September 28, 2016

AV-TEST removes its certification for Microsoft Security Essentials

(LiveHacking.Com) – The latest set of tests performed by AV-TEST, an independent IT security and anti-virus research institute, has shown that Microsoft’s Security Essentials (MSE) can only detect 64 per cent of zero-day threats when running under Windows 7. This is down from 69 per cent in the previous round of certification tests, which were carried out in September, and a drop of 26 per cent compared to the 80 per cent result achieved by the product in June. As a result of the dip in performance MSE has lost its certified status for Windows 7, something that no other anti-virus product managed to do!

MSE is Microsoft’s free anti-virus package for home users and businesses (with up to ten PCs). During October’s tests AV-TEST gave MSE 4.0 and 4.1 a score of 1.5 out of 6. This very low score is down from its previous score of 2.5 out of 6, mainly because of the 64 per cent zero-day detection rate. The average zero-day detection rate across the tested products is 88 per cent.

This doesn’t mean that the software is completely useless: in the “detection of widespread and prevalent malware” category, MSE scored 100 per cent (which is also the industry average). In other words, PCs are very well protected by MSE against common malware; the weakness is its protection against 0-day malware attacks (including web and e-mail threats).

This isn’t the first time MSE has lost the AV-TEST certification; it also happened in September 2010. To be fair to Microsoft, although it was the only vendor which failed to achieve certification for Windows 7, four other products missed out for Windows Vista and two for Windows XP.

“Microsoft prioritizes protection based on impact and prevalence of malware affecting Microsoft customers from a global perspective,” a Microsoft spokesperson told SecurityWeek in an emailed statement. “The Microsoft Malware Protection Center actively supports third-party testers to use similar methodology in their test results. We reaffirm that Microsoft is committed to providing a trustworthy computing experience and continues to invest heavily in continuously improving our security and protection technologies.”

Four security products scored 6 out of 6 for Windows 7 protection: Bitdefender: Internet Security 2013, F-Secure: Internet Security 2012 & 2013, Trend Micro: Titanium Maximum Security 2013 and G Data: InternetSecurity 2013. Bitdefender was the only product to achieve 6 out of 6 for the repair metric, which tests how well a product cleans and repairs a malware-infected computer.

ClamAV Version 0.97.2 Released

(LiveHacking.Com) – The ClamAV development team has released version 0.97.2 of its open source anti-virus. This update includes fixes for problems with the bytecode engine, Safebrowsing detection, the hash matcher, and other minor issues.

ClamAV is an open source cross-platform anti-virus engine designed for detecting Trojans, viruses, malware and other malicious threats. ClamAV 0.97.2 is available to download for Linux and Unix distributions from the project’s web site.

The ClamAV team have also announced a new service called “Third Party web interface”. It will allow selected individuals/organizations to publish ClamAV Virus Databases (CVD) through the ClamAV mirror network.

ClamAV source code is released under the GNU General Public License (GPL).

Bohu Trojan is Designed to Disable Cloud-Based Antivirus

A recent blog entry from the Microsoft Malware Protection Center details a new malware family (Win32/Bohu.A) which is specifically designed to disable and mislead cloud-based antivirus software.

Cloud-based antivirus software differs from traditional antivirus software in that the antivirus client (running on the PC) sends important threat data to a server for backend analysis, and subsequently receives further detection and removal instructions from it.

The Bohu Trojan originates in China, where cloud-based antivirus software is in predominant use. Once a Windows-based machine is infected, the malware installs different network-level filters to disrupt and block the antivirus client from accessing the backend antivirus services on the Internet.

Besides writing random data at the end of its key payload components to evade hash-based detection, Bohu installs a Windows Sockets service provider interface (SPI) filter to block the antivirus client’s network traffic, together with a Network Driver Interface Specification (NDIS) filter. The NDIS filter inspects outgoing data packets for the backend server addresses and stops the antivirus client from uploading data to them.
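The hash-evasion trick above (random bytes appended past the payload’s real content) is why a whole-file hash is a brittle indicator. The following added example, which is not from the original article or from Microsoft’s write-up, walks a PE file’s section table to find where the real image ends and hashes only that part, so appended overlay data neither changes the indicator nor goes unnoticed; the PE bytes it checks are a constructed toy, not a real binary.

```python
import hashlib
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)


def pe_content_end(data: bytes) -> int:
    """Offset where the last section's raw data ends, i.e. where any overlay starts.

    Minimal walk: DOS header -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> section table.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]  # NumberOfSections
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]     # SizeOfOptionalHeader
    table = file_hdr + 20 + opt_size
    end = table + num_sections * SECTION_HDR
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offset +16 in each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HDR + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def full_hash(data: bytes) -> str:
    """Whole-file SHA-256: changes as soon as anything is appended."""
    return hashlib.sha256(data).hexdigest()


def content_hash(data: bytes) -> str:
    """SHA-256 of the image up to the end of its last section; trailing overlay is ignored."""
    return hashlib.sha256(data[:pe_content_end(data)]).hexdigest()


def overlay_size(data: bytes) -> int:
    """Bytes past the last section: an unexpected overlay is itself worth flagging."""
    return len(data) - pe_content_end(data)


def build_sample_pe() -> bytes:
    """Constructed toy PE (headers plus one 64-byte section); not a real executable."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HDR
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 64, 0x1000, 64, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + section + bytes(range(64))


if __name__ == "__main__":
    clean = build_sample_pe()
    padded = clean + b"\xAB" * 37  # constructed stand-in for the random tail Bohu appends
    print(full_hash(clean) == full_hash(padded))        # False
    print(content_hash(clean) == content_hash(padded))  # True
    print(overlay_size(padded))                         # 37
```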