Security Research

Best And Worst Antivirus Against Fake AV Malware

JULIEN SOBRIER
September 30, 2010 - 2 min read
The detection rate for fake antivirus malware amongst antivirus vendors is usually below 25%. I was curious to see which AV engines were the best and worst when it comes to blocking malicious fake AV executables. To find out, I obtained 16 different samples and uploaded them to VirusTotal to get the detection information from 43 AV engines.

Before I get into the results, it is interesting to note that fake AV perpetrators often reuse the same names for different executables. For example, the malicious executable scanner.exe was found with different file sizes, which resulted in different AV detection results depending on where the executables came from. The opposite is also true: the exact same file (same size, same MD5) was found on different domains under different names. I made sure my 16 samples were indeed different files so as not to skew the comparison.

Figure: VirusTotal - Detection information for one sample
No absolute protection

The average detection rate was found to be 30%. The detection rate for each sample varied from 12% to 49%.

The best AV engine detected 13 of the 16 samples (81% detection rate). Only 13 of the 43 AV engines detected at least 50% of the samples.
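The two steps behind these numbers, deduplicating the crawled files by content hash (so that same-named different files count separately and identical files under different names count once) and then deriving per-engine and per-sample detection rates from VirusTotal-style verdicts, are shown below as an added example. This is not code from the original post or from Zscaler; the file contents, engine names and verdicts are constructed, and the report shape is only an assumption about how per-engine results are laid out.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Content hash used as the sample identity (the post used MD5; SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


# Constructed crawl results: (file name, source domain, file bytes).
# Names repeat across different files and one file appears under two
# names, which is the situation described in the post.
CONSTRUCTED_FILES = [
    ("scanner.exe", "a.example", b"payload-A"),
    ("scanner.exe", "b.example", b"payload-B"),  # same name, different content
    ("install.exe", "c.example", b"payload-A"),  # same content as the first, different name
    ("setup.exe", "d.example", b"payload-C"),
]

# Constructed per-engine verdicts keyed by sample hash, in the assumed shape
# of a VirusTotal report (True = detected). Engine names are hypothetical.
CONSTRUCTED_VERDICTS = {
    sha256_hex(b"payload-A"): {"EngineOne": True, "EngineTwo": True, "EngineThree": False, "EngineFour": False},
    sha256_hex(b"payload-B"): {"EngineOne": True, "EngineTwo": False, "EngineThree": False, "EngineFour": False},
    sha256_hex(b"payload-C"): {"EngineOne": True, "EngineTwo": True, "EngineThree": True, "EngineFour": False},
}


def dedupe_samples(files):
    """Group crawled files by content hash: identical bytes under different
    names collapse to one sample, different bytes under one name stay separate."""
    by_hash = defaultdict(list)
    for name, domain, data in files:
        by_hash[sha256_hex(data)].append((name, domain))
    return dict(by_hash)


def engine_rates(verdicts):
    """Fraction of unique samples each engine detected."""
    hits = defaultdict(int)
    engines = set()
    for per_engine in verdicts.values():
        for engine, detected in per_engine.items():
            engines.add(engine)
            hits[engine] += int(detected)
    total = len(verdicts)
    return {engine: hits[engine] / total for engine in sorted(engines)}


def sample_rates(verdicts):
    """Fraction of engines that flagged each sample."""
    return {h: sum(v.values()) / len(v) for h, v in verdicts.items()}


def summarize(files, verdicts):
    """Deduplicate the crawl, keep only verdicts for unique samples, and
    produce the figures the post reports: average rate, per-sample spread,
    best engine, engines at or above 50%, and engines that caught nothing."""
    unique = dedupe_samples(files)
    verdicts = {h: verdicts[h] for h in unique}
    per_engine = engine_rates(verdicts)
    per_sample = sample_rates(verdicts)
    return {
        "unique_samples": len(unique),
        "average_detection": sum(per_sample.values()) / len(per_sample),
        "sample_rate_min": min(per_sample.values()),
        "sample_rate_max": max(per_sample.values()),
        "best_engine": max(per_engine, key=per_engine.get),
        "engines_at_least_half": sorted(e for e, r in per_engine.items() if r >= 0.5),
        "engines_zero": sorted(e for e, r in per_engine.items() if r == 0),
    }


if __name__ == "__main__":
    for key, value in summarize(CONSTRUCTED_FILES, CONSTRUCTED_VERDICTS).items():
        print(f"{key}: {value}")
```

With the constructed data, four crawled files collapse to three unique samples, the average detection rate is 50%, and one hypothetical engine detects nothing; the same functions apply unchanged to a real set of hashes and verdicts.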



Figure: Detection rate for all AV software
Best AV solutions

The best AV solution to detect fake AV malware is Sophos, with an 81% detection rate, followed by Sunbelt (75%).

Figure: 5 best AV solutions against fake AV malware

The 13 AV engines which detected at least 50% of the malicious executables are (in alphabetical order):
  1. AhnLab-V3
  2. AntiVir
  3. BitDefender
  4. F-Secure
  5. GData
  6. Kaspersky
  7. NOD32
  8. PCTools
  9. Sophos
  10. Sunbelt
  11. Symantec
  12. TrendMicro
  13. TrendMicro-HouseCall
Worst AV software

The following 7 AV engines did not detect any of the samples:
  1. ClamAV
  2. eSafe
  3. Fortinet
  4. Jiangmin
  5. TheHacker
  6. ViRobot
  7. VirusBuster
AVG, a popular free antivirus, detected 19% of the samples, the same as McAfee.

Conclusion

The AV vendors need to step up and improve their detection. Samples are easy to find: I have explained in previous posts how to reach the fake AV pages from a Google query on the Hot Trends.

-- Julien