AV-programs tested against wmf-hole


Jari Lehtonen

German av-test.org has tested the major players in the AV business against
the new Windows wmf-hole.

Here are the results (in parentheses, the missed variants):

Perfect protection:

BitDefender
Computer Associates eTrust - VET
F-Secure
Kaspersky Lab
McAfee
Eset Nod32
Microsoft OneCare
Sophos
Symantec

Inadequate protection:

Alwil Avast (1)
Clam AntiVirus (1)
Aladdin eSafe (1)

Fortinet (18)
AntiVir (24)
eTrust - INO (25)
Panda (25)
Ikarus (26)
Norman (26)
Ewido (47)
AVG (59)
VirusBuster (61)
QuickHeal (63)
Trend Micro (63)
Dr Web (93)
VBA32 (110)
Authentium Command (119)
F-Prot (119)
 

Adam Piggott


Ian said:
F-Prot only patched F-Prot for Windows yesterday. Now they detect the
malware without problem.

If they only started detecting these exploits yesterday, surely that is a
problem? Even Symantec managed to get out definitions shortly after the
WMFs started propagating like bunnies.

Adam Piggott,
Proprietor,
Proactive Services (Computing)
http://www.proactiveservices.co.uk/
 

Ian Kenefick

If they only started detecting these exploits yesterday, surely that is a
problem? Even Symantec managed to get out definitions shortly after the
WMFs started propagating like bunnies.

Yes. This was a big problem.
 

Peter Seiler

Jari Lehtonen - 05.01.2006 10:44 :
German av-test.org has tested the major players in the AV business against
the new Windows wmf-hole.

Here are the results (in parentheses, the missed variants):

Perfect protection:

BitDefender

So it seems that with my daily updated BD I'm well protected? No need for
any of the discussed solutions such as unregister, Ilfak etc.? Right?

But on the BD site this wmf exploit isn't mentioned.
 

Frankster

Without more info these statistics are meaningless.

Example: Suppose a vendor was the FIRST to release a pattern (although not
capable of detecting all variants, better than nothing). Then, each day
thereafter they released another, another, another until after a while all
the variants were covered and they kept moving on (after all, each new
pattern includes much more than *only* the WMF exploit protection).

Isn't the above scenario better than a vendor that might have gone 2 or 3
days with nothing but when they were "tested in the lab" they had it all
together?

It all depends on timing. Without detailed info, really, this test means
nothing. We'd need to know who knew what when and who patched some variants
very quickly while waiting for more info, and who just let it wait a few
days with nothing.

-Frank
 

Adam Piggott

Without more info these statistics are meaningless.

Example: Suppose a vendor was the FIRST to release a pattern (although not
capable of detecting all variants, better than nothing). Then, each day
thereafter they released another, another, another until after a while all
the variants were covered and they kept moving on (after all, each new
pattern includes much more than *only* the WMF exploit protection).

Isn't the above scenario better than a vendor that might have gone 2 or 3
days with nothing but when they were "tested in the lab" they had it all
together?

The even betterer scenario is heuristic detection, which IIRC NOD32 did on
this occasion (as with most samples I've ever submitted). Quick definition
updates still help though, as with them one knows exactly what infection
has occurred (or tried to).

You'd be surprised how quickly a virus can propagate in two days. Just
multiply the speed of light per second by the world's circumference by two
days' worth of seconds. ;-)

Adam Piggott,
Proprietor,
Proactive Services (Computing)
http://www.proactiveservices.co.uk/
 

Ian Kenefick

Why were they caught on the hop?

WMFs were previously regarded as non-infectable objects. I would
imagine this was the reason. Kaspersky Lab software was also vulnerable.
They released a patch on the 30th. Over 2 days after the vulnerability
was announced. F-Prot was a lot slower... this is obviously not good.
I don't know why... perhaps they had problems in testing their patch?
 

kurt wismer

Adam said:
If they only started detecting these exploits yesterday, surely that is a
problem?

time to go back and re-read the thread... prior to yesterday's update
they were detecting 119 out of 206.. they didn't just start yesterday,
they updated their engine to better handle wmf files yesterday (i would
imagine)
 

* * Chas

| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Frankster wrote:
| > Without more info these statistics are meaningless.
| >
| > Example: Suppose a vender was the FIRST to release a patter
(although not
| > capable of detecting all variant, better than nothing). Then, each
day
| > thereafter they released another, another, another until after a
while all
| > the variants were covered and they kept moving on (after all, each
new
| > pattern includes much more than *only* the WMF exploit protection).
| >
| > Isn't the above scenario better than a vendor that might have gone 2
or 3
| > days with nothing but when they were "tested in the lab" they had it
all
| > together?
|
| The even betterer scenario is heuristic detection, which IIRC NOD32
did on
| this occasion (as with most samples I've ever submitted). Quick
definition
| updates still help though, as with them one knows exactly what
infection
| has occurred (or tried to).
|
| You'd be surprised how quickly a virus can propagate in two days. Just
| multiply the speed of light per second by the world's circumference by
two
| days' worth of seconds. ;-)
|
| Adam Piggott,
<snip>

Jan. 4, 2006 "ESET Protects Against Microsoft Media File Vulnerability"

NOD32 has a free 30 day download to protect non-subscribers:

http://www.eset.com/about/press.htm#media

Chas.
 

Peter Seiler

* * Chas - 06.01.2006 05:01 :
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Frankster wrote:
| > Without more info these statistics are meaningless.
| >
| > Example: Suppose a vender was the FIRST to release a patter
(although not
| > capable of detecting all variant, better than nothing). Then, each
day
| > thereafter they released another, another, another until after a
while all
| > the variants were covered and they kept moving on (after all, each
new

[snipped]

Look at the terrible quoting (quoting marker mismatch, linefeeds). What's
the reason for it?
 

Adam Piggott


* * Chas said:
| The even betterer scenario is heuristic detection, which IIRC NOD32
did on
| this occasion (as with most samples I've ever submitted). Quick
definition
| updates still help though, as with them one knows exactly what
infection
| has occurred (or tried to).
|
| You'd be surprised how quickly a virus can propagate in two days. Just
| multiply the speed of light per second by the world's circumference by
two
| days' worth of seconds. ;-)
|
| Adam Piggott,
<snip>

Jan. 4, 2006 "ESET Protects Against Microsoft Media File Vulnerability"

NOD32 has a free 30 day download to protect non-subscribers:

Don't need to trial NOD32 - it's where I'm going shortly and where all of
my customers are going since a decision a couple of months ago :)
 

* * Chas

Peter Seiler said:
* * Chas - 06.01.2006 05:01 :
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Frankster wrote:
| > Without more info these statistics are meaningless.
| >
| > Example: Suppose a vender was the FIRST to release a patter
(although not
| > capable of detecting all variant, better than nothing). Then, each
day
| > thereafter they released another, another, another until after a
while all
| > the variants were covered and they kept moving on (after all, each
new

[snipped]

Look at the terrible quoting (quoting marker mismatch, linefeeds). What's
the reason for it?

I don't know, I have OE set to Line Wrap at 72 Characters using Plain
Text and Uuencode for message format.

Chas.
 