Rebuilding operating systems has been the only true way to trust malware-infected computers. Security engineers at AV-TEST say there are other options.
Security suites worth their salt do not just prevent malware from gaining a foothold in computer operating systems and ancillary software--they offer the capability to remove malware that unfortunately made it past the suite's perimeter defenses, and (usually free) tools to clean and repair corrupted files, whether operating system files or otherwise.
The cat-and-mouse game between malware creators and antimalware developers has been going on long enough to understand that it is impossible to completely prevent malware from infecting business or personal computers, and we seem to be okay with that.
However, "being okay" changes when it comes to cleaning an infected system and repairing files. If the computer runs as a virtual machine (VM) under a product like VMware, it is not a problem--the VM can be quickly rebuilt.
If VMs are not used, the question becomes: Should the installed antimalware and/or the associated rescue disk be trusted to return the computer to a safe condition? An alternative that is sometimes suggested is to format the drive and then re-install the operating system and software. Albeit time consuming, this leaves the computer malware free.
Testing nine security suites and seven rescue media tools
Thanks to AV-TEST, an independent IT-security laboratory, trusting antimalware to do what it advertises has become easier. "Experts at AV-TEST examined nine security suites and seven special tools in terms of their performance after malware attacks," according to the company's website. "The programs were required to detect and repair malware samples, plus repair and clean the Windows system."
The security suites tested are:
- Avast! Free Antivirus
- Avira Antivirus Pro
- Bitdefender Internet Security
- Enigma Software Spyhunter
- G Data Internet Security
- Kaspersky Internet Security
- Malwarebytes Premium
- Microsoft Security Essentials
- Symantec Norton Security
The associated rescue media include:
- Avast Rescue Disk
- Bitdefender Rescue Disk
- G Data BootMedium
- Heise Disinfect
- Kaspersky Virus Removal Tool
- Microsoft Safety Scanner
- Microsoft Windows Defender Offline
According to Andreas Marx, CEO of AV-TEST, testing took place from January to December 2017. "All products completed four rounds of testing," added Marx. "Each security suite attempted to repair 76 attacks. Each rescue tool was confronted with 38 attacks. In total, the lab performed 950 individual evaluations."
Besides the typical antimalware tests, Marx said that each security suite, once installed, was disabled briefly, allowing the test computer to be infected. As to why, Marx explained, "This simulated when the security suite did not initially recognize the successful attack, and received the detection alert after the fact."
Best recovery scenario
The ultimate goal of those who develop security suites is to return an infected computer to the state it was in prior to the attack; unfortunately, that kind of result was not obtained by any of the suites tested. Marx said a few of the suites and some of the tools came very close. "Bitdefender and Kaspersky were on top, each with 72 out of 76 completely repaired and cleaned systems," he added. "In each of the Bitdefender and Kaspersky test cases, all that survived were harmless file remnants."
G Data, Avast, Symantec, and Avira (in order of results) did almost as well, repairing 61 to 68 Windows systems, and once again, only harmless file fragments remained. Test results for all the security suites are shown in Figure A.
As for the recovery tools, once again Kaspersky and Bitdefender led the way. "They provided near-perfect assistance in all 38 test cases," stated Marx. "The Kaspersky Removal Tool overlooked harmless file remnants 3 times, the Bitdefender Rescue Disk 5 times." The test results for all the recovery tools are shown in Figure B.
No need to reformat and reinstall software
The experts at AV-TEST believe the results indicate there is no longer a need to format and reinstall software. "The test clearly shows that this advice is totally over-the-top today," suggested Marx. "Anyone already using a good security suite has only a small risk of being caught off guard by malware. In case a suite did not know the malware at the time of the attack, good suites can come to the rescue retroactively."
Marx and the engineers conclude with a warning:
"Malware in the area of ransomware, e.g. Cryptolocker, is an exception, however, as the attack is immediately followed by encryption of data. While it is true that security software would be capable of deleting the malware after the fact, it cannot decrypt the data. Users are urged to create backups only on external drives that are not constantly connected to the PC."