prot on the DOS version in an XP environment.


EDIT:

"Scanning Windows 2000 / 2003 / XP system with F-Prot Antivirus for DOS results in only a portion of files on the hard drive being scanned.

This is the problem with running a DOS antivirus scanner on Windows NT 4.0 / 2000 / 2003 / XP systems. It is not guaranteed that all files will be scanned. The reason for this has mainly to do with long filenames and non-ASCII characters in file names. DOS only "understands" 8 character long filenames.

Therefore use the OnDemandScanner scanner to scan Windows NT 4.0 / 2000 / 2003 / XP systems. You can also use the command line scanner: fpcmd.exe. You use the same command-lines as for the DOS scanner."

http://www.f-prot.com/support/windows/fpwin_faq/26.html

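The F-Prot FAQ quoted above blames long and non-ASCII file names for the incomplete coverage of the DOS scanner. As an added example (not from the thread, from F-Prot or from Microsoft), the Python script below audits a directory tree and lists the files whose path is not made entirely of valid 8.3 names, i.e. the files a scanner that only understands DOS names can reach only through a generated short-name alias. The tree in CONSTRUCTED_PATHS is made up for the demonstration; audit_tree runs the same check over a real directory.

```python
"""Find files a DOS-style (8.3-name-only) scanner cannot reach by long name.

Added example; the tree in CONSTRUCTED_PATHS is made up for the demonstration.
"""
import os
import tempfile

# Characters DOS rejects in a short name, besides space and control characters.
_DOS_INVALID = set('"*+,/:;<=>?\\[]|')


def is_dos_83_name(name):
    """True if the name as written is a valid DOS 8.3 name (case is ignored)."""
    if not name or name in (".", ".."):
        return False
    if not name.isascii() or any(c in _DOS_INVALID or ord(c) <= 32 for c in name):
        return False
    base, _dot, ext = name.partition(".")
    if "." in ext:                       # a second dot, e.g. dropper.exe.vir
        return False
    return 0 < len(base) <= 8 and len(ext) <= 3


def audit_paths(rel_paths):
    """Split paths into (visible, hidden): hidden if any component is not 8.3-valid."""
    visible, hidden = [], []
    for path in rel_paths:
        parts = path.replace("\\", "/").split("/")
        (visible if all(is_dos_83_name(p) for p in parts) else hidden).append(path)
    return visible, hidden


def audit_tree(root):
    """Walk a real directory and audit every file path relative to root."""
    rel = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel.append(os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/"))
    return audit_paths(sorted(rel))


# Constructed layout mimicking a Windows volume; only two files use pure 8.3 paths.
CONSTRUCTED_PATHS = [
    "WINDOWS/SYSTEM32/NOTEPAD.EXE",
    "Program Files/Tool/run.exe",                         # space, directory name > 8 chars
    "Documents and Settings/user/Local Settings/Temp/dropper.exe",
    "temp/installer.exe.vir",                             # two dots, base > 8 chars
    "temp/r\u00e9sum\u00e9.exe",                          # non-ASCII characters
    "temp/a.exe",
]


def main():
    # Build the constructed tree in a temporary directory and audit it for real.
    with tempfile.TemporaryDirectory() as root:
        for rel in CONSTRUCTED_PATHS:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        visible, hidden = audit_tree(root)
    print("reachable by 8.3 name:")
    for p in visible:
        print("  ", p)
    total = len(visible) + len(hidden)
    print("hidden from an 8.3-only scanner (%d of %d files):" % (len(hidden), total))
    for p in hidden:
        print("  ", p)


if __name__ == "__main__":
    main()
```

The check is deliberately conservative. Windows normally generates an 8.3 alias for such names, so a DOS program may still open them; but if short-name generation has been disabled on an NTFS volume (the NtfsDisable8dot3NameCreation setting) no alias exists at all, and the "hidden" list is then exactly what a DOS-era scanner would never see. Pointing audit_tree at the root of a typical XP volume shows how large that share is once Program Files and Documents and Settings are counted.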

Night_rider666, Thu Dec-23-04 03:08 PM
#5. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 4)

I very much doubt F-Prot running under DOS would have capability to do much with an NTFS partition.




'Artificial intelligence is no match for natural stupidity'

therube, Fri Dec-24-04 12:43 AM
#7. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to Night_rider666 (Reply # 5)

Sure, why not.

Other than the limitations mentioned above, why should a program care whether it is run on a drive that is formatted NTFS or FAT?

There is really nothing special or different between the free DOS F-Prot AV & the Windows version (other than that the Windows version has the realtime component). They use the exact same virus definition files. They work the same, they run the same. Matter of fact, I prefer the interface on the DOS version to the Windows version.


Grogan, Fri Dec-24-04 02:21 AM
#8. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 7)

I'm going to assume you mean running the DOS Fprot program from within Windows and that you know DOS doesn't support the NTFS filesystem. (not without special drivers, anyway)

Filesystem issues aside, I would expect a DOS antivirus program running in a Windows NT based operating system to not work correctly, because it is running in a virtual machine. It only runs, because it's being lied to about its environment. Low level access to repair system files will fail.

I had a look at your test results. I used to do stuff like that too, I had a "virus zoo" in an archive. I collected them. I soon realized, that sort of testing is not really all that useful. No matter how many you have, it's never a large enough sample and nor is it necessarily representative of threats that others are going to encounter. Also, in testing like that, it's not real world situations. Finding a signature in filename.exe.antivirust.test (or whatever) just sitting in a directory with a file extension that might not even be scanned by all scanners is not the same as finding and dealing with active nasties.

So the KAV based scanner finds lots of stuff and you used it to generate samples, kind of like a baseline for your tests. Your sample is far too small for that kind of comparison. Even the crappiest antivirus program can know about something that even the best doesn't.

You have to know, that in cleaning up a system, you need to run multiple utilities to get all the malware. There is no one program that is going to take care of all of it.

I like Antivir a lot (though I use the full Windows program, not the command line scanner). It's a simple enough program that it can be quickly installed, used and then uninstalled with no harm to the system if it's not going to be the resident antivirus program. The downloaded installation executable archive is updated almost daily, so it's always pretty current right out of the box. I find it to be one of the most useful for removing the nasties I encounter. I usually do a run with Trend Sysclean in Safe Mode first though.

Grogan


therube, Fri Dec-24-04 06:51 AM
#9. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to Grogan (Reply # 8)
Fri Dec-24-04 06:53 AM by therube

>I'm going to assume you mean running the DOS Fprot program
>from within Windows and that you know DOS doesn't support the
>NTFS filesystem. (not without special drivers, anyway)

Correct.

>Filesystem issues aside, I would expect a DOS antivirus
>program running in a Windows NT based operating system to not
>work correctly, because it is running in a virtual machine. It
>only runs, because it's being lied to about its environment.
>Low level access to repair system files will fail.

That is assuming it is making a low-level access. Or is it just making an OS call to delete a file? I don't really know, but with F-Prot (DOS & Windows) that is the impression I get. (The realtime AV would be different in that respect. And I assume Norton AV gets in far "deeper" than F-Prot?)

>I had a look at your test results. I used to do stuff like
>that too, I had a "virus zoo" in an archive. I collected them.
>I soon realized, that sort of testing is not really all that
>useful. No matter how many you have, it's never a large enough
>sample and nor is it necessarily representative of threats
>that others are going to encounter.

True.

>Also, in testing like
>that, it's not real world situations. Finding a signature in
>filename.exe.antivirust.test (or whatever) just sitting in a
>directory with a file extension that might not even be scanned
>by all scanners is not the same as finding and dealing with
>active nasties.

Well, these are all real world situations. All pulled from my brother's computer. All ended up on his computer one way or another.

He is running Win98. Oddly enough, even though for a long period of time he was continually getting malware, & even though he was networked with other computers, none of this really affected him or any of the other systems. I have him running Mozilla rather than IE, & Eudora rather than OE. There never were any real "cleanup" actions taken on his computer (that I can recall?). I'd run the usuals, Ad-Aware & Spybot, & eventually put in SpywareBlaster. So it was more like the malware was getting into his computer, but not really doing anything. I'd periodically look through his system, find (usually by "feel") what wasn't right, rename the file with a .VIR extension, & leave it there.

Unfortunately, I never receive the kinds of stuff he does, so when I started thinking about doing this kind of test, I had ready availability of material.

I culled his files, pulling a single sample of each type of malware I could find.

>So the KAV based scanner finds lots of stuff and you used it
>to generate samples, kind of like a baseline for your tests.
>Your sample is far too small for that kind of comparison. Even
>the crappiest antivirus program can know about something that
>even the best doesn't.

Agreed. But when I took the "samples" & put them on my system & started scanning them, I then found that F-Prot did not find much of what KAV came up with, & then I gave some other programs shots at the same samples, & they missed much also.

So what does that tell me? First, I have never had a virus. I do not run Ad-Aware or Spybot or SpywareBlaster on my system. I have run HijackThis & CWShredder only cause they are stand-alone programs that I can run in a scan-only mode.

I do (now) run F-Prot for Windows AV, & free ZoneAlarm, & I have a router with NAT. Oh, & I run Mozilla & Eudora. I do not run IE, or OE, & do not have Java installed.

Knowing what I do, & how I do it, I have no problems running the way I do. Knowing that F-Prot is not an end-all solution - cause I see there is a lot that it is not finding - I've endeavored to find other methods of keeping my system clean. So what will I do? 95% of the time, I will run as I do & as I have been. That other 5% of the time, if I download something from a suspect site, or something that I am not comfortable with, or something that I have read may contain malware, I'm going to scan it with other scanners.

>You have to know, that in cleaning up a system, you need to
>run multiple utilities to get all the malware. There is no one
>program that is going to take care of all of it.

Agreed 100%. Note, on my brother's computer, as I mentioned above, there was not really anything to be cleaned. An odd thing here, or an odd thing there, but not a wholesale corruption of his system where it really affected anything on it. My impression is that current malware takes advantage of WinXP, IE, & OE, & their vulnerabilities. It sees Win98 & laughs: hah!, I'm not even going to screw around with you. (If he was running IE & OE, that would likely have been different.)

A friend's computer (XP, IE, OE) had all types of malware, & I had to use all of the tools mentioned here (plus A2) to get rid of it. One found what the other didn't. They all complemented one another. Some needed the reboot (Spybot) before it was able to fully remove some of the malware. I thought that was great that it was able to do that.

I updated his AV (Norton) & firewall (ZA), & installed SpywareBlaster.

We'll see what happens with that.


Grogan, Fri Dec-24-04 07:17 AM
#11. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 9)

Removing a virus from an actual infected file is more what I was thinking.

Antivirus software like Norton has complex machinery that allows it to operate in NT OSes. Kernel level drivers and services in addition to the programs.

Ever tried to print from an old DOS program in Windows XP, that tries to talk to the port directly? It usually just hangs the program. You've got to do what the kernel says, just like in the army.

Windows XP is horrendous to fix when it's all fouled up with viruses/trojans/malware. Windows 98 is much easier.

Grogan


therube, Fri Dec-24-04 06:56 AM
#10. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 0)

Anti-Virus Software Review 2005
http://www.anti-virus-software-review.com/

AV-comparatives.org
http://www.av-comparatives.org/seiten/home.html

Virus Bulletin : Independent Anti-virus and Anti-spam Advice
http://www.virusbtn.com/vb100/archives/products.xml

Antivirus programs, protection guide, virus info and removals, antivirus tests, free support!
http://www.virus.gr/english/fullxml/default.asp?id=67&mnu=67

Online malware scan
http://virusscan.jotti.dhs.org/

Wilders Security Forums
http://www.wilderssecurity.com/


Randy_Bell, Sun Dec-26-04 12:52 PM
#12. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to therube (Reply # 10)

"MERRY CHRISTMAS & HAPPY NEW YEAR" to all you dear folk at PCQandA. I did not get a chance to say that to y'all yesterday, with all the heartfelt warmth and depth of feeling it deserves.

This was an absolutely exemplary thread, well done guys. Objective and interesting discussion. Grogan your last two posts here are absolutely right-on. I have almost a Gigabyte of samples {and growing} in my Virus Collection and I feel as if I've just scratched the surface!

If people who make snap judgments about AVs {the people at various forums who jump to quick premature conclusions and post "AV-X Sucks because it missed this or that lone sample on my box"} could only realize:

1. There are literally hundreds of thousands of malware samples floating around {old and new}, and they grow by the hundreds every day. No single person or agency can hope to "catch" or collect them all. One has to lurk around the dark side of the Net, at hacker sites {often ones in Russian, Chinese, Polish, etc.} to find the more exotic ones. {Or it helps to have friends who lurk at such sites and send you samples}. Hopefully WildList.org and other professional agencies can find and list the ones that are most representative of what is in wide circulation in-the-wild {ITW}.

2. Any one of those hundreds of thousands of samples can be "doctored" by a hacker to elude detection of any given AV or AT scanner: through rebasing, hex-editing, encryption, runtime-packing {in over a thousand execution-compression formats to choose from}, etc. I have seen threads discussing where someone had rebased most of KAV's database, forex. It is just not possible to thwart a skilled hacker who knows what he is doing and wants to make a "custom" virus or malware to elude detection of a given scanner. One can only hope to "react" quickly, by releasing a new detection signature, to any "new" variant that attains some noticeable circulation in the wild and becomes a significant threat.

3. There is a lot of confusion over Adware-Spyware these days; it has a lot of similarities to trojan and trojan-like code, and often is assigned names that are similar to trojans: "TrojanDownloader.XX.YY" or "Backdoor.Agent.XX" -- so that oftentimes people are talking about spyware when they think they are dealing with trojans, but they really aren't dealing with a classic backdoor trojan but with the new genre of Adware and Spyware. Not all AVs are geared to detect this "new" class of malware that has arrived on the scene, and people get this confused with "classic" malware {worm, virus, trojan} that AVs are designed to cover. But all the major AVs are beginning now to expand their coverage into these "expanded threats" which include Adware and Spyware.


Grogan your comments about NAV having several processes & services tailored for the NT-Kernel Environment were spot-on. One example of that is the option {enabled by default} to scan compressed files in realtime, that was introduced in NAV 2004 and higher. That option uses an NT-based driver and doesn't work in Win9X but only in NT-based systems. Of course one cannot expect a DOS-based scanner to have such features.

Also, Kaspersky has had, for years now, such extensive coverage of runtime-packing and compression, now at over a thousand formats and counting that it recognizes. It puts those unpackers in its Bases so that any version of KAV {3.x and higher} can use them; and the formats covered are being added to almost on daily basis. {The current version of KAV is 5.x of course}. I agree with the others' comments that scanners based on KAV Engine and Signatures are the best. That is, KAV-based scanners are best in terms of detection rate; BUT, there are also always "intangibles" for any Scanner, as to how well it runs on and agrees with your particular unique system.

So use the one that has good detection and plays well on your box. That is why software comparison arguments are often so futile, because people are comparing the "apples and oranges" of how well a given Scanner will run on their systems, when everyone has a different "mix" of hardware and software compatibility issues to contend with on their system.

Almost all the respectable Scanners on the market have pretty much 100% detection of the well-known and recognized ITW viruses you are most likely to encounter in the wild. And they all have a submission procedure you can follow to submit any new and undetected viruses or malware that you find.

Excellent thread, and again a belated "MERRY CHRISTMAS" to all of you guys!


Grogan, Sun Dec-26-04 05:33 PM
#13. "RE: My AntiVirus Test Results (Hotmail Dumps McAfee)"
In response to Randy_Bell (Reply # 12)

Merry Christmas, and now, Happy Boxing Day, Randy

Grogan
