Test Strategies & Common Mistakes International Antivirus Testing Workshop 2007

Similar documents
Beyond Testing: What Really Matters. Andreas Marx CEO, AV-TEST GmbH

The WildList is Dead, Long Live the WildList!

Testing Exploit-Prevention Mechanisms in Anti-Malware Products

Retrospective Testing - How Good Heuristics Really Work

UP L13: Leveraging the full protection of SEP 12.1.x

Discount BitDefender SBS Security pc computer software ]

Get BitDefender Business Security 3 Years 15 PCs pc software site download ]

Coupon BitDefender Corporate Security 3 Years 10 PCs internet download software for pc ]

Avg Antivirus Manual Latest Version 2013 For Xp

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

Anti-Virus Comparative No.1

Get BitDefender Security for File Servers 2 Years 5 PCs computer new software download ]

Anti-Virus Comparative No.8

Common Preventive Maintenance Techniques for Operating Systems

Anti-Virus Comparative No.7

Anti-Virus Comparative No.4

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Invincea Endpoint Protection Test

Antivirus Technology

User Guide. This user guide explains how to use and update Max Secure Anti Virus Enterprise Client.

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Herd Intelligence: true protection from targeted attacks. Ryan Sherstobitoff, Chief Corporate Evangelist

EXECUTIVE REPORT 20 / 12 / 2006

Free antivirus software download

Symantec Endpoint Protection 14

Review BitDefender Business Security 2 Years 1000 PCs free pc software downloading sites ]

Insecurity in Security Software

BITDEFENDER. White paper

Cracked BitDefender SBS Security 2 Years 2000 PCs downloads softwares for pc ]

An Introduction to Virus Scanners

Free Download BitDefender Client Security 1 Year 50 PCs softwares download ]

Get Max Internet Security where to buy software for students ]

Quick Heal AntiVirus for Server. Optimized Antivirus Scanning. Low on Resources. Strong on Technology.

Seqrite Antivirus for Server

NetDefend Firewall UTM Services

Manually Remove Of Xp Internet Security Protect Virus Manually

Anti-Virus Comparative

Free Download BitDefender Business Security 3 Years 5 PCs full version free software download ]

Remove Mcafee Antivirus Plus 2013 Link Version For 90 Days

Protection Against Malware. Alan German Ottawa PC Users Group

Symantec vs. Trend Micro Comparative Aug. 2009

Discount Bitdefender Security for SharePoint website for free software ]

User s Guide. SingNet Desktop Security Copyright 2010 F-Secure Corporation. All rights reserved.

Safe N Sec Enterprise Pro

Cracked BitDefender Security for File Servers 2 Years 55 PCs pc repair software for free ]

Endpoint Protection. ESET Endpoint Antivirus with award winning ESET NOD32 technology delivers superior detection power for your business.

Free Download BitDefender Business Security 2 Years 30 PCs web software free ]

How To Remove Personal Antivirus Security Pro Virus Windows 8

Coupon BitDefender Corporate Security 1 Year 45 PCs best site for free software download ]

For Businesses with more than 25 seats.

Annexure E Technical Bid Format

Symantec Antivirus Manual Removal Tool Corporate Edition 10.x

Forensic Network Analysis in the Time of APTs

To Renew or Change? Cloud-based Antivirus for Busy IT People

How To Remove Personal Antivirus Security Pro Virus Manually

Avira Ultimate Protection Suite. Short guide

Kaspersky Internet Security - Top 10 Internet Security Software in With Best Antivirus, Firewall,

ESET Secure Business. Simple and Straightforward

Anti-Virus. Anti-Virus Scanning Overview. This chapter contains the following sections:

Securing Your Business Against the Diversifying Targeted Attacks Leonard Sim

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

GFI product comparison: GFI MailEssentials vs. McAfee Security for Servers

Full Edition BitDefender Business Security 3 Years 10 PCs free computer software downloads for windows ]

Prevx 3.0 v Product Overview - Core Functionality. April, includes overviews of. MyPrevx, Prevx 3.0 Enterprise,

Avira Endpoint Security. HowTo

Anti-Virus Testing and AMTSO

INTRODUCING SECURITYPLUS FOR MDAEMON

Norman SandBox Solutions. 15 January 2007 Righard J. Zwienenberg

How To Remove Virus From Computer Without Using Antivirus In Windows Xp

Avira AntiVir Server

Antivirus Myths and Facts. By Helmuth Freericks

Security Awareness. Presented by OSU Institute of Technology

Cisco s Appliance-based Content Security: IronPort and Web Security

Real protection against real threats

Comodo Antivirus for Linux Software Version 1.0

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

How To Remove Virus Without Antivirus In >>>CLICK HERE<<<

Anti-Virus Comparative

Free Download BitDefender Small Office Security 1 Year 1000 PCs trial version software free download ]

AVG File Server. User Manual. Document revision ( )

Report on ESET NOD 32 Antivirus

Overcoming limitations of Signature scanning - Applying TRIZ to Improve Anti-Virus Programs

Ryan KS office thesee

Sales Training

Cracked BitDefender Client Security 2 Years 20 PCs lowest price software ]

ESET NOD32 ANTIVIRUS 8

ESET NOD32 ANTIVIRUS 7

Free antivirus software download windows 10

Install and Configure ICT Equipment and Operating Systems Unit 229 Utility Programs

Remove Trend Micro Titanium Internet Security Without Password

Automate Consulting Services

CSCD 303 Essential Computer Security Fall 2017

GFI product comparison: GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.5

Kaspersky PURE 2.0. Exclusions

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

What s new in BitDefender Professional Client

What s New in Version 3.5 Table of Contents

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES

Trend Micro SMB Endpoint Comparative Report Performed by AV-Test.org

Product Line Guide Corporate Antimalware PLUS Network Visibility PLUS Systems Management

Transcription:

Test Strategies & Common Mistakes International Antivirus Testing Workshop 2007 Andreas Marx, MSc. CEO, AV-Test GmbH http://www.av-test.org

Table of Content About AV-Test.org Tests of Security Software Prerequisites for Evaluation and Testing Evaluation and Testing the Programs Documenting and Editing the Test Results Current project: cross-reference lists (XREF) Questions & Answers

About AV-Test.org Founded as company in 1996 and 2004 (GmbH) About 15 full-time employees and freelancers Working for 45 computer magazines world-wide Working for many companies as consultants People are involved in AV programming, testing and research since 1991 (as University project) Our test lab is equipped with more than 100 PCs Large collection of malware and clean files (60 TB) Over 2,000 product tests per year

Prerequisites for Evaluation and Testing Tester has to be independent from the companies he wants to review (sponsored reviews needs clearify the fact that the test was paid by a specific organization) The tester needs to know what he wants to do Detailed test plan is important A secure, separated network (which is not connected to any external networks like the internet) is required as test environment Dedicated test network Detailed knowledge about malware is required Reverse Engineering Skills Every malware file needs to be checked (e.g. replicated and analyzed) if it s working properly or possibly corrupted before it s included in any collection used for tests! Reminder: Malware is not a toy!

Evaluation and Testing the Programs (I) The classic criteria: Detection rates Virus scanner should detect viruses... Easiest method: One simply scans a formerly created malware database (log files? how to count? crashes?) Differentiation possible between WildList and Zoo tests (old vs. new files?), intentionally malicious software (e.g. viruses, worms, bots) and potentially unwanted software (e.g. dialer, jokes, ad-/spyware) etc. Often, only the on-demand scanner (because it s so easy to do?), but not the on-access guard is reviewed Results in many cases meaningless (99.5 vs. 99.7%) Exact CRC/MD5 detections of files by many AV products Malware databases are often badly maintained

Evaluation and Testing the Programs (II) The counterpart: False positive tests Less frequently tested, even if scanners with lots of false positives (and possible high malware and heuristic detection rates) can t be used on any production PC A preferably big database of known to be good / harmless files is required (at least, some 100,000) Sources: CDs and DVDs, ftp and http server mirrors Should be sorted after importance / priority (e.g. severity of a false positive: Windows system file vs. Office program vs. any unknown 3rd party tool) Procedures: Scan a system with a high number of applications installed on it vs. scan installer files as is

Evaluation and Testing the Programs (III) Today, cleaning is getting more important: Never-ending and increasing malware stream A high number of PCs will get infected sooner or later Malware is using advanced self-protection techniques (including rootkits) which are working better than similar functions implemented in malware scanners Procedure: Infect a system and test the cleaning functions (the scanner might not detect all malwarerelated pieces, but it should clean everything!) Important: Are all files and the Windows Registry treated properly? Are all programs still working? (Some less important traces might be left behind, e.g. skin files) Very complex and time-consuming test

Evaluation and Testing the Programs (IV) Even more important: Prevention What kind of techniques are offered by the products to detect (and prevent) the infection by unknown malware? Keywords: Application Control Mechanisms, Host-based Intrusion Detection & Prevention Solutions (HIDS/HIPS) Procedure: Start a malware and see what will happen Important: The test environment must look very real, simulated internet connection, no virtual machines Compare the number of warning messages during normal operation (including patches which are installed by Windows Update) vs. during malware execution What kind of critical actions are blocked or not? Can malware changes be undone (if so, how well?)

Evaluation and Testing the Programs (V) Testing (Outbreak) Response Times Question: At which time was my PC protected? Create an archive with all ever-released AV updates (e.g. signatures, engine and program files) Use a (scripted) multi-scanner system, plus some manual tests Test of all archived updates against the different scanner versions in a given period of time (start date, end date?) Look for heuristic and proactive detections (retrospective tests), reaction times, plus detection and name changes Future development: Application Lifecycle Testing Not only a single update is tested, but all available ones How did the scanner perform over a period of time in case of reliability of detection, avoiding false positives etc.? We want to show how the products are performing in real-life

Documenting and Editing the Test Results Representation of the results Write what was tested and how so a third party can understand it Tell, what s important and what s not so essential! Summarize all results into manageable tables Not all data will fit into tables Additional comments are essential Give the tested developers some time for proofreading of results and verifying the samples used for the test Remove samples from the test which are questionable or not malicious Publication in readable form Use a clear document style and structure with easily readable fonts HTML pages or PDF files are universal After publication Keep contacts to the developers Keep on discussion about current and future test strategies

Creation of cross-reference lists of malware names (code name: XREF) and known bad files which are unsuitable for testing File Name AVG AntiVir BitDefender MYTBAB.EXE I-Worm/Mytob.Z Worm/Mytob.AB Win32.Worm.Mytob.S MYTBAE.EXE I-Worm/Mytob.BB Worm/Mytob.BM Win32.Worm.Mytob.FE MYTBAH.EXE I-Worm/Mytob.AE Worm/Mytob.AH Win32.Worm.Mytob.X MYTBAL.EXE I-Worm/Mytob.AL Worm/Mytob.BF Win32.Worm.Mytob.AC MYTBAM.EXE I-Worm/Mytob.AC Worm/Mytob.BF Win32.Worm.Mytob.V MYTBAN.EXE I-Worm/Mytob.AM Worm/Mytob.BF Win32.Worm.Mytob.AN MYTBAR.EXE I-Worm/Mytob.AP Worm/Mytob.BA Win32.Worm.Mytob.AA MYTBAU.EXE I-Worm/Mytob.AK Worm/Mytob.AU Win32.Worm.Mytob.Y MYTBAW.EXE I-Worm/Mytob.AQ Worm/Mytob.AW Win32.Worm.Mytob.AB MYTBAX.EXE I-Worm/Mytob.AR Worm/Mytob.AX Win32.Worm.Mytob.AA MYTBBB.EXE I-Worm/Mytob.AU Worm/Mytob.BG Win32.Worm.Mytob.AE MYTBBD.EXE I-Worm/Mytob.AS Worm/Mytob.BE Win32.Worm.Mytob.AB MYTBBI.EXE I-Worm/Mytob.FW Worm/Mytob.ED.1 Win32.Worm.Mytob.BC MYTBBJ.EXE I-Worm/Mytob.AI Worm/Mytob.AS Win32.Worm.Mytob.T MYTBBL.EXE I-Worm/Mytob.BF Worm/Mytob.BR Win32.Worm.Mytob.M MYTBBM.EXE I-Worm/Mytob.BO Worm/Mytob.BW Win32.Worm.Mytob.AF

Questions & Answers??? Note: Many testing papers can be found at: http://www.av-test.org Publications Papers

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback