Often the antivirus you have installed fails to detect a particular piece of malware. We tested cloud services that check a file's signature against dozens of databases at once and supplement that with advanced behavioral analysis.
On *nix systems an antivirus has always been an optional component, and even with one installed, Windows users still run the risk of unknown malware slipping into their system. Heuristics and proactive defense are not a panacea either. With lenient settings they let many potentially dangerous programs through, and with paranoid ones they flag everything and paralyze normal work. The learning mode can last forever, because the software environment is constantly changing.
It would seem that you could install a second, third, or tenth antivirus and raise your level of protection at the cost of some redundancy.
In theory, the likelihood that a piece of malware goes unrecognized by all of them should be lower. In practice the opposite is true: every modern antivirus contains a resident module and self-defense tools, and these are incompatible with the equivalent components from other vendors. Even if you understand their mechanisms in detail and plan to resolve the conflicts by hand, be prepared for problems to start at installation time: when the installer of one antivirus finds another on the system, it usually simply refuses to continue.
There is a more universal and safer way to check a suspicious file against several databases at once: send it for automatic analysis to one of the specialized services. They differ in capabilities, but the principle of operation is the same for all of them. Several virtual machines run on a remote server, and the submitted file is scanned in them in parallel. Besides some fifty antiviruses, modern services offer free advanced analysis and a report on the reputation of a file or site, and let you re-check a file and view previous results. Since files with different names can have identical content, they are identified by checksum, using hash functions such as MD5, SHA-256 and others.
FANTASTIC FOUR
VirusTotal (https://www.virustotal.com) is the best known of the free online multi-engine antivirus scanning services. It was created ten years ago by the Spanish company Hispasec Sistemas. In the fall of 2012 Google bought it, but for users almost nothing has changed, and certainly not for the worse.
As before, the service analyzes suspicious files and links for viruses, worms, Trojans and fragments of other kinds of malicious code. Any binary content can be analyzed: Windows executables, Android APK packages, PDF documents, scripts, and so on. At the time of writing 53 antiviruses were supported; by the time of publication their number had grown to 57.
Fifteen further automated deep-analysis tools are available (including a sandbox, Snort, Wireshark and others), plus 61 website reputation databases. The entire arsenal is updated every hour. The interface is translated into 32 languages, including Russian. The file size limit is 128 MB, but on individual request you can ask for even larger files to be analyzed. VirusTotal offers more ways to submit a file than any comparable resource: a traditional web form, email, a native upload client, or a module that submits over HTTP through the public API from any third-party application.
VirusTotal's main competitor is Metascan Online (https://www.metascan-online.com), a free file analysis service produced by the American company OPSWAT. Founded in 2002, it has slightly less strict limits: you can send a file of up to 140 MB for analysis, and 42 antiviruses will check it. Although fewer in total than at VirusTotal, they include some engines that are missing there; at the moment these are Preventon, STOPzilla, VirIT, XVIRUS, Zillya and Zoner. The reputation list is much more modest, only 13 sources, but among them there are also unique ones, such as Brute Force Blocker, Chaos Reigns, Dragon Research Group, Feodo Tracker, The Spamhaus Project and OpenBL. So VirusTotal and Metascan do not duplicate each other, and to be safe you can check with both.
Less well known is Jotti (virusscan.jotti.org/ru), a free online scanner that uses 22 antiviruses (only those that have a Linux version). The maximum upload size is very small here, only 25 MB, but that is usually enough for analyzing individual exe and dll files. Jotti's set of analysis tools is modest and overlaps completely with VirusTotal and Metascan. It is good to know about in case the others are unavailable, but in practice it is itself overloaded with requests far more often.
Another similar project is VirSCAN (virscan.org). Its limit on the size of uploaded files is very strict, 20 MB, but the service does support analysis of RAR and ZIP archives, on condition that the archive holds no more than 20 files. Why developers love the number 20 so much is a mystery.
An antivirus installed locally or on the provider's side may interfere with uploading a file to any of the listed services. You can add a temporary exception to the first and use archive password protection to get past the second. VirSCAN automatically unpacks archives protected with the passwords virus or infected. The service currently uses 39 antiviruses, but about a third of them are badly outdated. Ten scanners have not been updated since last year, and the AhnLab and CTCH databases date back to 2013. The remaining 27 current scanners are entirely duplicated by VirusTotal and Metascan, where the databases are updated constantly.
If desired, you can perform a check with a specific antivirus. Such a service is usually available on its developer's website, but the way it is provided may vary.
You can also check files in Comodo's cloud-based automated analysis system (camas.comodo.com). It is run by the Instant Malware Analyzer service, which uses the proprietary CAMAS technology (Comodo Automated Malware Analysis System). The code of an uploaded file is first checked for signature matches, and then its behavior is analyzed in a virtual environment. If the file shows signs of malware, it is added to the global blacklist and handed over to analysts.
The first free online check service (in 1996) was created by the Russian company Dr.Web. The file analysis form is still available at www.freedrweb.ru/aid_admin.
Another category is made up of utilities that can check not only individual files but also active processes in the computer's RAM and local and network drives. ESET Online Scanner, for example, can be launched in an IE window or downloaded as a separate client application. It offers more settings than many free antiviruses.
Checking your computer with Eset
Kaspersky Security Scan works in a similar way. The application searches for malware and its components, but the report also lists the vulnerabilities found and assesses the state of the security software.
Bitdefender QuickScan offers the fastest cloud-based scan of processes running on your computer. It detects active malicious code in about a minute, but does not perform deep analysis of the file system.
Trend Micro HouseCall is a free utility for finding and removing viruses, Trojans, backdoors and annoying adware components. There are versions for 32-bit and 64-bit OSes.
Among many others, Panda ActiveScan and F-Secure Online Scanner can be noted.
FIELD TESTS
Comparing the declared characteristics of the services is not as interesting as testing them in practice. Of course, I do not claim to match the comparative testing of an analytical firm, but my little experiment still produced some results.
First, I ran a clean Windows XP in a virtual machine and surfed the web in IE. Deliberately reckless, I clicked on everything, and the nastier the banner looked, the more willingly. In about half an hour the browser cache had accumulated several malicious JavaScript files and a couple of small Trojans.
Deciding that this was somehow too frivolous, I went hunting, armed with a cleverly prepared flash drive. The trick was that an AUTORUN.INF directory with an LPT5 subdirectory was created on it using the command mkdir "\\?\%~d0\AUTORUN.INF\LPT5". The name of the latter coincides with the identifier of the parallel port, so with standard Windows tools such an entry (and everything associated with it) cannot be created, renamed, or deleted in the file system.
Accordingly, viruses from other people's computers copy themselves to the USB flash drive without trouble, but pose no threat until someone launches them manually. They will not infect other computers automatically, since they cannot create an autorun.inf file and register themselves for autorun. After visiting a couple of universities, the Internet center of the city library and a computer club (yes, they still exist!), the test set was ready.
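The same drive immunization as a small script, added here as an illustration rather than code from the article: the extended-length `\\?\` prefix makes Windows skip its reserved device-name check, so `AUTORUN.INF\LPT5` can be created but not touched by normal tools afterwards. The creation itself only works on Windows; the name check and path builder run anywhere.

```python
r"""Immunize a removable drive against autorun.inf, the way the article's
mkdir "\\?\%~d0\AUTORUN.INF\LPT5" batch trick does. Added example, not
code from the article. Creating the entry needs Windows and the \\?\
extended-length prefix; the helper functions run on any platform."""
import os
import re

# Reserved DOS device names. A path component with one of these names
# cannot be created, renamed or deleted through the normal Win32 path
# parser, so the directory holding it is stuck too: malware cannot
# replace AUTORUN.INF with an autorun.inf file of its own.
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)


def is_reserved_device_name(component: str) -> bool:
    """True for names Windows treats as devices ('LPT5', and also 'lpt5.txt')."""
    return bool(_RESERVED.match(component))


def guard_path(drive: str) -> str:
    r"""Extended-length path of the guard entry, e.g. \\?\E:\AUTORUN.INF\LPT5
    (the batch file's %~d0 expands to the drive letter the same way)."""
    root = drive.rstrip("\\/") + "\\"
    return "\\\\?\\" + root + "AUTORUN.INF\\LPT5"


def immunize(drive: str) -> str:
    r"""Create AUTORUN.INF\LPT5 on the given drive (Windows only) and
    return the path created; existing entries are left in place."""
    if os.name != "nt":
        raise OSError("the reserved-name guard can only be created on Windows")
    path = guard_path(drive)
    parent = path.rsplit("\\", 1)[0]
    for directory in (parent, path):
        try:
            os.mkdir(directory)  # \\?\ prefix: no reserved-name filtering
        except FileExistsError:
            pass
    return path


if __name__ == "__main__":
    print("guard entry would be:", guard_path("E:"))
    print("LPT5 reserved:", is_reserved_device_name("LPT5"))
```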
The archive contains six representatives of different malware families: a Trojan, a backdoor, a couple of network worms, a packed Win32 virus and one "unwanted program", a password-protected SFX archive that demands money for unpacking. That is not the work of a ransomware Trojan, just banal social engineering. A search of the antivirus vendors' websites showed that all the test objects had been added to the databases more than two years ago. As you can see, copies of them are still out there.
All the more curious, then, that when scanned with VirusTotal the "detection rate" was 48 out of 53 (bit.ly/14Nc3YB). Five antiviruses noticed none of the six malicious programs in the archive.
It should be said that AegisLab only looks for Android threats (there were none in the test), so its verdict is understandable. SUPERAntiSpyware is aimed primarily at adware modules and is, predictably, poor at Trojans. ByteHero does not use databases at all but relies on a heuristic algorithm. As further testing will show, the problem lies not in the quality of its heuristics but in incorrect unpacking of archives on the virtual machine VirusTotal allocates to it.
As for AhnLab V3 and MicroWorld-eScan, their total failure is surprising. Both antiviruses are positioned as comprehensive security solutions for several platforms, yet they missed all six threats and considered the archive safe. Another scanner (Sophos) was unavailable at the time of the test (apparently being updated), and all the rest reported the name of the first infected file in their results.
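Identifying a sample by checksum and reading a multi-engine report the way the field test does by hand (how many engines fired, which ones saw nothing, which verdict names were reported). This is an added example, not code from the article or from VirusTotal; it assumes the JSON layout of the VirusTotal public API v2 "file/report" call, and the report it works on is constructed for the example, not a real scan.

```python
"""Hash-based identification of a sample and a per-engine reading of a
multi-scanner report. Added example, not code from the article or any of
the services it reviews. The report layout assumed is the VirusTotal
public API v2 "file/report" JSON (response_code, positives, total,
scans -> engine -> {detected, result, update}); SAMPLE_REPORT below is
constructed for this example and does not describe a real scan."""
import hashlib
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def file_hashes(data: bytes) -> Dict[str, str]:
    """Checksums the services use to identify content regardless of the
    file name. MD5 is kept only for matching older reports; rely on
    SHA-256 when looking a sample up."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def report_request_url(api_key: str, sha256: str) -> str:
    """Build the v2 report lookup URL. Looking up by hash first avoids
    uploading a file that somebody else has already submitted."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": sha256})
    return f"{VT_REPORT_URL}?{query}"


def fetch_report(api_key: str, sha256: str) -> dict:
    """Network call (not exercised offline): fetch and decode a report."""
    with urllib.request.urlopen(report_request_url(api_key, sha256), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def needs_upload(report: dict) -> bool:
    """v2 semantics: response_code 1 = report available, 0 = hash unknown
    to the service (upload the file), -2 = still queued (poll later)."""
    return report.get("response_code") == 0


def summarize(report: dict) -> Tuple[int, int, List[str], Dict[str, List[str]]]:
    """Return (positives, engines answering, engines that saw nothing,
    verdict name -> engines). A bare "48 of 53" only means something next
    to the list of who missed, and since most engines name just the first
    infected member of an archive, the verdict names are grouped as well."""
    scans = report.get("scans", {})
    missed = sorted(name for name, v in scans.items() if not v.get("detected"))
    by_verdict: Dict[str, List[str]] = {}
    for name, v in scans.items():
        if v.get("detected"):
            by_verdict.setdefault(str(v.get("result")), []).append(name)
    for engines in by_verdict.values():
        engines.sort()
    return len(scans) - len(missed), len(scans), missed, by_verdict


# Constructed sample: six engines, four detections naming only the first
# infected file in the archive, two that considered the archive clean.
SAMPLE_REPORT = {
    "response_code": 1,
    "resource": "<sha256 of the test archive>",
    "positives": 4,
    "total": 6,
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic", "update": "20140601"},
        "EngineB": {"detected": True, "result": "Trojan.Generic", "update": "20140601"},
        "EngineC": {"detected": True, "result": "Worm.AutoRun", "update": "20140531"},
        "EngineD": {"detected": True, "result": "Trojan.Generic", "update": "20140601"},
        "AndroidOnly": {"detected": False, "result": None, "update": "20140601"},
        "HeuristicOnly": {"detected": False, "result": None, "update": "20140601"},
    },
}

if __name__ == "__main__":
    hashes = file_hashes(b"constructed sample bytes, not a real file")
    print("sha256:", hashes["sha256"])
    pos, total, missed, by_verdict = summarize(SAMPLE_REPORT)
    print(f"detection rate: {pos} of {total}; missed by: {', '.join(missed)}")
    for verdict, engines in by_verdict.items():
        print(f"  {verdict}: {', '.join(engines)}")
```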
Now let's load the same archive into Metascan. First of all, the service pleased me with the detail of its report: it was the only one that showed detection statistics for each unpacked file on a separate tab. Only two antiviruses considered the archive completely safe: Tencent and Xvirus. Note that ByteHero detected malicious code here but could not do so when analyzing the same archive on VirusTotal. Apparently each service has its own unpacking quirks. For now, archives are better sent to Metascan.
The humble Jotti service gave a 100% correct verdict on the infected archive. In the number of scanners it is inferior to the other online analysis resources, but its collection consists of truly proven solutions. The statistics, however, are not as detailed as Metascan's.
Only Eset NOD32 reported detecting multiple threats (without a breakdown), while the rest limited themselves to mentioning the first infected file.
The VirSCAN service turned out to be the most capricious. With Russian or English chosen for the interface, it kept showing a message in Chinese. It turns out it does not like an archive name containing the letters AV. Without Google Translate I would never have found that out.
After some games with renaming (the list of non-kosher names is not published anywhere), I finally managed to submit the file for analysis. Of the 39 scanners, 34 found the archive infected (bit.ly/1ss2V5N). For obvious reasons, only the Android antiviruses and some frankly crude Chinese products (jiangmin, hauri, pcc) found nothing. The report's information content is average: as usual, only the name of the first detected malware is shown in the result line.
The IObit Cloud service (cloud.iobit.com) turned out to be an example of how not to do cloud analysis. Its report contained no information at all beyond a vague "risk" status and the obvious: the type of the submitted file, its size and its checksums were known in advance. What was tested, and with what result, remains a great mystery!
In 2005 the International Secure Systems Lab was established on the basis of five technical universities in different countries. Its team developed specialized file analysis tools, on the basis of which they later created the publicly available web services Wepawet and Anubis.
Wepawet (wepawet.iseclab.org) checks typical website content (Flash, JavaScript and PDF). The files sent are analyzed using a proprietary algorithm to detect suspicious network activity, the presence of known exploits, malicious ActiveX components and other unreliable fragments of executable code.
Anubis (anubis.iseclab.org) analyzes Windows executables, Android APK packages and suspicious links.
These are experimental projects aimed primarily at programmers, web designers and other professionals.
AND A LITTLE ABOUT ANONYMITY
The results of the online scanners become available to all users, and copies of suspicious files are passed on to the antivirus vendors. If for some reason you need a check without publicity, some providers are ready to do it confidentially, but for money. The problem is that there are no guarantees, while the money is real. For example, Scan4You.net promises to check submitted files with 35 antiviruses and submitted links against 32 continuously updated blacklists. How true that is, nobody knows.
In theory such a service can be useful for comparative testing of antiviruses, or for not giving away a competitive advantage while developing your own. An antivirus scanning engine can be licensed (common practice today), but the database of signatures for current malware is valuable intellectual property. Besides, before releasing any program it is useful to check how antiviruses react to it. False positives can be triggered by executable packers, shared components, or a less than careful implementation of network functions. What if you have written a "virus" without even knowing it?