Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

3/12/2008
09:20 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

AV Still Weak on Rootkit Detection, Fixing Infections

New AV-Test.org results reveal some nagging problems with antivirus products

Independent antivirus testing organization AV-Test.org has released new test results on the latest versions of 30 antivirus products, and the report cards weren't all good.

None of the AV products scored straight As, and a few failed in some categories, such as remediation from malware infections and AV's old nemesis, rootkit detection.

New malware just keeps on coming, according to the report. In January and February alone, AV-Test.org discovered a whopping 1.1 million samples of unique malware spreading around the Net. The organization found nearly 5.5 million total during all of last year, up from 972,000 in 2006. (See Bake-off: Many AV Products Can't Detect Rootkits.)

“We thought it would be a good idea to start a new test of anti-malware software in order to see how well the tools are currently performing, given the masses of malware ‘in the wild,’” says Andreas Marx, CEO and managing director for the Germany-based AV-Test.org. AV-Test.org only tested the newest versions (as of March 1) of the English-language versions of the products, he says.

Researcher Alex Eckelberry, who is president and CEO of Sunbelt Software, took the results a step further by assigning them equivalent letter grades.

AV-Test tested the products on their on-demand detection of malware; on-demand detection of adware and spyware; false positives per 100,000 files; performance (scanning speed); proactive detection of new and unknown malware; response time to new widespread malware; and detection of active, running rootkits; and remediation.

Each product had its ups and downs in various categories. While Microsoft’s Forefront aced the false positives test and got a 98 percent score in remediation -- for instance, it received the equivalent of an “F” for its response time to new widespread malware outbreaks, taking more than eight hours to do so.

"There is this problem with remediation. I think that was borne out in the test results, which showed the lowest scores all around in remediation -- basically, a C -- score if you average it out," Eckelberry says. "So if the user caught something, how are they going to get rid of it? This often involved a process of trying multiple programs and remedies... I think this might be due in part to legacy antivirus engines dealing with highly complex threats."

Aside from the same troubles with rootkit detection, which scored an average C-, performance was a problem in the tests, he says. "An antivirus product is worse than useless if the user uninstalls it due to frustration with high resource usage, slow boot times, endless pop-ups -- and worse, an inability to deal effectively with certain types of malware," he says.

Overall, Sophos scored well (all As and Bs) in the AV-Test.org tests, as did Symantec’s Norton Antivirus (five As, two Bs, and a C in response time to new malware, with a 4- to 6-hour window). McAfee got all As and Bs, except for two Cs -- in performance, and in response time to new malware (4-6 hours).

CA’s eTrust VET earned the dubious distinction of scoring the lowest of all of the products in detecting adware and spyware, with only a 56.5 percent success rate, while K7 Computing wasn’t far behind, with a 59.5 percent rate of detection. K7 fared better in malware detection, with a score of 65.5 percent, and CA’s eTrust VET was more successful, with a 72.1 percent score.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Sophos plc
  • Microsoft Corp. (Nasdaq: MSFT)
  • Symantec Corp. (Nasdaq: SYMC)
  • McAfee Inc. (NYSE: MFE) Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/25/2020
    Hacking Yourself: Marie Moe and Pacemaker Security
    Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
    Startup Aims to Map and Track All the IT and Security Things
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-15208
    PUBLISHED: 2020-09-25
    In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
    CVE-2020-15209
    PUBLISHED: 2020-09-25
    In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
    CVE-2020-15210
    PUBLISHED: 2020-09-25
    In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
    CVE-2020-15211
    PUBLISHED: 2020-09-25
    In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
    CVE-2020-15212
    PUBLISHED: 2020-09-25
    In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...