
AV-Test proves antimalware apps can restore infected computers

Independent lab AV-Test confirms that certain antimalware apps do restore Windows 7 computers to pre-infection condition.

One of the least desirable calls an IT professional gets is from a client, family member, or friend who mentions that malware has infected their computer. But not to worry, their "fill in the blank" antimalware app got rid of it, and everything is working just fine. Most IT professionals aren't that optimistic about things being just fine when it comes to the digital health of a once infected, then restored, computer.

While the IT pro continues to listen to the story, he's typically debating whether to tell the caller it might be best to reimage the computer to be safe. That kind of comment more often than not raises the ire of the caller, especially when the caller remembers who suggested getting antimalware in the first place. Any further explanation on the IT professional's part is lost.

There is good news

Andreas Marx, CEO and founder of AV-Test, emailed me about AV-Test's newest long-term study. Marx attached the press release "17 software packages in a repair performance test after malware attacks." I have written about AV-Test studies before, but this project had special significance. If Marx and his crew could determine which antimalware applications indeed restored computers to pre-infection condition, I know several IT pros who would be appreciative.

Marx and AV-Test engineers spent the last ten months determining whether several popular antivirus software packages and malware-cleaning tools did what their developers advertised -- clean and repair Windows-based computers after being infected by malware. The AV-Test engineers scrutinized the following antivirus programs:

● Avast! Free Antivirus 9.0
● AVG AntiVirus Free 2014
● Avira Free Antivirus
● Bitdefender Internet Security 2014
● ESET Smart Security 7
● F-Secure Internet Security 2014
● Kaspersky Internet Security 2014
● Malwarebytes Anti-Malware Free
● Microsoft Security Essentials
● Norton Internet Security 2014

The engineers then tested the following malware-cleaning tools:

● Avira Cleaner
● Hitman Pro
● Disinfect2013
● F-Secure Removal Tool
● Kaspersky Removal Tool
● Panda Cloud Cleaner
● Norton Power Eraser

The test procedure

Malware creators are fastidious about updating and revising their malware. That is why the AV-Test program lasted ten months: the long run allowed the researchers to discern whether computer restoration was repeatable, even after the bad-guy developer changed the malware.

I was curious about the malware samples. Marx said, "We used a total of 30 malware samples, each from different malware families. We subjected each application to the 30 samples, duplicating conditions as much as possible."

Something else Marx mentioned: the researchers confirmed that each antimalware app was able to detect all variations of the malware. Marx said, "The object was to examine repair performance and not detection ability."

During the ten-month test period, the antimalware programs and malware-removal tools were first installed on the test computers, which were then exposed to the malware samples; AV-Test called this the "gradual testing of removal and system repair" approach. Next, the test computers were infected with the malware samples before any antimalware program or malware-removal tool was installed. AV-Test engineers then installed and activated the antimalware application, which let the researchers observe how each app handled malware that was already present.

I asked Marx about the test computers. What besides the operating system, if anything, was installed on the computer, and would having additional applications installed have any effect? Marx said, "We used a Windows 7 (English), SP1 (64 bit) computer as the test platform. The additional installed applications were a file manager (Total Commander), a screenshot utility (HyperSnap), and AV-Test's application Sunshine (similar to FileMon, but with more forensics features). We did not believe additional applications such as Microsoft Word, Google Chrome, or Skype would change the outcome of the disinfection tests."

I had one final question for Marx. How did the AV-Test engineers know the computers were restored to a pre-infection condition? Marx said, "The AV-Test program Sunshine (mentioned earlier) logged every important change to the system. So we knew the clean state, the infected state, and the disinfected state. That way, we were able to compare the different conditions, decide if everything was running correctly, and learn if malware traces were left behind."

Result classifications

For both test groups, antimalware programs and malware-removal tools, AV-Test judged how the application reacted to each malware using the following classifications:

Malware not detected: According to what Marx said, this column should have been all zeros. But Microsoft Security Essentials and Avira Free Antivirus each missed one of the 30 samples.

Active malware components not removed: In this case, the application detected malware, removed some files, but the malware was not rendered harmless.

Only harmless file remnants left behind: In certain cases, antimalware removal did not get everything. Harmless remnants were left behind, including inactive files and orphaned Windows registry entries.

Complete removal, clean system: Malwarebytes Anti-Malware Free was the only application to get a perfect score. Several others were close, but this is not a horse-shoe tossing contest.
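The clean/infected/disinfected comparison Marx describes, together with the four result classes above, can be expressed as a small baseline-diff check. This is an added illustration in Python, not AV-Test's Sunshine tool or any vendor's code; the paths, hashes, and registry entries are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    """One recorded system state: file hashes (path -> digest), autorun
    registry values (name -> target path) and running process image paths."""
    files: dict
    autoruns: dict
    processes: frozenset

def leftovers(clean: Snapshot, state: Snapshot):
    """Everything present in `state` that was not in the clean baseline."""
    files = {p for p, h in state.files.items() if clean.files.get(p) != h}
    autoruns = {k: v for k, v in state.autoruns.items() if clean.autoruns.get(k) != v}
    procs = state.processes - clean.processes
    return files, autoruns, procs

def classify(clean: Snapshot, disinfected: Snapshot, detected: bool = True) -> str:
    """Map the post-cleanup state onto the article's four result classes."""
    if not detected:                       # the product never flagged the sample
        return "Malware not detected"
    files, autoruns, procs = leftovers(clean, disinfected)
    # Still active: a foreign process, or an autorun whose target still exists
    # on disk and would relaunch the payload at the next logon.
    live = {k for k, v in autoruns.items() if v in disinfected.files}
    if procs or live:
        return "Active malware components not removed"
    # Orphaned autoruns and files that nothing launches are inert remnants.
    if files or autoruns:
        return "Only harmless file remnants left behind"
    return "Complete removal, clean system"

# Constructed sample states (hypothetical paths and digest values).
CLEAN = Snapshot(files={"C:/Windows/System32/kernel32.dll": "h-k32"},
                 autoruns={"TotalCmd": "C:/TotalCmd/TOTALCMD64.EXE"},
                 processes=frozenset({"C:/Windows/explorer.exe"}))
EVIL_EXE = "C:/Users/x/AppData/Roaming/svc.exe"
EVIL_DAT = "C:/Users/x/AppData/Roaming/svc.dat"
INFECTED = Snapshot(files={**CLEAN.files, EVIL_EXE: "h-evil", EVIL_DAT: "h-dat"},
                    autoruns={**CLEAN.autoruns, "svc": EVIL_EXE},
                    processes=CLEAN.processes | {EVIL_EXE})
# Three possible outcomes of a cleanup run against INFECTED.
PARTIAL = Snapshot(files={**CLEAN.files, EVIL_EXE: "h-evil"},  # process killed, binary + key stay
                   autoruns=INFECTED.autoruns, processes=CLEAN.processes)
REMNANTS = Snapshot(files={**CLEAN.files, EVIL_DAT: "h-dat"},  # exe gone, orphaned key + data file
                    autoruns=INFECTED.autoruns, processes=CLEAN.processes)
RESTORED = CLEAN

if __name__ == "__main__":
    for name, state in [("PARTIAL", PARTIAL), ("REMNANTS", REMNANTS), ("RESTORED", RESTORED)]:
        print(name, "->", classify(CLEAN, state))
```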

The graph below has all the test results.

[Figure: AV-Test repair performance results chart. Image: AV-Test]

Last thought

The results obtained by AV-Test go a long way toward disproving what I and others have been saying. Marx said it best in his report: "There is now software for the morning after."


16 comments
skip.berry

I am curious why you did not include Sophos in your testing? 

peterharding

No mention of Vipre Rescue Free which is an outstanding product.  This is my scanner of first choice and it will often remove all the infections. If I am still not happy with the clean-up, I will follow up with Malwarebytes Antimalware free. On only very rare occasions has this left a PC still infected.

tomi01

I can't bear this article.  If you work cleaning systems out, as an IT consultant  like I do, you know what to do and use a multi tool approach of "APPLICATIONS" not "apps" (for crying out loud, this isn't koolaid land for mobile phone users...)

So, using a multi-stage approach for removing malware and viruses from a computer is pretty much a given to anyone who has had to do it and the products listed remove a certain segment of infections but not the layer that allows infection to begin with.

That requires first a product, i.e. an "application" or program called Adwcleaner or a similar product.

Just so sophomoric and moronic, this article, and please, please stop with the word "apps". It sickens me actually, like it gives a whole license to the MS koolaid "Metro apps" concept of computing.

Finally a clean confirmation scan is required and the best "product" out there after Malwarebytes to give confirmation is the online scanner at eSet. I think most people who do this for a living know these things.. why doesn't the article's author?

pgit

Funny, I IM'd this to a colleague earlier this AM:


"I trusted mbam so much that when a wonky machine tested "clean" I assumed there was another problem. Turned out a database was beyond its capacity limits and wreaking havoc on the virtual file system (the one in RAM, not on disk). As a result a lot of read failures prompted the system to reload the correct bits from disk. It was only a small read here and there, but as fast as computers run it looked to us like the hard drive was continuously being read."

I also use MSSE and MBAM. If between the 2 of them it says the system is clean, I run the free rootkit tool from Sophos and rkhunter. If they show "clean" then 9 times out of 10 regardless of the actual cause I'd ultimately end up reimaging the system, so that's usually what I do at this point.

So I usually don't get to dig around to find the cause as I did in the case I IM'd about, mainly because the customer simply doesn't care, and are generally not interested in paying for my education. Even if the problem was due to some behavior they should modify or eliminate (eg bad db management) they just don't want to hear about it. "Just get it back up as fast as you can" is the usual order.


That's really too bad because digging into mysteries is the most satisfying part of this work.

Craig_B

This is why at home I use Microsoft Security Essentials (MSE) AND Malwarebytes (MBAM).  Again it's the layers of protection model instead of just relying on one thing.

PhilippeV

With only 30 samples it's hard to decide which AV tool is the best at disinfecting the system, notably because the test was also very limited and did not include installation of common software like MS Office or Libre Office, Chrome, Firefox, Flash; Adobe Reader; instant messengers (including Google Hangout installed as an addon with Chrome but running separately), and cloud connectors (like Dropbox), and common media players (including iTunes) and their codecs; or printer drivers; or tools for synchronizing common smartphones from various brands; or GPS navigation devices.


Also the choice of only Windows 7 in 64 bit version limits the kind of possible infections.


The number of samples also limits the kind of infections that can target various components and install components in other software than just the basic OS components or IE, where they can be plugged in and reactivated to reinfect the system or download variants that will resist some AV-tool methods.

There are not so many places in a system that can be targeted by malware; with lots of software installed using various ranges of components, each one with their defects which can be harnessed.


Also it's a fact that now malware is trying to attack IoTs (home routers, connected TVs...) because they don't have any AV tool; and attacks may pass through a well protected router undetected to attack and infect other appliances on the local network, where detection of infections and disinfection is often very difficult; and those have enough power, when running inside the local network, to reach computers and mobile devices more easily without the protection of the external firewall with an antivirus.


Note also that most home routers do not have any antivirus, and cannot even have one installed on them (their firmware is too opaque for most customers, and frequently it is not even updatable easily).

Michael Kassner

@tomi01


As for using apps, I apologize if that offends you. 


I noticed  you promoted Adwcleaner pretty hard. I looked, but could not find any independent test results showing how well it works. Do you perchance have that information? 


As for MBAM, I happen to agree and have written about it extensively, and the AV-Test results once again prove its mettle. 

SmartAceW0LF

@tomi01  Michael Kassner has a long track record behind him regarding Security of computers.  Where have you been? Under a rock?

Michael Kassner

@pgit


I agree Pgit. Most of my clients are to the point where they have current images, and will immediately reimage their workstations. That said, I think it is valuable to know that the antimalware applications are working as claimed.

Michael Kassner

@Craig_B


Good point, Craig. I was a bit surprised that MSE was one of two that missed a piece of malware. 

SgtPappy

@Craig_B Multi-tool approach is always the best way to go. This looks like more an advertisement for AV-Test's Sunshine app. I'm always skeptical of tests that involve a tester's own software. Is the Sunshine app a good tool to use for a baseline....probably. But I always scan my computer at least twice using different malware programs, especially after a possible infection.

Michael Kassner

@PhilippeV


All great points, Philippe. I did mention that Marx and the engineers felt that additional apps would not make a difference. As for the number of malware strains, you may be right. However, this is one of the first tests of its kind, and having an independent house verify that antimalware products do in fact work is an improvement.

tomi01

@Michael Kassner @tomi01


Regardless of independent tests evaluating Adwcleaner, those of us who fight viruses as part of our work, year in and year out, have a deep community of understanding of how to fight them and what works.  Over time, choices change, requirements change, but the standard we seek in programs based on current experience doesn't shift. 

No independent tests can compare to the experiences that have taught us what works and what doesn't. A little digging on the internet will show the relevance of using a program with the capabilities of Adwcleaner in today's environment.

As far as using the word "apps".. we are grown ups and don't have to use the word "apps" to satisfy the public's need to accept the MS Metro version of computer software for personal PC's unless we want to be on their A list.   Which I don't necessarily covet. 


Combofix would have a hard time getting peers to be compared to for independent review, but everyone knows when you need it, you've got to use it. Usually as a means of using the jackhammer approach, and then you go in with the Adwcleaner and then the Malwarebytes and others. Not to mention TDSS Killer. Ever have to remove a few ZeroAccess infections?



tomi01

Then you would think he would avoid using a poncy name like "apps" for everything and he would know about the malware that requires an AV program like Adwcleaner in order to remove the registration and infiltration that comes in drive-by and PUP downloads. Which is how the viruses get into the system these days by majority. Just saying.. stop with the sophomoric "apps" talk.. please.

Michael Kassner

@SgtPappy @Craig_B


The Sunshine app was not intended to be a potential product. Existing apps did not have the forensic analysis tools that AV-Test engineers wanted. 
