In the ongoing saga of rebuilding/fixing/whatever my wife's machine, I
did some testing of three free A/V products. For the heck of it, I also
tested both the "free" McAfee I can get from AOL (don't ask) or Comcast,
and my corporate edition from work. Both failed miserably.
While my test is simple, the fact that it failed so simple a case yet
sort-of worked in other cases is troubling at best. As noted below, for
my test I created eicar.com
(http://www.eicar.org/anti_virus_test_file.htm) and eicar.exe from
Linux, and put the files in a location served by Samba. I then tried to
run them over the network using an Explorer window and UNC paths (not
mapped drives). I then tried to copy them locally (Explorer GUI, using
UNC) and run them again. For the corporate edition on my work laptop I
also tried running the executable from the mapped network drive, and
then copied it locally.
Test results using VirusScan Enterprise 8.0.0 edition on my work laptop:
1) The "virus" ran from both UNC and mapped network drives! This is
very, very bad.
2) The virus was stopped from being copied locally via the GUI or
command line, but I was then locked into an alert message loop. It
seemed like it was detecting the file in quarantine, alerting, and
trying to quarantine it again, which it couldn't, since it already had.
I had to disable on-access scanning and delete c:\quarantine to get
out of the loop. VERY sloppy.
3) Once copied locally, it was stopped from executing, but I was put
into the same loop.
In all three loop cases (GUI, CLI, local run) the delete or clean
buttons were grayed out. They would presumably have solved the loop
problem.
Naturally, my concern is that if the "virus" is recognized locally, why
is it allowed to run from a network drive. My "My Documents" folder is
on my H: drive, so anything that gets saved to my desktop (as is the
default in Firefox, for example), would be on a network drive and
presumably not be blocked. That's certainly disturbing.
As a side note, anyone who reads this list knows you should avoid all
Symantec A/V and F/W products at all costs. They hose the machine and
are virtually impossible to uninstall cleanly. So I don't have any
around to test anymore. I don't have the CA product either, though
maybe if Troy or one of his guys (Matt) has time....
My test documentation, which I wrote as ASCII to be placed in my local
p:\apps\Anti-Virus folder for my own future reference is below.
In the end, I chose Avast, so we'll see how that goes.
Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| jp{at}jpsdomain{dot}org
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus
and anti-malware software mandatory. The resulting software arms race
has effectively flattened Moore's Law on hardware running Windows.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Updated: 2006-08-19
Summary
-------
Avast    More configuration options, have to register, may be incompatible
         with ZoneAlarm
AVG      Less configuration options, slightly more memory use
AntiVir  Do not use, failed eicar test over UNC path to network drive!
McAfee   Do not use, failed eicar test over UNC path to network drive!
Testing: I used a stock W2K Pro install in VMware, reverting to a
common snapshot between tests.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
General URLs
------------
Best of the Free Anti-virus Choices? 2006-05-22
http://ask.slashdot.org/askslashdot/06/05/22/1310211.shtml
Retrospective / ProActive - Test May 2006 Copyright (c) by Andreas
Clementi (www.av-comparatives.org) - Tested on Windows XP Professional SP2
http://www.av-comparatives.org/seiten/ergebnisse_2006_05.php
Free A/V 2005-09-28
http://www.pcmag.com/print_article2/0,1217,a=161233,00.asp
Free AntiVirus Utilities
http://www.thefreecountry.com/security/antivirus.shtml
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Avast v4.7
----------
http://www.avast.com/eng/avast_4_home.html
Tested 2008-08-19 JPV
Memory seems a little over 11M with 5 processes, 4 services (with
descriptions)
In Add/Remove Programs
Pro  No noticeable slowdown
     Auto-updated during install
     Can do boot-time scan
     IM, POP, IMAP, other, with lots of options
     Can add "scanned by" note to e-mail
     Can set exclusions (dirs/files) for scans!
     Can send admin/alert e-mails!
     Can do file checksums (and other?) [VRDB] for recovery
     Mostly nice interface, seems like lots of good options (good and bad)
     Passed the eicar test [1]! And had very useful info about it
Con  Must register after 60 days and then every 14 months
     Installer needed a reboot (though it did ask to do a boot-time scan)
     No setting to scan only EXEs
     No full scan scheduler [2]
     Annoying default skins for the full system scan interface
     Its WebShield transparent proxy has a conflict with ZoneAlarm's Privacy
     blocker
AVG v405 2006-08-08
-------------------
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Tested 2008-08-19 JPV
Memory seems a little over 20M with 4 processes, 3 services
In Add/Remove Programs
Pro  No noticeable slowdown
     Auto-updated during install
     No REBOOT!
     Scan scheduler [2]
     Only scans "infectable" files
     Passed the eicar test [1]! But had no useful info
     Limited interface, not many options (good and bad)
     Many people on Slashdot (above link) like it
Con  Complained about old version of Roxio Easy CD that can interfere?!?
     Roxio was not installed, this was a drop-dead stock W2KPro
     Confirms a license agreement with you during install :-(
     Per Slashdot (link above), not great performance on some tests
     Full scans turned on by default, can delete schedule but not turn off?
AntiVir v6.35.00.00
-------------------
http://www.free-av.com/
SHOW-STOPPER -- do not use -- ignored eicar [1] from network drive!
Tested 2008-08-19 JPV
Memory seems a little over 30M with 2 processes, 2 services
In Add/Remove Programs
Pro  Created a random serial number during install
     Limited interface, not many options (good and bad)
     Auto-updated during install
Con  NOT compatible with Cygwin per Readme!?!
     Installer needed reboot
     Tried to open a page in a custom browser window but failed!
     FAILED THE EICAR TEST [1] when run from a network drive!!! (both .com
     and .exe)
     Could not scan the eicar file over a net drive!
     "Worked" during copy to local drive and running from local
     Nasty Nagware according to Slashdot, but I didn't see that (maybe
     didn't test long enough?)
McAfee
------
http://www.comcast.net/security/mcafee/
Logged in as me, this worked even from FiOS!
SHOW-STOPPER -- do not use -- ignored eicar [1] from network drive!
Tested 2008-08-19 JPV
Memory seems a little over 40M with 4 processes, 3 services
Two entries in Add/Remove Programs
Pro  No reboot
     Can schedule scans, but is not turned on by default
     Auto-updated during install
Con  Web install since it's via Comcast (or AOL, yuck!)
     Virtually no configuration options
     Targeted by virus authors
     Re-registers itself to startup at every boot, triggering StartupMon [3] :-(
     System seemed a little slower...
     FAILED THE EICAR TEST [1] when run from a network drive!!! (both .com
     and .exe)
     No ability to right-click and scan the eicar file
     "Worked" during copy to local drive and running from local
The VirusScan Enterprise 8.0.0 edition I have on my work machine not
only failed the same test, it even failed it over a mapped drive:
C:\> i:\tmp\eicar.exe
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
--------
Notes
[1] Eicar is http://www.eicar.org/anti_virus_test_file.htm
For my test, I created eicar.com and eicar.exe from Linux, and put the
files in a location served by Samba. I then tried to run them over the
network using an Explorer window and UNC paths (not mapped drives). I
then tried to copy them locally (Explorer GUI, using UNC) and run them
again.
[2] I do not really believe in running scheduled full scans of the
system. But then it's too late, you're infected. If the real-time
monitor doesn't work (oh, say for example it allows you to run viruses
via Explorer and UNC paths from a network drive), then it's useless.
Running a full-system scan on first install is probably a good idea,
but after that, if the product works, it should not be necessary.
Thus, I don't consider NOT having a scan scheduler a big deal, but I
mention it because it may seem counter-intuitive at first.
[3] StartupMon = http://www.mlin.net/StartupMonitor.shtml
"StartupMonitor is a small utility that runs transparently (it doesn't
even use a tray icon) and notifies you when any program registers
itself to run at system startup. It prevents annoying programs from
registering themselves behind your back."
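The following Python script is an added example, not JP's own test files or anything shipped by the products reviewed. It builds eicar.com and eicar.exe from the public eicar.org test string, checks that each file is well-formed under the eicar.org rules (an editor that prepends a BOM or pads the file past 128 bytes produces a file a scanner is not required to detect, so a "miss" on such a file proves nothing), and then writes the pair into every directory given on the command line (a local folder, a UNC path, a mapped drive) and reports what the on-access scanner did to each. The two-part split of the test string, the settle delay and the verdict wording are my assumptions.

```python
"""Probe whether on-access anti-virus scanning covers a given location.

Added example, not JP's own test files. It builds eicar.com and eicar.exe
from the public eicar.org test string, checks that the files are well-formed
under the eicar.org rules, and reports what happened to each file in every
directory passed on the command line (a local dir, a UNC path, a mapped
drive). The settle delay and verdict wording are assumptions.
"""
import os
import sys
import tempfile
import time

# The 68-byte eicar.org test string, kept in two halves so that this script
# itself does not contain the contiguous signature and get quarantined.
_EICAR_HEAD = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# eicar.org allows only these bytes after the 68-byte string.
_ALLOWED_TRAILER = b" \t\r\n\x1a"


def eicar_bytes() -> bytes:
    """Return the exact 68-byte test string as ASCII bytes."""
    data = (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")
    assert len(data) == 68
    return data


def is_valid_eicar(data: bytes) -> bool:
    """True when data follows the eicar.org file rules: the 68-byte string
    first, then only whitespace (space, tab, CR, LF, Ctrl-Z), 128 bytes max.
    A file with a BOM in front, or padded past 128 bytes, is not one a
    scanner is expected to detect, so a 'miss' on it proves nothing."""
    if len(data) > 128 or data[:68] != eicar_bytes():
        return False
    return all(b in _ALLOWED_TRAILER for b in data[68:])


def _read_verdict(path: str) -> str:
    """Classify what the on-access scanner did to an already written file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return "removed (scanner deleted or quarantined it)"
    except OSError as exc:
        return f"blocked on read ({exc.strerror})"
    if is_valid_eicar(data):
        return "NOT DETECTED: file readable and intact"
    return "altered: file present but no longer a valid EICAR file"


def probe_location(directory: str, settle_seconds: float = 2.0) -> dict:
    """Write eicar.com and eicar.exe into directory, wait for on-access
    scanning to react, and return {filename: verdict}."""
    verdicts = {}
    payload = eicar_bytes()
    for name in ("eicar.com", "eicar.exe"):
        path = os.path.join(directory, name)
        try:
            with open(path, "wb") as fh:
                fh.write(payload)
        except OSError as exc:
            verdicts[name] = f"blocked on write ({exc.strerror})"
            continue
        time.sleep(settle_seconds)
        verdicts[name] = _read_verdict(path)
    return verdicts


if __name__ == "__main__":
    # Usage: python eicar_probe.py C:\tmp \\server\share\tmp I:\tmp
    # With no arguments it probes a fresh temporary directory.
    targets = sys.argv[1:] or [tempfile.mkdtemp(prefix="eicar-probe-")]
    for target in targets:
        print(target)
        for name, verdict in probe_location(target).items():
            print(f"  {name}: {verdict}")
```

Run it once with a local folder, the UNC path and the mapped drive letter on the same line and compare the verdicts: "NOT DETECTED" on the network paths while the local folder reports "removed" is exactly the gap described above. Then still run the file from each location as JP did, since a scanner may treat writing, reading and executing a file differently.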
It even asks to block some basic spam messages coming through Outlook,
or messages without a subject or body text.
I registered once and I use that code on over 2 dozen installs at my
church. Once a year I renew the registration and go around to each
installation and refresh the reg code. You can overwrite the reg code
anytime and extend the expiration when you have a new code.
Brad
>> I don't have the CA product either, though maybe if Troy or one of his guys
>> (Matt) has time....
Just an update from the CA side. After deciding that Symantec and McAfee
were not up to the task for many of the same reasons JP mentions, we began
using CA e-Trust around 2000. They had a reasonable cost and sig updates were
free so the product did not stop working after your maintenance ran out.
Also they had two AV engines, VET and InoculateIT. It was also very
lightweight.
Well that was until version 8.0. With version 8.0+ they put in a web
interface for management of the client, which requires Apache and some
middleware to be running on each client. So CA is no longer a lightweight
solution. They also dropped the InoculateIT engine and now only have VET. CA
e-Trust still works but I am not as thrilled with it as I was before 8.0. I
started looking for a new vendor last year.
I have rolled out Kaspersky enterprise to one client. It is lightweight and
very manageable with the ability to have a hierarchy of management servers.
However I must say with the flexibility of the management comes complexity.
This is the first AV product I feel I need to go to a training class for. I am
also researching AVG network edition.
Later,
Troy