VB comparative review: Windows XP SP2

2007-06-01

John Hawes

Virus Bulletin
Editor: Helen Martin

Abstract

A bumper crop of 37 products were submitted for this month's VB100 comparative review on Windows XP. John Hawes has the details.


Introduction

It became clear several months prior to this year's Windows XP comparative review that it would be a popular test. Vendors of a number of new products who were interested in putting their software forward for the VB100 certification had been in discussion with us for some time, with timing or platform issues having prevented their entry into earlier tests. Meanwhile, the broad popularity of the XP platform as much as guaranteed that all the regular VB100 entrants would support it. With a handful of further new arrivals appearing in the weeks before the deadline, this proved to be a truly bumper crop, well outstripping previous records.

In a month that incorporated two national holidays, as well as my attendance at the Frisk Antivirus Testing Workshop to keep me from the test lab (see p.2), I anticipated some long days to get the comparative completed in time - particularly with so many new and unfamiliar products with which to wrestle. I could only hope for simple and responsive interfaces, rapid scanning times and clear and straightforward results.

Platform and test sets

Windows XP, first released with quite some fanfare in late 2001, came rapidly to dominate the home-user market with its advances over Windows 98 and ME, and has also made steady inroads into the corporate sphere. The release of Service Pack 2 (SP2) in mid-2004, with some serious security improvements including the Windows Firewall and the Security Center, has boosted the platform's popularity and stability and made it almost a global standard. With a third service pack expected some time next year, and Windows Vista still at the start of a long settling-down period before it becomes widespread, XP is sure to remain dominant for some time yet.

Setting up Windows XP has become a simple process for me after having repeated the task many times over the years, and all the familiar controls and settings are easy to find and use. The Professional edition was used for testing purposes, in case any of the corporate products required domain membership or any of the other add-ons not available in the home edition. With SP2 rolled into the installer I used, little further tweaking was required once the systems were running and talking to the test lab network.

Beyond the expansion of the WildList test set and a host of additions to the clean sets, the test collections remain fairly stable. The WildList used to compile the test sets - the February 2007 version released in mid-April - had a relatively small number of additions, which were dominated by W32/Sdbot and W32/Rbot variants, with a large number of older items falling from the list after a lengthy tenure. Most interesting among the additions were the file infectors, some more of the W32/Looked (aka Viking) variants that have been appearing in recent months, as well as W32/Fujacks (aka the Panda Burning Incense virus, among other bizarre names picked up in its flashes of media popularity).

I hoped again to include some more detailed speed test results, although I anticipated there being several products that would not fit into the testing methodology (especially regarding on-access tests where different products behave in wildly different ways when files are simply opened, copied, written to etc., rather than fully executed).

For the archive tests, I planned once more to test both with the default settings and with archive scanning switched on, to try to show reasonably equal measures across products. Again, I expected some products not to offer this level of configuration, and results are presented only in as much depth as it was possible to gather in the available time.
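The figures reported for each product below (ItW on demand and on access, Macro, Polymorphic, plus false positives in the clean set) are all derived from the product's scan logs against the test-set manifests. The following scorer, which is an added illustration and not Virus Bulletin's own tooling, shows that derivation: it parses a constructed tab-separated log format, counts only a blocking 'infected' verdict as a detection (a PUP or riskware label on a WildList file is a miss, as with the AVG case later in the review), notes joke/riskware labels on clean files without counting them as false positives, and refuses a log that lacks its completion marker, since a truncated log would silently turn detections into misses. The manifests, file names and every log line are constructed.

```python
"""Score a scanner's logs the way a VB100-style comparative reports them:
per-set detection percentages, lists of misses and clean-set false positives.
Added illustration, not Virus Bulletin's tooling; the manifests, the
tab-separated log format and every log line below are constructed."""

# Constructed manifests: test-set name -> sample paths (invented names).
TEST_SETS = {
    "ItW": ["itw/W32_Sdbot_A.exe", "itw/W32_Sdbot_B.exe", "itw/W32_Rbot_C.exe",
            "itw/W32_Fujacks_A.exe", "itw/W32_Polip_A_01.exe",
            "itw/W32_Polip_A_02.exe", "itw/W32_Polip_A_03.exe"],
    "Macro": ["macro/W97M_A.doc", "macro/X97M_C.xls"],
    "Polymorphic": ["poly/Poly_A_01.exe", "poly/Poly_A_02.exe",
                    "poly/Poly_B_01.exe", "poly/Poly_B_02.exe"],
}
CLEAN_SET = ["clean/office_app.exe", "clean/installer.exe", "clean/slides.ppt"]

# Hypothetical log format: "path<TAB>verdict<TAB>name" per file, '#' comments,
# and a closing marker that proves the log was written out in full.
SCAN_COMPLETE_MARKER = "# scan complete"

ON_DEMAND_LOG = """\
# on-demand scan (constructed)
itw/W32_Sdbot_A.exe\tinfected\tW32/Sdbot.A
itw/W32_Sdbot_B.exe\tinfected\tW32/Sdbot.B
itw/W32_Rbot_C.exe\tinfected\tW32/Rbot.C
itw/W32_Fujacks_A.exe\tinfected\tW32/Fujacks.A
itw/W32_Polip_A_01.exe\tinfected\tW32/Polip.A
itw/W32_Polip_A_02.exe\tinfected\tW32/Polip.A
itw/W32_Polip_A_03.exe\tinfected\tW32/Polip.A
macro/W97M_A.doc\tinfected\tW97M/A
macro/X97M_C.xls\tinfected\tX97M/C
poly/Poly_A_01.exe\tinfected\tPoly.A
poly/Poly_A_02.exe\tinfected\tPoly.A
poly/Poly_B_01.exe\tinfected\tPoly.B
poly/Poly_B_02.exe\tclean\t-
clean/office_app.exe\tclean\t-
clean/installer.exe\triskware\tRiskTool.Generic
clean/slides.ppt\tinfected\tPPT/Dropper.gen
# scan complete
"""

# On access only the WildList set is exercised; the Rbot sample is labelled a
# PUP rather than blocked, which the comparative counts as a miss.
ON_ACCESS_LOG = """\
# on-access log (constructed)
itw/W32_Sdbot_A.exe\tinfected\tW32/Sdbot.A
itw/W32_Sdbot_B.exe\tinfected\tW32/Sdbot.B
itw/W32_Rbot_C.exe\tpup\tAdware.Generic
itw/W32_Fujacks_A.exe\tinfected\tW32/Fujacks.A
itw/W32_Polip_A_01.exe\tinfected\tW32/Polip.A
itw/W32_Polip_A_02.exe\tinfected\tW32/Polip.A
itw/W32_Polip_A_03.exe\tinfected\tW32/Polip.A
# scan complete
"""


def parse_log(text):
    """Return {path: (verdict, name)} for every non-clean entry.

    A log without the completion marker is refused: a truncated log would
    silently turn detections into misses, so it must be re-exported instead."""
    verdicts, complete = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == SCAN_COMPLETE_MARKER:
            complete = True
        elif line and not line.startswith("#"):
            fields = line.split("\t")
            if len(fields) == 3 and fields[1] != "clean":
                verdicts[fields[0]] = (fields[1], fields[2])
    if not complete:
        raise ValueError("scan log has no completion marker; treat as truncated")
    return verdicts


def score_set(samples, verdicts):
    """Only an 'infected' verdict counts; PUP/riskware labels do not block the file."""
    missed = [p for p in samples if verdicts.get(p, ("clean",))[0] != "infected"]
    detected = len(samples) - len(missed)
    return {"total": len(samples), "detected": detected,
            "pct": round(100.0 * detected / len(samples), 2), "missed": missed}


def score_comparative(on_demand_log, on_access_log):
    od, oa = parse_log(on_demand_log), parse_log(on_access_log)
    results = {name: score_set(samples, od) for name, samples in TEST_SETS.items()}
    results["ItW (o/a)"] = score_set(TEST_SETS["ItW"], oa)
    # A clean-set file called 'infected' is a false positive; joke/riskware
    # labels are only noted, as in the review.
    results["false_positives"] = [p for p in CLEAN_SET if od.get(p, ("clean",))[0] == "infected"]
    results["warnings"] = [p for p in CLEAN_SET
                           if od.get(p, ("clean",))[0] not in ("clean", "infected")]
    results["vb100"] = (results["ItW"]["pct"] == 100.0 and results["ItW (o/a)"]["pct"] == 100.0
                        and not results["false_positives"])
    return results


if __name__ == "__main__":
    for key, value in score_comparative(ON_DEMAND_LOG, ON_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Run as a script it prints each set's totals, the miss lists and the eligibility verdict; with the constructed logs the product scores 100% ItW on demand but 85.71% on access and has one false positive, so `vb100` is False. The completion-marker check is the part worth keeping for real logs: several products in this review truncated or failed to export large logs, and a scorer that accepts a partial log will misattribute the loss.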

Results

AEC Trustport Workstation Antivirus 2.5.0.970

Trustport Anti-Virus is available as a component of the broader Trustport suite, which was reviewed in VB in some depth a couple of months ago (see VB, March 2007, p.13). The installation was thus a familiar affair. Halfway through the installation I was reminded to ensure that I had no other anti-virus solutions installed on my machine - quite a reasonable request since the four engines included with the product (BitDefender, Ewido, Grisoft and Norman) should be more than adequate for anyone.

No reboot was required at the end of the installation, and red shield and blue gem icons installed to the system tray indicated that protection was running smoothly. Accessing the configuration options from here, I found the interface sensible and highly responsive, and had on-access scanning temporarily disabled, the logging settings tuned up and the first on-demand scan under way in a matter of seconds.

With all four engines deployed for the on-demand mode, speeds were never likely to be as impressive as detection rates, but on access only two engines are in use and the slowdowns are not too severe.

With splendid detection throughout and not a false positive in sight, Trustport gets this bumper comparative off to a good start with a very well deserved VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Agnitum Outpost Security Suite Pro

The first of the barrage of newcomers to join the test this month, Agnitum's product is an expansion of its well-known firewall offering, with virus detection provided by the VirusBuster engine.

Installing the product was a fairly straightforward affair, although I was asked if I wanted 'Advanced' protection (recommended for more experienced users) or a 'Normal' level (suitable for all). Since the advanced option was selected by default, I went with this mode. I was also offered an option to enable 'SmartScan', which is a system that can be used to speed up scanning using checksums of known good files, stored in hidden files. This I turned down for fairness in the speed tests, and a number of other setup options were trundled through before I could get my hands on the product proper.
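A checksum-based 'known good' cache of the kind SmartScan is described as can cut repeat-scan time dramatically, which is exactly why it was switched off for a fair speed comparison. The following is an added illustration of the mechanism, not Agnitum's or VirusBuster's code: content is keyed by SHA-256 so a modified or replaced file is always rescanned, and every cached verdict is discarded when the definitions version changes, so the cache can never hide something only new signatures would catch. The toy pattern-matching scanner, the signature sets and the file contents are all constructed.

```python
"""A 'known good' checksum cache: a file whose content hash was already found
clean under the current definitions is skipped on later scans. Added
illustration with a toy scanner; not any vendor's code. The signatures and
file contents below are constructed."""
import hashlib

# Toy signature sets standing in for two definitions releases (constructed).
TOY_SIGNATURES = {"1.0": [b"TOY-MARKER-1"], "1.1": [b"TOY-MARKER-1", b"TOY-MARKER-2"]}


def toy_scan(data, defs_version):
    """Return True if any signature of defs_version occurs in data."""
    return any(sig in data for sig in TOY_SIGNATURES[defs_version])


class CleanCache:
    """Skip-list keyed by SHA-256 of content, valid for exactly one definitions version.

    Keying by content rather than path means a modified or replaced file is
    always rescanned; clearing on every definitions update means the cache can
    never hide something only the new signatures would catch. Only clean
    verdicts are cached, so an infected file is re-examined on every pass."""

    def __init__(self, defs_version):
        self.defs_version = defs_version
        self._clean = set()
        self.scans = 0  # how many times the underlying scanner actually ran

    def update_definitions(self, version):
        if version != self.defs_version:
            self.defs_version = version
            self._clean.clear()

    def scan(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self._clean:
            return False  # cached clean verdict under the current definitions
        self.scans += 1
        infected = toy_scan(data, self.defs_version)
        if not infected:
            self._clean.add(digest)
        return infected


def demo():
    """Walk a constructed file set through two passes and a definitions update."""
    files = {"a.exe": b"harmless bytes",
             "b.exe": b"prefix TOY-MARKER-1 suffix",
             "c.exe": b"quiet TOY-MARKER-2 until definitions 1.1"}
    cache = CleanCache("1.0")
    first = {name: cache.scan(data) for name, data in files.items()}
    after_first = cache.scans            # 3: nothing cached yet
    second = {name: cache.scan(data) for name, data in files.items()}
    after_second = cache.scans           # 4: only b.exe (never cached) rescanned
    cache.update_definitions("1.1")
    third = {name: cache.scan(data) for name, data in files.items()}
    after_third = cache.scans            # 7: cache flushed, all three rescanned
    return first, second, third, (after_first, after_second, after_third)


if __name__ == "__main__":
    print(demo())
```

The second pass runs the scanner once instead of three times, which is the speed-up a reviewer would see on a repeat scan and the reason it was disabled here. The design caveat is the cache store itself: the review notes SmartScan keeps its checksums in hidden files, and anything that can write such a file can add a hash to the skip-list, so the store needs the same integrity protection as the definitions.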

The interface itself is attractive, with a tree menu showing its core functions and the product's various 'plugins', of which the 'anti-malware' section was, of course, the most interesting to me. Each has its own configuration section, some stretching to several tabs, and some detailed status information was also provided.

Scanning was performed with ease, generally from the handy context-menu link, and was fast and stable. On-access protection was similarly solid and reliable. Detection across the zoo sets was in line with the results I would expect from the engine used, but some strange behaviour was encountered in the WildList set. Two samples, both with .pif extensions, were missed in the on-demand scan, and four different items, including a full set of one of the W32/Fujacks variants, were missed on access. This behavioural oddity spoils Agnitum's chances of a VB100 at first attempt, but this product seems a likely contender for the award in future tests.

ItW: 99.92%
ItW (o/a): 99.55%
Macro: 100.00%
Polymorphic: 87.82%

AhnLab V3 Internet Security 2007

AhnLab has been a regular and successful entrant in VB's comparative reviews over the last few years, and it was no surprise to see V3 back on the test bench after a brief absence. The Internet Security suite includes the usual firewall, web and email protection facilities, from which a selection of required components could be made during installation, which also offered a pre-install scan and was ready to go without rebooting.

Initial impressions of the GUI were very good: it looked slick and attractive, with a prominent 'Settings' button promising easy access to all the required controls. Attempting to run a few scans proved a little less straightforward than I had hoped, due to the requirement to set up a job and then run it, but a 'Run a virus scan' option was added into context menus, making speed testing much easier.

Scanning speeds themselves were on the slow side on demand, especially with the option to scan archives enabled, but on-access speeds were remarkably fast, with little control of the depth of scanning available for this mode.

Logging has proved problematic with AhnLab products in the past, and this occasion was no exception. Logs saved from the Log Viewer utility were invariably truncated to an apparently random size, but usable figures were obtained eventually, after splitting the scans into several sections. These, and the results of on-access blocking, showed samples to have been missed in all test sets, though not in vast numbers. In the WildList set three separate items were not detected, including the polymorphic W32/Polip.A, of which all 15 samples were missed, thus denying AhnLab a VB100 this time around.

ItW: 99.79%
ItW (o/a): 99.79%
Macro: 98.97%
Polymorphic: 92.83%

Alwil avast! v.4.7 Professional Edition

Alwil's avast!, one of the best-known names in the home-user field thanks to the widely used free versions, is another regular in VB comparatives, and little was changed here from previous visits. As usual, the rather funky basic interface was avoided for most tests, with the ‘Advanced’ control system providing ample functionality.

Again the system for setting up scan tasks proved a little fiddly for my purposes, but my familiarity with the interface has begun to pay off and the tests were completed quickly. Speeds were middling throughout, and detection likewise - neither flawless nor disappointingly lacking.

The product’s reliability was carried over into the WildList set where nothing was missed, and likewise the clean sets, where only the usual single file labelled a ‘Joke’ required noting. As a result, Alwil is once again the worthy winner of a VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.56%
Polymorphic: 85.35%

Authentium Command AntiVirus for Windows 4.94.5

Authentium is another fairly regular participant in VB’s tests, with a false positive issue in last October’s test the first blot for several years on an otherwise impressive test history (see VB, October 2006, p.10). The company focuses on ‘software as a service’, but continues to sell the Command software both as a standalone product and as part of a suite including a firewall and so on.

The product itself is a simple little thing; installation seemed to spend some time pondering its surroundings, before suddenly announcing completion, and opening the GUI showed a tiny and unflashy but potent little tool. In a simple-to-use manner, it offered all the required tweaking, apart from the ability to add archives to the file types scanned on access, and zipped through the tests in excellent time.

Detection rates were similarly excellent, with barely a miss across the board, and the few missed detections were due to the file types not scanned by default. This performance, coupled with a complete absence of false positives, easily qualifies Authentium for another VB100.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Avira AntiVir

Avira is another perennial high achiever in VB100 terms, and its product is another which grows pleasantly familiar with repeated use. In this case, however, familiarity adds little to the product’s ease of use, since it is well designed and easy to use from the outset.

A few things I had not spotted before include the whimsical title ‘Luke Filewalker’ given to the scanner screen, which started a scan of my system automatically after installation and had to be stopped. Several other products also carried out this auto-check, while most others offered the option of a thorough scan once they were ready to go - an option I always decline for the purposes of these tests.

AntiVir’s slogan promises ‘More than security’, and I certainly felt secure looking at the admirable detection figures, with only a tiny handful of misses - mostly an obscure and ancient DOS virus - and splendid speeds across the board.

Again, archives could not be scanned on-access, but this does not detract from the excellent results, easily earning Avira another VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 98.72%

Bullguard v.7.0

The second newcomer to the VB test bench this month is from Bullguard, a company founded in Copenhagen in 2001. Bullguard's Internet Security suite has been available for around five years, offering a firewall, spam filter, anti-spyware and a backup system alongside virus detection provided by the BitDefender engine. The company boasts over 18 million downloads of its 60-day free trial, and also offers mobile products and chat-based online support.

The product itself, adorned with the company’s bulldog logos, looked good, with a slick and professional design lending a weighty, serious feel leavened by some friendly language in its messages, and proved responsive and solid.

Configuration was generally easily achieved, although logging seemed to be entirely absent, and my only other quibble with the interface was the greyness of some of the buttons, which often made me think the functionality in question was greyed out and thus unavailable - until I tried clicking on them.

Scanning speeds were solid, with particularly thorough scanning of archive files slowing things down a little, and results were, as expected, very impressive. There were very slightly more misses in the zoo test sets here than in the parent product, but nothing from the WildList set got past it.

This performance, combined with a lack of false positives, grants Bullguard its first VB100 award on its first attempt, and left me hoping that all the new products would present as few problems as this.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.49%
Polymorphic: 97.55%

CA AntiVirus 8.4.0.11

CA's home user product first made an appearance in VB in the February Vista review (see VB, February 2007, p.14), and the product submitted this time is little changed from that occasion. Installation included CA's usual trick of requiring EULAs to be scrolled all the way through, as well as a lengthy activation keycode, but once up and running the product presented no such barriers to testing.

A simple GUI was laid out in fairly standard style, and a small but reasonable amount of configuration (for a home-user product) was available. Using the handy context-menu scan option, tests were run through in good time, aided by some excellent scanning speeds. It was no surprise to find that there was no option to scan archives on access.

Detection rates were little changed from previous scores, with a smattering of misses across the zoo test sets, but nothing in the WildList. With no false positives generated in the clean set, CA's home division can celebrate a second VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 92.15%

CA eTrust r.8.1.634.0

CA's corporate offering is also little changed from its last appearance in the Vista comparative - indeed, the same submission was used this time with only additional updates provided. The eTrust brand has a lengthy history in VB's comparative testing, initially using the InoculateIT engine, later swapping to the Vet engine as the default, and now offering only the Vet engine, since InoculateIT was retired late last year.

The eTrust interface has never been a favourite of mine, its server-client design leaving the browser chugging slowly along as it attempts to refresh content after every click of a button. Under Vista, where version 8.1 was last tested, this sluggishness was notably improved, but any hopes that this was down to the new version rather than the platform were quickly dispelled, and testing consisted of brief moments of activity interspersed with long periods watching the ‘please wait’ message - particularly when trying to view some hefty scan logs, which threatened to overwhelm it entirely.

Despite these issues, tests were eventually completed with the usual very impressive speed during the actual scanning. After converting the logs from the .dbf format in which they are stored to a style which did not require the unresponsive log viewer, results were found to be similarly good, with solid detection and no false positives qualifying CA for another VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.82%
Polymorphic: 92.15%

CAT Quick Heal AntiVirus 2007 v.9

CAT’s website lays claim to the title ‘India’s leading anti-virus software’. As well as the ‘Lite’ product submitted for testing, Quick Heal is available as both the ‘AntiVirus Plus’ version, with anti-spyware and firewall functionality constituting the ‘Plus’ element, and as a full ‘Total Security’ suite with the addition of spam-filtering and data theft prevention among other things.

The product greeted me with the message ‘Welcome to the world of virus-free computing’, and the built-in messenger system providing information on updates and outbreaks continued this theme of friendly communication with the user. The interface is simple, but clearly designed and easy to use, with right-click scanning used for much of the testing.

Checking the logs showed the figures to be much as expected, with a fair number of misses in most of the zoo sets, but nothing in the WildList set and no false positives. CAT is therefore eligible for another VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 98.04%
Polymorphic: 76.11%

Doctor Web Dr.Web 4.33.3.04230

Doctor Web is another VB100 regular, supporting a wide set of platforms with its product range, including Windows versions as far back as Windows 95. The XP version, the whole thing impressively compact at little over 10 MB, installs in a shiny and attractive manner, with the customary stern warnings against having other security products installed on the machine.

Using the product was made easy by familiarity, and once I had remembered that the ‘change’ button was required to apply changes made to settings, tests were zipped through without difficulty. Unloading the on-access mode prompted a message saying that part of the SpIDer monitor system had failed to unload, but this didn’t seem to cause any lasting problems.

Speeds were somewhat slow both on demand and on access, which can perhaps be put down to very thorough scanning, particularly where archives are concerned - the product reported the largest number of ‘objects’ scanned in this test set. Detection within the zoo sets was as excellent as usual, with most of the very few samples missed being due to the file types not being scanned by default.

Doctor Web had some issues in the last comparative review, with a log parsing problem causing several detected files to be counted erroneously as misses in our initial report. In addition, a small number of W32/Sdbot samples were confirmed to have been missed from the WildList test set. Further investigations by the vendor have indicated that these samples were covered by updates to the product’s engine that were not submitted for the test along with the virus database updates, but these samples would have been protected against in a real-world setting.

Unfortunately Doctor Web was unlucky again on this occasion, and several more samples were missed, including three Sdbots and two W32/Rbots, all in the WildList set. This was enough to deny Doctor Web the VB100 award for the second time running.

ItW: 99.33%
ItW (o/a): 99.33%
Macro: 100.00%
Polymorphic: 98.72%

eEye Digital Security Blink Personal Edition 3.0.9

Blink is another newcomer, and one of which I had little prior knowledge. Vulnerability specialist eEye Digital Security has been in business for almost ten years, spotting and reporting security flaws and creating software to keep networks free from exploitable software. Its Blink client product is a desktop offering promising a range of security features that include: vulnerability scanning, HIPS and other system protection systems, as well as firewalling and anti-malware protection, provided in part by Norman.

Installation includes the customary warning against combining the product with other security software, as well as a thorough list of products which could be expected to clash with Blink, and an assertion that running multiple products will provide no extra protection. The remainder of the installation process is slick and smooth and requires no reboot.

The interface of the product itself is similarly attractive, with an option-rich page offering controls over the full range of functionality. Scanning is designed in the typical style of an anti-spyware product, with the full system and registry the default target, but individual areas can be scanned by switching off ‘deep disk scanning’ and selecting the required folder. This gave some unusual speed results, with great attention paid to executable and binary files but little, perhaps sensibly, to media and documents.

On-access detection was obtained via the system’s logging, as blocking was not sparked by simple file-opening.

A few times during testing the display faltered somewhat, with attempts to view scan histories producing only a ‘Page not found’-type error message, but logging to file seemed more stable.

Results were good across the board, closely matching the scores recorded by Norman’s own product, and with the WildList set amply covered and a single suspicious file in the clean set, another impressive-looking piece of software gets its first VB100 stamp of approval.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.90%
Polymorphic: 81.94%

Eset NOD32 Antivirus System 2.70.32

The Windows version of NOD32 is another very familiar product, little changed in the last several tests, although a major new release is promised in the coming months. This should add further functionality to the current protection against malware on the local system and arriving via web and email vectors.

NOD32’s configuration is straightforward with the benefit of some experience, and tests zoomed along at the customary rapid pace.

The only option that seemed not to be available was scanning inside archives on access, and the thorough detection which has become the norm for NOD32 once again covered the entire extent of the VB collections. With not a single miss in any set and no hint of a false positive, NOD32 once again proves worthy of a VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Fortinet FortiClient 3.0.412

Fortinet focuses on business customers with a range of server products and appliances, and unsurprisingly its FortiClient product is another thorough suite, with many additions to the usual firewalls and mail filters.

As befits a corporate environment, configuration is flexible and in-depth, and can be navigated with ease across the clearly designed, responsive interface.

Scans were completed in very good time, despite defaulting to scanning everything thrown at it, and Fortinet’s recent elevation to the top rank of products that miss nothing in any of our zoo sets continues, with full detection scored throughout.

A small issue with the alert popups, which got a little overloaded during the opening of thousands of infected samples within a few minutes, did not prove a significant problem. The thorough detection extended across the WildList set without a false positive in sight, thus granting Fortinet another VB100.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Frisk F-PROT Anti-Virus 6.0.70

Iceland’s Frisk Software is another vendor whose history in VB100 testing dates back into the 20th century. This history has been an illustrious one, and the company’s detection technology is included in several other products.

F-PROT offers a clean and simple interface in bright white with shades of red and blue. Configuration is straightforward and thorough, with a simplified scanner setting available for those less interested in fine-tuning. On-access scanning is less tweakable, but does its job efficiently.

Scanning speeds were very good throughout, and detection similarly excellent, with nothing beyond the capabilities of the product if properly configured. This included the WildList set, and an absence of false positives gives F-PROT another VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

F-Secure Protection Service for Consumers (7.00 build 387)

F-Secure’s 2007 suite was favourably reviewed in these pages some months ago (see VB, November 2006, p.12), and has been gathering similarly positive reviews from other testers. The product submitted for review this time was apparently slightly different from the usual F-Secure Internet Security, having been designed for rebranded redistribution, but my user experience was not affected.

However, this preview status seems to have added a few problems into the previously solid suite. An issue with the logging provided, which was previously noted in the Vista test when logs containing large numbers of detections failed to export in their entirety, was once again in evidence here. A new problem also emerged on this occasion, with a sample of W32/Wotbot causing the product to seize up somewhat on one occasion.

With these fairly minor irritations overcome, testing was eventually completed, with F-Secure’s traditional plodding thoroughness while scanning archives adding to the delays. Detection in general proved to be excellent, with the only miss in the zoo sets caused by a file type not scanned by default. In the WildList set, however, a single sample of W32/Allaple was also missed, which was enough to see a rare failure for F-Secure to achieve a VB100 award.

ItW: 99.88%
ItW (o/a): 99.88%
Macro: 100.00%
Polymorphic: 100.00%

G DATA AntiVirusKit 17.0.7089

G DATA’s AVK product is another of those with a long history of superb performance in VB’s testing, and once more there is little fault to be found with the product.

Speeds were not as impressive as some, which is as one would expect from a multi-engine product. The product’s interface is not only visually appealing but also clearly and sensibly laid out with little left to be desired. The ever-useful right-click scanning is in evidence, and any attempt to change the settings in a way which could lead to excessive system impact or lack of protection is warned against appropriately.

The only minor quibble I had was a repetition of the grey-buttons-looking-greyed-out problem mentioned earlier, and the format of the logs being less than ideal for my personal needs. However, with no samples missed in any of the test sets, and just a few warnings about hacker tools and joke programs in the clean set, AVK racks up yet another VB100 award with ease.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Grisoft AVG 7.5 Professional Edition

Grisoft, like Alwil and Avira, makes a basic version of its product available as a free download. AVG anti-virus thus has a very high public profile, supported by a reputation for solidity and good detection. Its free anti-rootkit and anti-spyware products, backed up by technology brought in by the company’s acquisition of Ewido, are also in wide use. Grisoft also provides full-featured and integrated versions, as well as a range of server products and support for other platforms.

Also mirroring Alwil, AVG offers simple and advanced versions of its interface, neither of which is entirely straightforward. Scans were mostly initiated using the right-click method, to avoid a rather fiddly task design system, and scanning times were far better on access, where little configuration was available, than on demand.

Detection rates were little changed from previous tests, with results generally solid with a scattering of misses in each set. In the WildList set, a W32/Rbot sample was detected by the spyware side of the product, labelled as Adware and a ‘potentially unwanted program’. On access, this meant that the file was not alerted on, and although this error was apparently corrected within days of the product’s submission, it was enough to deny AVG a VB100 award this time.

ItW: 100.00%
ItW (o/a): 99.88%
Macro: 99.93%
Polymorphic: 75.88%

Ikarus Virus Utilities 1.0.52

This is the second appearance of Ikarus Virus Utilities in a VB comparative review - its first having been as long ago as November 2001 (see VB, November 2001, p.16). Austria-based Ikarus Software also carries a range of server products for mail and web filtering, and the product is available as a six-month free trial.

The initial download is remarkably small at only slightly over 4 MB, but this must be supplemented by the virus definition data, which for this test measured around 7 MB.

Installation was prevented initially by the need for the Microsoft .NET framework, which apparently is downloaded automatically when the installer is run with web access. With this in place, the process continued with a check for other security software which may prevent full operation, and the offer to install Adobe Reader which is needed to access the documentation (which sadly only works when running from CD and was not included in my download edition).

With the installation complete and updates added, the product showed a small status display tool with details of the scanner, updater and on-access ‘guard’, but the main interface seemed unwilling to open at first. After several attempts and a reboot it suddenly started responding, and from then on seemed to suffer no such problems. Configuration was minimal and a little difficult to fathom, but once figured out, things got moving quite nicely.

While scanning the large infected sets much of the interface faded away and refused to respond, leaving me fearing a total crash, but checking back some time later I found it had returned to normal and the scan completed without serious incident.

On-access scanning was easier to run through, and analysis of the results showed good speeds, though detection across the infected sets was a little uneven, with a significant number of misses in the older DOS and polymorphic sets. These figures are magnified by some large sample sets however, and overall percentage scores are more impressive.

More importantly, a small handful of WildList viruses were missed, and several false positives were alerted on, including components of the Nero CD recording software, Norton Ghost and the GoogleTalk installer, all of which were labelled as trojans. This was enough to deny Ikarus its first VB100, but with a little work the product should be a solid contender for qualification in the near future.

ItW: 99.88%
ItW (o/a): 99.88%
Macro: 95.86%
Polymorphic: 71.00%

iolo AntiVirus 1.1.9

Best known for its repair and optimization products, iolo has built a considerable public profile with its presence on the shelves of high-street software outlets. The company’s range of anti-virus and firewall products also includes a full security suite. Having previously licensed the Kaspersky engine, iolo now uses technology from Authentium, in addition to some ideas of its own.

Having heard from iolo some time in advance of this test, I was lucky enough to have had a look at the product in advance and get to know its workings. The installation was smooth and unproblematic, although it spent some time getting ready for action. The interface looks thorough, crammed with information without being cluttered, and appears to have ample configuration options.

Logging seemed only to kick in when some kind of disinfection or removal took place, so scanning alone was not possible. The default setting, which involved quarantining most items, took an excessively long time when dealing with large numbers of infected files and seemed to get stuck every few thousand, locking down the interface and requiring a reboot to fix. This is not a likely scenario outside the test lab, however, and is most unlikely to affect users; setting it to delete without quarantining circumvented the problem.

Speeds over clean files were excellent in both modes, with no further crashes experienced, and detection seemed thorough throughout. However, two PowerPoint files in the clean set were labelled as infected, and a single WildList file was missed in both modes, with another missed on access only, which means iolo will have to try again to achieve VB100 certification.

ItW: 99.97%
ItW (o/a): 99.86%
Macro: 98.60%
Polymorphic: 96.15%

K7 Total Security 2006

K7 Computing, based in Chennai, India, is yet another name that is new to the VB test bench, but again the firm is far from new to the game, having produced its first anti-virus product as long ago as 1992. Along with the Total Security suite seen here, which includes firewall and anti-spam functions, a standalone anti-virus product and a corporate edition are also available.

The installation process was a smooth and clean operation, and ends with a ‘news and update’ screen carrying useful information. This was, in fact, one of the only products to point out that my lack of web connection was the reason the product could not update itself. The interface showed similar attention to detail in its clear and user-friendly design, and was steady and responsive throughout.

Scanning speeds were excellent at all times, and while detection was not perfect on the less current test sets, especially the aging and less relevant DOS set, this was far from surprising for a newcomer not using anyone else’s technology. K7 has clearly been working hard on the latest threats and achieved full coverage of the WildList set. With just a couple of items in the clean sets adjudged to be ‘riskware’, K7 can proudly claim its first VB100.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 97.23%
Polymorphic: 65.00%

Kaspersky Anti-Virus 6.0.2.621

Kaspersky’s product is a far more familiar one, having been the subject of another thorough review in VB a few months ago (see VB, September 2006, p.16). The installation and use of the product were thus straightforward, and all the tests were sprinted through in good time, although things were slowed somewhat by the need for a reboot after install and some seriously in-depth scanning of archives.

Detection figures were mostly as excellent as ever, with a pair of misses in one zoo set attributable to the file types ignored by default on access. Unfortunately, however, the same sample of W32/Allaple that upset F-Secure’s chances of a VB100 was missed here. Investigations have shown that detection was in place both a few days before and a few days after our test, and was presumably removed temporarily for some fixing. This unfortunate timing was enough to spoil Kaspersky’s recent solid record of VB100 awards.

ItW: 99.88%
ItW (o/a): 99.88%
Macro: 100.00%
Polymorphic: 100.00%

McAfee VirusScan Enterprise v.8.5i

McAfee’s corporate desktop product was submitted for this test, and was unchanged from previous tests. It is a solid and businesslike product, with its operation and configuration thorough and lacking in either excessive simplification or over-complex razzle-dazzle.

The only confusing aspect remains the inability to deactivate on-access scanning from the main interface (it can be switched off with ease from the system tray). Scanning speeds were good, and detection excellent, with only a small handful of DOS samples missed. Another VB100 is awarded to McAfee without further ado.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Microsoft Forefront Client Security 1.5.1937

Forefront is Microsoft’s long-awaited corporate client product, a new implementation of the scanning technology provided for the home user market in OneCare. The final release to market is expected to be at around the same time as the publication of this review.

Things got off to a shaky start when my first stab at running the installation CD on a test machine proved a dead loss, the installer failing with an obscure error message. Resorting to the documentation, I found to my horror some lengthy instructions for the design of a security topology, which required a Windows 2003 server on which to run the installer and from which to deploy to clients - this also needed such delights as Microsoft SQL Server 2005 SP1, IIS and ASP.net, the .NET framework 2.0, MMC 3.0, GPMC SP1 and WSUS. While making moves to acquire these items, I asked the developers for a simpler client install method, which thankfully was provided and proved ample for my needs.

The user interface seemed rather simple, with less configurability than I would expect from a corporate product. Presumably most of this side of things is controlled from a proper management server, where available. Running most of the testing was fairly straightforward however, with the only problem being a complete absence of internal logging – detection details had to be gleaned from the system event log.

Scanning speeds were fairly reasonable, and detection seemed pretty thorough overall, Microsoft having made some efforts at improving its coverage since the recent appearance of OneCare in VB’s Vista test.

Some slightly unusual behaviour was uncovered when a single file in the WildList set, a sample of W32/Tenga, was not blocked on access. Further investigation showed that the default action for this file was set to ‘always allow’ (after detecting the file in an on-demand scan, selecting the ‘apply action’ option either deleted, disinfected or quarantined other items, while this one was for some reason allowed to pass unfiltered).

Despite this problem, basic detection of the file was provided, and thus without having generated any false positives in the scan of the clean test set, Forefront just about qualifies under the rules of the VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 96.15%

Microsoft Windows Live OneCare 1.5.1890.35

My second attempt at testing OneCare was aided by some familiarity with the product, and with the special setup required to allow this web-centric software to operate without its connection to base. Installation was at first hindered by some mysterious errors, but this was soon diagnosed, with help from the developers, as being due to my system using the UK locale, for which the appropriate language packs were not included in the pared-down version provided for my test.

My experience with the interface paid off and the tests were completed without further issue, with scanning speeds a fraction slower than OneCare’s corporate sibling and detection rates just as good. Among the other functionality included was an offer to ‘tune-up’ my system, with disk defragmentation etc.

Limited configuration did not extend to logging, and results, once parsed, showed full detection of the WildList, and again no false positives, so OneCare is also granted the VB100 this time.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 96.15%

Microworld eScan Internet Security for Windows 9.0.714.1

Microworld Technology provides a wide range of server and gateway products alongside those for desktops, including Linux.

The installation of eScan complained at first about the date on my test machine, which for some reason was set to before the creation date of the product. With this small issue resolved, the installation continued simply and rapidly, and required a reboot to activate fully. The interface was a little odd-looking, but fairly simple to use throughout my tests, and speed times reflected the thoroughness of the Kaspersky engine at the heart of the product.

Thoroughness was also a feature of scans of the infected sets. I spent a long time watching the amusing animation of a hand crushing an insect which accompanied detection, along with a wildly inaccurate progress bar. Microworld’s submission seems to have missed the small window during which the Kaspersky engine missed detection of the W32/Allaple sample, and also had more complete defaults, resulting in 100% detection across the board, and with only a single piece of software labelled a risk, eScan wins another VB100 with some style.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Norman Virus Control 5.90

Norman is another familiar face in VB’s testing, and again familiarity with the rather unusual layout of the product rendered testing less of a chore than it once was. The availability of a right-click option, starkly labelled ‘Norman Virus Control’, also helped speed things along.

On-access scanning has always been somewhat odd in the Norman product, with little control of its behaviour available, and logging was a little flaky here, requiring several attempts to get a full list of detections. Scanning the WildList seemed to show a batch of files never blocked when opened, but access to those tricky logs showed that detection was indeed in place and some allergy to the testing tool in use was diagnosed as the likely cause of the oddity.

Overall, results were shown to be very good, with no false positives and some pretty decent times in the speed tests. With the WildList covered without difficulty, Norman also wins a VB100.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 81.94%

NWI VirusChaser 5.0a

NWI is the abbreviation of New Technology Wave Inc., a Korean operation whose VirusChaser product is an implementation of the Dr.Web scanning engine aimed at the Asian market, and is provided in an even smaller package - this time a mere 7 MB in total.

Installation was thus simple and fast, and the clear and straightforward GUI offered more configuration of its own appearance than of actual scanning behaviour. Many tests were nevertheless carried out fairly easily using the context-menu option, and zipped along very rapidly.

On-access scanning seems not to be sparked by simple file opening, and as a result speed times were not measurable for comparison, but detection was instead measured by copying files to the machine.

Logs showed detection rates to be slightly below the level achieved by the parent product, along with a broad set of applications labelled ‘Riskware’. Unfortunately for NWI, the product missed the same clutch of WildList samples as Dr.Web, as well as a handful of others, which means that no VB100 is awarded to NWI this time either.

ItW: 98.90%
ItW (o/a): 98.90%
Macro: 99.90%
Polymorphic: 97.82%

PC Tools Antivirus 3.1.1.6

The first of two submissions from PC Tools, this is the company’s standalone anti-virus product, which was first released in late 2005 and is assisted by VirusBuster technology. A basic version of the product is also made available as a free download. Alongside its anti-malware range, PC Tools also offers a selection of system repair, recovery and cleanup products, privacy tools, a spam filter and a firewall.

The product installed rapidly and simply with few choices to be made, and launched an attempt to update without prompting. Oddly, this reported that the product was up to date, despite having no web access from within the test lab, and the brightly coloured interface’s status page also misleadingly reported that ‘the last update was today’.

The GUI was simply laid out, and testing ran through without difficulty. Some hefty XML logs proved a little much for my poor tired system to bear, but scanning speeds were good and results looked promising. On-access behaviour was a little unusual too, with access to some files denied and other detections merely logged, while a cascade of alert messages gushed down the right-hand side of the screen.

In both modes, the product had difficulty with a couple of files in the clean set, which it got stuck on, refusing to go any further. On demand, trying to stop the snagged scan simply led to a ‘stopping...’ message, and only a reboot moved things along. With the ‘On Guard’ on-access scanner switched on, perusing files from Explorer slowed to a rather frustrating degree at times, especially while trying to analyse the large logs created.

With these issues surmounted, detection results were finally obtained and results proved pretty thorough across all the sets. The WildList was completely covered, with no false positives, adding PC Tools to the roster of new VB100 winners this month.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 87.74%

PC Tools Spyware Doctor v.5.0.0.182

Spyware Doctor is PC Tools’ long-standing flagship product, a widely trusted anti-spyware tool into which virus detection and protection has been added.

The installation process and appearance of the interface are similar to the previous product, colourful and curvy and aimed squarely at the home user, although this one had some more complex configuration and a lengthy list of scanning types from which to select when kicking off a localised scan.

Logging proved a little tricky again here, with output generally truncated, but results were gathered easily by setting it to delete infected items from the test sets and seeing what was left behind. On-access detection was also unusual: blocking of simple file access was not possible, so no speed figures were available for this mode, but the slowdown was fairly noticeable to the naked eye from time to time. Detection on access was measured by copying files to the system and having them deleted.
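The copy-to-the-machine measurement used here, and earlier for VirusChaser, can be scripted so the survivors are counted rather than eyeballed. The harness below is an added example written for this review and is not part of the review's own tooling or any vendor's product; the directory names, the settle time and the placeholder sample files are constructed assumptions (the samples are harmless text, not malware):

```python
"""Measure on-access detection by copying samples onto the test machine.

Added example, not part of the Virus Bulletin review.  Where a product does not
block a plain open() of an infected file but removes or disinfects files as they
are written, detection can be measured by copying each sample into a directory,
giving the on-access scanner a moment to act, and counting what is left behind.
"""
import os
import shutil
import time
from dataclasses import dataclass, field


@dataclass
class AccessResult:
    """Outcome of one on-access measurement run."""
    total: int
    missed: list = field(default_factory=list)  # sample names left untouched

    @property
    def detected(self) -> int:
        return self.total - len(self.missed)

    @property
    def rate(self) -> float:
        """Percentage detected, rounded like the review's ItW (o/a) figures."""
        return 0.0 if self.total == 0 else round(100.0 * self.detected / self.total, 2)


def copy_samples(sample_dir: str, target_dir: str) -> dict:
    """Copy each file in sample_dir into target_dir; return {name: original size}.

    A copy the scanner refuses outright raises OSError.  The sample is still
    recorded so that its absence is later counted as a detection.
    """
    sizes = {}
    for name in sorted(os.listdir(sample_dir)):
        src = os.path.join(sample_dir, name)
        if not os.path.isfile(src):
            continue
        sizes[name] = os.path.getsize(src)
        try:
            shutil.copyfile(src, os.path.join(target_dir, name))
        except OSError:
            pass  # write blocked: shows up as absent in count_survivors()
    return sizes


def count_survivors(target_dir: str, sizes: dict) -> AccessResult:
    """A sample still present at its original size was missed by the scanner.

    Deleted files and files whose size changed (disinfected) count as detected.
    """
    result = AccessResult(total=len(sizes))
    for name, size in sizes.items():
        dst = os.path.join(target_dir, name)
        if os.path.exists(dst) and os.path.getsize(dst) == size:
            result.missed.append(name)
    return result


def measure_on_access(sample_dir: str, target_dir: str,
                      settle_seconds: float = 2.0) -> AccessResult:
    """Full run: copy, give the on-access scanner time to act, then count."""
    sizes = copy_samples(sample_dir, target_dir)
    time.sleep(settle_seconds)  # assumed settle time; tune for the product under test
    return count_survivors(target_dir, sizes)


def make_constructed_samples(sample_dir: str,
                             names=("a.com", "b.exe", "c.doc")) -> list:
    """Write harmless placeholder files standing in for a test set (constructed)."""
    os.makedirs(sample_dir, exist_ok=True)
    for name in names:
        with open(os.path.join(sample_dir, name), "wb") as f:
            f.write(b"placeholder sample " + name.encode())
    return list(names)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "samples")
        dst = os.path.join(root, "target")
        os.makedirs(dst)
        make_constructed_samples(src)
        res = measure_on_access(src, dst, settle_seconds=0.5)
        print(f"on-access: {res.detected}/{res.total} detected "
              f"({res.rate:.2f}%), missed: {res.missed}")
```

Run on a machine with no on-access scanner, every placeholder survives and the harness reports 0% detection, which is the expected baseline; a product that blocks the write, deletes the copy or disinfects it in place is credited in each case, because only a file still present at its original size is counted as a miss.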

The same two files in the clean set caused problems, but once the snags were overcome no false positives were reported, on-demand scanning speeds were reasonable, and detection rates were good too, although Spyware Doctor missed a small set of DOS samples caught by its sister product. Everything else proved fine though, and a second VB100 is duly awarded to PC Tools.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.93%
Polymorphic: 87.74%

Proland Protector Plus 2007

Proland is another vendor that is neither a complete newcomer to VB’s comparative testing nor a regular. The vendor’s products previously appeared in several comparative reviews in the late 1990s, and Proland returns after a lengthy absence and recent acquisition.

Protector Plus is another contender for the accolade of most compact product, with the whole thing weighing in at around 8.5 MB, and again a slick and speedy installation reflects its small size. The process looks good too, and offers but does not force a system scan. The option is also provided to add support information to the Windows address book.

This attention to user needs was shown throughout, with lots of helpful advice, and the product’s interface was attractive and well designed. It also ran well, with no freezes or crashes or other unwanted behaviour despite the heavy load of the tests.

Checking through results revealed some superb scanning speeds, as expected, and also a fair number of misses across all the zoo sets, with particularly low coverage of older samples. A couple of WildList samples were likewise missed, with several more missed on access thanks to some incomplete coverage of file extensions. This, along with the presence of two false positives, means that Proland will also have to do a little more work before qualifying for a VB100 award.

ItW: 99.76%
ItW (o/a): 97.93%
Macro: 82.53%
Polymorphic: 36.97%

Softwin BitDefender Antivirus Plus v.10

BitDefender is a more well-established product, with its advanced heuristics making it a popular choice for other software makers looking for an extra engine.

The company’s own implementation includes most of the standard extras, with a firewall, spam and web filters and anti-spyware functionality included, as well as the ‘B-Have’ behavioural intrusion-spotter.

The product boasts that it is ‘a superior software package’, and it certainly looks sleek and solid. The ‘Activity Bar’ that hovers in a corner of the screen, semi-transparent, has always been a bit of a mystery to me, and the interface itself is similarly quirky and unusual, but its nice deep red colour scheme oozes professional slickness and solidity.

Scanning was soon under way once I had re-familiarised myself with the controls. Speeds leaned towards the thorough rather than zippy, and detection rates towards the very top end with only a handful of missed samples. None of these were in the WildList set, and no false positives were recorded either, thus qualifying BitDefender for another VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.69%
Polymorphic: 97.86%

Sophos Anti-Virus 6.54 R2

Sophos rarely misses a chance to enter a VB comparative review. Despite a major new version of the associated management tools and the addition of an optional firewall late last year, the end-user experience has remained little changed for some time.

Installation and use skipped along simply, with the in-depth configuration available making for easy testing. Some improvements in detection have removed the small number of obscure samples regularly missed in previous tests, and the only remaining misses are in Access database files, ignored by default to avoid problems with Sophos’s corporate customer base, who can be expected to have extremely large databases.

These same customers are also served by warnings about some system tools which could present a hacking risk on a corporate network, but no actual false positives and full detection of the WildList set earn Sophos a VB100.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Symantec AntiVirus 1.0.0.359

Symantec also targets the corporate market with the product submitted here, which has a serious and text-heavy feel with none of the cuddly graphics home users are generally assumed to require. Again, my familiarity with the workings of the product allowed me to complete the tests in record time.

Scanning speeds were good, although surprisingly I could find no way of activating on-access scanning inside archives.

Detection was reliably thorough, with only a tiny number of DOS samples missed, and this thoroughness extended to the WildList test set. In the clean sets a single file was flagged as suspicious, but there was nothing to prevent Symantec from winning a VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 100.00%

Trend Micro PC-cillin Internet Security 2007

Trend Micro’s suite was reviewed in depth last month (see VB, May 2007, p.14), and is still installed on a few of my spare test systems, so no trouble was expected. The product is well-designed throughout, both visually appealing and easy to navigate, and includes several useful ideas.

During installation I was informed that the Windows firewall would be deactivated, to be replaced with the product’s own firewall. I was also presented with a list of vulnerabilities detected on my bare system for which patches have since been released.

Detection was decent, if not among the most thorough, but nothing from the WildList was missed and no mistakes were made in the clean sets, resulting in another VB100 for Trend Micro.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.68%
Polymorphic: 93.10%

VirusBuster VirusBuster Professional 2006 v.5.2

VirusBuster is, for once, not the last product in this test alphabetically - but the offering is one that I never mind getting around to at the end of a test period, with its clear and logical design and pleasing stability.

While the layout of the on-demand scanning system is not my favourite, right-click scanning avoided much need to use this, and gave good speed results and a small selection of missed files in the zoo sets.

VirusBuster’s engine has already appeared in this test, implemented in some of the newcomers’ products, but the problems exhibited there were not in evidence here, and with only a warning that a zipped file in the clean set may be an attempted zipbomb, VirusBuster wins another VB100 award.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Polymorphic: 87.82%

Webroot Spy Sweeper 5.5

The final product on the list is yet another newcomer. Webroot’s Spy Sweeper has long been a popular and well-regarded player in the anti-spyware field; the company has been around for over ten years, and also produces firewall, performance management and content-filtering software. Spy Sweeper added anti-virus protection and detection late last year, incorporating the Sophos engine into version 5.2 of the product.

Installation of Spy Sweeper was a simple process, although some tweaking was required to add in the anti-virus components, which would normally be downloaded from the web separately from the main console. These were clearly recognisable as many of the parts that make up the Sophos product.

The interface is clear and simply laid out with the colourful style expected from home-user-focused anti-spyware offerings. Control of the various settings is available from several tabbed screens including those marked ‘Shields’ and ‘Options’, although these were heavier on information than actual controls.

On-demand scans were run from a tab labelled ‘sweep’, and were straightforward to set up and run. Here again little deep configuration was available, but it proved sufficient for my needs, and judging by the slowish speeds achieved on demand, scanning appears to default to fairly thorough settings.

On-access scanning speeds were considerably faster, and among the most impressive in this month’s set of products. This led me to suspect that settings here leaned towards the lax, ignoring many file types entirely. However, this proved not to be a problem where detection of the test sets was concerned. While, once again, blocking access completely did not seem to be possible, detection of malware as files were opened clearly took place, and thorough logs were produced.

The logs included useful data on the malware found, as well as warnings whenever scanning a file took longer than a few thousandths of a second. The logs also listed the vast majority of the samples in the sets, including everything rated In the Wild. With an impressive performance overall, congratulations go to Webroot for claiming a VB100 award on its first attempt.

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 99.93%
Polymorphic: 100.00%

Results tables

Conclusions

It has been a mixed month for all comers, with the large number of new arrivals drawing attention away from the regulars, most of whom put in their usual strong performances without fuss. One particularly unfortunate piece of timing spoiled the records of a couple of products which are used to achieving the highest standards, while another suffered from a miscategorisation, but in general little of interest occurred regarding the old hands.

The newcomers tell an entirely different story, with a wide range of products showing a diverse selection of new ideas and implementations.

Some of the newcomers were virus scanners pure and simple, with perhaps some minor extra functionality which is becoming the norm in all products these days. Of these, several have developed their own scanning technology from scratch, and a select few have done well enough to pass the award criteria.

Most of the newcomers were a little lacking in detection of the samples included in the older test sets. Some of these older sets may be losing their relevance to modern users, and the process of modernising the VB test sets continues apace. However, the continued appearance of reports of Windows 95 and even DOS malware from our prevalence data providers indicates that at least some users are still affected by these aging nasties, and would benefit from some protection from them.

The majority of the new products, though, were the result of specialist vendors from other security fields rolling virus protection into their offerings. Just as the traditional anti-virus vendors have had to expand their focus to include spyware protection and firewalls, so the firewall and anti-spyware experts have seen the need to add anti-virus protection to their products. This is generally done by licensing the detection technology of an established vendor, and in these cases implementation is all – with some integrating the engines into their products very successfully, and others still suffering a few teething problems.

Many of these products were highly impressive, and seem likely to offer some stiff competition to the established vendors with the diversity of extras they offer. As always, diversity and competition can only improve standards in general, but I hope that some of these ideas will be merged rather than further enlarging the field of products. It seems unlikely that either the poor exhausted test systems, or the equally worn out tester, could handle another month like this one.

Technical details

Test environment. Tests were run on identical machines with AMD Athlon64 3800+ dual core processors, 1 GB RAM, 40 GB and 200 GB dual hard disks, DVD/CD-ROM and 3.5-inch floppy drive, all running Microsoft Windows XP Service Pack 2.

Virus test sets. Complete listings of the test sets used can be found at http://www.virusbtn.com/Comparatives/WinXP/2007/test_sets.html

Any developers interested in submitting products for VB's comparative reviews should contact [email protected]. The current schedule for the publication of VB comparative reviews can be found at http://www.virusbtn.com/vb100/about/schedule.xml.
