One of the least desirable calls IT professionals get are from clients, family members, or friends who mention malware has infected their computer. But not to worry, their “fill in the blank” antimalware app got rid of it, and everything is working just fine. Most IT professionals aren’t that optimistic about things being just fine when it comes to a once infected, then restored, computer’s digital health.
While the IT pro continues to listen to the story, he’s typically debating whether to tell the caller it might be best to reimage the computer to be safe. That kind of comment more often than not raises the ire of the caller, especially when the caller remembers who suggested getting antimalware in the first place. Any further explanation on the IT professional’s part is lost.
There is good news
Andreas Marx, CEO and founder of AV-Test, emailed me about AV-Test’s newest long-term study. Marx attached the press release 17 software packages in a repair performance test after malware attacks. I have written about AV-Test studies before, but this project had special significance. If Marx and his crew determined which antimalware applications indeed restored computers to pre-infection conditions, I know several IT pros who would be appreciative.
Marx and AV-Test engineers spent the last ten months determining whether several popular antivirus software packages and malware-cleaning tools did what their developers advertised — clean and repair Windows-based computers after being infected by malware. The AV-Test engineers scrutinized the following antivirus programs:
● Avast! Free Antivirus 9.0
● AVG AntiVirus Free 2014
● Avira Free Antivirus
● Bitdefender Internet Security 2014
● ESET Smart Security 7
● F-Secure Internet Security 2014
● Kaspersky Internet Security 2014
● Malwarebytes Anti-Malware Free
● Microsoft Security Essentials,
● Norton Internet Security 2014
The engineers then tested the following malware-cleaning tools:
● Avira Cleaner
● Hitman Pro
● F-Secure Removal Tool
● Kaspersky Removal Tool
● Panda Cloud Cleaner
● Norton Power Eraser
The test procedure
Malware creators are fastidious about updating and revising their malware. That is why the AV-Test program lasted ten months, it allowed the researchers to discern whether computer restoration was repeatable or not, even after the bad-guy developer changed the malware.
I was curious about the malware samples. Marx said, “We used a total of 30 malware samples, each from different malware families. We subjected each application to the 30 samples, duplicating conditions as much as possible.”
Something else Marx mentioned; the researchers determined that each antimalware app was able to detect all variations of malware. Marx said, “The object was to examine repair performance and not detection ability.”
During the ten-month test period, antimalware programs and malware-removal tools were loaded onto test computers and exposed to the malware samples first using what AV-Test called the “gradual testing of removal and system repair” approach. Next, the test computers were infected with malware samples before either an antimalware program or a malware-removal tool was installed. AV-Test engineers then installed and activated the antimalware application. Doing so allowed the researchers to determine how each app reacted to already-installed malware.
I asked Marx about the test computers. What besides the operating system, if anything, was installed on the computer, and would having additional applications installed on the computers have any affect? Marx said, “We used a Windows 7 (English), SP1 (64 bit) computer as the test platform. The additional installed applications were a file manager (Total Commander), a screenshot utility (HyperSnap), and AV-Test’s application Sunshine (similar to FileMon, but with more forensics features). We did not believe additional applications such as Microsoft Word, Google Chrome, or Skype would change the outcome of the disinfection tests.”
I had one final question for Marx. How did the AV-Test engineers know the computers were restored to a pre-infection condition? Marx said, “The AV-Test program Sunshine (mentioned earlier) logged every important change to the system. So we knew the clean state, the infected state, and the disinfected state. That way, we were able to compare the different conditions, decide if everything was running correctly, and learn if malware traces were left behind.”
For both test groups, antimalware programs and malware-removal tools, AV-Test judged how the application reacted to each malware using the following classifications:
● Malware not detected: According to what Marx said, this column should have been all zeros. But, Microsoft Security Essentials and Avira Free Antivirus missed one of the 30 samples.
● Active malware components not removed: In this case, the application detected malware, removed some files, but the malware was not rendered harmless.
● Only harmless file remnants left behind: In certain cases, antimalware removal did not get everything. Harmless code remnants were left behind, included ineffective files and orphaned Windows registry entries.
● Complete removal, clean system: Malwarebytes Anti-Malware Free was the only application to get a perfect score. Several others were close, but this is not a horse-shoe tossing contest.
The graph below has all the test results.
The results obtained by AV-Test go a long way to disprove what myself and others have been saying. Marx said it best in his report, “There is now software for the morning after.”