Q2 2011 Test Results of Security Suites

July 20th, 2011 5 comments

Recently both AV-Test.org and AV-Comparatives.org have each announced the results of their dynamic "real-world" or "whole-product" tests. These tests try to replicate the user experience by introducing malware to the test machine in much the same way a regular user would encounter it and get infected. We are very proud of the results of Panda Internet Security 2011/2012, as they show consistency in providing top-quality detection and protection, ahead of better-known security vendors such as Symantec, Avast, AVG, ESET, Trend Micro, Microsoft, Webroot, etc.

AV-TEST REAL-WORLD TEST – Q2 2011 RESULTS

In the real-world test results for Q2 2011 Panda was one of only four vendors to achieve a score higher than 15 points.

AV-COMPARATIVES WHOLE-PRODUCT TEST – JUNE 2011

In the June 2011 test Panda Internet Security shared first place in "blocking" rate (malware blocked without requiring any user interaction) with two other vendors.

‘Tis the comparative season

April 25th, 2011 Comments off

There’s been a few comparative tests published as of late. In case you’ve missed any of them here’s a quick rundown of the most significant ones.

First on the list are the Q1-2011 quarterly results of the Full Product Test (FPT) by AV-Test.org. These FPTs are performed on a monthly basis and are very in-depth, covering pretty much all aspects of modern security software and testing from the user's perspective by replicating infection vectors and user experience. The areas tested include real-time blocking of malicious websites, detection of relevant and active malware samples (zoo malware, and wildlist malware according to AV-Test.org's own criteria of "wildlist", not the limited WildList.org list), false positive testing, performance testing, disinfection testing, detection and disinfection of active rootkits, behaviour-based dynamic detection, dynamic false positives, and packer and archive support. Overall it is one of the most comprehensive regular tests out there. It is such a tough test that 5 of the 22 vendors tested did not obtain the minimum score to achieve certification. Panda Internet Security came out with very good scores and achieved certification. The report on Panda Internet Security can be found here (PDF) and the complete results for all vendors here.

Next in line are a couple of tests by AV-Comparatives.org. The first one is the traditional On-Demand test from February 2011 which also tests false positives and performance of the on-demand scanner. In this test Panda Antivirus Pro achieved the #4 rank in terms of malware detection. We still had 18 false positives that, even though are of low prevalence according to AV-Comparatives.org, prevented us from achieving the Advanced+ certification. We’re doing a lot of work in improving in this area. Panda Antivirus Pro also achieved the #2 rank in the performance test for scanning speeds. The full report can be downloaded from the AV-Comparatives.org website here.

The second test by AV-Comparatives.org that has been published recently is the Whole-Product Test. Similar to the AV-Test.org Full Product Test, this test tries to measure user experience by replicating the infection vector. Unlike the AV-Test.org FPT, this one focuses only on malicious websites and behaviour-based dynamic detection. Panda Internet Security scored very well, with a 98.8% protection index. More information can be found at the AV-Comparatives.org site here.

If you’re interested in these types of AV tests, make sure to vote on your favourite AV testing outfit in our open poll here. So far both AV-Comparatives and AV-Test are leading the pack.

Microsoft’s 6-year long open door to malware

March 9th, 2011 4 comments
Finally Microsoft has released an automatic update which disables AutoPlay in USB drives for all its Windows Operating Systems. Up until now only Windows 7 disabled this functionality by default. With this update Microsoft finally puts a stop to one of the most common malware infection vectors of the last 6 years.

Let’s quickly review the history of this functionality which during 2010 has been said to account for 25% of malware infections worldwide and the source of quite a few embarrassments for many companies (examples here and here). But first some definitions:

AutoRun: a feature that automatically launches a program from removable media as soon as the media is mounted on the system. Under Windows the program to run and its parameters are defined in a file called autorun.inf located at the root of the removable media.
AutoPlay: introduced with Windows XP, it analyzes the removable media and, depending on the contents, shows a dialog suggesting the most appropriate programs to open or play the content. If the user picks a default, the dialog is not shown again: AutoRun and AutoPlay's "memory" apply the stored choice automatically on the next insertion.

Important milestones
  • In 2005 USB drives became popular and malware started using them to propagate.
  • Even three years after malware started actively using this method to infect customers, Microsoft refused to accept the reality of the problem and continued shipping AutoRun enabled by default in its Windows OSes. In 2008 Microsoft did add an option for disabling AutoRun via policies or manual registry entries, but the workaround did not work: even with AutoRun "disabled", users were still open to attack through the AutoRun infection vector.
  • In July 2008 Microsoft published MS08-038, which "fixed the broken fix", but the patch was only offered via Windows Update for Windows Vista and Windows Server 2008. Instead of patching XP users as well, Microsoft left the problem unsolved on XP, in what some might consider a business strategy to sell more Vista licenses.
  • Towards the end of 2008 Conficker showed up, abusing the AutoRun feature in a way not seen before: it created an autorun.inf whose content looked like garbage yet was fully functional, because the Windows INI parser simply skips the lines it does not recognise. All the Microsoft-recommended workarounds to date via the NoDriveTypeAutoRun policy remained useless against malware that exploited AutoRun.
  • In early 2009, prompted by Conficker's success, Microsoft corrected a bug (CVE-2009-0243) that fixed part of the previous problem; this fix was pushed out automatically to all Windows XP users. Amazingly it was not considered a "security patch" and has no associated Microsoft Bulletin. In addition the patch changed the behaviour of AutoRun and created a new registry entry which had to be configured correctly by hand. In effect AutoRun remained a problem for the vast majority of users.
  • In mid 2009 there seemed to be some light at the end of the tunnel: Microsoft decided to improve the security of AutoRun on writeable removable media by suppressing the AutoPlay dialog for USB drives. However this change was only enabled by default in Windows 7. Windows XP users, still by far the most widely used platform, had to manually download and install KB971029, so from the point of view of protecting XP users from infection the move was effectively useless. Again some might consider this a business-driven decision to "keep security low in XP in order to drive sales of the more secure Windows 7".
  • In July 2010 Stuxnet shocks the world. It is able to propagate via USB drives without requiring an autorun.inf file and using a zero-day vulnerability in .LNK files which allows for code execution even with AutoRun and AutoPlay disabled, which Microsoft promptly patches.
  • Finally in February 2011 Microsoft decided to push an update to fix the problem for Operating Systems prior to Windows 7.
It has been a long and tedious road to get this wide open door finally shut. The main question that comes to mind, given the technical simplicity of the fix, is "why wasn't this issue fixed before?". Why has Microsoft allowed its users to be easily infected by malware for years when the solution was readily available? Of course the real reasons might never see the light of day. Instead arguments such as "improved usability and portability" will probably take the spotlight. But what about the security implications of the tens of millions of infections which have siphoned credentials, money and personal information from users during all these years?

As a side note, there are still many infected and unpatched machines out there so be sure to apply the Microsoft patch and use something like USB Vaccine to provide an additional layer of protection.
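To check where a given machine actually stands with respect to the milestones above, here is an added audit script; it is not code from the original post, from Panda or from Hispasec. It reads the standard AutoRun policy values (NoDriveTypeAutoRun, the HonorAutorunSetting value introduced by the 2009 fix, and the IniFileMapping entry that stops Explorer parsing autorun.inf at all), checks on pre-Windows 7 systems whether KB971029 is installed, and with -Fix writes the mitigations. Registry paths and value names are standard Windows settings; the KB number is the one named in the post.

```powershell
# Added example (not code from the original post, Panda or Hispasec): audit the
# AutoRun/AutoPlay mitigations on a Windows machine and, with -Fix, apply them.
# Reading needs no privileges; -Fix writes HKLM and must run elevated.
param([switch]$Fix)

$policyHklm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyHkcu = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
$driveTypes = @{
    0x04 = 'removable (USB)'
    0x08 = 'fixed'
    0x10 = 'network'
    0x20 = 'CD/DVD'
    0x40 = 'RAM disk'
    0x80 = 'unknown'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or the value is missing, instead of a terminating error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Show-AutoRunMask([string]$Path) {
    $mask = Get-RegValue $Path 'NoDriveTypeAutoRun'
    if ($null -eq $mask) {
        Write-Host "$Path`n    NoDriveTypeAutoRun not set (OS default applies)"
        return
    }
    Write-Host ("{0}`n    NoDriveTypeAutoRun = 0x{1:X2}" -f $Path, $mask)
    foreach ($bit in ($driveTypes.Keys | Sort-Object)) {
        $state = if (($mask -band $bit) -ne 0) { 'disabled' } else { 'ENABLED' }
        Write-Host ("      {0,-16} AutoRun {1}" -f $driveTypes[$bit], $state)
    }
}

# 1. Policy bits, machine-wide and for the current user (a per-user value can
#    re-enable what the machine value disables if the policy is not enforced).
Show-AutoRunMask $policyHklm
Show-AutoRunMask $policyHkcu

# 2. The 2009 fix keys its corrected handling of NoDriveTypeAutoRun on this
#    value; it should exist and be 1.
$honor = Get-RegValue $policyHklm 'HonorAutorunSetting'
Write-Host ("HonorAutorunSetting = {0}" -f $(if ($null -eq $honor) { 'missing' } else { $honor }))

# 3. Mapping autorun.inf to a non-existent registry key makes the INI parser
#    ignore the file entirely, whatever the policy bits say.
$mapped = Get-RegValue $iniMapping '(default)'
Write-Host ("IniFileMapping\Autorun.inf = {0}" -f $(if ($mapped) { $mapped } else { 'not mapped' }))

# 4. Before Windows 7 the AutoPlay change for non-optical media is a separate
#    download (KB971029); check that it is installed.
$os = [Environment]::OSVersion.Version
if ($os.Major -lt 6 -or ($os.Major -eq 6 -and $os.Minor -lt 1)) {
    $hotfix = Get-HotFix -Id 'KB971029' -ErrorAction SilentlyContinue
    Write-Host ("KB971029 = {0}" -f $(if ($hotfix) { 'installed' } else { 'NOT installed' }))
}

if ($Fix) {
    foreach ($p in @($policyHklm, $policyHkcu)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # 0xFF: every drive-type bit set, i.e. AutoRun off for all drive types.
        New-ItemProperty -Path $p -Name 'NoDriveTypeAutoRun' -Value 0xFF -PropertyType DWord -Force | Out-Null
    }
    New-ItemProperty -Path $policyHklm -Name 'HonorAutorunSetting' -Value 1 -PropertyType DWord -Force | Out-Null
    if (-not (Test-Path $iniMapping)) { New-Item -Path $iniMapping -Force | Out-Null }
    Set-ItemProperty -Path $iniMapping -Name '(default)' -Value '@SYS:DoesNotExist'
    Write-Host 'Mitigations written; log off or restart explorer.exe for them to take effect.'
}
```

Run it without arguments to see the current state, and with -Fix from an elevated prompt to apply all three mitigations. Two caveats: the IniFileMapping entry also stops legitimate autorun.inf files (installer CDs) from working, which is usually the intended trade-off on managed machines; and, as the Stuxnet milestone above shows, none of these settings help against bugs in how the shell parses other files on the drive, so they are necessary rather than sufficient.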

NOTE: this post is based on the original published by Hispasec.

Panda Antivirus Command Line Scanner 9.5.1.2

February 10th, 2011 5 comments

We have an updated version of the Panda Antivirus command-line scanner available, version 9.5.1.2. It can be downloaded from http://research.pandasecurity.com/blogs/images/pavcl.zip. The package includes a signature file (pav.sig) from today. To download updated signature files you can use a current license for any Panda product (except Panda Cloud Antivirus) to access the updates available at http://acs.pandasoftware.com/member/pavsig/pav.zip with the license credentials.


Possible parameters:
-auto       Scan without user intervention.
-nob        Do not scan boot sectors.
-lis        Show virus list.
-del        Delete infected files.
-cmp        Scan inside compressed files.
-clv        Disinfect the viruses found.
-exc:       Use exclusion list.
-ext:       Use valid extension list.
-help       Show help.
-heu        Activate heuristic detection.
-heu:       Activate heuristic detection with level (1-3).
-onlype     Use only PE heuristics during analysis.
-nbr        Do not allow interrupting the program with Ctrl-C.
-nomalw     Do not detect malware.
-nojoke     Do not detect jokes.
-nodial     Do not detect dialers.
-nohackt    Do not detect hacking tools.
-nospyw     Do not detect spyware.
-nof        Do not analyze files.
-nocookies  Do not detect tracking cookies.
-nor        Do not generate result files.
-noscr      Do not output to console.
-nos        Deactivate sounds.
-nsub       Do not scan nested subdirectories.
-path       Scan the directories specified in the PATH environment variable.
-sig:       Alternate location for signature files.
-ren        Rename infected files.
-rto        Restore original name for renamed files.
-rpt:       Report file.
-save       Save the parameters to a file for use the next time it is run.
-esp        Change language to Spanish.
-eng        Change language to English.
-aex        Scan all files, regardless of extension.
-info       Show configuration status information.
-no2        Do not perform the second action.
-loc        Analyze local drives.
-all        Analyze all drives.
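
Putting the download URL and the switches above together, here is an added wrapper script for an unattended scan; it is not part of the original post or of Panda's tooling. It assumes pavcl.exe lives in $ToolDir, that pav.zip contains pav.sig at its root (the post says the package ships pav.sig but does not describe the zip layout), that pavcl takes the path to scan as its first argument (the post lists only the switches), and that the extracted file's timestamp reflects when the signatures were built. Expand-Archive needs PowerShell 5 or later.

```powershell
# Added example (not part of the original post or Panda's tooling): refresh the
# pavcl signature file from the licensed update URL named in the post, refuse to
# run with stale signatures, then run an unattended scan that writes a report.
param(
    [string]$ToolDir = 'C:\Tools\pavcl',     # assumed install location
    [string]$ScanPath = 'C:\',
    [int]$MaxSigAgeDays = 7,
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Panda license credentials')
)
$ErrorActionPreference = 'Stop'

$sigUrl  = 'http://acs.pandasoftware.com/member/pavsig/pav.zip'   # URL from the post
$zipPath = Join-Path $ToolDir 'pav.zip'
$sigPath = Join-Path $ToolDir 'pav.sig'
$pavcl   = Join-Path $ToolDir 'pavcl.exe'
if (-not (Test-Path $pavcl)) { throw "pavcl.exe not found in $ToolDir" }

# 1. Download the signature package with the license credentials.
Invoke-WebRequest -Uri $sigUrl -Credential $Credential -OutFile $zipPath

# 2. Unpack pav.sig next to the scanner, replacing the previous file
#    (assumes pav.sig sits at the root of the zip).
Expand-Archive -Path $zipPath -DestinationPath $ToolDir -Force
if (-not (Test-Path $sigPath)) { throw 'pav.zip did not contain pav.sig' }

# 3. Refuse to scan with a stale signature file: a scan with old signatures
#    gives false assurance. Assumes the file timestamp is the signature build time.
$ageDays = ((Get-Date) - (Get-Item $sigPath).LastWriteTime).TotalDays
if ($ageDays -gt $MaxSigAgeDays) { throw ("pav.sig is {0:N0} days old" -f $ageDays) }

# 4. Unattended scan. Switches as listed in the post: -auto (no prompts),
#    -aex (all files regardless of extension), -cmp (inside archives),
#    -heu:3 (maximum heuristic level), -nos (no sounds), -rpt: (report file),
#    -sig: (signature directory). The scan path as first argument is assumed.
$report = Join-Path $ToolDir ('pavcl-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date))
& $pavcl $ScanPath -auto -aex -cmp '-heu:3' -nos "-rpt:$report" "-sig:$ToolDir"
Write-Host "pavcl exited with code $LASTEXITCODE; report written to $report"
```

Note that the update URL in the post is plain http, so the license credentials are sent over an unencrypted connection; check whether the update server offers https before scheduling this on a machine you care about, and do not reuse those credentials anywhere else.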


AV-Test.org 2010 Test Results

January 31st, 2011 2 comments

The independent AV testing organization AV-Test.org recently released the latest results of its monthly "Full Product Tests". The Full Product Tests are a comprehensive look at anti-malware products' ability to protect end users in real-life situations. They cover three main areas of each product: Protection, Repair and Usability. Under each area there are multiple sub-tests, such as signature detection, behavioural or dynamic detection, etc. The detailed results are available at www.av-test.org/certifications.

In order to gain certification a product has to achieve a score of at least 12. The results are very revealing, with many products reaching neither the minimum score nor the certification. We are happy to announce that in the three quarters in which AV-Test.org has conducted these tests, Panda Internet Security has achieved the certification every time.

On a related note, AV-Test.org recently surpassed the 50 million unique malicious sample mark. This is aligned with what our Collective Intelligence servers have analyzed and processed automatically, which is up to 146 million files (both good and bad files).

Microsoft just doesn’t get it…. Security is about diversity

November 8th, 2010 44 comments

Microsoft recently started installing its Microsoft Security Essentials (MSE) free antivirus product via the Operating System update mechanism to computers which don’t already have an antivirus installed. Basically Microsoft is saying they are worried about the security of its users and they need to make sure they are protected. Perhaps Microsoft is trying to position itself as a provider of secure Operating Systems given the market perception of Linux, Apple and potentially Google as having more secure alternatives to Windows OS, but that’s a different story.

We agree with Microsoft; it’s better to have some protection than not having any at all. However the way the guys in Redmond are executing the idea is risky from a security perspective and could very well make the malware situation much worse for Internet users. That’s why we encourage Microsoft to continue using Windows/Microsoft Update but instead to push all free antivirus products available on the market, not just MSE.

These are the reasons why pushing only MSE from Windows/Microsoft Update is a very bad idea:

  1. MSE is not a good solution to the malware problem. While the argument of protecting users who do not have AV is commendable, the reality is that MSE only installs on computers with a valid Windows OS license (paid to Microsoft).
    • The problem is that an estimated 40% of worldwide computers connected to the Internet are running pirated software and spreading viruses, especially in China, Latin America, Asia, Southern Europe, etc. So while Microsoft wants us to think it is doing this out of the goodness of their hearts, the reality is that the measure will have little impact as millions and millions of unlicensed Windows PCs will continue spreading viruses and infecting the rest of us.
    • Even Microsoft itself acknowledges that malware infections are more prevalent in illegal copies of Windows: "There is a direct correlation between piracy and the malware infection rate," said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. If that's correct and the objective is truly to protect users from malware, then why doesn't Microsoft allow MSE to install on pirated copies of Windows?
  2. Monocultures are a hacker’s paradise. If pushing MSE via Windows/Microsoft Update is very successful it will end up creating a monoculture of hundreds of millions of users having the same antivirus product. Right now hackers have to worry about bypassing multiple antivirus products and protection layers every time they release a new piece of malware. Having to bypass only one AV product makes their life so much easier. This alone will allow hackers to push more new malware that bypasses MSE exclusively and infect many more users with every new variant. Alternatively, reverse engineering of MSE and related Windows components will boom, potentially discovering zero-day vulnerabilities which could cause infections in tens of millions of PCs with a single attack. Monoculture in Operating Systems is in and by itself bad. Monoculture in security is A VERY BAD THING.

  3. Insufficient Detection. Even though MSE is a good basic product, from a detection perspective it has not proven itself to provide sufficient protection according to the latest independent comparative studies:
    • AV-Comparatives.org’s latest On-Demand Test ranks MSE 15 out of 20 in signature detection while vendors with alternative free antivirus products were ranked well above that.
    • In AV-Test.org’s latest Real-World Test MSE could not achieve the minimum score to obtain certification, while vendors with alternative free antivirus products did. MSE was ranked as one of the worst three products.
  4. Not Enough Prevention. There are other free antivirus alternatives on the market which offer much more than just reactive signature detection. These more advanced (and still completely free) products have multiple security layers which provide users with proactive protection, such as web filtering, behavior blocking, instant messaging filters, etc. MSE provides very basic antivirus protection, certainly not enough to protect users against today’s malware threat landscape.

  5. Secure the Operating System itself. Even though Microsoft has made significant improvements in securing the OS in recent years, there is still a long way to go as witnessed by the constant zero-day vulnerabilities that are published every month, such as the incredibly dangerous LNK vulnerability that Stuxnet exploited. Microsoft’s security resources should work on making the OS more secure, not just putting a band-aid on it. Who knows, maybe someday if Microsoft manages to really make their OS secure, antivirus products won’t be needed anymore. But until that day comes, Microsoft should make a serious development effort to secure the OS from the ground up and not limit the security tools currently available to its users.

In summary, while it's commendable that Microsoft is trying to protect users, offering only "their" basic MSE antivirus neither provides sufficient protection against today's threats nor solves the malware problem of the millions upon millions of pirated PCs which will continue spreading viruses. In fact, it can easily achieve the contrary by making it easier for hackers to infect users. Microsoft should offer the complete portfolio of more advanced and secure free antivirus products and time-limited versions of paid security suites, allowing users to choose any of them from the Optional section of Windows/Microsoft Update.

Note: this post is being published simultaneously in Panda Research, PandaLabs and PandaInsight blogs.

Dear Microsoft: Please Stop Pushing Potentially Unwanted Software Through Windows Update

October 23rd, 2010 25 comments

One of my home machines is Windows 7 Enterprise x64. A few days ago an interesting thing started happening. The Windows Update (WU) traybar icon is notifying me that there is a new "Important Update" that needs to be installed. I have it configured for manual update because I want to decide what gets installed and what doesn't. So I open the WU console and look at the details of the "Important Update" and, to my surprise, it's not an update at all but rather a bunch of new software which I don't really want in the first place and don't already have on my machine, so it doesn't need updating.

It seems Microsoft is reverting to using WU to push unwanted software, kinda like what adware, spyware and rogue software does. I guess if you can’t convince users to download and install your software the next best thing is to push it down their throats whether they like it or not. Nice move MSFT!

I decide to un-check the “Important Update” and forget about it. But to my (second) surprise, the WU notification from the traybar does not disappear as it normally does when you decide not to install an update. I open the WU console again and, surprise surprise, the “Important Update” is still there checked by default (even though I already told it I don’t want it), ready to be installed as soon as a user hits the “Install Updates” button.

The “important” software bundle is named Windows Live Essentials 2011 and at a 160MB size includes the following:
– Messenger
– Photo Gallery
– Mail
– Movie Maker
– Writer
– Family Safety
– Windows Live Mesh
– Messenger Companion
– Microsoft Outlook Hotmail Connector
– MS Outlook Social Connector Provider for Messenger
– Microsoft Silverlight
– And as a BONUS you also get: Bing Toolbar for your browser, agreeing to a new Service Agreement and a new Privacy Policy updated a couple of months ago and asking you to provide personal information.

Searching around a bit I found a couple of interesting blog posts by Microsoft. One here says that the install will only be shown as a "Recommended Update" or even an "Optional Update", which is not true, as it is showing as an "Important Update". But more interestingly, here and here there are hundreds of users complaining not only about the tactics of the installation but also about the buggy software and how this "update" has changed their preferences, lost their business contacts, lost functionality previously used in other software, etc.

This is wrong on so many levels that I'm still amazed that such a respectable company can get away with it.

a) Microsoft is conveniently confusing “updating” with “installing” and using WU for their own business benefit. WU should only be used for updating software and drivers already on the machine, not for installing completely new software which the user didn’t ask for and which in some cases replaces non-Microsoft software chosen by the user and already installed on the machine.

b) The tactics for installing this software bundle are less than ethical. Microsoft has configured it so that it tries to install again and again, even if WU is configured as allowing the user to choose which updates s/he wants and even if the user already chose not to install it. Even if you’re part of the lucky ones that has WU set to manual, chances are the next time Microsoft releases some real security updates, Windows Live Essentials 2011 will be installed along with it as it is checked by default. This is suspiciously close to how adware and spyware behaves.

c) Is this the type of behaviour we are to expect from Microsoft's WU in the future? What's to stop them from changing your browser, your Office, your settings, your search engine provider, your preference for other software, etc. and replacing it with their own? What if I don't want Silverlight, the Bing toolbar, Writer or any of that other software? I have already chosen other software or services to perform those tasks. Is Microsoft ignoring user decisions and imposing its own software without anybody stopping it from doing so? What if we did the same and started installing Chrome and disabling Internet Explorer on all our users' machines, citing "security reasons" for the change?

[Screenshots of the Windows Update dialogs: WindowsLive-Update-0 to WindowsLive-Update-5]

Virus Bulletin 2010

October 5th, 2010 7 comments

This year's Virus Bulletin conference in Vancouver was a big success, as it included some very interesting talks, especially on Stuxnet and social media security issues. There were also some presentations about ongoing efforts in the IEEE regarding malware telemetry and a taggant system for runtime packers. Overall some great talks by very knowledgeable folks.

I also gave a presentation on the ButterFly and Mariposa botnet shutdown with details of the arrests made earlier this year. Both Kaspersky and Avira mentioned the talk in their respective blogs here and here.
img_2190
img_2199

Tony Lee and Jimmy Kuo from Microsoft giving a presentation on telemetry sharing and an interesting idea of using telemetry to prioritize certain signatures over others, something we have been doing with Panda Cloud Antivirus for almost 2 years now ;)
img_2855

During the conference Andreas Marx from AV-Test.org officially handed us the “Certified” plaque for Panda Internet Security, which achieved the top ranking in the Full Product Test of Q2 2010.
IMG_2207

VB is a great chance for people from competing AV companies to get together and talk shop. If you’re lucky you might even catch the rare sight of competing testing labs talking together. Here we can see “the Andreases” from both AV-Test.org and AV-Comparatives.org:
img_2233

Jeff Williams (Microsoft), myself and Mark Kennedy (Symantec) during the gala dinner:
img_2713

Phillip (Avira), Jong (Webroot), Andreas (AV-Test.org) and Tjark (Avira) hanging out:
img_2235
img_2286

Andy from ICSA Labs, always behind a camera:
img_2307

The Ikarus and G-Data crews. Great guys!:
img_2321

Finally, as is now a yearly tradition, G-Data held their table soccer tournament. Unfortunately Luis and I only managed 4th place after Sophos brought in the guns from their local Vancouver office. But next year's VB 2011 in Barcelona will be payback!!

Spain (Panda) kicking some UK (Sophos) butt during the initial rounds:
img_2251

USA (Microsoft) losing to Germany (G-Data) in the final:
img_2899

All pictures above were taken by Andreas Marx from AV-Test.org. I’m sure VB will soon be uploading more photos to their VB2010 conference webpage here, so be sure to keep an eye on that.

AV-Comparatives Performance Test 2010

August 23rd, 2010 11 comments

‘Tis the comparative season ;)

Right after the AV-Test certification and the Chinese PCSL Full-Protection test, the new AV-Comparatives Performance Test has just been published.

Once again, Panda Internet Security gets an excellent score, obtaining the #1 rank as best performer and winning the Advanced+ award.
perf_adv+_aug10

For more details be sure to visit AV-Comparatives and download the full report from http://www.av-comparatives.org/comparativesreviews/performance-tests, although I can give you a preview of the full results here:
avc-201008-table

PC Security Labs July 2010 Test Results

August 23rd, 2010 3 comments

 
Right after the good news from the AV-Test Certification results comes the newest test results from Chinese independent lab PC Securitylabs (www.pcsecuritylabs.net).

In this test Panda Internet Security has achieved both “5 Star” rating as well as a special award for “Top Detection” out of all tested solutions.

201007

The full test report can be downloaded from www.pcsecuritylabs.net or directly from our server here.