Simply… Evolution
A very first look into something we're working on
If you want to sign up for a limited technology preview drop us a note with your details. Only a few people will be selected.

First it was the Eurocup, then Wimbledon, and to top it all off, Panda Anti-Rootkit has won Germany's PC WELT "Most Popular Freeware Tool" Championship 2008. This is a prize run by members of PC Welt forums and the selection is done by reader voting. Panda Anti-Rootkit won the final after a close vote against finalist IPTV Zattoo (52,32% vs. 47,68%).
This latest prize, in addition to PC Magazine USA Editor's Choice Award, confirms the quality and effectiveness of Panda Anti-Rootkit in helping users free their PCs from hidden malware and rootkits.
Again many many thanks to readers of this blog for spreading the word about Panda Anti-Rootkit.
There’s been a lot of talk about the WildList lately. On one hand, Larry Seltzer criticized WildList-based certifications as not representative of reality and as a strain on antivirus products, which have to detect 10-year-old viruses. Some key comments from Larry:
“There is an extraordinary amount of malware that was making headlines in 2004, back in the heyday of the mail worm. There’s W32/BugBear.A-mm from 2002. Go all the way down to the bottom of the list and you’ll find W95/Spaces.1445 from 2000. Yes, that’s one of two Windows 95 viruses on the list.”
“It’s all self-replicating malware, viruses and worms. Research has shown for years that self-replicating malware is not the way people get infected anymore”
“But what if that most advanced product fails to detect W95/Dupator.1503, a Windows 95 virus? A black mark on their marketing which probably precludes them from certain bids. It’s nuts.”
On the other hand Alex from Sunbelt reported on how Trend Micro decided to “boycott the WildList” by cancelling its participation in the Virus Bulletin 100% certification:
“The shocker was last Thursday, when it was reported that Trend Micro (following Panda’s lead) has decided to “boycott” the Wildlist.”
In Trend Micro’s own words:
“Testing is not done with an internet connection and it isn’t testing for things like rootkits. Pattern matching is now only one piece of puzzle, alongside behaviour blocking technology but pattern matching is all VB100 tests,”
Now, while I agree with almost all the arguments against the WildList (other than the argument against replicating viruses, which ARE still prevalent), it is not true that Panda decided to “boycott the WildList”. In fact early 2007 we submitted a position paper to the ICSA AVPD (owners of WildList.org) titled “The Disconnect Between the WildList and Reality” (I’m releasing it now as it’s one and a half years old), pinpointing the flaws of WildList-based certification and testing and proposing measures to correct the problem, such as:
* Change the WildList reporting criteria to include all types of malware, not only viruses
* Encourage current members to report based on these new criteria
* Release the updated WildList more rapidly
* Design a new certification scheme with extended participation from CERTs and others
These are some of the reasons we don’t participate in Virus Bulletin 100% WildList-based certification tests. Now I know for a fact (even though I can’t disclose details about it) that there’s a lot being done to improve the WildList.
Finally and as proof that Panda is not trying to “boycott the WildList”, I gathered some statistics for the current WildList submissions from the January to May WildCore and Supplemental Lists.
| Init | Reporter | Vendor | Jan | Feb | Mar | Apr | May | Total |
|------|----------|--------|-----|-----|-----|-----|-----|-------|
| Pa | Luis Corrons | Panda | 824 | 734 | 670 | 618 | 405 | 3251 |
| Tl/Za | Tony Lee | Microsoft | 326 | 381 | 641 | 1035 | 387 | 2770 |
| St | Stuart Taylor | Sophos | 393 | 361 | 340 | 331 | 249 | 1674 |
| Ao | Amyn Sachedina | Symantec | 319 | 324 | 412 | 414 | 144 | 1613 |
| Mt | Miroslav Trnka | Eset | 266 | 227 | 206 | 206 | 201 | 1106 |
| Sj | Sanjay Katkar | Quickheal | 188 | 179 | 160 | 157 | 162 | 846 |
| Mo | Martin Overton | Independent | 142 | 134 | 123 | 124 | 119 | 642 |
| Is | Jim Wu | IBM | 119 | 118 | 111 | 113 | 112 | 573 |
| Fn | Bryan Lu | Fortinet | 141 | 32 | 31 | 79 | 76 | 359 |
| Sr | Subramanya Rao | Proland | 78 | 72 | 68 | 66 | 60 | 344 |
| Ww | Martin Stecher | WebWasher | 61 | 61 | 60 | 61 | 61 | 304 |
| Ta | Tjark Auerbach | Avira | 64 | 63 | 63 | 60 | 30 | 280 |
| Jc | Luogang | Rising | 37 | 35 | 36 | 33 | 29 | 170 |
| Jy | Jamz Yaneza | Trend Micro | 45 | 45 | 36 | 36 | 0 | 162 |
| Ss | Szilard Stange | Virus Buster | 36 | 32 | 31 | 31 | 29 | 159 |
| So | SiHaeng Cho | Ahnlab | 28 | 26 | 26 | 27 | 40 | 147 |
| Id | Ken Dunham | Independent | 24 | 22 | 22 | 24 | 22 | 114 |
| Nl | Laura Hartmann | Anchiva | 26 | 14 | 14 | 26 | 9 | 89 |
| Ay | Allysa Myers | McAfee | 1 | 1 | 0 | 0 | 0 | 2 |
The above figures are only the self-replicating viruses submitted that actually make it to the lists. Following our own proposal of expanding the WildList, we also submit on a weekly basis many more non-replicating Trojans which do not make it to the traditional WildList (see Malware Prevalence for April & May for details of what we submit).
I think it’s obvious from the data that we’re not trying to boycott the WildList. We’re just trying to make certification testing meaningful and useful for consumers.
I'm happy to announce the availability of our new Panda Antivirus Command-Line scanner (PAVCL) version 9.5.1.00. This new engine adds features over previous versions, focused especially on detecting and deactivating active rootkits and on improved heuristic detection of new and unknown malware:
* Engine version 1.5.1 integration.
* Reboot driver. Disinfection during reboot of active rootkits. Needs to run with admin privileges.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).
The new log format is as follows:
[Date];[Complete_path];[File_name_in_compressed];[Malware_name];[Detection_ID];[Action_taken];[Sub_action];[Additional_information];[Status_ok_or_error];
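An added example, not Panda's code: a parser for the pavcl.log record layout shown above that rejects lines whose field count is off (for instance when a file path itself contains a semicolon) instead of silently shifting columns. It assumes one record per line; the sample values, including the date format, action names and the OK/ERROR status strings, are constructed, since the page gives only the field names.

```python
from collections import Counter

# Field order copied from the format line on the page.
FIELDS = ["date", "complete_path", "file_name_in_compressed", "malware_name",
          "detection_id", "action_taken", "sub_action",
          "additional_information", "status_ok_or_error"]

# Constructed sample; values and value formats are assumptions, not real PAVCL output.
SAMPLE_LOG = """\
2008-07-01 10:15:02;C:\\samples\\a.exe;;Constructed/Sample.A;1001;Disinfected;;;OK;
2008-07-01 10:15:03;C:\\samples\\b.zip;inner.dll;Constructed/Sample.B;1002;Deleted;;locked file;ERROR;
2008-07-01 10:15:04;C:\\samples\\odd;name.exe;;Constructed/Sample.A;1001;Deleted;;;OK;
"""

def parse_pavcl_log(text):
    """Return (records, rejected); rejected holds (line_number, raw_line)."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        cells = line.split(";")
        if cells[-1] == "":
            cells.pop()  # every record ends with ';', leaving one empty cell
        if len(cells) != len(FIELDS):
            # A ';' inside a path or name shifts every later column; keep the
            # raw line for manual review rather than guessing the boundaries.
            rejected.append((lineno, line))
            continue
        records.append(dict(zip(FIELDS, (c.strip() for c in cells))))
    return records, rejected

def failed_actions(records, ok_value="OK"):
    """Records whose status differs from ok_value (assumed spelling)."""
    return [r for r in records
            if r["status_ok_or_error"].upper() != ok_value.upper()]

def detections_by_name(records):
    """Count of parsed records per malware name."""
    return dict(Counter(r["malware_name"] for r in records))

if __name__ == "__main__":
    recs, bad = parse_pavcl_log(SAMPLE_LOG)
    print("detections:", detections_by_name(recs))
    print("failed actions:", [r["complete_path"] for r in failed_actions(recs)])
    print("rejected lines:", [n for n, _ in bad])
```
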
As always we have a signature file available from the blog for testing purposes which is NOT updated on a regular basis. For production and critical scanning systems make sure to contact us for a regular signature feed.
Download the new PAVCL 9.5.1.00 from download.com:
Return codes are available for integrations of PAVCL with automated scanning systems. PAVCL returns a numeric value of 4 bytes to indicate the type of program exit, the type of operation performed and the number of malware detected. For more info on this contact me.
This version is compatible with Windows 2000, 2003, XP (32 and 64 bits) and Vista (32 and 64 bits).