VB Comparative: Red Hat Linux 9 - April 2006

2006-04-01

Matt Ham

Virus Bulletin
Editor: Helen Martin

Abstract

The main competition amongst products this month seemed to be as to which could have the least useful documentation – find out which products redeemed themselves by achieving a VB 100%.


Introduction

Performing the Linux comparative vies with carrying out the NetWare review as one of my least favourite occupations, so it was with a sense of impending doom that I awaited the coming of another March of the Penguins.

As has ever been the case, the main competition amongst products here seemed to be to determine which could have the least useful documentation. Some companies opt for the easy way out and supply either none at all, or a single-page PDF which effectively says: 'Installing the product is done by installing the product, now do it.' More advanced obfuscators produce several near identical sets of documentation, only one of which contains a vital clue on how to activate the product. The clue is, of course, cunningly concealed amongst useless text. Finally, and in a category of frustration all of its own, are the companies that supply what appears to be very helpful documentation – except that it is wrong, offering misdirection, incorrect path names, erroneous file names or references to objects which simply do not exist. A number of the products in the review were less than sporting and supplied useful, accurate documentation – these were, however, the exception rather than the rule.

Test sets

The test sets used were aligned to the most recent WildList available at the time of the review deadline, which was the December 2005 WildList. Products were submitted with a deadline of 6 March. This gave the vendors ample time to add new viruses to their databases, so few misses were expected in the In the Wild (ItW) test set.

There was a little more potential for problems in the clean test sets, which have undergone major changes. As has been mentioned previously (see VB, March 2006, p.13), self-extracting executables have been given their own test set (dynamically compressed files), which is distinct from the clean set. This has entailed the removal of many files from the old clean set, and the addition of files to both the clean and dynamic sets. As a result of these changes it should also be noted that comparisons with past clean set throughput rates are no longer valid.

Alwil avast! 2.0.1b

Like many of the products on review, avast! makes use of the open source Dazuko method of intercepting file accesses to Samba shares. This method is particularly appreciated during the review process, since the methods of activating a Dazuko installation are sufficiently generic that they give a fair idea of what should be done to get the on-access scanner up and running. Thus, despite the non-ideal, fragmented documentation in this case, there were few issues with setting up the product.

Misses in detection were much as expected, with most falling into the category of complex polymorphics. With no misses in the ItW set and no false positives, avast! earns itself a VB 100%.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 83.33%
Macro: 99.56%
Standard: 99.38%
Polymorphic: 93.58%

Avira AntiVir 6.33.1.74

Since H+BEDV has officially ceased to exist, the AntiVir product line name is now used by Avira – which is not surprising since the two companies were, by and large, run by the same people performing the same duties. The developers have long-standing links with Dazuko and therefore it is not surprising that AntiVir makes use of that component in its scanning.

Once initial problems with licence files had been overcome, the setup process was quick and easy. The documentation stated that the default settings were not likely to be desirable – which was indeed the case. Unfortunately, the documentation also recommended the use of a nonexistent configuration application to solve this problem. In the end I tweaked the configuration files manually, which resulted in good scanning performance. A VB 100 % is the result.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 86.67%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

CAT Quick Heal 8.00

Quick Heal continues the Dazuko theme, though with a slight difference. Apparently Dazuko 2.2 is not compatible with CAT's offering, thus the 2.05 version was used. There were also a few other Dazuko-related issues during installation. If Dazuko is already installed, configured and loaded on the target machine, installation fails. Unloading Dazuko solves this problem, though it is a slightly strange requirement, since it must be reloaded immediately in order to activate on-access scanning.

Quick Heal continues to be fairly predictable in its misses, with a slightly larger number than most other products in the line-up. That said, none of the misses were In the Wild, and no false positives were generated, so a VB 100% is awarded to CAT.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 60.00%
Macro: 98.18%
Standard: 96.39%
Polymorphic: 96.57%

Doctor Web Dr.Web 4.33.0.09211

Dr.Web rejoices in perhaps the largest number of component RPM files in its installation package, which contain several dependences. Thankfully, simply throwing them all at the package manager simultaneously solves any potential irritations. The installation procedure is admirably automated, with the on-access scanning component installed and ready to go in a decent configuration. The only oddity is that on-access scanning is not actually activated, since the appropriate daemon is not loaded automatically. While it is reasonable to leave the decision to activate on-access scanning to the administrator, it is not made immediately clear that the activation process is so simple, or indeed, how to achieve activation.

Dr.Web also rejoices in a GUI for on-demand scanning, a feature becoming much more common in Linux scanners. This added complexity did nothing to harm the underlying functions of the product though, and detection rates were easily good enough to warrant a VB 100%. One notable fly in the ointment was the time taken to load all virus definitions before on-demand operations, which added appreciably to the duration of such scans.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

Eset NOD32 2.51.2

Returning to Dazuko products, the Eset submission not only performed admirably in detection, but also offered well documented installation procedures. There was thus ample reason to award NOD32 a further VB 100% for its collection.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

Fortinet Linux Guard 2.81 2.72 8.201

Fortinet's product was certainly the most basic on offer in this test, with no on-access scanning component available. It was equally basic in packaging, with no installation script, thus necessitating the manual addition of the path when scanning was desired. To these limitations must also be added a distinct paucity of on-demand scanning options.

While Linux Guard cannot obtain a VB 100% award due to the lack of an on-access component, the results of scanning on demand were reasonable. Given the rapid improvements that have been seen in Fortinet's Windows products, it will be interesting to see how this application changes over the coming months.

ItW: 100.00%
ItW (o/a): %
Linux: 20.00%
Macro: 99.90%
Standard: 99.45%
Polymorphic: 92.46%

FRISK F-Prot Antivirus 4.66 3.16.14

FRISK's offering on this occasion managed a combination of efficiency and oddness which led to more than a little frustration. The good news was that only one file was missed during both on-access and on-demand scanning, which, combined with no false positives, means that a VB 100% is earned by F-Prot.

On the minus side, however, installation of the product was to a mysterious location, the configuration files having to be hunted down by manual inspection. Worse, during on-access scanning the connection dropped spontaneously on several occasions. Detections therefore were noted by rescanning and deleting infected files. This added another frustration to the mix in that infected documents cannot be deleted in any way at all. Infected archives cannot be deleted, disinfected or quarantined – so you'd better hope that no one ever sends one to you.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

F-Secure Anti-Virus 5.20 5901

This was the third product to have a custom, rather than Dazuko-based, on-access component, and the installation procedure for F-Secure was one of the more automated and relatively pleasant on offer. The scanning of infected files was not particularly speedy, though the same was not true for the clean files.

With only the UUE encoded Linux/Cheese worm missed in the entire test set, in combination with a distinct lack of false positives in the clean sets, FSAV leaves the tests with another VB 100% to its name.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 93.33%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

Grisoft AVG Anti-Virus 7.1.24 718

Returning once more to the lands of Dazuko, AVG was another installation where there were no problems, and which was aided by decent documentation and information. Despite a number of missed detections amongst polymorphic samples, the product's performance when scanning ItW samples was perfect. No false positives were generated either, meaning that Grisoft's scanner once again earns a VB 100% award.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 48.33%
Macro: 100.00%
Standard: 97.33%
Polymorphic: 83.72%

Kaspersky Anti-Virus 5.0 #26

Continuing in the same vein, Kaspersky also provided a product which proved easy both to install and operate. When combined with full detection of all files in our test sets this made for an easy test run indeed. Adding to the exemplary performance a complete lack of false positives, KAV leaves with a well deserved VB 100%.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

McAfee LinuxShield

McAfee's LinuxShield is the first product in this review to be designed primarily to be operated through its GUI. Other products offer this functionality, though can be more conveniently administered from a command line in most cases. Convenience in this case was not aided by the GUI crashing whenever scans were edited.

The problem turned out to be caused by updating via certain virus database upgrades, which in their .tar form seem to be either useless or destructive to Linux installations. Having obtained new instructions from McAfee, matters became much simpler, however, with only a handful of W32/Etap samples being missed. A VB 100% was the happy end result after an unpromising start.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 97.67%

MicroWorld eScan Anti-Virus 2.0-4

eScan is based on Kaspersky's underlying on-access component and as such has the potential to do well, given the quality of performance already demonstrated by KAV. Unfortunately, installation was rather hindered by the instructions given – which were brief if not actually informative. After some wrestling with the command line and GUI of eScan, matters became a little easier, though still rather irritating.

The awkwardness of interaction did not affect the underlying abilities of the scanning engine. All infected files were detected both on access and demand, with no false positives. A VB 100% is thus awarded to MicroWorld.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

Norman Virus Control 5.80.00

Like McAfee's product before it, NVC is very much designed to be operated by means of its GUI. This is unfortunate since the GUI bears only a passing resemblance to the descriptions in the manual. To add insult to injury the manual also refers to components by incorrect names, making manual alteration of settings harder than might be expected.

On-demand scanning was fraught with strange errors, though these and the obscurity of on-access installation were both eventually overcome. Although the result was in doubt to begin with, a VB 100% was eventually the outcome of these troubled tests.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 73.33%
Macro: 100.00%
Standard: 99.45%
Polymorphic: 91.24%

SOFTWIN BitDefender Console 7 (2545)

Although easy to install, the BitDefender product hid itself well from my prying eyes – an activity aided by the choice of name for the on-demand scanner. Although BDC is an obvious choice when it is known that BitDefender Console is the name of the product, there is no clue that this is its name until the BDC file has been tracked down. This minor frustration gave way to slightly greater frustration on access, where on occasion read and write access was denied to all files, not just those which were logged as infected.

Despite these problems, however, the product's overall performance was sufficient to warrant a VB 100% award.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 53.33%
Macro: 99.12%
Standard: 99.04%
Polymorphic: 99.71%

Symantec AntiVirus 1.0.0.61 51.2.0.12

Symantec's Linux client has become much more friendly since my last experience with it, now requiring much less interaction with outside consoles on remote machines. These are still required for updates, as far as I could tell, but scanning and configuration could be controlled from the command line on the Linux box. A semi-GUI is provided within the Linux GUI, though this is more a source of information than a place where much can be done in the way of control.

That said, the command line proved adequate for my needs and detection rates were high as expected with Symantec's past test performances. Not surprisingly a VB 100% is awarded to SAV as a result.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

Trend Micro ServerProtect 6.810

ServerProtect is probably the product that is the most dependent on its GUI for operations, to the extent that I did not even attempt to use command line operations to invoke its scanning. Considering the relative complexity of the packages to be installed, the process was remarkably free from confusion and pain, thanks to detailed, accurate documentation.

With such a happy start it would have been a shame had scanning not been as easy a matter. Thankfully there were no upsets here either and Trend can claim a VB 100% as a result.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 93.33%
Macro: 99.78%
Standard: 99.16%
Polymorphic: 95.81%

VirusBuster 2005 1.2.4

Last in the test, and by far the most aggravating, comes VirusBuster's submission. This comes as two packages: an RPM for the on-access scanner and an archive for the on-demand scanner. The on-demand scanner has no installation process associated with it, thus requiring paths to be set manually. Once this has been done, however, the scanner does operate smoothly.

The on-access scanner is much more painful, since it installs files silently through at least six different directories, giving no warning or hint as to which these might be. After searching through the scattered, sparse documentation on-access scanning was finally activated. The scanning process on-access is laughably slow and the scanning process on occasion caused the Samba share to declare momentarily that no files were present on it. This necessitated spending two days constantly scanning, deleting and rescanning the same set of files, in order to obtain some sort of overall result. A VB 100% is obtained after this nightmare – though I would say undeservedly so.

ItW: 100.00%
ItW (o/a): 100.00%
Linux: 48.33%
Macro: 100.00%
Standard: 99.27%
Polymorphic: 92.59%

Conclusions

Another year and the pain remains the same. While some products improve and mature, others wallow in their own backwardness and cause irritation by their very existence. I, for one, would be pleased to see market forces expunge some of these products from the marketplace. Sadly, however, the companies that produce such atrocities on Linux are capable of producing quite decent software on other platforms, which can support the Linux offerings into a long and torturous future.

Technical details

Test environment. Identical 1.6 GHz Intel Pentium machines with 512 MB RAM, 20 GB dual hard disks, DVD/CD-ROM and 3.5-inch floppy drive running Red Hat Linux 9, kernel build 2.4.20-8 and Samba version 2.2.7a. An additional machine running Windows NT 4 SP 6 was used to perform read operations on the Samba shared files during on-access testing.

Virus test sets.  Complete listings of the test sets used can be found at http://www.virusbtn.com/Comparatives/Linux/2006/test_sets.html.

Results calculation protocol.  A complete description of the results calculation protocol can be found at http://www.virusbtn.com/virusbulletin/archive/1998/01/vb199801-vb100-protocol.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Dissecting the design and vulnerabilities in AZORult C&C panels

Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified during the research.

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.