A few months ago we started participating in a new AV comparative test from PC Security Labs called Total Protection Testing. It's a pretty kewl test since, as opposed to other AV comparatives out there, PC Security Labs uses a very interesting testing methodology that takes into consideration:
- Freshness of malware samples. Only the newest samples from the previous month are tested, not year old samples.
- Static detection using traditional signature files, very similar to what other AV comparative testers are doing.
- Dynamic (behavioral) detection of malicious running processes. Only a handful of professional AV testers are doing this.
- Cloud-based detection such as Panda's Collective Intelligence. As far as I know PCSL is the first AV tester with a methodology that takes this type of technology into account.
- False positive testing. Global scores are lowered on each false positive.
All in all, a very complete testing methodology that gives a broad view of the global performance of different anti-malware solutions. It's no surprise that PC Security Labs has recently joined the Anti-Malware Testing Standards Organization (AMTSO).
I'm glad to report that Panda has achieved an "Excellent" score in each of the three tests we've participated in so far.
Total Protection Testing reports from PCSL can be downloaded directly from the following locations:
The tests are performed on a monthly basis, so make sure to visit PC Security Labs every now and then to get the latest results!
We're seeing quite a large number of Conficker worm infections since the start of the New Year, and especially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, already noticed an increase in infections a few days ago.
As you may recall, Conficker is a worm that spreads via networks and USB drives. It attempts to brute-force usernames and passwords and takes advantage of the Server Service vulnerability in Windows, which allows remote code execution. The worm also auto-updates itself every day from a long list of URLs, so it looks like it's preparing for a larger attack.
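The brute-force behaviour described above leaves a recognisable trace in a file server's logon failures: one source address cycling through many account names in a short time. The following detector is an added example (not Panda's code or part of the original post); it runs over constructed sample log lines in a simplified "timestamp host event source user" format, not real Windows event log output, and flags any source whose failed logons cover at least five distinct accounts within a five-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (simplified format, not real Windows event log output).
# 10.0.5.23 cycles through account names the way a network-spreading worm does;
# 10.0.7.14 is a user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
2009-01-08 09:12:01 FILESRV01 LOGON_FAILURE 10.0.5.23 administrator
2009-01-08 09:12:01 FILESRV01 LOGON_FAILURE 10.0.5.23 admin
2009-01-08 09:12:02 FILESRV01 LOGON_FAILURE 10.0.5.23 guest
2009-01-08 09:12:02 FILESRV01 LOGON_FAILURE 10.0.5.23 test
2009-01-08 09:12:03 FILESRV01 LOGON_FAILURE 10.0.5.23 backup
2009-01-08 09:12:03 FILESRV01 LOGON_FAILURE 10.0.5.23 server
2009-01-08 09:13:40 FILESRV01 LOGON_FAILURE 10.0.7.14 jsmith
2009-01-08 09:14:02 FILESRV01 LOGON_SUCCESS 10.0.7.14 jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LOGON_FAILURE|LOGON_SUCCESS) (?P<src>\S+) (?P<user>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def find_bruteforce_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {source: sorted distinct usernames} for every source whose failed
    logons hit at least `min_users` different accounts inside one `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGON_FAILURE":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()  # chronological order so each attempt can open a window
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_bruteforce_sources(parse_log(SAMPLE_LOG)).items():
        print(f"possible brute force from {src}: {', '.join(users)}")
```

Tune `window` and `min_users` to your environment; a single source trying a handful of generic account names in seconds is the pattern to alert on, while one user with a single failed logon should stay below the threshold.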
Checking the SANS activity by port again, it's obvious this is something you need to worry about:
As posted about a month and a half ago, TruPrevent proactively prevents Conficker worm network infections thanks to a new Policy Rule we pushed out to all our retail products. In addition, we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.
As a curiosity, I was travelling the other day and, while connected to the WiFi network of a German airport, I noticed the following Conficker worm variant trying to brute-force its way into my machine:
The Conficker worm means business, so be careful out there. Some preventive steps you should be following if you haven't done so already:
- If you're responsible for a network, scan for vulnerable machines (using Baseline Analyzer, Nessus, etc.).
- Patch your servers and workstations by visiting Microsoft Security Bulletin MS08-067.
- Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
- Turn off the AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
- Make sure your antivirus and security solution is up-to-date on the latest version and signature database.