16 Security Scanners Unplugged

An analysis of how well 16 popular security products cope with the latest generation of security threats.

The Problem

In a previous article, "The Home Computer Security Mess", I talked of the home computer security conundrum. On the one hand we have the rapidly increasing sophistication of malware. On the other hand, computer security products have become so numerous, so complex and so overlapping in function that it has become almost impossible for home users to make rational assessments of their effectiveness.

Towards a Solution

As a first step towards clarification I decided earlier this year to carry out a series of tests on home computer security programs. The first of these, reported here, covers signature-based security products, the most widely deployed of all home computer security programs. This class of product includes anti-virus, anti-trojan and anti-spyware scanners.

The tests I conducted were quite unlike the traditional tests of such products, which focus on the adequacy of their signature detection. I wasn't interested in signature detection but rather in how well the products were equipped to handle the latest generation of security threats. In particular I was interested in the following questions:

- Can the security product be easily terminated by a hostile malware program?
- Can the program detect malware within archived and compressed executable files?
- Can the security product detect process injection?
- Does it monitor changes in the Windows startup folder and registry startup areas?
- Does the product detect the presence of running rootkits?
- How good is its protection against a modern blended threat?
- How well does the product protect against drive-by downloads?
These are really important questions, yet they are ignored in most product reviews. A product may have outstanding malware detection, but that's worth zip if the security program can be easily terminated by a PE-encrypted malware program.

To answer these questions I used a number of different technical test procedures. Several of these were based upon the methodology devised by Michel Aparicio at his blog site: http://kareldjag.over-blog.com/10-category-69553.html Full details of the technical tests can be found in the detailed product test results below.

Test Methodology

My short list of products to be tested included most of the most popular free and commercial anti-virus, anti-trojan and anti-spyware scanners. The programs tested were the most recent versions available at that time (June 2006). With a few minor exceptions, all programs were tested using their default configurations. Where exceptions were made, they have been noted in the results. Two products, Ewido and CounterSpy, had betas of new versions available, so I tested the betas as well as the current products. One product, Windows Defender, was only available in beta form. In total I ended up with 16 products.

Each was tested on a virtual PC running under VMware Workstation. Most products were tested using an unpatched version of Windows XP. The beta products were tested with an unpatched copy of Windows XP SP2, as this was a minimum requirement for them.

Here's the list of products tested. You can click on a product to get its detailed test results.

Note: Although I tested the most recent versions available at the time of testing in June, almost all products will have been updated to some degree since then. At the time of writing (August 2006), Ewido V4 has moved out of beta, SpySweeper V5 has been released, Spyware Doctor is up to V4 and CounterSpy V2 is now at a much more advanced beta version. My test results may have reduced applicability to these later versions.
Can the security product be easily terminated by a hostile malware program?

In this test I tried terminating the product's monitor or core processes using several different termination tools.
As you can see, most products were easily terminated using Windows Task Manager, a result that can only be described as feeble. Ewido, Kaspersky and Norton put up decent fights: if I terminated their processes, the products would restart them. However, with the heavyweight tools I was able to delete the source files so they could not be restarted. Only NOD32 was resistant to all three methods of termination. Even so, I was still able to terminate NOD32 by forcing a reboot and deleting some of its key files during the boot process.

Can the program detect malware within archived and compressed executable files?

1. Archive Detection

I tested detection within archives by embedding a malware sample that I knew the product could detect within each of 11 different archive types: .7z, .bh, .cab, .bz2, .gz, .jar, .lha, .rar, .tar, .yz1 and .zip. I used installation default settings in all cases, but note that some products such as SpySweeper and Ad-Aware will only scan archives if you change the default settings. This possibility was not tested.
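To make concrete what "scanning within archives" requires of a product, here is an added example written for this edit; it is not code from the original article or from any of the products tested. It is a minimal recursive scanner in Python that hashes each object against a signature set and then descends into any archive it recognises (.zip, .tar, .gz and .bz2 from the standard library; .7z, .rar, .cab and the other types in the test would need extra libraries), so that a sample buried several layers down is still found. The signature set (the SHA-256 of the EICAR test string), the nested sample archive and the depth and size caps are all constructed or assumed for the example; the caps are the practitioner's guard against archive bombs, which a naive recursive unpacker otherwise walks straight into.

```python
import bz2
import gzip
import hashlib
import io
import tarfile
import zipfile

# Constructed signature set: the EICAR test string stands in for a signature database.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

MAX_DEPTH = 4          # assumption: never unpack archives nested deeper than this (zip bombs)
MAX_MEMBER = 10 << 20  # assumption: skip any member that would inflate beyond 10 MiB


def match_signature(data):
    """Return the signature name if the bytes hash to a known sample, else None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def naive_scan(data):
    """What a scanner that does not look inside archives does: hash the file as given."""
    return match_signature(data)


def _bounded(fileobj):
    """Read at most MAX_MEMBER bytes; None if the member is larger than that."""
    out = fileobj.read(MAX_MEMBER + 1)
    return out if len(out) <= MAX_MEMBER else None


def archive_members(data):
    """Yield (name, bytes) for each member if data is an archive format we understand."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_MEMBER:
                    yield info.filename, zf.read(info)
        return
    buf.seek(0)  # is_zipfile moved the read position while looking for a central directory
    try:
        if data[:2] == b"\x1f\x8b":                   # gzip magic
            with gzip.GzipFile(fileobj=buf) as gz:
                payload = _bounded(gz)
            if payload is not None:
                yield "<gunzip>", payload
            return
        if data[:3] == b"BZh":                        # bzip2 magic
            with bz2.BZ2File(buf) as bz:
                payload = _bounded(bz)
            if payload is not None:
                yield "<bunzip2>", payload
            return
        with tarfile.open(fileobj=buf, mode="r:") as tf:   # last try: uncompressed tar
            for info in tf:
                if info.isfile() and info.size <= MAX_MEMBER:
                    yield info.name, tf.extractfile(info).read()
    except (OSError, EOFError, tarfile.TarError):
        return                                        # corrupt, or simply not an archive: a leaf file


def scan(data, path="<file>", depth=0):
    """Recursive scan: check the object itself, then each member of it, down to MAX_DEPTH."""
    hits = []
    name = match_signature(data)
    if name:
        hits.append((path, name))
    if depth >= MAX_DEPTH:
        return hits
    for member, payload in archive_members(data):
        hits.extend(scan(payload, f"{path}/{member}", depth + 1))
    return hits


def wrap_in_zip(data, member_name):
    """Build a single-member zip around data (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_sample():
    """Constructed download: EICAR as sample.txt inside a .tar.gz inside a .zip."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("sample.txt")
        info.size = len(EICAR)
        tf.addfile(info, io.BytesIO(EICAR))
    return wrap_in_zip(tar_buf.getvalue(), "inner.tar.gz")


if __name__ == "__main__":
    download = build_sample()
    print("naive scan    :", naive_scan(download))            # None: the outer zip hashes clean
    print("recursive scan:", scan(download, "download.zip"))  # EICAR found three layers down
```

Run as a script it prints the naive result (nothing) beside the recursive one, which reports the sample at download.zip/inner.tar.gz/<gunzip>/sample.txt. The depth cap is the trade-off the test above glosses over: a product that unpacks everything is exposed to nested-archive bombs, so real scanners stop descending at some depth and either flag the remainder or fall back to catching the payload on extraction, exactly the situation the results below describe.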
Three aspects of the results are notable. First, no product scanned within all the archives. Second, no product scanned the .bh and .yz1 archive types. Finally, several products didn't scan even the most common archives such as .zip, .rar and .cab.

If a program doesn't scan within a particular type of archive file it can never detect any malware that is inside such an archive. It should, however, be capable of detecting the malware once it is extracted from the archive. But many folks routinely scan downloaded files before installing them as a precaution. If that file happens to be archived, there is a good chance that the scan will not reveal anything. If you use Ad-Aware, CounterSpy, SpyBot, Spyware Doctor or SpySweeper with their default settings, you are wasting your time: none of these products scan within any archive.

2. Compressed Executable Detection

To test detection within compressed executables I packed a malware program that I knew the product could detect using 11 different packers: WinZip SEA, WinRar SEA, Morphine, NSPack, Yoda, UPX, Themida, Petite, TELock, Mew and FSG.
Some of these packers can produce polymorphically encrypted executables: every file they produce is different, even when the payload is the same. Detecting these files is a challenge for most security products, yet such packers are widely used by hackers.
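Unpacking Themida or a polymorphic crypter is beyond any short example, but a scanner can at least recognise that a file is packed and treat it accordingly (flag it, or hand it to an emulator) rather than hashing the wrapper and calling it clean. The following is an added example written for this edit, not code from the original article or from any product tested. It parses the section table of a PE file with nothing but the standard library and applies three packer tells: a section whose name belongs to a known packer, a section whose byte entropy is close to 8 bits per byte (compressed or encrypted code), and a section that occupies no space in the file but reserves virtual memory (where the unpacker will write the real image). The section-name list is illustrative rather than exhaustive, the 7.0-bit threshold is an assumption, and the two PE images are constructed in-line; a real binary has an import table, aligned raw data and more sections, none of which the heuristics need.

```python
import hashlib
import math
import struct
from collections import Counter

# Illustrative (not exhaustive) section names left behind by common packers.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2",     # UPX
                        ".nsp0", ".nsp1", ".nsp2",  # NsPack
                        ".petite",                  # Petite
                        ".themida",                 # Themida
                        ".aspack", ".adata"}        # ASPack
ENTROPY_THRESHOLD = 7.0       # assumption: bits/byte above which a section looks compressed or encrypted
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
                              # SizeOfRawData, PointerToRawData, 2 pointers, 2 counts, Characteristics


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """DOS header -> PE signature -> COFF header -> section table; returns [(name, vsize, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, _va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw))
    return sections


def assess(pe):
    """Return (looks_packed, reasons) for a PE image using the three packer tells."""
    reasons = []
    for name, vsize, raw in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        h = entropy(raw)
        if h > ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} has entropy {h:.2f} bits/byte")
        if vsize > 0 and not raw:
            reasons.append(f"section {name!r} reserves {vsize:#x} bytes in memory but has no file data")
    return bool(reasons), reasons


# --- constructed sample images; no real executable is needed to exercise the heuristics ---

def build_pe(sections):
    """Minimal PE: DOS header, signature, COFF header, zeroed PE32 optional header, section table, raw data.
    Raw data is not file-aligned as a real linker would make it; the parser does not care."""
    opt_size = 224
    data_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)  # i386, EXE, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        rawptr = data_ptr + len(body) if raw else 0
        table += struct.pack(SECTION_HDR, name.encode("latin-1").ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rawptr, 0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
        body += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


def pseudo_random(n, seed=b"packed"):
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for compressed or encrypted code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_clean_pe():
    text = b"\x55\x8b\xec\x83\xec\x10\x90\x90" * 400    # repetitive i386-looking code: low entropy
    data = b"Hello from a boring program\0" * 50
    return build_pe([(".text", len(text), text), (".data", len(data), data)])


def build_upx_like_pe():
    packed = pseudo_random(4096)
    return build_pe([("UPX0", 0x8000, b""),            # empty on disk, reserved in memory for the unpacked image
                     ("UPX1", len(packed), packed),    # compressed image plus the unpacker stub
                     (".rsrc", 64, b"\0" * 64)])


if __name__ == "__main__":
    for label, image in (("clean", build_clean_pe()), ("packed", build_upx_like_pe())):
        verdict, why = assess(image)
        print(f"{label}: {'PACKED' if verdict else 'not packed'}", *why, sep="\n    ")
```

The entropy tell is the one that survives a packer renaming its sections or a custom crypter with no known name, which is why it matters for the polymorphic cases described above; the price is that legitimately compressed resources or embedded media also score high, so a high-entropy section is a reason to look harder (unpack, emulate, or scan on execution), not a verdict on its own.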
As with archived malware, no security product detected within all the compressed executables. Some, notably Ad-Aware, SpyBot, Spyware Doctor, Trojan Hunter and SpySweeper, were very poor in this respect. No product was able to detect malware that was hidden by the commercial packer Themida.

The inability of a security product to scan within compressed executables is more serious than not being able to scan within archives. Yes, the real-time monitors in some products may catch the malware when it is executed, but if the malware first terminates the security software then an infection is inevitable. Again, note that a precautionary scan of a downloaded file is useless if the security scanner doesn't scan within the packer used to produce the downloaded executable. In particular, if you use Ad-Aware, CounterSpy, SpyBot, Spyware Doctor or SpySweeper with their default settings, you are wasting your time: none of these products scan within any packed file.

Can the security product detect process injection?

I used the ZapAss test program, which injects an implant into a running process and then downloads a file using that process. None of the security products tested warned of the process injection. Simple as that. Better get out your IDS program ;>)

Does it monitor changes in the Windows startup folder and registry startup areas?

To pass this test the program had to warn if changes were made in any of several different startup areas. No product passed the test. Definitely get out your IDS program ;>)

Does the product detect the presence of running rootkits?

In this test I loaded the Hacker Defender and FuTo rootkits while the security program and its monitor were deactivated. I then enabled the monitor and ran a system scan. To pass the test, both rootkits had to be detected.
Only Spyware Doctor and SpySweeper detected both rootkits, though in the latter case the rootkit detection option needed to be enabled.

How good is its protection against a modern blended threat?

This test involved running the DFK Threat Simulator, a sophisticated blended-threat simulation that disables your defenses, bypasses your firewall, and installs a cleverly disguised trojan, a virus and a keylogger, all masked with a rootkit.
The only products that passed this deadly but revealing test were those that detected the test program by signature. I've rated this as a conditional pass. I suspect that had the programs not detected the test by signature then all would have failed, as they were all included in the security program "kill list" embedded in the test program.

How well does the product protect against drive-by downloads?

Here I browsed with Internet Explorer to three known drive-by download sites. These sites use flaws in Windows and Internet Explorer to download malware without any user action or knowledge. Typical exploits include the well-known iFrame and WMF exploits, though the sites will repeatedly try a sequence of exploits if not initially successful. If finally successful, the sites will download multiple malware products, often running into tens of megabytes. After browsing I ran HijackThis and WhatChanged reports to see if there was an active infection. Because of the possibility that a rootkit was hiding the malware, I also scanned with BlackLight and RootkitRevealer.
SpySweeper has been given a conditional pass rating, as access to the bad sites was blocked by SpySweeper.

Conclusions

Having looked at the results you have probably already concluded that most of the products failed most of the tests, and alas, this is not far from the truth. I'm resisting making more specific conclusions, as this test is only the first of several I'll be conducting in the second half of 2006. In the coming months I'll be looking at virtualization products, IDS/IPS utilities and some other categories as well. By the time this series is completed, I'll have some specific recommendations for you on the best way to protect your computer against the latest generation of threats. These recommendations will be based on facts rather than vendor hype or commercial affiliation. But this is speculation. When this series is completed we will (perhaps) know the real answer.

I'll be presenting the results of my next series of tests in Support Alert Newsletter. If you want to receive these results as they are published, you may wish to subscribe. It's free.

Ian "Gizmo" Richards
August 2006
Copyright © techsupportalert.com 2006