Viruses, Spyware, and Adware
McAfee and F-Secure's packages did the best job of finding what's loosely classified as viruses and spyware, each scoring among the top three in relevant tests. Panda's package was the best in heuristics tests. The McAfee and Aluria suites surpassed the group in detecting adware.
A note: Spyware has become the catch-all term for keyloggers, adware, back doors, and other Web-borne predators--many of which are not new and not classified as spyware by researchers. In our tests, we differentiate between spyware and adware. The really nasty spyware is included in AV-Test.org's collection of bots, Trojan horses, and back doors; a suite's detection rate for the last of these is a good indicator of how well it works against spyware. Detection of adware--software that can bring unwanted ads and collect data on your Web surfing habits--is a separate test.
Most of the suites were 100 percent successful at detecting the 1822 components of boot, file, macro, and script malware from the January 2006 WildList, a public list of widespread viruses, worms, and bots. Surprisingly, Aluria's package missed all boot-virus components, the beta version of Microsoft's offering failed to spot 14 components of seven worms, and Trend Micro's suite missed two components of one worm. In our WildList tests, boot-virus components were statistically insignificant, which explains Aluria's 100 percent score in our chart. Nevertheless, your security software should detect all WildList threats.
On AV-Test.org's collection of 168,523 back doors, bots, and Trojan horses, results were mixed. CA's suite detected only 37 percent of back doors, 72 percent of bots, and 39 percent of Trojan horses. Zone Labs' suite scored worse, spotting 30 percent of back doors, 49 percent of bots, and 31 percent of Trojan horses. F-Secure's suite was the strongest, catching more than 98 percent of these threats.
In adware tests McAfee's suite scored best, catching 96 percent of 713 actively running components. Aluria, with its background in fighting adware and spyware, ranked second with an 89 percent detection rate. Once again, though, the Zone Labs package performed worst, detecting only 46 percent of adware.
To assess heuristics, AV-Test.org evaluated how well the suites could proactively spot January 2006 WildList malware without the benefit of January (and newer) signature updates. Panda's suite dominated, detecting 91 percent of the files. F-Secure's was a distant second, catching 76 percent. At 41 percent, the Microsoft app's heuristics were the worst; Zone Labs' suite was second from the bottom. We should note, however, that the behavior-based features of the Microsoft and Zone Labs suites (also present in Panda's product) might make up for their poor showing, thereby improving their overall results. For example, AV-Test.org found that Panda TruPrevent will block up to 90 percent of network and e-mail worms and that Zone Labs' OSFirewall will stop up to 70 percent of network and e-mail worms.
We also tested all of the suites on their detection of malware within compressed archives such as .zip, .rar, and .cab files, and within runtime compressed program files like ASPack and UPX. Most of them could look in files that were compressed once, multiple times, or as a self-extracting archive, but they were less uniformly able to penetrate runtime compressed program files. The F-Secure, McAfee, and BitDefender suites did best; Aluria's and Zone Labs' brought up the rear. Aluria says that the ability to unpack a compressed executable will be included in its suite's next version, due later this year as a free upgrade for current users. Zone Labs says that it is working with CA to improve its product's detection of packed malware and that its OSFirewall detects and blocks both known and unknown malware as soon as the packed file opens.
In a perfect world, security software would detect and block all threats at first sight. In reality, bad stuff slips through the cracks. We tested the packages' ability to clean up files, Registry entries, and Hosts-file changes made by ten WildList worms. McAfee's package cleaned the most malware files and system changes, scrubbing everything except a variant of Mytob that targeted the security software itself. Microsoft's product also did well, purging all worms and remnants except Registry changes made by Netsky.BA and Mytob.AR. F-Secure's suite proved better at finding malware than at removing it, cleaning only five of the ten worm files.