Select Page

Andreas Marx of has completed his latest tests on AV engines. From his notes:

We tested 29 products for the detection of most recently seen verified working Win32 PE malware of the last 12 month — separated into the four categories backdoors, bots, trojan horses and worms.

Only detection has been tested, as this was the main request of magazines and readers, some more reviews regarding the system disinfection capabilities and the proactive (behaviour-based) detection will follow within the next two months. Furthermore, as announced during the International Antivirus Testing Workshop last week, we will more closely review the lifecycle of the products, to get a better impression about the developments of the products over time and also risky situations.

PC-WELT (Germany) has published some facts about the test at the following links (the first points to some details about the test, the second link will show you the detailed detection numbers): 29 Virenscanner im Test: Gute Erkennung bei Wuermern [May 23, 2007]

A few more publications (in English) can be found here: Reports Stats from Antivirus Roundup [May 22, 2007], Antivirus Shootout in Magdeburg [May 22, 2007]. BTW: The last comprehensive English-language full-suites and stand-alone review of AV products for Windows XP and Vista can be found at the PC World (US) webpage.

Some additional notes:

We tested all scanners against a set of malware, including 68,864 backdoors, 47,891 bots (zombies), 407,487 Trojan Horses as well as 82,659 worms, so the total number of malware we tested against was 606,901 files. The best product detected 99.83% of our collection while the worst one was only able to identify 62.12% of the samples.

The average product detected 86.95% of the malware files used, with a median of 90.97%. For our testing, we only used current malware — this means, malware which was not older than 12 months or which have been seen at least once during the last 12 months. All old files have been removed. We only used Win32 PE files for the test, all other files, like DOS or 16 bit Windows malware, were removed. Only working malware was used — corrupted or innocent samples were sorted out using manual and automatic analysis tools. So the test results should reflect the real-world situation quite well.

One can see that the detection rates of self-replicating malware (like worms or bots) are the best for all tools, while the detection rates of Trojan Horses (this includes download trojans and droppers) as well as the ones of backdoors still needs some improvements. I’ve also created a diagram, showing the current detection rates of the products at-a-glance (note: the scale starts at 200,000 detections, not at zero.)

Note: WebWasher scored best in our test, but it’s a gateway product, it’s not available for a client/desktop. The same applies to eSafe (from Aladdin). Besides this, Ewido might not be directly comparable with the other products, as it’s an anti-spyware product and not a full anti-malware suite (yet). When comparing desktop products (for home or company users), these products should be removed from the list. In case of “Microsoft”, we’re speaking about OneCare product for home users and the Forefront Client Protection for companies.

You can view the test results here.

Alex Eckelberry