
Many Antivirus Tools Fail in LinuxWorld Test

talkinsecurity writes "In a public, side-by-side test conducted last night at LinuxWorld, ten antivirus products were confronted with 25 known viruses. The results were surprisingly disparate. Only three of the products caught all of the viruses; three only caught 61 percent, and one caught an abysmal 6 percent. The test, which wasn't particularly complicated, proves that there still are wide differences in the effectiveness of AV tools. A lot of people think all AV tools are the same — they're not!"
This discussion has been archived. No new comments can be posted.

  • Re:The winners: (Score:5, Interesting)

    by alx5000 ( 896642 ) * <alx5000&alx5000,net> on Thursday August 09, 2007 @08:51PM (#20177397) Homepage
    What's even funnier:

    WatchGuard disputes the test results, stating that it uses ClamAV -- one of the products that caught all of the viruses -- in its own product. "We don't see how the results could be valid -- our product uses ClamAV," a spokesman says.
  • math question (Score:2, Interesting)

    by jeebee ( 229681 ) on Thursday August 09, 2007 @08:55PM (#20177419)
    How does i/25 not equal 4*i%? Were some of the 25 viruses half-caught, or one-quarter caught?
  • Odd numbers. (Score:5, Interesting)

    by DerekLyons ( 302214 ) <fairwater@gmaLISPil.com minus language> on Thursday August 09, 2007 @08:56PM (#20177421) Homepage
    Something seems a little strange here. With 25 test cases, and a binary outcome (either the virus was detected or it was not), the %caught should proceed in even steps of 4%. There's some number massaging going on somewhere.
     
    Hmm... the Fight Club Website [untangle.com] lists 35 test cases, not 25. It's not clear if there is any overlap between the various test cases. In fact, there's not any discussion of the testing methodology (let alone what precisely was tested) at all. Just "here's our numbers - believe them or infect your own machine and find out for yourself".
     
    Now, while I admire the 'do it yourself' hacker ethos as much as the next guy - this is taking it a bit too far.
  • by eddy ( 18759 ) on Thursday August 09, 2007 @08:56PM (#20177423) Homepage Journal

    For fun I downloaded an application where I suspected the "keygen" was trojanized. I was correct; the real keygen had been bundled with some, as it would turn out, Off The Shelf trojan. However, I didn't know what trojan so I scanned with F-Secure's online-engine, which didn't detect anything (neither did my active AVG installation). So I sent in the executable as a sample, explained what little I had to say; where I found the file, that it was pecompact2'ed, that their online scan didn't detect it. The process of submitting a file requires you to attach the scanner log.

    Got the reply that "The file you submitted was found to be malicious, and is already detected as Trojan-Downloader.Win32.Delf.asz using the latest virus definitions." and "Please update your virus definition databases to properly detect the file".

    Remember, I had scanned it using their latest online scanner and provided the log where the trojan was NOT detected.

    So, maybe an extra warning for online scanning engines.

    PS.
    Shortly after I had submitted the file to f-prot, AVG started detecting it.

  • by BearRanger ( 945122 ) on Thursday August 09, 2007 @09:21PM (#20177627)
    Let me preface this by saying that I work in a Windows free environment. I understand that not everyone has this luxury.

    Am I a bad citizen because I don't scan for Windows viruses on my Linux systems? It's almost like another Microsoft tax--you're expected to degrade your performance to prevent their victims, uh, customers (yeah, that's it) from infecting each other. Those folks need to be responsible for their own safety and not expect the rest of us to do it for them. They could start by holding Microsoft accountable and making other choices at purchasing time. To me, Windows isn't worth the hassle.
  • Rainbow Fonts (Score:2, Interesting)

    by Tablizer ( 95088 ) on Thursday August 09, 2007 @09:28PM (#20177695) Journal
    The charts used those damned ClearType sub-pixelation fonts in the image, which is not going to work right with many monitors since they have to be tuned per user. When I see that rainbowy tinge, at first I check to make sure I haven't drunk too much c c c coffee again.
  • Re:Zombies (Score:4, Interesting)

    by ozzee ( 612196 ) on Thursday August 09, 2007 @10:03PM (#20177955)

    I actually do the same kind of thing. Whenever I get a new machine, I snapshot the HDD before I even boot it the first time. Then I run the auto updates from MS and snapshot it again. I then regularly wipe the machine by restoring a snapshot. (It also forces me to keep my data somewhere else that is safe.)

    The only advantage of this over the DeepFreeze thing is that I can unfreeze to multiple prior states.

    I think it should be a standard feature with these 100GB++ notebook drives.

  • Re:The winners: (Score:4, Interesting)

    by flu1d ( 664635 ) on Thursday August 09, 2007 @10:54PM (#20178263) Homepage
    I guess that really all depends if they're using ClamAV's definition updates or not. The anti-virus engine is useless without a good list of definitions. ClamAV is pretty sweet due to the fact that you can create your own definition for a 0 day and submit it back to ClamAV while using the new definition.
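The comment above mentions writing your own ClamAV definition for a 0-day and using it while it is pending upstream. As an added illustration (not code from the thread or from the ClamAV project), the block below builds signatures in ClamAV's two simplest database formats and applies them to constructed sample bytes: a `.hdb` line (`MD5:FileSize:MalwareName`, whole-file hash match) and a `.ndb` line (`MalwareName:TargetType:Offset:HexSignature`, byte-pattern match). The matcher is a deliberately small re-implementation for demonstration, not libclamav; it supports only the `??` and `*` wildcards of the hex-signature syntax, and the sample "malware" is a harmless fake PE stub carrying a marker string.

```python
import hashlib
import re

# Constructed sample bytes (not real malware): a fake PE stub carrying a marker string.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n"
SUSPECT = PE_STUB + b"\x00" * 16 + b"EVIL-DOWNLOADER-MARKER-v1" + b"\x00" * 32
VARIANT = PE_STUB + b"\x00" * 8 + b"EVIL-XYZ-MARKER-v1" + b"\x00" * 40   # repacked middle
CLEAN = PE_STUB + b"\x00" * 64


def hdb_signature(data: bytes, name: str) -> str:
    """One .hdb line, MD5:FileSize:MalwareName, matching exactly this file."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(hex_pattern: str, name: str, target_type: int = 1, offset: str = "*") -> str:
    """One .ndb line, MalwareName:TargetType:Offset:HexSignature.
    target_type 1 = PE executable; offset '*' = anywhere in the file."""
    return f"{name}:{target_type}:{offset}:{hex_pattern}"


def hexsig_to_regex(hex_pattern: str):
    """Translate a ClamAV-style hex signature into a bytes regex.
    Supported here: literal hex byte pairs, ?? (any single byte), * (any run of bytes)."""
    parts = []
    i = 0
    while i < len(hex_pattern):
        if hex_pattern[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hex_pattern[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hex_pattern[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, hdb_lines, ndb_lines) -> list:
    """Return the names of every hash and pattern signature that matches data."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    for line in hdb_lines:
        md5, size, name = line.split(":")
        if md5 == digest and int(size) == len(data):
            hits.append(name)
    for line in ndb_lines:
        name, _target_type, offset, hex_pattern = line.split(":")
        rx = hexsig_to_regex(hex_pattern)
        if offset == "*":
            matched = rx.search(data) is not None
        else:
            # Fixed offset: the pattern must start exactly there.
            # (ClamAV's EP+n / EOF-n offset forms are not modelled in this toy.)
            matched = rx.match(data, int(offset)) is not None
        if matched:
            hits.append(name)
    return hits


# Signature set for the constructed sample: one exact-hash entry and one pattern
# whose '*' wildcard tolerates a changed middle section.
HDB = [hdb_signature(SUSPECT, "Win.Trojan.ConstructedSample-hash")]
NDB = [ndb_signature(b"EVIL-".hex() + "*" + b"-MARKER-v1".hex(),
                     "Win.Trojan.ConstructedSample-pattern")]

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{label:8s} -> {scan(blob, HDB, NDB)}")
```

The point the comment is making shows up in the difference between the two signature kinds: the hash line only ever matches the one sample you submitted, while the pattern line also catches the repacked variant, which is why a hand-written `.ndb` entry is usually the more useful stopgap until the official database catches up. ClamAV's own `sigtool --md5 <file>` emits the `.hdb` line for a file, so in practice you would use that rather than the helper here.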
  • by tech10171968 ( 955149 ) on Friday August 10, 2007 @12:21AM (#20178783)
    I, too, work in a completely Windows-free environment at our company (in fact, I'm the one who spec'd everything, from our database server to the workstations). But I still insist on everyone's machine running ClamAV because, while we don't have many/any worries about being compromised by malware, we do exchange web traffic with our customers (like, say, most any business using at least one computer with an internet connection). I'd hate like hell to think that we may have inadvertently passed a virus- or trojan-infected email or spreadsheet to a customer - doesn't exactly do wonders for customer relations, ya know?
  • Detected, not Caught (Score:2, Interesting)

    by Riquez ( 917372 ) on Friday August 10, 2007 @12:22AM (#20178791) Homepage

    Only three of the products caught all of the viruses
    Does this not strike anyone as a really stupid way to word the detection of a virus?
    If you "catch a virus", you're infected.

    "where's geoff today?",
    "oh, he caught the flu"
    "he caught it! nice one geoff, you managed to destroy that pesky flu & not get infected - so he's out celebrating right?"
    "erm... fk off weirdo"
