In focus: extensions
03.03.2009. | Updated: 13.06.2009.
Certain antivirus products are said to restrict the range of files they check and can therefore operate faster. One simple way of doing this is to check only files with certain extensions. But does this create a security risk?
Which files a security product checks and which it does not is, in reality, a secondary issue. As long as the protection provides maximum security, it does not matter how its operation is influenced by the handling of extensions. The reason for the present test was that, in our experience, certain antivirus products check only files with certain extensions. They can therefore operate much more quickly, and this is then exploited in the marketing of virus protection products; several of them use slogans referring to their speed. The question is to what extent this compromises security and to what extent it reduces the range of malware they are capable of detecting.
Tested products and versions
| Product | Developer | Version |
|---|---|---|
| AVG Internet Security | AVG | 8.0.200 |
| McAfee VirusScan Enterprise | McAfee | 8.5i |
| ESET Smart Security | ESET Software | 3.0.672.0 |
| Panda Internet Security 2009 | Panda Software | 14.00.00 |
| Sunbelt VIPRE Antivirus + Antispyware | Sunbelt Software | 3.2.1866.2 |
| Trend Micro Internet Security 2009 | Trend Micro | 17.0.1305 |
Test environment
All tests were carried out in the following environment:
| Component | Details |
|---|---|
| Hardware | Intel Pentium 4 CPU 1.7 GHz |
| | ABIT BD7 II |
| | 512 MB RAM |
| | 80 GB Maxtor HDD |
| Software | Microsoft Windows XP Professional v2002 SP3 |
Speed test
In the course of testing, the on-access protection of the antivirus products was measured. The Windows XP Home + SP3 operating system was used. The speed of the system was measured with virus-free files. Three groups of files with a total size of approx. 20 GB were used, the number of files approaching one hundred thousand. The first group contained unpacked executable files; the second, zipped executable files; the third, non-executable files (documents, HTML files, multimedia files, etc.). On-access protection was exercised by reading the files (every byte from beginning to end) with a small shell program while the protection was installed and switched on. Because the operating system itself also carries out background activity, the test was repeated 30 times. The table of on-access results shows the minimum, maximum and average values.
Important note: the file packages used in testing were intended to sample the sets of files found on average Windows-based computers; in some cases, however, different speeds may occur. The results nevertheless show the speed of each scanning engine. The results tables give all speed values in h:mm:ss format. Note also that to calculate the slow-down caused by the antivirus protection, the time measured without protection has to be subtracted from the time given for each product.
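The measurement described above, as an added example that is not part of the original article: a read pass that consumes every byte of every file under a directory (the operation that triggers on-access scanning), repeated a number of times to give min/max/average, plus the slow-down calculation on the h:mm:ss values used in the tables. The directory, run count and corpus are constructed here; the original used a batch/shell program on Windows.

```python
import os
import tempfile
import time

def read_every_byte(root):
    """Read every file under root from start to end; this is what triggers
    on-access scanning. Only the byte count is kept."""
    total = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as f:
                while chunk := f.read(1 << 20):
                    total += len(chunk)
    return total

def time_reads(root, runs=30):
    """Repeat the read pass `runs` times and return min/max/average seconds,
    as the article's tables do, so OS background activity averages out."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        read_every_byte(root)
        samples.append(time.perf_counter() - start)
    return {"min": min(samples), "max": max(samples),
            "avg": sum(samples) / len(samples)}

def to_seconds(hms):
    """'0:13:46' -> 826 (the h:mm:ss format of the result tables)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def fmt(seconds):
    seconds = int(round(seconds))
    return f"{seconds // 3600}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"

def slowdown(with_av, without_av):
    """Overhead attributable to the scanner: protected time minus baseline."""
    return fmt(to_seconds(with_av) - to_seconds(without_av))

if __name__ == "__main__":
    # Constructed corpus: a handful of small random files in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(50):
            with open(os.path.join(tmp, f"file{i}.bin"), "wb") as f:
                f.write(os.urandom(4096))
        print(time_reads(tmp, runs=5))
    print(slowdown("0:13:46", "0:01:13"))  # AVG, package 1 average: 0:12:33
```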
Average run time of antivirus products with on-access protection when opening virus-free files.
Results
Virus-free files, package 1:
| Run time | Without protection | AVG | McAfee | ESET | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|---|
| minimal | 0:00:53 | 0:13:38 | 0:02:25 | 0:02:11 | 0:03:00 | 0:03:16 | 0:04:18 |
| maximal | 0:03:28 | 0:17:21 | 0:10:44 | 0:04:40 | 0:53:32 | 0:05:44 | 0:05:20 |
| average | 0:01:13 | 0:13:46 | 0:02:27 | 0:02:22 | 0:13:21 | 0:03:17 | 0:04:22 |
Virus-free files, package 2:
| Run time | Without protection | AVG | McAfee | ESET | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|---|
| minimal | 0:00:21 | 0:00:55 | 0:01:03 | 0:00:26 | 0:00:49 | 0:00:50 | 0:00:51 |
| maximal | 0:00:51 | 0:01:22 | 0:03:59 | 0:01:53 | 0:15:28 | 0:01:20 | 0:01:24 |
| average | 0:00:26 | 0:00:57 | 0:01:04 | 0:00:30 | 0:03:48 | 0:00:51 | 0:00:53 |
Virus-free files, package 3:
| Run time | Without protection | AVG | McAfee | ESET | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|---|
| minimal | 0:01:18 | 0:07:10 | 0:02:32 | 0:03:22 | 0:05:20 | 0:05:59 | 0:04:47 |
| maximal | 0:06:17 | 0:10:09 | 0:07:04 | 0:07:43 | 0:46:49 | 0:06:26 | 0:07:52 |
| average | 0:01:56 | 0:07:22 | 0:02:42 | 0:03:41 | 0:15:59 | 0:06:23 | 0:04:55 |
Checking of extensions
The continuous on-access protection of the antivirus products was tested by examining which extensions they check. Copies of a well-known malicious code were prepared in which the extension (up to 3 characters long) was set to every possible value (nearly 57,198 copies), and a further 1000 copies were made with random 4-character extensions. For the check, a freshly installed operating system was updated, then the protection product was installed and updated. We then attempted to read the infected samples with a batch program (by copying them to the so-called nul device). Finally, the messages and log files of the protection products and the changes to the infected samples were analysed. The table below shows how many extensions each product examined and how many it did not. It is interesting that Sunbelt VIPRE only recognised the malicious code in files with 49 (!) extensions, and with none of the 4-character extensions. The other products also left some files unscanned; these had extensions containing special characters (e.g. #, $).
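The extension enumeration and the log evaluation described above, as an added example (not the testers' own tooling): it generates the exhaustive set of extensions up to a given length, a random set of longer ones, and then splits the set into checked/unchecked from a scanner log, flagging the unchecked extensions that contain special characters. The alphabet, the log format and the sample file name are assumptions; the article does not state them, and the sample here would be a benign test file such as EICAR rather than live malware.

```python
import itertools
import random
import re

# Assumed alphabet (the article does not list its character set): lower-case
# letters, digits and a few punctuation characters Windows allows in names.
# Windows file names are case-insensitive, so upper-case variants would only
# duplicate names, and a trailing '.' is stripped by the OS, so '.' is omitted.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789#$_-~"
SPECIAL = set("#$_-~")

def generate_extensions(alphabet=ALPHABET, max_len=3):
    """Every extension of length 1..max_len over the alphabet (exhaustive)."""
    exts = []
    for n in range(1, max_len + 1):
        exts.extend("".join(p) for p in itertools.product(alphabet, repeat=n))
    return exts

def random_extensions(count=1000, length=4, alphabet=ALPHABET, seed=0):
    """The second set: random extensions of a fixed longer length."""
    rng = random.Random(seed)
    return ["".join(rng.choice(alphabet) for _ in range(length)) for _ in range(count)]

# Hypothetical log format: a space follows the file name, so the extension
# runs from 'sample.' to the next whitespace.
DETECTED_RE = re.compile(r"sample\.(\S+)")

def coverage(exts, log_text):
    """Split the extension set into checked / unchecked, like the tables."""
    hits = {m.group(1).lower() for m in DETECTED_RE.finditer(log_text)}
    unchecked = sorted(e for e in exts if e not in hits)
    return {
        "checked": len(exts) - len(unchecked),
        "unchecked": len(unchecked),
        # skipped extensions containing a special character (the '#', '$' case)
        "unchecked_special": [e for e in unchecked if set(e) & SPECIAL],
    }

# Constructed scanner log in a generic format, not taken from any tested product.
SAMPLE_LOG = """\
2009-03-03 10:15:01 Threat found: C:\\test\\sample.a -> quarantined
2009-03-03 10:15:01 Threat found: C:\\test\\sample.b -> quarantined
2009-03-03 10:15:02 Threat found: C:\\test\\sample.aa -> quarantined
2009-03-03 10:15:02 Threat found: C:\\test\\sample.AB -> quarantined
2009-03-03 10:15:02 Threat found: C:\\test\\sample.ba -> quarantined
2009-03-03 10:15:03 Threat found: C:\\test\\sample.bb -> quarantined
"""

if __name__ == "__main__":
    print(coverage(generate_extensions("ab#", max_len=2), SAMPLE_LOG))
```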
The sample used for the tests
The malware with MD5 hash b60e6e27040a86fedb4986fcf2c13c52 was used for the test. The antivirus products identified it as follows:
| Product | Name |
|---|---|
| AVG Internet Security | Win32/Virut.A |
| ESET Smart Security | Win32/Virut.B |
| McAfee VirusScan Enterprise | W32/Virut.b |
| Panda Internet Security 2009 | W32/Virutas.A |
| Sunbelt VIPRE Antivirus + Antispyware | Win32.virut.b |
| Trend Micro Internet Security 2009 | PE_VIRUT.B |
Results
Up to 3 character extension (57198):
| Checked | AVG | McAfee | ESET | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|
| yes | 52363 | 53959 | 52638 | 52582 | 49 | 53824 |
| no | 4835 | 3239 | 4560 | 4616 | 57149 | 3374 |
4 character extension (1000)
| Checked | AVG | McAfee | ESET | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|
| yes | 1000 | 1000 | 1000 | 933 | 0 | 1000 |
| no | 0 | 0 | 0 | 67 | 1000 | 0 |
The results displayed in the table were prepared on the basis of the log files created by antivirus protection programs.
The log file produced by Panda Internet Security contained only 4649 entries, referring only to the last hits, so it proved unsuitable for further processing. For Panda Internet Security, detection was therefore checked by observing the change in the size of the infected files, from which the detection behaviour of the antivirus could be inferred.
Risks of extensions
In the case of on-access protection, whether an extension is "known" or "unknown" does not in itself cause a problem. If the protection is able to identify every malicious code, it does not matter which extensions it checks. However, among the extensions Sunbelt VIPRE did not recognise were extensions used by certain malicious codes. When examining the risks of extensions, the MP3, SWF and WMA extensions were tested, not with renamed copies but with actual malicious codes that really spread under these extensions.
This part of the test was not originally planned; it was prompted by the problem noted above with Sunbelt VIPRE. Its purpose was not to compare detection capability for these types of malware, but only to answer one question: does the extension problem described cause a real security problem?
For completeness, more detailed examinations were carried out of different exploits (including malware spreading in MP3, SWF and WMA files).
Results
Checking MP3, SWF and WMA extensions:
| Checked | AVG | McAfee | ESET | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|
| yes | - | mp3, swf, wma | mp3, swf, wma | mp3 | - | swf, wma |
| no | mp3, swf, wma * | - | - | swf, wma ** | mp3, swf, wma ** | mp3 ** |
* Does not identify the malware by default, but finds it if the user adds the extension
** Does not identify the malware even if the extensions are added
The table was published incorrectly in the 10 March 2009 issue of ComputerWorld.
Videos
- AVG Internet Security (default settings)
- AVG Internet Security (checks all files)
- McAfee VirusScan Enterprise
- ESET Smart Security
- Panda Internet Security 2009
- Sunbelt VIPRE Antivirus + Antispyware
- Trend Micro Internet Security 2009
Log files
- AVG Internet Security
- McAfee VirusScan Enterprise
  - mcafee.txt - log file for all examined extensions
- ESET Smart Security
  - eset.txt - log file for all examined extensions
- Panda Internet Security 2009
  - panda.txt - log file containing only 4649 entries, referring only to the last hits
  - panda-filelist1.txt - list of files containing a virus after run 1
  - panda-filelist2.txt - list of files containing a virus after run 2
  - panda-filelist3.txt - list of files containing a virus after run 3
- Sunbelt VIPRE Antivirus + Antispyware
  - sunbelt-orig.zip - *.xml files generated by the antivirus program, in a compressed archive
  - sunbelt-all.xml - *.xml files generated by the antivirus program merged into one file (UTF-16)
  - sunbelt-all2.xml - *.xml files generated by the antivirus program merged into one file (UTF-8)
- Trend Micro Internet Security 2009
  - trendmicro.txt - log file for all examined extensions (UTF-16)
  - trendmicro2.txt - log file for all examined extensions (UTF-8)