
Many Antivirus Tools Fail in LinuxWorld Test

Posted by CowboyNeal
from the survival-of-the-fittest dept.
talkinsecurity writes "In a public, side-by-side test conducted last night at LinuxWorld, ten antivirus products were confronted with 25 known viruses. The results were surprisingly disparate. Only three of the products caught all of the viruses; three only caught 61 percent, and one caught an abysmal 6 percent. The test, which wasn't particularly complicated, proves that there still are wide differences in the effectiveness of AV tools. A lot of people think all AV tools are the same — they're not!"

  • The winners: (Score:5, Informative)

    by RichPowers (998637) on Thursday August 09, 2007 @08:48PM (#20177373)
    From TFA:

    Kaspersky, Symantec, and Clam AV: 100% caught

    FProt and Sophos: 94%

    McAfee: 89%

    GlobalHauri, Fortinet, and SonicWall: 61%

    WatchGuard's Linux AV: 6%

    And a graph of the results plus links to some of the test viruses: http://virus.untangle.com/ [untangle.com]
  • AVG (Score:4, Informative)

    by DigiShaman (671371) on Thursday August 09, 2007 @08:54PM (#20177411) Homepage
    What about AVG? I really love it. I've installed it on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff than Trend Micro, Symantec and McAfee.

    Also, Bitdefender and Nod32 are also good for the Windows environment. I'm curious how all these ranked in the Linux world.
  • by adam.dorsey (957024) on Thursday August 09, 2007 @08:57PM (#20177431)
    Linux mail directors/servers/etc. often run AV to scan mail for their more vulnerable cousins from Redmond.
  • Not surprising... (Score:4, Informative)

    by SuperBanana (662181) on Thursday August 09, 2007 @09:14PM (#20177579)

    ...considering that most of the antivirus programs were tricked when a new "variant" of one of the worms appeared back around '99 or so. So kids- just insert random whitespace into your worms!

    The change? The line endings in the VBS script changed. It probably wasn't even intentional- some broken mail server probably modified CR's into CRLF's. It sailed right past Trend Micro's email scanner and infected several dozen systems.

    I was the first person to notice why it slipped by, and brought it to the attention of a big-name "security expert" who ran a mailing list which shall go unnamed. He thanked us for the research, passed along my findings to the list, and then promptly went around doing interviews with the press using the first person voice. "I discovered that...", blah blah was what I read the next day.

  • Re:AVG (Score:5, Informative)

    by Southpaw018 (793465) * on Thursday August 09, 2007 @09:16PM (#20177583) Journal
    They left out Eset NOD32 as well. Symantec and McAfee are the AV old guard: still strong, but also bloated, slow, and weakening. And they have the occasional health problems.

    Kaspersky and Eset seem to be the two main up and comers, and they left one out!
  • by Kymermosst (33885) on Thursday August 09, 2007 @09:22PM (#20177641) Journal
    The story could have shown a list of the tested viruses versus the AV software being tested. A simple table would have conveyed a great deal more information than the drivel the fellow wrote. Yes I RTFA and as I said - it is not very informative.

    You RTFA and then sadly don't do any research. Why would they bother to list the tested viruses when they provide the actual viruses [untangle.com] (see "Test Set")?

  • Re:AVG (Score:4, Informative)

    by Kymermosst (33885) on Thursday August 09, 2007 @09:25PM (#20177659) Journal
    What about AVG? I really love it. I've installed it on both my workstations and a server (Windows). It uses minimal resources, it's fast, and it's managed to catch more stuff than Trend Micro, Symantec and McAfee.

    Also, Bitdefender and Nod32 are also good for the Windows environment. I'm curious how all these ranked in the Linux world.


    Test them yourself. The virus samples they used are found here [untangle.com].
  • by RootWind (993172) on Thursday August 09, 2007 @09:33PM (#20177729)
    Not to knock Clam but there is something odd about these results (besides the absurdly low testbed). TFA says Clam won two years ago (which meant Untangle would use it), and again now. However, just last May the results from AV-Test.org (a real trusted legitimate source) against a comprehensive testbed put ClamAV near the bottom of the heap: http://www.pcmag.com/article2/0,1895,2135053,00.asp [pcmag.com]
    I can't help but think that Untangle is trying to justify their own choice, rather than have a real test. With a testbed of only 25-35, it is possible to pick a group of malware that can put any AV on top. Even the user submitted malware is suspect, especially when that testset is also so low. ClamAV is great against virus outbreaks, with one of the fastest signature responses, but it has pretty atrocious trojan and zoo detection, since there is not enough man-power to collect and create signatures for less prevalent and non-replicating malware.
  • by archen (447353) on Thursday August 09, 2007 @09:34PM (#20177741)
    And this is especially good news for those of us utilizing CLAM. You COULD spend a heap of cash adding on tons of crap to an exchange server and hope that it doesn't implode under the weight... or you could have a postfix mail gateway with Clam AV and some simple spam blocking techniques for only the cost of time and hardware. It's also good in a way that not only do you not get viruses IN, but you can keep them from going out as well. You've obviously got issues at that point, but at least you're not spreading the plague. All thanks to open source goodness.
  • Re:AVG (Score:4, Informative)

    by omeomi (675045) on Thursday August 09, 2007 @09:49PM (#20177855) Homepage
    I've had good experiences with AVG. Unfortunately, on the rare occasions that I have had to deal with a virus, I've had to go through just about every single virus scanner that I can find before I'm able to completely eliminate the virus. Last time around, AVG was the one that correctly identified the virus, allowing me to find some special utility that somebody had written specifically to delete that particular virus. I think it was still a fairly new virus, which might explain why the major brands weren't able to clean my system, but I've been somewhat surprised in the past that it's so difficult to remove a virus/worm with commercial virus scanners.
  • Re:Odd numbers. (Score:5, Informative)

    by Bibz (849958) on Thursday August 09, 2007 @09:50PM (#20177865)
    Well, examining the Excel sheet here http://virus.untangle.com/ [untangle.com], they used 18 test cases, so they got 5.6% for Watchguard

    The summary was wrong, it's either 18 test cases or 35 test cases, depending on the section you're looking at...
  • by Leemeng (970560) on Thursday August 09, 2007 @09:54PM (#20177889)
    For the Excel-averse, I have uploaded the Excel Results of the test to the Zoho Viewer website. So you needn't install Excel or OO. http://viewer.zoho.com/docs/edblaI [zoho.com]
    by JeffSh (71237) on Thursday August 09, 2007 @10:18PM (#20178029)
    Another viable option is the managed services, i.e. MessageLabs and Postini. They are becoming increasingly popular and are a lot simpler to implement for small business.
  • Re:math question (Score:5, Informative)

    by Bibz (849958) on Thursday August 09, 2007 @10:21PM (#20178051)
    Because the summary isn't right.

    They used 18 test cases, Watchguard got only one : 1/18 = 5.55%, rounded = 6%

    All from the spreadsheet available at http://virus.untangle.com/ [untangle.com]
  • Re:Zombies (Score:5, Informative)

    by imemyself (757318) on Thursday August 09, 2007 @10:33PM (#20178117)

    There is something that computer labs and libraries swear by and not at: Faronics' DeepFreeze


    Have you ever worked in a tech department that had to support frozen computers? It turns a project that would maybe take fifteen or twenty minutes per lab into something more like an hour long. The school district that I work for used Deep Freeze on most of the desktops at the high school up until about a year or two ago. Taking DF off made it a lot quicker to make minor changes to the computers during the year, and there haven't been any significant problems. Students and teachers are also happier with it because it prevents stuff that people have saved in My Documents (yes, the kids are told over, and over again to save to their mapped home directories - but occasionally they don't) from being wiped out.

    About the same time as that we also took students out of the Admin group (I'm not exactly sure why they were in there in the first place - no apps have had any problems with it), so that mitigated any significant problems as well. We also have McAfee managed AV and 8e6 web filtering, but AFAIK it's fairly rare that any viruses or malware are found on the student computers. The laptops that the teachers have (and have admin rights on) are another story. But they would whine if they couldn't add WeatherBug and have five different toolbars in IE. Deep Freeze is really just a crappy way of avoiding the problem instead of dealing with it and fixing it. Students/regular non-admin users should not be able to cause damage to the OS. In a well run environment there shouldn't be tons of problems with malware. Yeah, there is going to be an occasional piece of malware that exploits a security vulnerability that could screw up the system. But it is not that hard to lock down boxes properly, with group policy and using the default Windows groups.
  • Re:AVG (Score:4, Informative)

    by Feyr (449684) on Thursday August 09, 2007 @11:23PM (#20178417) Journal
    my experience mirrors yours. based on many dozens of PCs running AVG: it's excellent at detection but once a virus does get past it you're fucked
  • by JackieBrown (987087) <dbroome@gmail.com> on Thursday August 09, 2007 @11:24PM (#20178423)
    000_eicar.com
    001_eicarcom2.zip
    002_eicar_com.zip
    003_eicar.rar
    004_eicar.zip.bad_extension
    005_eicar_big.zip
    010_18_04_2005.exe
    011_abuselist.zip
    012_fullstory.exe
    013_image.jpg.exe
    014_message.pif
    015_mntrup.exe
    016_patch-6143.zip
    017_photo.pif
    018_q347558.exe
    019_scan_check.jpg.exe
    020_test.zip
    021_The_taxation.zip
    100_8.zip
    101_scan.jpg
    102_Syndony.zip
    103_Update-KB8136
    104_Attachement.scr
    105_image.jpg.exe
    106_Info.exe
    107_Please-confirm-pay
    108_virus_87
    109_virus_88
    110_vvzh.scr
    111_xxx.com
    112_untangle1.zip
    113_untangle21.zip
    114_untangle22.zip
    115_untangle3.zip
    116_untangle4.zip
  • by quadra23 (786171) on Thursday August 09, 2007 @11:51PM (#20178607) Journal
    One product, WatchGuard's Linux AV tool, caught fewer than 6 percent of the viruses sent to it. "We're not exactly sure what the problem with WatchGuard is," says Morris. "The test was set up the same way for all of the vendors."

    This number quoted by the original poster missed the section in bold, it was technically < 6%, which could mean either 0 or 1 virus (funny how everything always works out to binary in some way or another :). My question would be which is it? Either way, my system would be compromised by either 24 or 25 viruses -- neither of which is a good scenario especially in regards to well-known viruses (according to the article no 0-day exploits were accepted).
  • Re:AVG (Score:3, Informative)

    by schwaang (667808) on Friday August 10, 2007 @12:14AM (#20178741)

    NOD32 Antivirus for File Servers runs seamlessly on all mainstream Linux distributions (RedHat, Mandrake, SuSE, Debian and others) and FreeBSD. The small footprint and fast performance makes NOD32 optimally suited for real-time or on-demand protection of your Unix File System Servers.


    http://www.eset.com/products/linux.php [eset.com]
  • RTFLITFA (Score:0, Informative)

    by Anonymous Coward on Friday August 10, 2007 @01:07AM (#20179081)
    that is Read the Fucking Link in the Fucking Article, which says 18 test viruses, not 25. 1/18 = 5.555...% rounded up to 6%.
  • Re:AVG (Score:1, Informative)

    by Anonymous Coward on Friday August 10, 2007 @02:04AM (#20179365)
    I downloaded their sample viruses (35 files) and scanned them using AVG.
    After remembering to turn on archive scanning it found 31 of them to be infected.
    I'd say that's pretty decent, a shame they left it out of their tests.

    They don't exactly make the Linux version easy to find on their site but here's a forum link:
    http://forum.grisoft.cz/freeforum/read.php?10,94501,backpage=,sv= [grisoft.cz]
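Two detection gaps come up in this thread: SuperBanana's comment above describes a worm sailing past a scanner because a mail relay rewrote its line endings, and the AVG commenter only got sensible numbers after turning on archive scanning (the test set itself ships EICAR inside a zip and inside a zip-in-a-zip). The following is an added example, not code from the page, from Untangle or from any of the vendors tested: a toy hash-based scanner whose signatures are computed over a canonical form (line endings normalised, trailing whitespace stripped) and which descends into ZIP members. It uses the real EICAR test string as its only signature; the sample set, the `SIGNATURES` table and the `scan`/`catch_rate` helpers are all constructed for this example, and matching a whole-file hash is a deliberate simplification of how real engines match.

```python
import hashlib
import io
import zipfile

# The EICAR standard anti-virus test string (a real, harmless industry test file).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_DEPTH = 4          # how many nested archives to unpack
MAX_MEMBER = 1 << 20   # skip archive members larger than 1 MiB (zip-bomb guard)


def canonical(data: bytes) -> bytes:
    """Normalise line endings (CRLF/CR -> LF) and strip trailing whitespace.

    A relay that rewrites CR to CRLF changes the raw bytes but not the script,
    so signatures are computed over this canonical form rather than raw bytes.
    """
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [line.rstrip(b" \t") for line in data.split(b"\n")]
    return b"\n".join(lines).rstrip(b"\n")


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Toy signature database (constructed): detection name -> SHA-256 of canonical content.
SIGNATURES = {"EICAR-Test-File": digest(canonical(EICAR))}


def scan_bytes(data: bytes, normalize: bool = True):
    """Return the detection name for a single non-archive blob, or None."""
    h = digest(canonical(data) if normalize else data)
    for name, sig in SIGNATURES.items():
        if h == sig:
            return name
    return None


def scan(path: str, data: bytes, scan_archives: bool = True,
         normalize: bool = True, depth: int = 0):
    """Scan one object, descending into ZIP archives when enabled.

    Returns a list of (member path, detection name) pairs; an oversized member
    is recorded as skipped so the gap shows up in the report instead of silently.
    """
    hits = []
    if scan_archives and depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER:
                    hits.append((member, "skipped: member too large"))
                    continue
                hits.extend(scan(member, zf.read(info), scan_archives, normalize, depth + 1))
        return hits
    name = scan_bytes(data, normalize)
    if name:
        hits.append((path, name))
    return hits


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP file from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed test set modelled on the eicar*.zip names in the untangle list."""
    eicar_zip = make_zip({"eicar.com": EICAR})
    return {
        "eicar.com": EICAR,                      # plain test file
        "eicar_crlf.com": EICAR + b"\r\n",       # a relay appended a CRLF
        "eicar_spaces.com": EICAR + b"   \n",    # trailing whitespace added
        "eicar_com.zip": eicar_zip,              # test file inside a ZIP
        "eicarcom2.zip": make_zip({"eicar_com.zip": eicar_zip}),  # ZIP inside a ZIP
    }


def catch_rate(samples: dict, **options):
    """Return (caught, total) for the sample set under the given scanner options."""
    caught = sum(1 for path, data in samples.items() if scan(path, data, **options))
    return caught, len(samples)


if __name__ == "__main__":
    samples = build_samples()
    for opts in ({}, {"normalize": False}, {"scan_archives": False},
                 {"normalize": False, "scan_archives": False}):
        caught, total = catch_rate(samples, **opts)
        print(f"{opts or 'defaults'}: {caught}/{total} = {100 * caught / total:.1f}%")
```

Run as-is it reports 5/5 with both features on, 3/5 with either one off, and 1/5 with both off on the same five samples: the same kind of swing the thread is arguing about, produced by scanner configuration and signature robustness rather than by the malware. A real evaluation should state which options were enabled and what the sample size was, exactly the two facts the 18-vs-25-vs-35 confusion here turns on.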
  • Re:The winners: (Score:2, Informative)

    by blaine the monorail (1140679) on Friday August 10, 2007 @03:39AM (#20179815)
    If you read the website with the original results [untangle.com], it says that there were actually only 18 viruses in the first test, and Watchguard only caught one, which is 5.6%. You can download a nice spreadsheet with detailed information about which viruses every solution caught, too.
  • Ugh, not binary (Score:2, Informative)

    by gerf (532474) <edtgerf@gmail.com> on Friday August 10, 2007 @03:52AM (#20179875) Journal

    I couldn't ignore the anal-retentive troll inside of me.

    which could mean either 0 or 1 virus (funny how everything always works out to binary in some way or another :).

    That is not binary, but rather only could be binary, but could be any m-ary. True, it could be binary, if you assume two viruses would be represented by 01, three by 11, four by 001, and so forth. As it is, it's ambiguous, as are all numbers. 234 viruses could be decimal, hexadecimal, or a higher base, just as X amount of something does not denote the actual base. Now, if there was a subscript "1," that could mean it was binary, but that's obviously not there, now is it, hmm.

    On another tangent, I have seen a similar analog-digital converter in a PIC program quite a few years back. Basically, if I had an analog value that I knew were only going to be 0 or 1, I could convert it to a digital 0 or 1. For some reason the label of the value mattered more than the actual value in the application. What a fun program in school. I was able to use the free 15-step limited program to do what I wanted, while everyone else had to resort to some ungodly large amount of logic that required the paid program.

  • Re:Odd numbers. (Score:2, Informative)

    by sneakerpimps (1082011) on Friday August 10, 2007 @03:55AM (#20179885)

    Look at the page: http://virus.untangle.com/ [untangle.com].

    • For the "Wild + Eicar Catch Rate" it says, "The sample size of this test is 18 (not 25 as some cited)."
    • For the "Overall Catch Rate" it says, "The sample size of this test is 35."
  • Re:The winners: (Score:3, Informative)

    by sbryant (93075) on Friday August 10, 2007 @06:19AM (#20180561)

    How, with 25 different viruses can one catch 6%?

    Because the test set was 18, and not 25 as reported. 100/18=5.555. Have a look at the test results [untangle.com].

    -- Steve
