Malware Removal Test 2011

Introduction

Most often users come with infected PC’s with no (or outdated AV-software) to computer repair stores. The used methodology considers this situation: an already infected system that needs to be cleaned.

The test was performed in autumn 2011 under Microsoft Windows XP Professional SP3.

• Detailed Report

Tested Products

• Avast Free Antivirus 6.0
• AVG Anti-Virus 2012
• AVIRA Free Antivirus 2012
• Bitdefender Antivirus+ 2012
• ESET NOD32 Antivirus 5.0
• F-Secure Anti-Virus 2012
• G DATA AntiVirus 2012
• K7 Total Security 11.1
• Kaspersky Anti-Virus 2012
• McAfee AntiVirus Plus 2012
• Microsoft Security Essentials 2.1
• Panda Free Antivirus 1.5.1
• PC Tools Spyware Doctor with AV 2012
• Qihoo 360 Antivirus 2.0
• Sophos Anti-Virus 9.7
• Symantec Norton Anti-Virus 2012
• Trend Micro Titanium Anti-Virus 2012
• Webroot SecureAnywhere AV 2012

Test Procedure

This test focuses only on the malware removal/cleaning capabilities, therefore all selected/used samples were samples that the tested Anti-Virus products were able to detect. It has nothing to do with detection rates or protection capabilities. Of course, if an Anti-Virus is not able to detect the malware, it is also not able to remove it. The main question was if the products are able to successfully remove malware from an already infected/compromised system. The test report is aimed to normal/typical home users and not Administrators or advanced users that may have the knowledge for advanced/manual malware removal/repair procedures.

• Thorough malware analysis to know what to look for
• Administrator account was used with turned off system restore
• Infect native machine with one threat, reboot and make sure that threat is fully running
• Reboot Windows, install and update the Anti-Virus product
• If not possible, reboot in safe mode; if safe mode is not possible and in case a rescue disk of the corresponding AV-Product is available, use it for a full system scan before installing
• Run thorough/full system scan and follow instructions of the Anti-Virus product to remove the malware like a typical home user would do
• Manual inspection/analysis of the PC for malware removal and leftovers

Malware Selection

The samples have been selected by following criteria:

• All Anti-Virus products must be able to detect the used malware dropper on-demand/on-access already at least since over half a year
• The sample must have been prevalent (according to metadata on exact hashes) in the order of at least thousands (and at least hundreds of thousands for their malware family / behavior they represent) of instances AND seen in the field on at least two PC’s of our local customers in 2011.
• The malware must be non-destructive (in other words, it should be possible for an Anti-Virus product to “repair/clean” the system without the need of replacing windows system files etc.) and show common malware behaviors (in order to represent also behaviors observed by many other malware samples). Due to that, the selected malware is representative of a very large amount of other samples which show similar behavior and system changes.
• We randomly took 10 malware samples from the pool of samples matching the above criteria

To avoid providing information to malware authors who could be potentially useful for them to improve their creations, this public report contains only general information about the malware/leftovers, without any technical instructions/details.

Test Results

Award levels reached in this Malware Removal Test

Sophos is a corporate product. Due to that, it may not restore e.g. some registry entries by design, as in a managed environment, some of these settings may be enforced centrally by system administrators. In case of home user products, such settings should be fixed as part of the malware removal process (or at least the possibility to fix them should be given in the products).

• Bitdefender
• Kaspersky
• PC Tools
• Symantec

• Avira
• Microsoft
• Trend Micro
• Webroot

• Avast
• AVG
• ESET
• F-Secure
• G DATA
• K7
• McAfee
• Panda
• Qihoo
• Sophos

Copyright and Disclaimer

This publication is Copyright © 2011 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.

For more information about AV-Comparatives and the testing methodologies, please visit our website.

AV-Comparatives
(December 2011)