[News] VirusInfo's latest test report for February

Exia (user account deleted)
Posted 2008-3-10 17:27:28
How we test

The anti-virus testing done by VirusInfo is based on the free online scanner VirusTotal. Project participants, who are practising computer-security specialists, upload to VirusTotal the malicious software they have obtained from infected machines and then publish the scan results in a dedicated topic on the VirusInfo forum. Each sample must meet the following requirements:

1) The sample must not have been detected by the anti-virus software protecting the infected machine.

2) The sample must have been found by the consultant himself or herself in a real infection case.

3) The sample must not be taken from another site or from any other malware collection.


The scan results are regularly summarized as a graph of detection levels. The graph is prepared according to the following principles:

1) The X axis represents the anti-virus products in use on VirusTotal at the time. The Y axis represents the number of samples uploaded.

2) For each antivirus we mark the number of samples it has detected by one detection method or another. The graph shows the total number of samples detected and each method's share of that total.

3) The following detection methods are distinguished:

a) signature detection (detecting already known malware by signature)

b) heuristic detection (detecting yet unknown malware by emulation, code analysis, etc. Examples: "Heur.Trojan.Generic"; "a variant of: XXXXX")

c) detection of a suspicious file (detecting yet unknown malware by informing the user about suspicious characteristics of the sample under analysis. Examples: "Suspicious file"; "VIPRE: Suspicious")

d) detection of a suspicious cryptor / packer (detecting yet unknown malware by informing the user about an unknown / rare / suspicious packer or cryptor, or about multiple packing / crypting. Example: "HEUR/Crypted").

Testing results

The latest one is the graph for February, 2008, presented below.



General conclusion

In February 2008 the leader of the test is Webwasher-Gateway, thanks to its combination of signature, heuristic and packer / cryptor detection methods. Second and third places go to F-Secure, for good signature detection combined with a heuristic module, and to AntiVir, for the same reasons as the leader. The worst product in February was FileAdvisor.

The best share of each method in the total detection rate: signature method, F-Secure; heuristics, Prevx1; suspicious-file detection, eSafe and Panda; packers / cryptors, AntiVir and WebWasher-Gateway.

Comments on how we test and how to understand the results

The test material is collected irregularly and voluntarily. VirusInfo publishes a new graph each month. The test cannot be regarded as a complete reflection of the detection abilities of anti-virus software; at the same time, the data obtained are of some value when comparing antiviruses in a comprehensive way, taking the results of several independent tests into consideration.

Additional info

Materials for testing are collected in the Russian section "Antiviruses, anti-Spyware/Adware/Hijackers" of the VirusInfo forum, where forum members can also access the earlier graphs. You may discuss the test results in English here.

Licensing

Copyright (c) VirusInfo.
All rights reserved.
Using the materials of this article without citing the source is prohibited.

Statistics are collected and processed by Shu_b
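A worked version of the tally described in the reposted methodology, added here as an example (it is not VirusInfo's or VirusTotal's code): each engine's verdict string is mapped to one of the four methods using name patterns inferred from the detection strings quoted in the post, the hits are counted per engine, and the engines are ranked. The scan reports below are constructed, and reading "percent of each method in the whole detection rate" as each method's share of that engine's own detections is an assumption.

```python
"""Tally VirusTotal-style scan reports into the four detection methods of the
VirusInfo monthly graph (signature, heuristic, suspicious, packer/cryptor).

Added example. The name-pattern rules are inferred from the detection strings
quoted in the post ("Heur.Trojan.Generic", "a variant of: XXXXX",
"Suspicious file", "VIPRE: Suspicious", "HEUR/Crypted"); they are not
VirusInfo's own classifier. The reports below are constructed.
"""
import re

METHODS = ("signature", "heuristic", "suspicious", "packer")

# Precedence matters: "HEUR/Crypted" contains "HEUR", so a naive heuristic
# rule would swallow every packer/cryptor verdict. Test packer first.
PACKER_RE = re.compile(r"crypt|pack", re.IGNORECASE)
SUSPICIOUS_RE = re.compile(r"suspicious", re.IGNORECASE)
HEURISTIC_RE = re.compile(r"heur|a variant of", re.IGNORECASE)


def classify(verdict):
    """Map one engine's detection string to a method; None means not detected."""
    if not verdict:
        return None
    if PACKER_RE.search(verdict):
        return "packer"
    if SUSPICIOUS_RE.search(verdict):
        return "suspicious"
    if HEURISTIC_RE.search(verdict):
        return "heuristic"
    # Anything else is a concrete family name, i.e. an ordinary signature hit.
    return "signature"


def tally(reports):
    """reports: {sample_id: {engine: verdict_or_None}} -> {engine: {method: count}}.

    An engine missing from a report counts as 'not detected' for that sample,
    which is how an empty cell in the VirusTotal result table reads.
    """
    engines = sorted({e for scans in reports.values() for e in scans})
    table = {e: dict.fromkeys(METHODS, 0) for e in engines}
    for scans in reports.values():
        for engine in engines:
            method = classify(scans.get(engine))
            if method:
                table[engine][method] += 1
    return table


def summarize(table, total_samples):
    """Per engine: samples detected, detection rate over all samples, and each
    method's share of that engine's own detections."""
    summary = {}
    for engine, counts in table.items():
        detected = sum(counts.values())
        summary[engine] = {
            "detected": detected,
            "rate": detected / total_samples if total_samples else 0.0,
            "share": {m: (counts[m] / detected if detected else 0.0) for m in METHODS},
        }
    return summary


def rank(summary):
    """Engines ordered by total detections, engine name as tie-breaker."""
    return sorted(summary, key=lambda e: (-summary[e]["detected"], e))


def best_by_method(summary):
    """Engine with the largest share for each method (None if nobody used it)."""
    best = {}
    for method in METHODS:
        engine = max(summary, key=lambda e: summary[e]["share"][method])
        best[method] = engine if summary[engine]["share"][method] > 0 else None
    return best


# Constructed reports in the shape of a VirusTotal result table:
# sample -> engine -> detection name (None = clean verdict).
REPORTS = {
    "sample1": {"AntiVir": "HEUR/Crypted", "F-Secure": "Trojan.Win32.Agent.abc", "Panda": "Suspicious file"},
    "sample2": {"AntiVir": "TR/Dldr.Small.xyz", "F-Secure": "a variant of: W32/Malware", "Panda": None},
    "sample3": {"AntiVir": None, "F-Secure": "Heur.Trojan.Generic", "Panda": "Suspicious file"},
    "sample4": {"AntiVir": "HEUR/Crypted", "F-Secure": "Trojan-Downloader.Win32.Small", "Panda": None},
}


def run(reports=REPORTS):
    """Classify, tally and rank one month's reports."""
    summary = summarize(tally(reports), len(reports))
    return summary, rank(summary), best_by_method(summary)


if __name__ == "__main__":
    summary, order, best = run()
    for engine in order:
        s = summary[engine]
        shares = ", ".join(f"{m} {s['share'][m]:.0%}" for m in METHODS)
        print(f"{engine:10} detected {s['detected']} ({s['rate']:.0%}): {shares}")
    print("best per method:", best)
```

Two points the methodology leaves implicit and that the code makes explicit: the categories are assigned from the verdict string as it reads at scan time, so a sample that an engine first flagged heuristically and later added to its signature database moves from the heuristic to the signature column if it is rescanned; and the order of the pattern checks is part of the classifier, since a packer verdict such as "HEUR/Crypted" also matches the heuristic pattern.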
qihui
Posted 2008-3-10 17:54:04
I can't understand it. Could someone translate?
gongfu
Posted 2008-3-10 18:05:12
First: Webwasher
Second: F-Secure
Third: AntiVir
Then it says the best signature detection is F-Secure, the best heuristics is Prevx1, and the best packer detection is AntiVir and Webwasher...
stonejr
Posted 2008-3-10 18:12:06
Quite a few samples in the sample section were originally flagged heuristically by Avira, and once Avira added them to its database they became signature detections. Classifying them this way seems
gongfu
Posted 2008-3-10 18:25:03
According to the article, does "packer detection" mean simply reporting the packer, rather than automatically unpacking and then detecting the malware?
aerbeisi
Posted 2008-3-10 18:32:18
How we test
VirusInfo tests anti-virus software through VirusTotal's online scanner. The project participants are experts in computer security. The viruses are all uploaded from infected computers, and the results are published on the VirusInfo forum. Virus files must meet the following requirements:
1) The samples are all ones that the installed anti-virus software could not detect.
2) The sample is a live specimen
3) The samples all come from VirusTotal, with no other source

The results are rendered as a graph showing the detection level. Explanation of the graph:
1) The horizontal axis shows the anti-virus software currently on VirusTotal. The vertical axis shows the number of samples uploaded
2) For each anti-virus product we use a bar to show the methods by which it successfully detected the virus.
3) Detection methods are distinguished as:
a) detected by virus-database definitions: shown in red
b) heuristics (methods for finding unknown viruses: virtual environment / code analysis, etc. Examples: "Heur.Trojan.Generic"; "a variant of: XXXXX"): shown in orange
c) suspicious file (detecting suspicious characteristics of an unknown virus. Examples: "Suspicious file"; "VIPRE: Suspicious"): shown in yellow
d) packed / encrypted (detecting an unknown virus by telling the user about an unknown / rare / suspicious packer or cryptor, or about multiple packing. Example: "HEUR/Crypted"): shown in dark yellow

General conclusion
In February 2008, thanks to its database definitions, heuristics and packer reporting, the champion is Webwasher-Gateway. Runner-up is F-Secure, with virus definitions plus heuristics; third place is AntiVir, for the same reasons. The worst in February was FileAdvisor
Highest detection rate in each category:
Highest detection rate by virus definitions: F-Secure
Highest detection rate by heuristics: Prevx1
Highest detection rate for suspicious files: eSafe and Panda
Highest detection rate for packers / cryptors: AntiVir and WebWasher-Gateway

Comments on how we test and how to understand the results
Sample collection is irregular and random. VirusInfo publishes results once a month. You cannot take the detection results as reflecting an anti-virus product's detection ability (foreigners are afraid of flame wars too), but they do have reference value; when comparing anti-virus software from all angles, please refer to some independent tests.

Additional information
The materials for this test were collected in the Russian sub-forum "Antiviruses, anti-Spyware/Adware/Hijackers" of the VirusInfo forum; in that sub-forum, members can view the graphs of earlier test results, and you can discuss in English here.

Licensing information
Copyright (c) VirusInfo
All rights reserved
Please credit the source when reposting
Statistics collected and processed by Shu_b
liangxy
Posted 2008-3-10 21:34:37
Hmm, I've never used the first-place product. Why isn't it on the forum?
aerbeisi
Posted 2008-3-10 23:04:13
The first-place product is used on server gateways; it flags basically every file, with five engines. I think they are Sophos, AntiVir, AVG, AVG Anti-Spyware and Dr.Web. It can be customized as needed.
ronliang
Posted 2008-3-11 00:42:07
Strange again: F-Secure's result is extremely good, while Kaspersky's result is poor.

It seems to be a problem with the test itself.
aerbeisi
Posted 2008-3-11 00:47:11
Wasn't Kaspersky good in January? In February perhaps more samples that evaded Kaspersky were uploaded, and then F-Secure's other engine caught them, so its score was better than Kaspersky's. Also, the number of samples seems a bit small.
Copyright © KaFan  KaFan.cn All Rights Reserved.