PC Anti-Virus Protection 2011

12 POPULAR ANTI-VIRUS PROGRAMS COMPARED FOR EFFECTIVENESS

Dennis Technology Labs, 03/08/2010
www.DennisTechnologyLabs.com

This test aims to compare the effectiveness of the most recent releases of popular anti-virus software [1]. The products include those from Kaspersky, McAfee, Microsoft, Norton (Symantec) and Trend Micro, as well as free versions from Avast, AVG and Avira. Other products include those from BitDefender, ESET, G-Data and K7.

The tests were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of the software available. A total of 12 products were exposed to genuine internet threats that real customers could have encountered during the test period. Crucially, this exposure was carried out in a realistic way, reflecting a customer’s experience as closely as possible. For example, each test system visited real, infected websites that significant numbers of internet users were encountering at the time of the test. These results reflect what would have happened if those users were using one of the seven products tested.

EXECUTIVE SUMMARY

- Products that block attacks early tended to protect the system more fully
  The nature of web-based attacks means that the longer malware has access to a system, the more chances it has of downloading and installing further threats. Products that blocked the malicious and infected websites from the start reduced the risk of compromise by secondary and further downloads.

- 100 per cent protection is rare
  This test recorded an average protection rate of 87.5 per cent. New threats appear online frequently and it is inevitable that there will be times when specific security products are unable to protect from some of these threats.

- The products rarely blocked the installation of legitimate applications
  There were a number of cases in which the anti-virus programs warned against allowing legitimate applications full access to the system and the network. However, they rarely blocked these applications from installing.

Simon Edwards, Dennis Technology Labs

[1] The latest available products were used in the test:
- Avast! Free AntiVirus 5
- AVG Anti-Virus Free Edition 9
- Avira Personal - Free Antivirus 10
- BitDefender Internet Security 2010
- ESET Smart Security 4
- G Data InternetSecurity 2011
- K7 Total Security 10
- Kaspersky Internet Security 2011
- McAfee Internet Security 2010
- Microsoft Security Essentials
- Norton Internet Security 2011
- Trend Micro Internet Security 2010

CONTENTS

Executive summary
Contents
1. Overall Accuracy
2. Overall Protection
3. Protection Details
4. False Positives
5. The tests
6. Test details
7. Conclusions
Appendix A: Terms
Appendix B: Legitimate Samples
Appendix C: Threat report
Appendix D: Tools
Appendix E: Terms of the test

1. OVERALL ACCURACY

Each product has been scored for its accuracy in detecting and handling malware. We awarded two points for defending against a threat, one for neutralizing it and deducted two points every time a product allowed the system to be compromised.

The reason behind this score weighting is to give credit to products that deny malware an opportunity to tamper with the system and to penalize those that allow malware to damage it. In some of our test cases a compromised system was made unstable, or even unusable without expert knowledge. Even if active malware was removed, we considered such damaged systems to count as being compromised.

The Norton product defended against all threats so it scores a full 80 marks. It was the only product to avoid being compromised by the internet threats. Kaspersky's product came a close second, losing points due to neutralizing two threats and being compromised by one.
[Figure: Accuracy Scores] The Symantec (Norton) product was the only one to protect against all the internet threats used.

ACCURACY SCORES

| Product | Target Defended | Target Neutralized | Target Compromised | Overall Accuracy |
|---|---|---|---|---|
| Norton Internet Security 2011 | 40 | 0 | 0 | 80 |
| Kaspersky Internet Security 2011 | 37 | 2 | 1 | 74 |
| ESET Smart Security 4 | 34 | 4 | 2 | 68 |
| Avast! Free AntiVirus 5 | 35 | 2 | 3 | 66 |
| G Data InternetSecurity 2011 | 32 | 3 | 5 | 57 |
| Avira Personal - Free Antivirus 10 | 29 | 4 | 7 | 48 |
| Trend Micro Internet Security 2010 | 23 | 11 | 6 | 45 |
| AVG Anti-Virus Free Edition 9 | 23 | 11 | 6 | 45 |
| BitDefender Internet Security 2010 | 29 | 2 | 9 | 42 |
| McAfee Internet Security | 23 | 6 | 11 | 30 |
| Microsoft Security Essentials | 22 | 4 | 14 | 20 |
| K7 Total Security 10 | 20 | 5 | 15 | 15 |

2. OVERALL PROTECTION

The following illustrates the general level of protection provided by each of the security products, combining the defended and neutralized incidents into an overall figure. This figure is not weighted with an arbitrary scoring system as it was in 1. Overall accuracy.

The average protection level afforded by the tested products, when exposed to the threats used in this test, was 87.5 per cent. Above average products included those from Symantec (Norton), Kaspersky, ESET, Avast! and G Data. Only one of these was free (Avast).

[Figure: Overall Protection Scores] The only free product that performed above average was Avast! Free AntiVirus 5.

OVERALL PROTECTION SCORES

| Product | Protected Incidents | Percentage of incidents |
|---|---|---|
| Norton Internet Security 2011 | 40 | 100% |
| Kaspersky Internet Security 2011 | 39 | 98% |
| ESET Smart Security 4 | 38 | 95% |
| Avast! Free AntiVirus 5 | 37 | 93% |
| G Data InternetSecurity 2011 | 35 | 88% |
| AVG Anti-Virus Free Edition 9 | 34 | 85% |
| Trend Micro Internet Security 2010 | 34 | 85% |
| Avira Personal - Free Antivirus 10 | 33 | 83% |
| BitDefender Internet Security 2010 | 31 | 78% |
| McAfee Internet Security | 29 | 73% |
| Microsoft Security Essentials | 26 | 65% |
| K7 Total Security 10 | 25 | 63% |

(Average: 87.5 per cent)

3. PROTECTION DETAILS

The security products provided different levels of protection. When a product defended against a threat, it prevented the malware from gaining a foothold on the target system. A threat might have been able to infect the system and, in some cases, the product neutralized it later. When it couldn’t, the system was compromised.

The graph below shows that the most successful products tended to defend, rather than neutralize, the threats. Between them the top five products only neutralized 11 threats, while they defended a total of 178. They were compromised 11 times. The five least effective products, on the other hand, neutralized 21 threats and defended just 123. They were compromised a total of 56 times.

[Figure: Protection Details (Target Defended, Target Neutralized, Target Compromised)] The most successful products tended to defend rather than neutralize, blocking the threats early in the attack.

PROTECTION DETAILS

| Product | Target Defended | Target Neutralized | Target Compromised |
|---|---|---|---|
| Norton Internet Security 2011 | 40 | 0 | 0 |
| Kaspersky Internet Security 2011 | 37 | 2 | 1 |
| ESET Smart Security 4 | 34 | 4 | 2 |
| Avast! Free AntiVirus 5 | 35 | 2 | 3 |
| G Data InternetSecurity 2011 | 32 | 3 | 5 |
| AVG Anti-Virus Free Edition 9 | 23 | 11 | 6 |
| Trend Micro Internet Security 2010 | 23 | 11 | 6 |
| Avira Personal - Free Antivirus 10 | 29 | 4 | 7 |
| BitDefender Internet Security 2010 | 29 | 2 | 9 |
| McAfee Internet Security | 23 | 6 | 11 |
| Microsoft Security Essentials | 22 | 4 | 14 |
| K7 Total Security 10 | 20 | 5 | 15 |

4. FALSE POSITIVES

4.1 False positive levels

A security product needs to be able to protect the system from threats, while allowing legitimate software to work properly. When legitimate software is misclassified a false positive is generated.

We split the results into two main groups because the products all took one of two approaches when attempting to protect the system from the legitimate programs. They either warned that the software was suspicious or took the more decisive step of blocking it.

Blocking a legitimate application is more serious than issuing a warning because it directly hampers the user. In this test we only recorded one blocking action, which was by the K7 product as it falsely categorized the mIRC online chat application as being a "High Security Risk".

Warnings may be of variable strength, sometimes simply asking if the legitimate application should be allowed to access the internet. This type of warning accounted for the majority seen in this test.

The graph below includes the number and type of false positive that each product generated.

[Figure: False Positive Incidents (total warnings and blockings per product)] Despite an apparently high percentage of false positives, most were light warnings.
FALSE POSITIVE INCIDENTS

| False Positive Type | Product | Total |
|---|---|---|
| Warnings | Trend Micro Internet Security 2010 | 15 |
| Warnings | K7 Total Security 10 | 10 |
| Warnings | G Data InternetSecurity 2011 | 8 |
| Warnings | Kaspersky Internet Security 2011 | 7 |
| Warnings | BitDefender Internet Security 2010 | 6 |
| Warnings | McAfee Internet Security | 1 |
| Warnings | Avast! Free AntiVirus 5 | 0 |
| Warnings | AVG Anti-Virus Free Edition 9 | 0 |
| Warnings | Avira Personal - Free Antivirus 10 | 0 |
| Warnings | ESET Smart Security 4 | 0 |
| Warnings | Microsoft Security Essentials | 0 |
| Warnings | Norton Internet Security 2011 | 0 |
| Blockings | K7 Total Security 10 | 1 |
| Blockings | Avast! Free AntiVirus 5 | 0 |
| Blockings | AVG Anti-Virus Free Edition 9 | 0 |
| Blockings | Avira Personal - Free Antivirus 10 | 0 |
| Blockings | BitDefender Internet Security 2010 | 0 |
| Blockings | ESET Smart Security 4 | 0 |
| Blockings | G Data InternetSecurity 2011 | 0 |
| Blockings | Kaspersky Internet Security 2011 | 0 |
| Blockings | McAfee Internet Security | 0 |
| Blockings | Microsoft Security Essentials | 0 |
| Blockings | Norton Internet Security 2011 | 0 |
| Blockings | Trend Micro Internet Security 2010 | 0 |

4.2 Taking file prevalence into account

The prevalence of each file is significant. If a product misclassified a common file then the situation would be more serious than if it failed to detect a less common one. That said, it is usually expected that anti-malware programs should not misclassify any legitimate software.

The files selected for the false positive testing were organized into five groups: Very High Impact, High Impact, Medium Impact, Low Impact and Very Low Impact. These categories were based on download numbers as reported by sites including Download.com at the time of testing. The ranges for these categories are recorded in the table below:

FALSE POSITIVE PREVALENCE CATEGORIES

| Impact category | Prevalence (downloads in the previous week) |
|---|---|
| Very High Impact | >20,000 |
| High Impact | 1,000 – 20,000 |
| Medium Impact | 100 – 999 |
| Low Impact | 25 – 99 |
| Very Low Impact | < 25 |

4.3 Modifying scores

The following set of score modifiers was used to create an impact-weighted accuracy score.
Each time a product allowed a new legitimate program to install and run it was awarded one point. It lost points (or fractions of a point) if and when it generated a false positive. We used the following score modifiers:

FALSE POSITIVE PREVALENCE SCORE MODIFIERS

| False positive action | Impact category | Score modifier |
|---|---|---|
| Blocked | Very High Impact | -5 |
| Blocked | High Impact | -2 |
| Blocked | Medium Impact | -1 |
| Blocked | Low Impact | -0.5 |
| Blocked | Very Low Impact | -0.1 |
| Warning | Very High Impact | -2.5 |
| Warning | High Impact | -1 |
| Warning | Medium Impact | -0.5 |
| Warning | Low Impact | -0.25 |
| Warning | Very Low Impact | -0.05 |

4.4 Distribution of impact categories

Products that scored highest were the most accurate when handling the legitimate applications used in the test. The best score possible is 40, while the worst would be -200 (assuming that all applications were classified as Very High Impact and were blocked). In fact the distribution of applications in the impact categories was not restricted only to Very High Impact. The table below shows the true distribution:

FALSE POSITIVE CATEGORY FREQUENCY

| Impact category | Number of instances |
|---|---|
| Very High Impact | 17 |
| High Impact | 12 |
| Medium Impact | 6 |
| Low Impact | 2 |
| Very Low Impact | 3 |

4.5 False positive accuracy ratings

Combining the impact categories with weighted scores produces the following overall accuracy ratings.

[Figure: False Positive Accuracy Scores] When a product misclassified a popular program it faced a stronger penalty than if the file was more obscure.

FALSE POSITIVE ACCURACY SCORE

| Product | Accuracy score |
|---|---|
| Avast! Free AntiVirus 5 | 40 |
| Avira Personal - Free Antivirus 10 | 40 |
| AVG Anti-Virus Free Edition 9 | 40 |
| ESET Smart Security 4 | 40 |
| Microsoft Security Essentials | 40 |
| Norton Internet Security 2011 | 40 |
| McAfee Internet Security | 37.5 |
| BitDefender Internet Security 2010 | 33.7 |
| Kaspersky Internet Security 2011 | 33.25 |
| G Data InternetSecurity 2011 | 30.45 |
| K7 Total Security 10 | 21.7 |
| Trend Micro Internet Security 2010 | 19.7 |

5. THE TESTS

5.1 The threats

Providing a realistic user experience was important in order to illustrate what really happens when a user encounters a threat on the internet. For example, in these tests web-based malware was accessed by visiting an original, infected website using a web browser, and not downloaded from a CD or internal test website.

All target systems were fully exposed to the threats. This means that any exploit code was allowed to run, as were other malicious files. They were run and permitted to perform exactly as they were designed to, subject to checks made by the installed security software. A minimum time period of five minutes was provided to allow the malware an opportunity to act.

5.2 Test rounds

Tests were conducted in rounds. Each round recorded the exposure of every product to a specific threat. For example, in ‘round one’ each of the products was exposed to the same malicious website. At the end of each round the test systems were completely reset to remove any possible trace of malware before the next test began.

[Figure: partial set of test round records] Each ‘round’ exposed every product to one specific threat.

The partial set of records for round two (highlighted above) shows a range of responses to a particular threat. In this example the Avast, G Data and K7 products allowed the threat to compromise the systems, while the Microsoft and Trend Micro products neutralized the threat. The remaining products blocked the threat early, defending against it.
5.3 Monitoring

Close logging of the target systems was necessary to gauge the relative successes of the malware and the antimalware software. This included recording activity such as network traffic, the creation of files and processes and changes made to important files.

5.4 Levels of protection

The products displayed different levels of protection. Sometimes a product would prevent a threat from executing, or at least making any significant changes to the target system. In other cases a threat might be able to perform some tasks on the target, after which the security product would intervene and remove some or all of the malware. Finally, a threat may be able to bypass the security product and carry out its malicious tasks unhindered. It may even be able to disable the security software.

Occasionally Windows' own protection system might handle a threat while the anti-virus program ignored it. Another outcome is that the malware may crash for various reasons. The different levels of protection provided by each product were recorded following analysis of the log files.

If malware failed to perform properly in a given incident, perhaps because of the very presence of the security product, rather than any specific defending action that the product took, the product was given the benefit of the doubt and a Defended result was recorded. If the test system was damaged, becoming hard to use following an attempted attack, this was counted as a compromise even if the active parts of the malware had eventually been removed by the product.

5.5 Types of protection

All of the products tested provided two main types of protection: real-time and on-demand. Real-time protection monitors the system constantly in an attempt to prevent a threat from gaining access. On-demand protection is essentially a ‘virus scan’ that is run by the user at an arbitrary time.
The test results note each product’s behavior when a threat is introduced and afterwards. The real-time protection mechanism was monitored throughout the test, while an on-demand scan was run towards the end of each test to measure how safe the product determined the system to be.

Manual scans were run only when a tester determined that malware had made an interaction with the target system. In other words, if the security product claimed to block the attack at the initial stage, and the monitoring logs supported this claim, the case was considered closed and a Defended result was recorded.

6. TEST DETAILS

6.1 The targets

To create a fair testing environment, each product was installed on a clean Windows XP Professional target system. The operating system was updated with Windows XP Service Pack 2 (SP2), although no later patches or updates were applied. We test with Windows XP SP2 and Internet Explorer 6 due to the high prevalence of internet threats that rely on this combination. The prevalence of these threats suggests that there are many systems with this level of patching currently connected to the internet.

A selection of legitimate but old software was pre-installed on the target systems. These posed security risks, as they contained known vulnerabilities. They included out of date versions of Adobe Flash Player and Adobe Reader.

A different security product was then installed on each system. Each product’s update mechanism was used to download the latest version with the most recent definitions and other elements. Due to the dynamic nature of the tests, which were carried out in real-time with live malicious websites, the products' update systems were allowed to run automatically and were also run manually before each test round was carried out. The products were also allowed to 'call home' should they be programmed to query databases in real-time.
Some products might automatically upgrade themselves during the test. At any given time of testing, the very latest version of each program was used.

Each target system contained identical hardware, including an Intel Core 2 Duo processor, 1GB RAM, a 160GB hard disk and a DVD-ROM drive. Each was connected to the internet via its own virtual network (VLAN) to avoid malware cross-infecting other targets.

6.2 Threat selection

The malicious web links (URLs) used in the tests were picked from lists generated by Dennis Technology Labs's own malicious site detection system, which uses popular search engine keywords submitted to Google. It analyses sites that are returned in the search results from a number of search engines and adds them to a database of malicious websites. In all cases, a control system (Verification Target System - VTS) was used to confirm that the URLs linked to actively malicious sites.

Malicious URLs and files are not shared with any vendors during the testing process.

6.3 Test stages

There were three main stages in each individual test:

1. Introduction
2. Observation
3. Remediation

During the Introduction stage, the target system was exposed to a threat. Before the threat was introduced, a snapshot was taken of the system. This created a list of Registry entries and files on the hard disk. We used Regshot (see Appendix D: Tools) to take and compare system snapshots. The threat was then introduced.

Immediately after the system’s exposure to the threat, the Observation stage is reached. During this time, which typically lasted at least 10 minutes, the tester monitored the system both visually and using a range of third-party tools. The tester reacted to pop-ups and other prompts according to the directives described below (see 6.6 Observation and intervention).

In the event that hostile activity to other internet users was observed, such as when spam was being sent by the target, this stage was cut short.
The Observation stage concluded with another system snapshot. This ‘exposed’ snapshot was compared to the original ‘clean’ snapshot and a report generated. The system was then rebooted.

The Remediation stage is designed to test the products’ ability to clean an infected system. If it defended against the threat in the Observation stage then we skipped this stage. An on-demand scan was run on the target, after which a ‘scanned’ snapshot was taken. This was compared to the original ‘clean’ snapshot and a report was generated.

All log files, including the snapshot reports and the product’s own log files, were recovered from the target. In some cases the target became so damaged that log recovery was considered impractical. The target was then reset to a clean state, ready for the next test.

6.4 Threat introduction

Malicious websites were visited in real-time using Internet Explorer. This risky behavior was conducted using live internet connections. URLs were typed manually into Internet Explorer’s address bar.

Web-hosted malware often changes over time. Visiting the same site over a short period of time can expose systems to what appear to be a range of threats (although it may be the same threat, slightly altered to avoid detection). Also, many infected sites will only attack a particular IP address once, which makes it hard to test more than one product against the same threat.

In order to improve the chances that each target system received the same experience from a malicious web server, we used a web replay system. When the verification target systems visited a malicious site, the page’s content, including malicious code, was downloaded, stored and loaded into the replay system. When each target system subsequently visited the site, it received exactly the same content.

The network configurations were set to allow all products unfettered access to the internet throughout the test, regardless of the web replay systems.
6.5 Secondary downloads

Established malware may attempt to download further files (secondary downloads), which are stored in a cache by a proxy on the network and re-served to other targets in some circumstances. These circumstances include cases where:

1. The download request is made using HTTP (e.g. http://badsite.example.com/...) and
2. The same filename is requested each time (e.g. badfile1.exe)

There are scenarios in which target systems receive different secondary downloads. These include cases where:

1. The download request is made using HTTPS or a non-web protocol such as FTP or
2. A different filename is requested each time (e.g. badfile2.exe; random357.exe)

6.6 Observation and intervention

Throughout each test, the target system was observed both manually and in real-time. This enabled the tester to take comprehensive notes about the system’s perceived behavior, as well as to compare visual alerts with the products’ log entries. At certain stages the tester was required to act as a regular user. To achieve consistency, the tester followed a policy for handling certain situations, including dealing with pop-ups displayed by products or the operating system, system crashes, invitations by malware to perform tasks and so on.

This user behavior policy included the following directives:

1. Act naively. Allow the threat a good chance to introduce itself to the target by clicking OK to malicious prompts, for example.
2. Don’t be too stubborn in retrying blocked downloads. If a product warns against visiting a site, don’t take further measures to visit that site.
3. Where malware is downloaded as a Zip file, or similar, extract it to the Desktop then attempt to run it. If the archive is protected by a password, and that password is known to you (e.g. it was included in the body of the original malicious email), use it.
4. Always click the default option. This applies to security product pop-ups, operating system prompts (including Windows firewall) and malware invitations to act.
5. If there is no default option, wait. Give the prompt 20 seconds to choose a course of action automatically.
6. If no action is taken automatically, choose the first option. Where options are listed vertically, choose the top one. Where options are listed horizontally, choose the left-hand one.

6.7 Remediation

When a target is exposed to malware, the threat may have a number of opportunities to infect the system. The security product also has a number of chances to protect the target. The snapshots explained in 6.3 Test stages provided information that was used to analyze a system’s final state at the end of a test.

Before, during and after each test, a ‘snapshot’ of the target system was taken to provide information about what had changed during the exposure to malware. For example, comparing a snapshot taken before a malicious website was visited to one taken after might highlight new entries in the Registry and new files on the hard disk. Snapshots were also used to determine how effective a product was at removing a threat that had managed to establish itself on the target system. This analysis gives an indication as to the levels of protection that a product has provided.

These levels of protection have been recorded using three main terms: defended, neutralized, and compromised. A threat that was unable to gain a foothold on the target was defended against; one that was prevented from continuing its activities was neutralized; while a successful threat was considered to have compromised the target.

A defended incident occurs where no malicious activity is observed with the naked eye or third-party monitoring tools following the initial threat introduction. The snapshot report files are used to verify this happy state.
If a threat is observed to run actively on the system, but not beyond the point where an on-demand scan is run, it is considered to have been neutralized. Comparing the snapshot reports should show that malicious files were created and Registry entries were made after the introduction. However, as long as the ‘scanned’ snapshot report shows that either the files have been removed or the Registry entries have been deleted, the threat has been neutralized.

The target is compromised if malware is observed to run after the on-demand scan. In some cases a product might request a further scan to complete the removal. We considered secondary scans to be acceptable, but further scan requests would be ignored. Even if no malware was observed, a compromise result was recorded if snapshot reports showed the existence of new, presumably malicious files on the hard disk, in conjunction with Registry entries designed to run at least one of these files when the system booted. An edited ‘hosts’ file or altered system file also counted as a compromise.

6.8 Automatic monitoring

Logs were generated using third-party applications, as well as by the security products themselves. Manual observation of the target system throughout its exposure to malware (and legitimate applications) provided more information about the security products’ behavior. Monitoring was performed directly on the target system and on the network.

Client-side logging

A combination of Process Explorer, Process Monitor, TcpView and Wireshark was used to monitor the target systems. Regshot was used between each testing stage to record a system snapshot. A number of Dennis Technology Labs-created scripts were also used to provide additional system information. Each product was able to generate some level of logging itself.

Process Explorer and TcpView were run throughout the tests, providing a visual cue to the tester about possible malicious activity on the system.
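
The defended / neutralized / compromised rules from 6.7, written out as a classifier over Regshot-style snapshot reports. This is an added example, not Dennis Technology Labs' own tooling: the `Snapshot` structure, the `PROTECTED` path list, the function names and the sample data are assumptions constructed for illustration, and the snapshots are assumed to have had benign changes filtered out already.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Files whose alteration alone counts as a compromise (the 'hosts' file and
# system files). This specific list is an assumption made for the example.
PROTECTED = {
    r"c:\windows\system32\drivers\etc\hosts",
    r"c:\windows\system32\userinit.exe",
}


@dataclass
class Snapshot:
    """Hypothetical stand-in for a snapshot report."""
    files: Dict[str, str] = field(default_factory=dict)     # path -> content hash
    autoruns: Dict[str, str] = field(default_factory=dict)  # Registry value -> boot command


def _lower(d: Dict[str, str]) -> Dict[str, str]:
    # Windows paths and Registry names are case-insensitive.
    return {k.lower(): v for k, v in d.items()}


def new_items(clean: Dict[str, str], later: Dict[str, str]) -> Dict[str, str]:
    """Entries present in `later` that did not exist in the clean snapshot."""
    base = _lower(clean)
    return {k: v for k, v in _lower(later).items() if k not in base}


def tampered(clean: Snapshot, later: Snapshot) -> List[str]:
    """Protected files altered or deleted since the clean snapshot."""
    before, after = _lower(clean.files), _lower(later.files)
    return sorted(p for p in PROTECTED if p in before and before[p] != after.get(p))


def boot_persistence(clean: Snapshot, later: Snapshot) -> List[str]:
    """New Registry entries that launch a file created since the clean snapshot."""
    files = new_items(clean.files, later.files)
    runs = new_items(clean.autoruns, later.autoruns)
    return sorted(name for name, cmd in runs.items()
                  if any(path in cmd.lower() for path in files))


def classify(clean: Snapshot, exposed: Snapshot, scanned: Optional[Snapshot] = None,
             *, active_seen: bool = False, running_after_scan: bool = False) -> str:
    """Return 'defended', 'neutralized' or 'compromised' for one incident."""
    changed = (new_items(clean.files, exposed.files)
               or new_items(clean.autoruns, exposed.autoruns)
               or tampered(clean, exposed))
    # Defended: nothing observed and the 'exposed' snapshot matches 'clean'.
    if not active_seen and not changed:
        return "defended"
    # Anything else must go through Remediation (on-demand scan + snapshot).
    if scanned is None:
        raise ValueError("threat reached the target: a 'scanned' snapshot is required")
    # Compromised: still running, still able to start at boot, or a
    # protected file remains altered after the scan.
    if running_after_scan or boot_persistence(clean, scanned) or tampered(clean, scanned):
        return "compromised"
    # Neutralized: the files or the Registry entries that launch them are gone.
    return "neutralized"


# --- Constructed sample data (not taken from the report) ---
HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
DROPPED = r"C:\Documents and Settings\user\Local Settings\Temp\upd32.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd"

CLEAN = Snapshot(files={HOSTS: "h0"})
INFECTED = Snapshot(files={HOSTS: "h0", DROPPED: "m1"},
                    autoruns={RUN_KEY: f'"{DROPPED}" /s'})
FILE_REMOVED = Snapshot(files={HOSTS: "h0"}, autoruns={RUN_KEY: f'"{DROPPED}" /s'})
HOSTS_EDITED = Snapshot(files={HOSTS: "h9"})


def demo() -> Dict[str, str]:
    return {
        "blocked at introduction": classify(CLEAN, CLEAN),
        "file removed by scan": classify(CLEAN, INFECTED, FILE_REMOVED, active_seen=True),
        "survives scan": classify(CLEAN, INFECTED, INFECTED, active_seen=True),
        "hosts file edited": classify(CLEAN, HOSTS_EDITED, HOSTS_EDITED),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "file removed by scan" case leaves an orphaned Registry entry behind and still counts as neutralized, which matches the either/or wording in 6.7.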
In addition, Wireshark’s real-time output, and the display from the web proxy (see Network logging, below), indicated specific network activity such as secondary downloads. Process Monitor also provided valuable information to help reconstruct malicious incidents. Both Process Monitor and Wireshark were configured to save their logs automatically to a file. This reduced data loss when malware caused a target to crash or reboot.

In-built Windows commands such as 'systeminfo' and 'sc query' were used in custom scripts to provide additional snapshots of the running system's state.

Network logging

All target systems were connected to a live internet connection, which incorporated a transparent web proxy and a network monitoring system. All traffic to and from the internet had to pass through this system. Further to that, all web traffic had to pass through the proxy as well. This allowed the testers to capture files containing the complete network traffic. It also provided a quick and easy view of web-based traffic, which was displayed to the testers in real-time.

The network monitor was a dual-homed Linux system running as a transparent router, passing all web traffic through a Squid proxy. This was configured in ‘offline’ mode during testing, which is an aggressive caching mode that still permits internet access.

An HTTP replay system ensured that all target systems received the same malware as each other. It was configured to allow access to the internet so that products could download updates and communicate with any available ‘in the cloud’ servers.

7. CONCLUSIONS

Where are the threats?

The threats used in this test were genuine, real-life threats that were infecting victims globally at the same time as we tested the products. In almost every case the threat was launched from a legitimate website that had been compromised by an attacker.
The types of infected or malicious sites were varied, which demonstrates that effective anti-virus software is essential for those who want to browse the web on a Windows PC, whether they are looking for pornography, music or a local taco restaurant.

The vast majority of the threats installed automatically when a user visited the infected webpage. This infection was usually invisible to a casual observer and rarely did the malware make itself known, unless it was installing a fake anti-virus program. These rogue applications pretend to detect viruses on the system and harass the user into paying for a full license, which the program claims will allow it to remove the ‘infections’. In reality the only infection is the fake anti-virus program itself.

Where does protection start?

The best-performing products were Norton Internet Security 2011, Kaspersky Internet Security 2011 and ESET Smart Security 4. These three had one notable similarity: they all blocked threats early in the attack process, which meant that there was less opportunity for the malware to infect the systems. The two least effective products, those from Microsoft and K7, often tackled the threat only once the malware had started to infect the system.

Sorting the wheat from the chaff

The false positive results were quite low, which shows that most of the products are not tuned too aggressively to detect and block malware at the expense of regular programs. Of the three strongest products in terms of threat detection, the Norton and ESET products managed to avoid generating any false positives. Kaspersky's product categorized a few applications as being "potentially dangerous". These included two utilities that come bundled with popular wireless routers.

Anti-virus is important (but not a panacea)

This test shows that there is a significant difference in performance between popular anti-virus programs.
Most importantly, it illustrates this difference using real threats that were attacking real computers at the time of testing. The average protection level of the tested products is 87.5 per cent (see 2. Overall protection), which is significant. The presence of anti-virus software can be seen to decrease the chances of a malware infection even when the only sites being visited are proven to be malicious. It's worth noting, however, that a 100 per cent success rate is rare. Even those products that performed the best in this test are unlikely to be completely bullet-proof in every given situation.

APPENDIX A: TERMS

Compromised: Malware continues to run on an infected system, even after an on-demand scan.
Defended: Malware was prevented from running on, or making changes to, the target.
False Positive: A legitimate application was incorrectly classified as being malicious.
Introduction: Test stage where a target system is exposed to a threat.
Neutralized: Malware was able to run on the target, but was then removed by the security product.
Observation: Test stage during which malware may affect the target.
On-demand (protection): Manual ‘virus’ scan, run by the user at an arbitrary time.
Prompt: Questions asked by software, including malware, security products and the operating system. With security products, prompts usually appear in the form of pop-up windows. Some prompts don’t ask questions but provide alerts. When these appear and disappear without a user’s interaction, they are called ‘toasters’.
Real-time (protection): The ‘always-on’ protection offered by many security products.
Remediation: Test stage that measures a product’s abilities to remove any installed threat.
Round: Test series of multiple products, exposing each target to the same threat.
Snapshot: Record of a target’s file system and Registry contents.
Target: Test system exposed to threats in order to monitor the behavior of security products.
Threat: A program or other measure designed to subvert a system.
Update: Code provided by a vendor to keep its software up to date. This includes virus definitions, engine updates and operating system patches.

APPENDIX B: LEGITIMATE SAMPLES

| Incident | Original file name | Product | Description | Obtained via | Prevalence stats (last week) | Prevalence stats source | Prevalence stats date | Prevalence rating |
|---|---|---|---|---|---|---|---|---|
| 1 | YouTubeDownloaderSetup256.exe | YouTube Downloader | Download YouTube videos and convert them to different formats. | Download.com | 626,027 | Download.com | 23/07/2010 | Very High Impact |
| 2 | wrar393.exe | WinRAR (32bit) | Take full control over RAR and ZIP archives, along with unpacking a dozen other archive formats. | Download.com | 406,831 | Download.com | 23/07/2010 | Very High Impact |
| 3 | PhotoScapeSetup_V3.5.exe | PhotoScape | View, edit, print, or add frames to your photos. | Download.com | 313,847 | Download.com | 23/07/2010 | Very High Impact |
| 4 | fg680f.exe | Freegate 6.80 | This program helps millions of Internet users in China to access the Internet faster and more stably | Download.com | 26,614 | Download.com | 23/07/2010 | Very High Impact |
| 5 | TeamViewer_Setup.exe | TeamViewer | Share your desktop with another person via the Web. | Download.com | 340,911 | Download.com | 23/07/2010 | Very High Impact |
| 6 | camfrog.exe | Camfrog Video Chat | Join live-video chat rooms from around the world | Download.com | 270,758 | Download.com | 23/07/2010 | Very High Impact |
| 7 | FoxitReader40_enu_Setup.exe | Foxit Reader 4.0.0.619 | View your PDF files as PDF or as plain text. | Download.com | 190,967 | Download.com | 23/07/2010 | Very High Impact |
| 8 | mirc635.exe | mIRC | Chat with other people and participate in group discussions. | Download.com | 144,566 | Download.com | 23/07/2010 | Very High Impact |
| 9 | Firefox Setup 3.6.7.exe | Mozilla Firefox | Surf the Web, block pop-ups, and keep spyware at bay with a lean and fast open-source browser. | Download.com | 101,875 | Download.com | 23/07/2010 | Very High Impact |
| 10 | easy_cdda_extractor_2010_1_trial.exe | Easy CD-DA Extractor | Rip audio CDs, burn CDs and DVDs, convert music files, and edit metadata. | Download.com | 31,398 | Download.com | 23/07/2010 | Very High Impact |
| 11 | EasyDVDRipc.exe | Easy DVD Rip 3.0.801 | Rip your DVDs into MPEG-4, AVI, DivX, XviD, MPEG-1, MPEG-2, VCD, and SVCD formats | Download.com | 3,736 | Download.com | 23/07/2010 | High Impact |
| 12 | EasyDVDtoVCD.exe | Easy DVD to VCD Burner | Copy DVD movies to VCD, SVCD, or AVI files and burn them to CD-R/RW. | Download.com | 247 | Download.com | 23/07/2010 | Medium Impact |
| 13 | anti_mosquito.zip | Anti Mosquito Software 1.0 | This is a small software that shall drive the mosquitoes away fast. Simple to use and useful. No need for any external devices. | Download.com | 4,575 | Download.com | 23/07/2010 | High Impact |
| 14 | AutoClick_setup.exe | AutoClick 1.0.7.234 | Have mouse clicks done for you when you're unable to click. | Download.com | 1,042 | Download.com | 23/07/2010 | High Impact |
| 15 | gardenplanner25setup.exe | Garden Planner 2.4 | Design and print your own garden plan. | Download.com | 1,319 | Download.com | 23/07/2010 | High Impact |
| 16 | RealPlayerSPGold.exe | RealPlayer SP | Watch your favorite videos on your favorite devices | Download.com | 156,729 | Download.com | 23/07/2010 | Very High Impact |
| 17 | WWPC-Setup.exe | WW Points Calc | Calculate your weight watchers points. | Download.com | 376 | Download.com | 23/07/2010 | Medium Impact |
| 18 | bookcat_setup.exe | BookCAT | Catalog and manage your book collection. | Download.com | 168 | Download.com | 23/07/2010 | Medium Impact |
| 19 | newzcrawler19.msi | NewzCrawler | Web/RSS newsreader, content gatherer & browser. | Download.com | 262 | Download.com | 23/07/2010 | Medium Impact |
| 20 | AdbeRdr933_en_US.exe | Adobe Reader 9.3.3 | View, navigate, and print PDF files. | Adobe.com | 98,168 | Download.com | 23/07/2010 | Very High Impact |
| 21 | cpuz_154_setup.exe | CPU-Z | Access various information about your computer. | Download.com | 9,133 | Download.com | 23/07/2010 | High Impact |
| 22 | defragsetup.exe | Smart Defrag | Defrag your hard drive in the background automatically. | Download.com | 12,212 | Download.com | 23/07/2010 | High Impact |
| 23 | PandoraRecovery2.1.1Setup.exe | Pandora Recovery | Find, preview and restore permanently deleted files. | Download.com | 13,512 | Download.com | 23/07/2010 | High Impact |
| 24 | disk-defrag-setup.exe | Auslogics Disk Defrag | Defragment your disks and improve computer performance and stability. | Download.com | 49,025 | Download.com | 23/07/2010 | Very High Impact |
| 25 | revosetup.exe | Revo Uninstaller | Uninstall unwanted and even broken applications accurately. | Download.com | 20,352 | Download.com | 23/07/2010 | Very High Impact |
| 26 | RegpairSetup.exe | Free Window Registry Repair | Registry repair utility | Download.com | 8,855 | Download.com | 23/07/2010 | High Impact |
| 27 | vlc-1.1.1-win32.exe | VLC Media Player | Play audio and video files in real-time and streaming modes. | Download.com | 226,028 | Download.com | 23/07/2010 | Very High Impact |
| 28 | media.player.codec.pack.v3.9.6.setup.exe | Media Player Codec Pack | Play various types of video, audio, movie, music files in Media Player | Download.com | 44,823 | Download.com | 23/07/2010 | Very High Impact |
| 29 | m-ipad-to-pc-transfer-cnet.exe | iPad to PC Transfer | Transfer files to the iPad | http://www.mp4converter.net/downloads/m-ipadto-pctransfer.exe | 57 | Download.com | 23/07/2010 | Low Impact |
| 30 | TrueCrypt Setup 7.0.exe | TrueCrypt | Encrypt your sensitive data with this open-source software | Download.com | 1,672 | Download.com | 23/07/2010 | High Impact |
| 31 | TweetDeck_0_34.3.air | TweetDeck 0.34.3 | Social networking | Download.com | 1,444 | Download.com | 23/07/2010 | High Impact |
| 32 | office-convert-pdf-to-jpg-jpeg-tiff-free.exe | Office Convert PDF to JPG JPEG TIFF Free | Convert your PDF files into various image formats. | Download.com | 6,030 | Download.com | 23/07/2010 | High Impact |
| 33 | - | Linksys WUSB600N Setup Wizard | Wireless router setup program | DVD | 100 | est | 23/07/2010 | Medium Impact |
| 34 | Setup.exe | Billion BiPAC 6200NX(L) 3G Management Center | Wireless router setup program | DVD | 100 | est | 23/07/2010 | Medium Impact |
| 35 | ADM_en-EU.exe | Acronis Drive Monitor | Disk monitoring utility | http://www.acronis.co.uk/enterprise/download/drivemonitor/index.html | 50 | est | 23/07/2010 | Low Impact |
| 36 | iconst7p.exe | IconCool Studio Pro | IconCool Studio is an absolute solution to create, edit, convert, extract 32-bit icons or cursors | Download.com | 4 | Download.com | 23/07/2010 | Very Low Impact |
| 37 | coreftplite.exe | Core FTP LE | Manage your files remotely and securely via FTP with SFTP, SSL, and HTTPS. | Download.com | 2,629 | Download.com | 23/07/2010 | High Impact |
| 38 | | Google Desktop | Local search | http://desktop.google.com | 20988 | est | 23/07/2010 | Very High Impact |
| 39 | IDBInstall.zip | Investors Database | Manage your entire investment data. | Download.com | 1 | Download.com | 26/07/2010 | Very Low Impact |
| 40 | | Sync ToGo | Mirror, synchronize, and back up your files between portable storage devices and PCs. | Download.com | 1 | Download.com | 26/07/2010 | Very Low Impact |

APPENDIX C: THREAT REPORT

| Code | Product |
|---|---|
| AVA | Avast! Free AntiVirus 5 |
| AVG | AVG Anti-Virus Free Edition 9 |
| AVI | Avira Personal - Free Antivirus 10 |
| BDF | BitDefender Internet Security 2010 |
| ESS | ESET Smart Security 4 |
| GIS | G Data InternetSecurity 2011 |
| K7 | K7 Total Security 10 |
| KIS | Kaspersky Internet Security 2011 |
| MIS | McAfee Internet Security |
| MSE | Microsoft Security Essentials |
| NIS | Norton Internet Security 2011 |
| TIS | Trend Micro Internet Security 2010 |

NOTE: The following table is a summary. The full report was provided to Symantec as an Excel spreadsheet, which includes any Notes that may be referred to in some Threat Report entries.

In cases where the malware fails for any reason, the product is given the full benefit of the doubt and is classified as having Defended with full remediation.

Defended n/a n/a n/a 1 1 1 AVG Pop-up Moved to Virus Vault Threat detected. Trojan horse Adload_tAHD 0 n/a n/a n/a 1 1 1 AVI Pop-up Quarantined JS/Agent.13838; HTML/Crypted.Gen; TR/Drop.TDss.bry x2 0 n/a n/a n/a 1 1 BDF Pop-up Blocked Gen:Variant.TDss.21 0 n/a n/a n/a 1 1 1 ESS Toaster Connection terminated quarantined Threat: Win32/Olmark.ABL trojan 0 n/a n/a n/a 1 1 1 GIS Pop-up Disinfect Gen:Variant.TDss.21 (Engine A); JS:ScriptDC-inf [Trj] (Engine B); 0 n/a n/a n/a 1 1 Alert (intro) 1 Compromised Complete remediation 0 Neutralized Threat Report (manual) Trojan Horse Blocked - JS:ScriptDC-inf [Trj] Quiet logging Blocked Threat report (intro) Toaster Effect (intro) AVA Product 1 Incident Effect (manual) Alert (manual) Scan completed. One or more risks needs your attention.
Two items infected by virus 8a3C5fed0 1 KIS Toaster Blocked Detected: HEUR:Trojan.Script.Iframer 0 n/a n/a n/a 1 1 1 MIS Toaster Removed Trojan Removed. McAfee detected and automatically removed a Trojan from your PC. No further action is requIred. Detected: Artemis!3F82FABE3889 0 n/a n/a n/a 1 1 1 MSE Toaster Removed Detected threat: Trojan/Win32/Alureon.CT 0 n/a n/a n/a 1 1 1 NIS Toaster Quarantined Trojan.Pidief.I and Trojan.Gen 0 n/a n/a n/a 1 1 1 TIS Browser Blocked None 0 n/a n/a n/a 1 1 Compromised No action taken. Cannot be disinfected. Neutralized Yes (see note) Defended Threat Report (manual) 0 Complete remediation Effect (manual) Alert (manual) Threat report (intro) High Security Risk Found Quiet logging Effect (intro) Detected Alert (intro) Toaster Product K7 Incident 1 1 2 AVA Toaster Blocked Trojan Horse Blocked - JS:Redirector-E [Trj] 0 Report Move to Chest Win32:Malware-gen; JS:RedirectorE [Trj]; JS:ScriptDC-inf [Trj]; Win32:Jifas-GB [Trj] 2 AVG Pop-up Moved to Virus Vault Threat detected. Trojan horse Cryptic.AHC 0 n/a n/a n/a 1 1 2 AVI Pop-up Removed TR/Vundo.Gen 0 n/a n/a n/a 1 1 2 BDF Pop-up Denied Trojan.Generic.KD.18874 0 n/a n/a n/a 1 1 2 ESS Toaster Denied 0 n/a n/a n/a 1 1 2 GIS Pop-up Quarantined 0 Report Disinfect Multiple 1 2 K7 Toaster Detected High Security Risk Found 0 Multiple (see note) Quarantined Scan completed. One or more risks needs your attention. Two Trojans "quarantined. Disinfection not possible.!" 1 2 KIS Toaster Denied Denied: HEUR:Exploit.Script.Generic 0 n/a n/a n/a PC Anti-Virus Protection 2011 Access denied. The web page http://91.188.59.192/show.php?s=cc5f09d257 is on the list of web sites with potentially dangerous content. JS:Redirector-E [Trj] (Engine B); Win32:Malware-gen (Engine B); Java:AgentR [Trj] (Engine B); Win32:Jifas-GB [Trj] (Engine B) Page 27 of 60 1 1 1 n/a 1 1 0 Showed alert when the system was rebooted after exposure and after manual scan. 
Removed Microsoft Security Essentials detected 6 potential threats on your computer. Trojan:Win32/Alureon.gen!J; Trojan:Win32/FakeCog; Trojan:Win32/Alureon.DK; Trojan:Win32/FakeCog; Trojan:WinNT/Alureon.D; Trojan:Win32/Alureon.DA 0 n/a n/a n/a 0 None None None n/a 1 2 MSE None None 2 NIS Toaster Removed 2 TIS Toaster Terminated 3 AVA Toaster Blocked Win32:Renos-PN [Drp] 0 n/a n/a n/a 1 1 3 AVG Pop-up Detected Threat detected! Threat name: Trojan horse Downloader Generic9.CAWP 0 n/a n/a n/a 1 1 3 AVI Pop-up Denied TR/CryptXPACK.Gen 0 n/a n/a n/a 1 1 3 BDF Pop-up Blocked Trojan.Generic.KD.15088 0 n/a n/a n/a 1 1 Scan completed successfully. 1 infected file/1 cleaned file. n/a A program was behaving suspiciously on your computer. You chose to block and remove it Suspicious program terminated. Activity: Unauthorized changes. 3 ESS Toaster Quarantined Connection terminated. Win32/TrojanDownloader.FakeAlert.AZE trojan quarantined. 0 Yes (1) One object has been deleted as it only contained the virus body. (4) Object cannot be opened. It may be in use by another application or operating system. 3 GIS Pop-up Disinfect Trojan.Generic.KD.15088 (Engine A) 0 n/a n/a PC Anti-Virus Protection 2011 Page 28 of 60 1 1 1 1 1 1 Compromised n/a 0 Neutralized Alert (manual) Defended None Complete remediation Script Blocked. McAfee prevented a potentially harmful script from running on your PC. No further action required. Quiet logging Threat report (intro) Effect (intro) Blocked Threat Report (manual) Toaster Effect (manual) MIS Alert (intro) Product Incident 2 Complete remediation Defended 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 None 1 n/a n/a n/a 1 1 Blocked URL:Mal 0 n/a n/a n/a 1 1 Pop-up (2x) Moved to Virus Vault Threat detected! 
Threat name: Virus found JS/Generic; Trojan jorse Bomka G 0 n/a n/a n/a AVI Toaster Denied TR/Agent.uwi.6144 [trojan] 0 n/a n/a n/a 1 1 4 BDF Pop-up Blocked 0 n/a n/a n/a 1 1 4 ESS Toaster Quarantined 0 n/a n/a n/a 1 1 4 GIS Pop-up Quarantined 0 n/a n/a n/a 1 1 4 K7 Toaster Detected 0 n/a n/a n/a 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 KIS Toaster Denied 3 MIS Toaster Removed 3 MSE Toaster Not found 3 NIS Browser Blocked 3 TIS None None 4 AVA Toaster 4 AVG 4 Alert (intro) 3 Product High Security Risk Found Incident Detected 4 KIS Toaster Denied 4 MIS Toaster Blocked 4 MSE Toaster Removed PC Anti-Virus Protection 2011 Denied: http://mybookface.net/ (analysis using the database of phishing URLs) Trojan Removed. McAfee detected and automatically removed a Trojan from your PC. No further action is requIred. Detected: Downloader.CEW.e Detected items: TrojanDownloader:Win32/Renos.KO This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site. Trojan.PWS.Kates.AW; Generic.XPL.ADODB.D5E4C1CB Connection terminated. A variant of Win32/Bamital.DH trojan quarantined. Generic.XPL.ADODB.D5E4C1CB (Engine A); Trojan.PWS.Kates.AW (Engine A); Exploit.PDF-JS.Gen (Engine A) multiple times High Security Risk Found Denied: HEUR:Trojan-Downloader.Script Generic (3x) Script Blocked. McAfee prevented a potentially harmful script from running on your PC. No further action required. Detected items: Trojan:Win32/Bamital.E Page 29 of 60 1 1 Compromised Threat Report (manual) 1 Toaster Neutralized Effect (manual) Alert (manual) n/a K7 Quiet logging n/a Threat report (intro) n/a Effect (intro) 0 3 Complete remediation Defended n/a n/a n/a 1 1 4 TIS None None None 1 n/a n/a n/a 5 AVA Toaster Blocked 0 n/a n/a n/a 5 AVG Pop-up Moved to Virus Vault Trojan Horse Blocked - JS:Illredir-CH [Trj]; Malicious URL Blocked - URL:Mal Threat detected! 
Threat name: Virus found HTML/Framer 0 Report Removed and healed Moved to Virus Vault 5 AVI Pop-up Denied TR/Crypt.ZPACK.Gen 0 n/a n/a n/a 1 1 5 BDF Pop-up Blocked Gen.Variant.Unruy.1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 None None Scan Completed. No Viruses, spyware or other risks were found. Alert (intro) Effect (intro) Connection terminated. JS/TrojanDownloader.Pegel.BR trojan quarantined Gen:Variant.Unruy.1 (Engine A); Exploit.PDFJS.Gen (Engine A); JS:Illredir-CH [Trj] (Engine B); JS:Downloader-XQ [Trj] (Engine B) System Monitor Alert! A new AutoStart Entry Found A new program has been added to run automatically whenever Windows boots up. Advise: This type of change is common on installation of new software and when the new software is supposed to run automatically every time you boot the system. Hence, unless you have installed a new software or you recognize this application do not accept this change. Default to allow. 1 1 1 1 5 ESS Toaster Quarantined 5 GIS Pop-up Disinfect 5 K7 Toaster Detected 5 KIS Toaster Detected Denied: Trojan.JS.Iframe.mn 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 1 5 MIS Toaster Removed Trojan Removed. McAfee detected and automatically removed a Trojan from your PC. No further action is requIred. Detected: Artemis!51526D4DCD4D 5 MSE Toaster Removed Detected items: Trojan:Win32/Comroki 0 n/a n/a n/a 1 1 5 NIS Browser Blocked This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site. 0 n/a n/a n/a 1 1 PC Anti-Virus Protection 2011 Page 30 of 60 Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks. 
Quiet logging Blocked Threat report (intro) Browser Product NIS Incident 4 AVA Toaster Blocked 6 AVG Pop-up (2x) Moved to Virus Vault 6 AVI Pop-up Denied 6 BDF Pop-up Blocked 6 ESS Toaster Quarantined 6 GIS Pop-up Disinfect Trojan Horse Blocked - JS:Redirector-CF [Trj]; Malware Blocked - HTML:Iframe-inf; Trojan Horse Blocked - JS:FaveAV-ET [Trj]; Malicious URL Blocked - URL:Mal Threat detected! Threat name: Virus found Trojan horse Cryptic AHC TR/Vundo.Gen; HTML/ExpKit.Gen2 HTML script virus Trojan.Generic.KD.18998 Connection terminated. JS/Exploit.Agent.NBB trojan quarantined JS:Redirector-CF [Trj] (Engine B); HTML:Iframe-inf (Engine B) n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 0 n/a n/a n/a 0 None None None 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 Scan completed. One or more risks needs your attention. Two Trojans "quarantined. Disinfection not possible.!" 6 K7 Toaster Detected High Security Risk Found 0 Yes Recommendation to quarantine two Trojans and clean one suspicious file. 6 KIS Toaster Denied Denied: Trojan.JS.Redirector.bg 0 n/a n/a n/a 0 Yes Viruses, Trojans, and Cookies Removed: Generic Rootkit dlrootkit Quick Scan complete. All issues have been resolved. McAfee has eliminated all threats on your PC. 1 1 1 1 1 1 1 6 MIS Toaster Removed Trojan Removed. McAfee detected and automatically removed a Trojan from your PC. No further action is requIred. Detected: FakeAlert-GA.dll (more than 10x); DNSChanger.bu (2x) 6 MSE Toaster Removed Detected items: TrojanDownloader: JS/Renos 0 n/a n/a n/a 1 1 6 NIS Toaster Blocked HTTP Fake Scan Webpage 5 0 n/a n/a n/a 1 1 6 TIS Toaster (4x) Terminated 0 See note Repaired Security Vulnerabilities Found in the Windows Operating System. 7 AVA Toaster Blocked 0 n/a n/a n/a PC Anti-Virus Protection 2011 Toaster 1-3: Suspicious program terminated. Activity: Unauthorized changes. 4th Toaster: Because the drive listed above contains at least one threat, you should scan the entire computer for malicious software. 
Trojan Horse Blocked - HTML:Iframe-EP [Trj]; Malicious URL Blocked Page 31 of 60 Compromised 1 Neutralized Alert (manual) Defended 6 None Complete remediation None Threat Report (manual) None Effect (manual) TIS Quiet logging Threat report (intro) Effect (intro) Alert (intro) Product Incident 5 1 1 1 1 Complete remediation Defended n/a n/a n/a 1 1 7 AVI Pop-up Denied HTML/FakeAlert.rd.1; HTML/Crypted.Gen 0 n/a n/a n/a 1 1 7 BDF Pop-up Blocked Trojan.JS.FakeAV.C 0 n/a n/a n/a 1 1 7 ESS Toaster Cleaned by deleting 0 n/a n/a n/a 1 1 7 GIS Pop-up Quarantined 0 n/a n/a n/a 1 1 7 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 7 KIS Toaster Detected Detected: Trojan.JS.Agent.bph 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 None None No threats were detected on your computer during the scan. 0 n/a n/a n/a 1 1 Alert (intro) Effect (intro) Connection terminated. JS.TrojanDownloader.Agent.NUE quarantined HTML:Iframe-EP [Trj] (Engine B); JS:FakeAV-CU [Trj] (Engine B) Script Blocked. McAfee prevented a potentially harmful script from running on your PC. No further action required. Detected: Generic FakeAlert Detected items: TrojanSpy:Win32/Chadem.A; Trojan:Win32/InternetAntivirus; Trojan:Win32/Alureon.CT MSIE Misleading Application Suspicious Notification 1 7 MIS Toaster (2x) Removed 7 MSE Toaster Removed 7 NIS Toaster Blocked 7 TIS None None None 1 n/a n/a n/a 1 1 8 AVA Toaster Blocked Trojan Horse Blocked - HTML:Iframe-LZ [Trz]; Malicious URL Blocked - URL:Mal; Trojan Horse Blocked - JS:Illredir-CB [Trj] 0 n/a n/a n/a 1 1 8 AVG None None None 1 n/a n/a n/a 1 1 8 AVI Pop-up Denied HTML/Infected.WebPage.Gen2 0 n/a n/a n/a 1 1 8 BDF Pop-up Blocked Trojan.FakeAV.KVX 0 n/a n/a n/a 1 1 8 ESS Toaster Cleaned by deleting (after the next restart) Connection terminated. JS/TrojanDownloader.Shadraem.C quarantined 0 n/a n/a n/a 1 1 PC Anti-Virus Protection 2011 Page 32 of 60 Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Threat detected! 
Threat name: Trojan horse SHeur3.ADVG Quiet logging Moved to Virus Vault Threat report (intro) Pop-up (2x) Product AVG Incident 7 1 Complete remediation Defended n/a n/a n/a 1 1 8 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 1 1 8 KIS Toaster Denied Denied: Trojan.JS.Redirector.fq 0 n/a n/a n/a 1 1 8 MIS None None None 1 n/a n/a n/a 1 1 8 MSE Toaster Removed Detected items: Trojan: JS/Gamburi.E 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 Yes Cookie deleted Resolved threats (1 items found): Cookie_YieldManager Alert (intro) Effect (intro) This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks. ALSO: Toaster (Trojan.Malscript!html) Suspicious program terminated. Activity: Unauthorized changes. 8 NIS Browser Blocked 8 TIS Toaster Terminated 9 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a 9 AVG Pop-up Moved to Virus Vault Threat detected! Threat name: Trojan horse Cryptic AIP 0 n/a n/a n/a 1 9 AVI Pop-up Denied TR/Spy.Zbot.aksg 0 None None None 1 9 BDF Pop-up Blocked Backdoor.Bot.124029 0 n/a n/a n/a 1 1 9 ESS Toaster Quarantined Connection terminated. HTML/Iframe.B.gen.virus quarantined 0 n/a n/a n/a 1 1 9 GIS Pop-up Disinfect Backdoor.Bot.124029 (Engine A) 0 n/a n/a n/a 1 1 9 K7 Toaster (3x) Detected High Security Risk Found 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 None None Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. 9 KIS Toaster Denied 9 MIS Toaster Buffer overflow prevented PC Anti-Virus Protection 2011 Denied: http//mumukafes.net/trf/index.php (analysis using the database of suspicious URLs) and Trojan.JS.Agent.blz McAfee prevented a program from causing a buffer overflow on your PC. Hackers can use buffer overflows to secretly run malicious programs, steal personal information, or hijack your PC. 
Page 33 of 60 1 1 1 1 Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Trojan.Script.455507 (Engine A) Quiet logging Blocked Threat report (intro) Pop-up Product GIS Incident 8 Complete remediation Defended 0 n/a n/a n/a 1 1 9 NIS Browser Blocked This Web pages has malicious browser exploits, which use vulnerabilities in browsers to launch attacks. 0 n/a n/a n/a 1 1 9 TIS None None None 0 None None None 10 AVA Toaster Blocked Malware Blocked - HTML:Script-inf; Malicious URL Blocked - URL:Mal 0 n/a n/a n/a 10 AVG None None None 0 Report Removed and healed 37 infections found. 19 removed and healed. 18 not removed or healed with an option to remove all unhealed infections. 10 AVI None None None 0 None None None 10 BDF None None None 0 None None None 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 Effect (intro) 10 ESS Toaster Quarantined Connection terminated. JS/TrojanDownlaoder.Gumblar.K trojan quarantined 10 GIS Pop-up Quarantined HTML:Script-inf (Engine B) 10 K7 None None None 0 Yes Removed . . .\Temp\jar_cache16260.tmp is a Riskware (16b82aae0). Should be deleted 10 KIS Toaster Denied Denied: HEUR:Trojan.Script.Generic 0 n/a n/a n/a 10 MIS None None None 0 None None Quick Scan complete. All issues have been resolved. McAfee has eliminated all threats on your PC. 
10 MSE None None None 0 n/a n/a n/a 10 NIS Toolbar Blocked Site is Unsafe: Drive-By Downloads 0 n/a n/a n/a 10 TIS None None None 0 None None None 11 AVA Toaster Blocked Trojan Horse Blocked - HTML:Iframe-MS [Trj] x2 0 n/a n/a n/a PC Anti-Virus Protection 2011 Page 34 of 60 Compromised Threat Report (manual) Detected items: Trojan:Win32/2bot.gen!Y Neutralized Effect (manual) Alert (manual) Removed Quiet logging Alert (intro) Toaster Threat report (intro) Product MSE Incident 9 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Complete remediation Defended Compromised Threat Report (manual) 0 n/a n/a n/a 1 1 11 AVI Pop-up Quarantined TR/Jorik.Bredolab.R 0 n/a n/a n/a 1 1 11 BDF Pop-up Blocked Trojan.Script.459926 0 n/a n/a n/a 1 1 11 ESS Toaster Blocked Address has been blocked. URL address: addthiss.net/in.cgi?8 0 n/a n/a n/a 1 1 11 GIS Pop-up Disinfect Trojan.Script.459926 (Engine A) 0 n/a n/a n/a 1 1 None None Scan Completed. No Viruses, spyware or other risks were found. 0 n/a n/a n/a 0 None None None 1 1 Effect (intro) Alert (intro) 11 K7 Pop-up Detected 11 KIS Toaster Detected 11 MIS None None 11 MSE None System Monitor Alert! A New Program Found in User StartUp Folder! A new program has been added to your StartUp folder to run whenever Windows boots up. Advise: Not Available. Please proceed with caution. Default to allow. Detected: HEUR:TrojanDownloader.Script.Generic None 1 1 1 None None 0 None None No threats were detected on your computer during the scan. 0 n/a n/a n/a 0 None None None 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 1 1 11 NIS Browser Blocked This Web pages has malicious browser exploits, which use vulnerabilities in browsers to launch attacks. 11 TIS None None None 12 AVA Toaster Blocked 12 AVG Pop-up Moved to Virus Vault Trojan Horse Blocked - HTML:Iframe-NO [Trj]; Malicious URL Blocked - URL:Mal Threat detected! 
Threat name: Trojan horse Downloader Generic9.CHCT 12 AVI Pop-up Denied TR/Dldr.Small.asso x2 0 n/a n/a n/a 12 BDF None None None 0 None None None 12 ESS Toaster Quarantined Connection terminated. JS/TrojanDownlaoder.Iframe.NIH trojan quarantined 0 n/a n/a n/a PC Anti-Virus Protection 2011 Page 35 of 60 Neutralized Effect (manual) Alert (manual) Threat detected! Threat name: Virus found JS/Dropper Quiet logging Moved to Virus Vault Threat report (intro) Pop-up Product AVG Incident 11 1 1 1 1 1 1 Compromised 1].htm is a Riskware (7a8cbe3d0). Should be deleted Detected: Trojan-Downloader.JS.Iframe.cau 0 n/a n/a n/a 1 1 Removed (2x) Trojan Removed. McAfee detected and automatically removed a Trojan from your PC. No further action is requIred. Detected: Artemis!E8EBA05A8EC5. (2x) Buffer overflow prevented. 0 n/a n/a n/a 1 1 Toaster Removed Detected items: VirTool:Win32/VBInject.GX 0 None None No threats were detected on your computer during the scan. NIS Pop-up Blocked 0 n/a n/a n/a 12 TIS Toaster Detected. Default to allow None None None 1 13 AVA None None None 0 None None None 1 13 AVG None None None 0 n/a n/a n/a 1 Effect (intro) Alert (intro) 12 K7 Pop-up Detected 12 KIS Toaster Detected 12 MIS Toaster (3x) 12 MSE 12 PC Anti-Virus Protection 2011 JS:Prontexi-BX [Trj] (Engine B); HTML:Iframe-NO [Trj] (Engine B); JS:CVE2010-0806-AO [Expl] (Engine B); Trojan.Generic.KD.19200 (Engine A) System Monitor Alert! A new AutoStart Entry Found A new program has been added to run automatically whenever Windows boots up. Advise: This type of change is common on installation of new software and when the new software is supposed to run automatically every time you boot the system. Hence, unless you have installed a new software or you recognize this application do not accept this change. Default to allow. Critical Attack Prevented - Adobe Reader GetIcon BO Suspicious activity detected. 
To safeguard your security, do not allow the following program to comminicate with the Internet unless you recognize it. Program name: 37756.EXE. Default to Allow. DROB.exe tried to make itself launch automatically whenever Windows starts up. Default to allow. DROB.tmp.exe and svchosts.exe were also flagged as suspicious programs. Default to allow. Page 36 of 60 Neutralized Removed Quarantined Defended Threat Report (manual) Yes Pop-up Complete remediation Effect (manual) Alert (manual) 0 GIS Quiet logging Backdoor.Bot.124029 (Engine A) Threat report (intro) Disinfect Product Report Incident 0 12 1 1 1 1 1 n/a n/a 13 BDF Pop-up Blocked Tojan.Generic.KD.19590 x2 0 n/a n/a n/a 1 1 13 ESS Pop-up Disconnected Warning. Potential threat found. Probably a varient of Win32/Statik potentially unwanted application. Default option to disconnect 0 n/a n/a n/a 1 1 13 GIS Pop-up Disinfect Trojan.Generic.KD.19590 (Engine A) x2 0 n/a n/a n/a 1 1 13 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 1 1 13 KIS Toaster (3x) Denied 0 n/a n/a n/a 1 1 13 MIS Pop-up Restart 0 None None Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. 13 MSE None None None 0 None None No threats were detected on your computer during the scan. 13 NIS Toaster Removed Trojan.Pidief.I 0 n/a n/a n/a 1 1 13 TIS None None None 1 n/a n/a n/a 1 1 14 AVA Pop-up Blocked Malicious URL Blocked 0 n/a n/a n/a 1 1 14 AVG Pop-up Removed Threat detected! Threat name: Trojan horse Adload_r.AHD. Default to select and remove 0 n/a n/a n/a 1 1 14 AVI Pop-up Denied JS/Agent.13838; TR/Drop.TDss.bry x3 0 n/a n/a n/a 1 1 14 BDF Pop-up Blocked Trojan.Generic.4477257 x2 0 n/a n/a n/a 1 1 14 ESS Toaster Quarantined Connection terminated. 
Win32/Olmarik.ABL trojan quarantined 0 n/a n/a n/a 1 1
14 GIS Pop-up Disinfect Trojan.Generic.4477257 (Engine A) 0 n/a n/a n/a 1 1
14 K7 Toaster (4x) Detected High Security Risk Found 0 Yes Cannot be disinfected Two items are infected by a Virus (8z3c5fed0)
Effect (intro) Denied: Trojan:Win32.FraudPack.azkf; Trojan-Downloader.Java.Agent.fl (2x) Trojan Detected: FakeAlert.FakeSpyfenv.a. We cannot remove a Trojan while the infected file is in use. Restarting your PC frees up the infected file allowing McAfee to fix the issue. Default to restart.
Compromised n/a Neutralized 0 Defended Threat Report (manual) None Complete remediation Effect (manual) Alert (manual) None Quiet logging Alert (intro) None Threat report (intro) Product AVI Incident 13 1 1 1 1 Complete remediation Defended n/a n/a n/a 1 1
14 MIS Toaster (2x) Removed Trojan Removed. McAfee detected and automatically removed a Trojan from your PC. No further action is requIred. Detected:Generic.Dropper.va 0 n/a n/a n/a 1 1
14 MSE Toaster Removed Detected threat: Trojan/Win32/Alureon.CT 0 None None No threats were detected on your computer during the scan.
14 NIS Toaster Removed Trojan.Pidief.I 0 n/a n/a n/a
14 TIS None None None 1 None None None
15 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a 1 1
15 AVG Pop-up Moved to Virus Vault Threat detected! Threat name: Trojan horse FakeAlert SG 0 n/a n/a n/a 1 1
15 AVI None None None 0 n/a n/a n/a 1 1
15 BDF Pop-up Blocked Trojan.Downloader.FakeAV.FT 0 n/a n/a n/a 1 1
15 ESS Toaster Blocked Address has been blocked. URL address: "domainameat.cc/js2.php 0 n/a n/a n/a 1 1
15 GIS Pop-up Quarantined Trojan.Downloader.FakeAV.FT (Engine A) 0 n/a n/a n/a 1 1
15 K7 None None None 0 None None Scan Completed. No Viruses, spyware or other risks were found.
15 KIS Toaster Denied Denied: Trojan.JS.Redirector.cq 0 n/a n/a n/a
15 MIS None None None 0 None None
15 MSE None None None 0 None None
15 NIS Toaster Blocked HTTP Fake Scan Webpage 5 0 n/a n/a n/a 1 1
15 TIS None None None 0 n/a n/a n/a 1 1
Effect (intro) Alert (intro)
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Detected: HEUR:Trojan.Script.Iframer Quiet logging Detected Threat report (intro) Toaster Product KIS Incident 14 1 1 1 1 1 1 1 Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. No threats were detected on your computer during the scan. 1 1 Complete remediation Defended Compromised Threat Report (manual) 0 n/a n/a n/a 1 1
16 AVG None None None 0 None None No infection was found during this scan.
16 AVI Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a 1 1
16 BDF Pop-up Blocked Trojan.Generic.4480417 0 n/a n/a n/a 1 1
16 ESS None None None 0 None None 0 infected files 1
16 GIS Pop-up Quarantined Unknown threat (m.274.tmp.exe); Trojan.Generic.4477257 (Engine A) 0 Report Disinfect Trojan.Generic.4477257 (Engine A) 1
16 K7 Pop-up Allow Application Access! 0 None None Scan Completed. No Viruses, spyware or other risks were found. 1
16 KIS Toaster Denied Denied:http://188.120.232..124/221/index.php (analysis using the database of suspicious URLs) n/a n/a n/a
16 MIS None None None 0 None None
16 MSE Toaster (5x) Quarantined Detected threat: TrojanDownloader:Win32/FakeRean 0 Yes Quarantined
16 NIS Toaster Blocked Trojan.Pidief.I 0 n/a n/a n/a 0 None None None 1 1 1 Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. Microsoft Security Essentials detected 1 potential threat. TrojanDownloader:Win32/FakeRean 1 1 1 1
Effect (intro) Alert (intro)
16 TIS Toaster (4x) Detected. Default to allow Suspicious activity detected.
To safeguard your security, do not allow the following program to comminicate with the Internet unless you recognize it. Program name: FILE.EXE. Default to Allow. file.exe tried to make itself launch automatically whenever Windows starts up. Default to allow.
17 AVA None None None 0 n/a n/a n/a 1 1
17 AVG Pop-up Moved to Virus Vault Threat detected! Threat name: Virus found HTML/Framer 0 n/a n/a n/a 1 1
17 AVI None None None 0 Report None None
Neutralized Effect (manual) Alert (manual) Malicious URL Blocked Quiet logging Blocked Threat report (intro) Toaster Product AVA Incident 16 1 1 None
17 ESS Toaster Quarantined Connection terminated. A variant of Win32/Cimag.CW trojan quarantined 0 n/a n/a n/a
17 GIS None None None 0 None None None
17 K7 None None None 1 n/a n/a n/a
17 KIS None None None 0 None None None 1 1 1 1 1 1 1 1
Effect (intro) Alert (intro)
17 MIS None None None 0 None None Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed.
17 MSE None None None 1 n/a n/a n/a 1 1
17 NIS Browser Malicious Web Site Blocked This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site. 0 n/a n/a n/a 1 1
17 TIS None None None 1 n/a n/a n/a 1 1
18 AVA Pop-up Blocked Malware Blocked - HTML:Script-inf x8 0 Report Move to Chest HTML:Script-inf
18 AVG None None None 0 n/a n/a n/a 1 1
18 AVI None None None 0 n/a n/a n/a 1 1
18 BDF None None None 0 n/a n/a n/a 1 1
18 ESS Toaster Quarantined 0 n/a n/a n/a 1 1
18 GIS Pop-up Disinfect 0 n/a n/a n/a 1 1
18 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 1 1
18 KIS Toaster Detected Detected: HEUR:Trojan.Script.Generic 0 n/a n/a n/a 1 1
Connection terminated.
JS/TrojanDownloader.Gumblar.J trojan quarantined HTML:Script-inf (Engine B) x4; Win32:Rootkit-gen [Rtk] (Engine B)
Compromised None Neutralized Threat Report (manual) Report Defended Effect (manual) 0 Complete remediation Alert (manual) Flash Gallery Factory Quiet logging Firewall Alert Threat report (intro) Pop-up Product BDF Incident 17 1 Complete remediation Defended n/a n/a n/a 1 1
18 MSE Toaster Removed Detected threat: JS/Gamburi.E 0 None None No threats were detected on your computer during the scan.
18 NIS None None None 0 n/a n/a n/a 1 1
18 TIS None None None 0 n/a n/a n/a 1 1
19 AVA Toaster Blocked 0 n/a n/a n/a 1 1
19 AVG Pop-up (2x) Moved to Virus Vault Trojan Horse Blocked; Malicious URL Blocked Threat detected! Threat name: Trojan horse Downloader.Generic9.CGOZ 0 n/a n/a n/a 1 1
19 AVI Pop-up Quarantined JS/Agent.13838; TR/Crypt.ZPACK.Gen2 0 n/a n/a n/a 1 1
19 BDF Pop-up Blocked Trojan.Generic.KD.18753 x3 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1
Alert (intro) Effect (intro) Connection terminated. Win32/TrojanDownloader.Carberp.H trojan quarantined JS:Downloader-RW [Trj] (Engine B); Trojan.Generic.KD.18753 (Engine A) x2 1
19 ESS Toaster Quarantined
19 GIS Pop-up Quarantined
19 K7 Toaster (2x) Detected High Security Risk Found 0 n/a n/a n/a 1 1
19 KIS Toaster Denied Denied: HEUR:Trojan.Script.Iframer 0 n/a n/a n/a 1 1
19 MIS Toaster (2x) Quarantined Trojan Removed. McAfee detected and automatically quarantined a Trojan from your PC. No further action is requIred. 0 n/a n/a n/a 1 1
19 MSE Toaster Removed Detected threat: Win32/Carberp.A 0 n/a n/a n/a 1 1
19 NIS Toaster Removed Trojan.Pidief.I 0 n/a n/a n/a 1 1
19 TIS None None None 1 None None None
20 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Trojan Removed. McAfee detected and automatically quarantined a Trojan from your PC.
No further action is requIred. Quiet logging Quarantined Threat report (intro) Toaster Product MIS Incident 18 1 1 1 Complete remediation Defended n/a n/a n/a 1 1
20 AVI Toaster Quarantined JS/Agent.13838; TR/Drop.TDss.bry x3 0 Report Quarantined JAVA/Agent.em.3 1 1
20 BDF Pop-up Blocked Trojan.Generic.4477257 x2 0 n/a n/a n/a 1 1
20 ESS Toaster Quarantined Connection terminated. Win32/Olmark.ABL trojan quarantined 0 n/a n/a n/a 1 1
20 GIS Pop-up Quarantined Trojan.Generic.4477257 (Engine A) x2 0 n/a n/a n/a 1 1
20 K7 Toaster (4x) Detected High Security Risk Found 0 None None Scan Completed. No Viruses, spyware or other risks were found.
20 KIS Toaster Denied Denied: HEUR:Trojan.Script.Iframer 0 n/a n/a n/a
20 MIS None None None 0 None None Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed.
20 MSE Toaster (2X) Removed Detected threat: Trojan/Win32/Alureon.CT 0 n/a n/a n/a 1 1
20 NIS Toaster Removed Trojan.Pidief.I 0 n/a n/a n/a 1 1
20 TIS None None None 1 None None None
21 AVA Toaster Blocked Malware Blocked - HTML:Script-inf; Malicious URL Blocked - URL:Mal 0 n/a n/a n/a 1 1
21 AVG None None None 0 n/a n/a n/a 1 1
21 AVI None None None 0 n/a n/a n/a 1 1
21 BDF None None None 0 n/a n/a n/a 1 1
21 ESS Toaster (2x) Quarantined Connection terminated. HTML/ScrInject.B.Gen virus and JS/TrojanDownloader.Gumblar.K trojan quarantined 0 n/a n/a n/a 1 1
21 GIS Pop-up Disinfect HTML:Script-inf (Engine B) 0 n/a n/a n/a 1 1
Effect (intro) Alert (intro)
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Threat detected! Threat name: Trojan horse Adload_r.AHD Quiet logging Moved to Virus Vault Threat report (intro) Pop-up (2x) Product AVG Incident 20 1 1 1 1 1 Complete remediation Defended n/a n/a n/a 1 1
21 KIS Toaster Denied Denied: HEUR:Trojan.Script.Generic 0 n/a n/a n/a 1 1
21 MIS Toaster Quarantined Trojan Removed.
McAfee detected and automatically quarantined a Trojan from your PC. No further action is requIred. 0 n/a n/a n/a 1 1
21 MSE None None None 1 n/a n/a n/a 1 1
21 NIS None None None 0 n/a n/a n/a 1 1
21 TIS None None None 1 None None None 1 1
22 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a 1 1 0 None None No infection was found during this scan.
Effect (intro) Alert (intro)
22 AVG Pop-up Moved to Virus Vault Threat detected! May be infected by unknown virus Win32/DH.CAFF840167. Detected on open.
22 AVI Pop-up Quarantined TR/Dropper.Gen 0 n/a n/a n/a
22 BDF None None None 0 None None None
22 ESS Toaster Blocked 0 n/a n/a n/a
22 GIS Pop-up Quarantined 0 n/a n/a n/a
22 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 1 1
22 KIS Toaster Denied Denied: HEUR:Trojan.Script.Iframer 0 n/a n/a n/a 1 1 Allow Program Wants Internet Access. McAfee detected a program on your PC that is tring to accept incoming connections from the Internet. Protect your PC by only allowing Internet access for programs you trust. 0 Yes Removed Viruses, Trojans and Cookies Removed. Generic Rootkit d!rootkit.
22 MIS Toaster Address has been blocked. URL address: "hostads.cn" Gen:Heur.Krypt.9 (Engine A); Unknown threat; Java:Djewers-T [Trj] (Engine B) {block}; Gen:Heur.Krypt.9 (Engine A); HTML:Script-inf (Engine B) {removed next time reboots}
Compromised Threat Report (manual) 1 Neutralized Effect (manual) Alert (manual) None Quiet logging None Threat report (intro) None Product K7 Incident 21 1 1 1 1 1 1 1 1 MSE None None None 0 Yes
22 NIS Browser Blocked Known browser risks detected and blocked 0 Report None None 0 None None The scan found no security threats on this computer. 0 n/a n/a n/a 0 Report Removed Infections: C:\syswnro.exe and C:\Documents . . . \3412[1].gif Detected items upon reboot and Quick Scan: Trojan:Win32/FakeCog (2x) and Trojan:Win32/Tibs.IT.
Detected items from Full Scan: Trojan:Win32/Alureon.DN 1 1
22 TIS Toaster
23 AVA Toaster Blocked
23 AVG Pop-up Moved to Virus Vault Virus Found. Infected file: js(1).php. Threat name: JS.WEBSTART.B. An untreatable virus has infected one of your files. Please try deleting the file or running the scan again later to prevent the infection from spreading. Click Get Help for more suggestions. Trojan Horse Blocked; Malicious URL Blocked Threat detected! Threat name: Trojan horse Small.CEU
23 AVI Pop-up Denied TR/Dropper.Gen 0 n/a n/a n/a 1 1
23 BDF Pop-up Blocked Trojan.Crypt.HO x2 0 n/a n/a n/a 1 1
23 ESS Toaster Quarantined Connection terminated. Probably a variant of Win32/Salty.NBB virus quarantined 0 n/a n/a n/a 1 1
23 GIS Pop-up Disinfect JS:ScriptPE-inf [Trj] (Engine B) 0 n/a n/a n/a 1 1
23 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 1 1
23 KIS Toaster Denied Denied: HEUR:Trojan.Script.Iframer 0 n/a n/a n/a 1 1
23 MIS Toaster Blocked VBS/Psyme (Trojan) 0 n/a n/a n/a 1 1
23 MSE Toaster Quarantined Detected threat: Virus:in32/Salty.AT 0 n/a n/a n/a 1 1
Compromised 1 Detected with instructions to manually remove Neutralized Defended Complete remediation Threat Report (manual) Effect (manual) Alert (manual) Quiet logging Threat report (intro) Effect (intro) Alert (intro) Product Incident 22 Quarantined; Removed; Removed. MSE required a reboot then issued a toaster requiring a full scan. The full scan detected 4 potential threats. 1 1 1 1 Complete remediation Defended n/a n/a n/a 1 1
23 TIS None None None 1 n/a n/a n/a 1 1
24 AVA Toaster Blocked 0 n/a n/a n/a 1 1
24 AVG Pop-up Moved to Virus Vault Trojan Horse Blocked - JS:Downloader-PB [Trj]; Malware Blocked - Win32:Sality Threat detected!
Threat name: Virus found Win32/Heur 0 n/a n/a n/a 1 1
24 AVI Pop-up Quarantined HTML/Crypted.Gen; W32/Sality.AT 0 n/a n/a n/a 1 1
24 BDF Pop-up Blocked Win32.Sality.3 x2; Trojan.Downloader.JS.FP 0 n/a n/a n/a 1 1
24 ESS Toaster Quarantined 0 n/a n/a n/a 1 1
24 GIS Pop-up Blocked 0 n/a n/a n/a 1 1
24 K7 Toaster Detected High Security Risk Found 0 None None Scan Completed. No Viruses, spyware or other risks were found.
24 KIS Toaster Denied Denied: Exploit.JS.ADODB.Stream.aw 0 n/a n/a n/a 1 1
24 MIS None None None 1 n/a n/a n/a 1 1
24 MSE Toaster Disinfected Detected threat: Virus:in32/Salty.AT (2x) 0 Yes Quarantined Microsoft Security Essentials detected 1 potential threat on your computer. Detected item: Trojan:Win32/Orsm!rts
24 NIS Browser Malicious Web Page Blocked 0 n/a n/a n/a
24 TIS Toaster Detected 0 None None The scan found no security threats on this computer.
25 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a 1 1
25 AVG Pop-up Moved to Virus Vault Threat detected! Threat name: Trojan horse Downloader Generic3.CAYP 0 n/a n/a n/a 1 1
Effect (intro) Alert (intro)
Connection terminated. Probably a variant of Win32/Salty.NBB virus quarantined Win32.Sality.3 (Engine A); JS:DownloaderPB [Trj] (Engine B) This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks. (1) Suspicious activity detected. To safeguard your security, do not allow the following program to communicate with the Internet unless you recognize it. Program name: sysfhay.exe. (2) Trojan Horse Program Deleted PE.Sality.BA.
1 1 1 1 1 Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) HTTP MS Office Web Components Code Exec 1 Quiet logging Blocked Threat report (intro) Toaster Product NIS Incident 23 Complete remediation Defended n/a n/a n/a 1 1
25 BDF Pop-up Blocked Trojan.Generic.4050242 x2 0 n/a n/a n/a 1 1
25 ESS Toaster Quarantined 0 n/a n/a n/a 1 1
25 GIS Pop-up Disinfect 0 n/a n/a n/a 1 1
25 K7 Toaster Detected 0 n/a n/a n/a 1 1
25 KIS Toaster Denied 0 None None None
25 MIS Toaster (3x) Blocked 0 n/a n/a n/a 1 1
25 MSE Toaster Removed 0 n/a n/a n/a 1 1
25 NIS Browser Blocked 0 n/a n/a n/a 1 1
25 TIS Browser Blocked 0 n/a n/a n/a 1 1
26 AVA Toaster Blocked 0 n/a n/a n/a 1 1
26 AVG None None None 1 n/a n/a n/a 1 1
26 AVI Toaster Blocked TR/Drop.Ag.32768.1 0 None None None
26 BDF None None None 0 None None None
Effect (intro) Alert (intro)
Connection terminated. Win32/TrojanDownloader.Small.OXR trojan quarantined JS:Prontexi-BX [Trj] (Engine B); Trojan.Generic.4050242 (Engine A); JS:CVE2010-0806-AO [Expl] (Engine B) High Security Risk Found Denied: TrojanDownloader.Win32.Small.ares; Denied: Trojan.Win32.Agent.dzph; Packed: Swf25wc (4x) Artemis!CA21805FFF40 (Trojan); Buffer Overflow Prevented Detected threat: TrojanDownloader:Win32/Small.PF Site is Unsafe: Known browser risks detected and blocked Opening this website may put your security at risk. The website you wanted to see might transmit malicious software to your computer, or has done that before to someone else. It may also show signs of involvement in online scams or fraud. Address: htt://www.koalalist.con/. Rating: Dangerous.
Malicious URL Blocked; Trojan Horse Blocked - JS:Redirector-CZ [Trj]; Malware Blocked - HTML:Script-inf x2
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) HTML/Ag.igw.55524; TR/Dldr.Small.Ares.13 x2 Quiet logging Quarantined Threat report (intro) Toaster Product AVI Incident 25 1 1 1 Complete remediation Defended n/a n/a n/a 1 1
26 GIS Toaster Quarantined HTML:Script-inf (Engine B) 0 n/a n/a n/a 1 1
26 K7 Toaster Detected High Security Risk Found 0 n/a n/a n/a 1 1
26 KIS Toaster Denied Denied: HEUR:Trojan.Script.Generic 0 n/a n/a n/a 1 1
26 MIS Toaster Quarantined JS.Redirector.V (Trojan) 0 n/a n/a n/a 1 1
26 MSE Toaster Removed Detected threat: JS/Gamburi.E 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 1 1
Effect (intro) Alert (intro)
26 NIS Browser Blocked
26 TIS Toaster Blocked
27 AVA Toaster Blocked This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks Suspicious activity blocked. Threat name: JS.GUMBLAR.SMQ Malware Blocked - HTML:Script-inf; Malicious URL Blocked - URL:Mal
27 AVG None None None 0 Report Removed and healed 41 infections found. 21 removed and healed. 20 not removed or healed with an option to remove all unhealed infections.
27 AVI Toaster Quarantined TR/PSW.Kates.JS 0 n/a n/a n/a
27 BDF None None None 0 None None None
27 ESS Toaster (3x) Quarantined Connection terminated. HTML/ScrInject.B.Gen virus (2x) and JS/TrojanDownloader.Gumblar.K trojan quarantined 0 n/a n/a n/a 1 1
27 GIS Toaster Quarantined HTML:Script-inf (Engine B) x2 0 n/a n/a n/a 1 1
27 K7 Toaster Detected High Security Risk Found 0 None None Scan Completed. No Viruses, spyware or other risks were found.
27 KIS Toaster Denied Denied: HEUR:Trojan.Script.Generic 0 n/a n/a n/a
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Connection terminated.
JS/TrojanDownloader.Gumblar.J trojan and HTML/ScrInject.B.Gen virus quarantined Quiet logging Quarantined Threat report (intro) Toaster (2x) Product ESS Incident 26 1 1 1 1 MIS Toaster (5x) Removed Artemis!38FD7EA8FE18 (Trojan)
27 MSE Toaster Removed Detected threat: JS/Gamburi.E
27 NIS Browser Blocked This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks
27 TIS Toaster Suspicious Program Terminated. Program name: iexplore.exe. Activity: Unauthorized changes.
28 AVA None None None
28 AVG None None
28 AVI None
28 BDF 28 Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. No threats were detected on your computer during the scan.
Compromised Neutralized Defended Complete remediation Threat Report (manual) Effect (manual) Alert (manual) Quiet logging Threat report (intro) Effect (intro) Alert (intro) Product Incident 27 None None 0 None None 0 n/a n/a n/a None None The scan found no security threats on this computer. 1 0 None None None 1 None 0 Report Removed and healed 43 infections found. 22 removed and healed. 21 not removed or healed with an option to remove all unhealed infections. None None 0 None None None 1 None None None 0 None None None 1 ESS Toaster Quarantined Connection terminated. JS/TrojanDownloader.Gumblar.K trojan quarantined 0 n/a n/a n/a
28 GIS None None None 0 None None None 1
28 K7 None None None 0 None None Scan Completed. No Viruses, spyware or other risks were found. 1
28 KIS Toaster Detected Detected: HEUR:Trojan.Script.Generic 0 n/a n/a n/a 1 1
28 MIS Toaster Quarantined JS.Redirector.V (Trojan) 0 n/a n/a n/a 1 1
28 MSE None None None 0 None None No threats were detected on your computer during the scan.
28 NIS Browser Blocked This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks 0 n/a n/a n/a 1 1
28 TIS None None None 1 n/a n/a n/a 1 1
1 1 1 1 1 1 1 1 Complete remediation Defended Compromised Threat Report (manual) 0 n/a n/a n/a 1 1
29 AVG None None None 0 n/a n/a n/a 1
29 AVI None None None 0 n/a n/a n/a 1
29 BDF Pop-up Blocked Trojan.Generic.KD.20885 x3 0 n/a n/a n/a
29 ESS None None None 0 None None None
29 GIS Pop-up Disinfect 0 n/a n/a n/a
29 K7 Pop-up Block 0 n/a n/a n/a
29 KIS Toaster Denied HEUR:Exploit.Script.Generic x2 0 n/a n/a n/a
29 MIS Pop-up Detected FakeAlert-FakeSpy!env.a (Trojan) 0 None None None
29 MSE None None None 0 n/a n/a n/a
29 NIS Browser Blocked This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks. 0 n/a n/a n/a 1 1
29 TIS None None None 1 n/a n/a n/a 1 1
30 AVA Toaster Blocked Trojan Horse Blocked - Win32.Bredolab-DL [Trj] x2 0 n/a n/a n/a 1 1
30 AVG None None None 0 n/a n/a n/a 1
30 AVI None None None 0 n/a n/a n/a 1
30 BDF Pop-up Blocked Gen.Variant.Bredo.2; Gen.Variant.TDss.3 0 Report Disinfection failed Exploit.PDF-JS.Gen 1
30 ESS Toaster Quarantined Win32/Kryptik.FNJ trojan; Multiple threats 0 n/a n/a n/a
Effect (intro) Alert (intro)
Trojan.Generic.KD.20885 (Engine A) x3; Exploit.PDF-JS.Gen (Engine A) New AutoStart Entry Found! Advise: … unless you have installed a new software or you recognize this application do not accept this change.
1 Neutralized Effect (manual) Alert (manual) Malicious URL Blocked Quiet logging Blocked Threat report (intro) Toaster Product AVA Incident 29 1 1 1 1 1 1 1 1 1 1 1 Complete remediation Defended n/a n/a n/a 1 1
30 K7 Pop-up Application Access!
Allow is default 0 None None None
30 KIS Browser Blocked HEUR:Trojan.Script.Generic 0 n/a n/a n/a
30 MIS Pop-up Removed FakeAlert-FakeSpy!env.a (Trojan) 0 None None None 0 Report Multiple Win32/Winwebsec; Java/CVE-20085353.FJ; Java/OpenConnection.EE; Win32/Fitmu.A 1 1 1 1
Effect (intro) Alert (intro)
30 MSE Pop-up Sample Submission Microsoft Security Essentials detected items on your computer that may have not yet been classified for risks. Sending the files listed below can help Microsoft analysts determine if these items are malicious: 934…exe
30 NIS None None None 0 n/a n/a n/a 1 1
30 TIS Pop-up Untreatable JS WEBSTART.B 0 n/a n/a n/a 1 1
31 AVA Toaster Blocked Trojan Horse Blocked 0 None None None
31 AVG None None None 0 None None No infection was found during this scan.
31 AVI None None None 0 Report Quarantined JAVA/ClassLoader.T
31 BDF None None None 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 Report Log only Java:Djewers-T [Trj] (Engine B) 0 None None Scan Completed. No Viruses, spyware or other risks were found. 0 n/a n/a n/a None Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed.
31 ESS Toaster Quarantined
31 GIS Pop-up Disinfect
31 K7 Pop-up Allow
31 KIS Toaster Denied
31 MIS None None
Connection terminated.A variant of Win32/Kryptik.FOO trojan quarantined JS:Redirector-DC [Trj] (Engine B); Java:Djewers-T [Trj] (Engine B) Application Access! The program lsQJ.IbMVq is connecting to a network. The developer of the program is not known. Denied: Exploit.Java.CVE-2010-0886.a None 0 None
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Win32.Bredolab-DL [Trj] (Engine B) x3; Java:Djewers-T [Trj] (Engine B) Quiet logging Disinfect Threat report (intro) Pop-up Product GIS Incident 30 1 1 1 1 1 1 1 1 1 0 None None No threats were detected on your computer during the scan.
31 NIS Browser Blocked Site is Unsafe 0 n/a n/a n/a 1 1
31 TIS None None None 1 n/a n/a n/a 1 1
32 AVA Toaster Blocked JS:FakeAV-EX [Trj] 0 n/a n/a n/a 1 1
32 AVG Pop-up Moved to Virus Vault Threat detected! Threat name: Trojan horse FakeAlert SG 0 n/a n/a n/a 1 1
32 AVI None None None 0 n/a n/a n/a 1 1
32 BDF None None None 0 n/a n/a n/a 1 1
32 ESS Toaster Blocked Address has been blocked. URL address: "whereisdudescars.com/js2.php" 0 n/a n/a n/a 1 1
32 GIS Pop-up Disinfect JS:FakeAV-EX [Trj] (Engine B) 0 n/a n/a n/a 1 1
32 K7 None None None 0 n/a n/a n/a 1 1
32 KIS None None None 0 n/a n/a n/a 1 1
32 MIS None None None 0 n/a n/a n/a 1 1
32 MSE None None None 1 n/a n/a n/a 1 1
32 NIS Toaster Blocked HTTP Fake Scan Webpage 5 0 n/a n/a n/a 1 1 Virus Found. Infected file: j107ac99.... Threat name:JS.FAKESCAN.SMI. An untreatable virus has infected one of your files. Please try deleting the file or running the scan again later to prevent the infection from spreading. Click Get Help for more suggestions. 0 n/a n/a n/a 1 1 1
32 TIS Toaster Detected with instructions to manually remove
33 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a 1 1
33 AVG None None None 1 n/a n/a n/a 1 1
Compromised None Defended None Effect (manual) None Neutralized Complete remediation Threat Report (manual) Alert (manual) Quiet logging Threat report (intro) Alert (intro) Effect (intro) Product MSE Incident 31 Complete remediation Defended n/a n/a n/a 1 1
33 BDF Pop-up Blocked Trojan.Crypt.HO x4 0 Report Deleted Trojan.Crypt.HO x7
33 ESS Toaster Quarantined 0 0 1 1
33 GIS Pop-up Quarantined
33 K7 Toaster Removed
33 KIS Toaster
Alert (intro) Effect (intro) Connection terminated.
Win32/Salty.NBB virus quarantined Trojan.Crypt.HO (Engine A) x3; JS:Downloader-XN [Trj] (Engine B) x3 0 1 0 n/a n/a n/a 1 1 High Security Risk Found 0 n/a n/a n/a 1 1 Detected Detected: Trojan.JS.Iframe.no 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1
33 MIS Toaster Blocked Script Blocked. McAfee prevented a potentially harmful script from running on your PC. Detected: VBS/Psyme (Trojan) No further action required.
33 MSE None None None 1 n/a n/a n/a 1 1
33 NIS Browser Blocked This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site. 0 n/a n/a n/a 1 1
33 TIS None None None 1 n/a n/a n/a 1 1
34 AVA None None None 0 n/a n/a n/a 1 1
34 AVG None None None 0 n/a n/a n/a 1 1
34 AVI None None None 0 Report Quarantined TR/Dropper.Gen ; JAVA/Agent.M.1
34 BDF None None None 0 n/a n/a n/a 0 None None 0 infected files 1 1 1
34 ESS Toaster Quarantined Connection terminated. A variant of Win32/Cimag.CW trojan quarantined
34 GIS None None None 0 n/a n/a n/a 1 1
34 K7 None None None 0 n/a n/a n/a 1 1
34 KIS None None None 0 n/a n/a n/a 1 1
Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) TR/Dropper.Gen x3 Quiet logging Quarantined Threat report (intro) Toaster Product AVI Incident 33 1 Complete remediation Defended 0 n/a n/a n/a 1 1
34 MSE None None None 0 n/a n/a n/a 1 1
34 NIS None None None 0 n/a n/a n/a 1 1
34 TIS None None None 0 n/a n/a n/a 1 1
35 AVA Toaster Blocked Trojan Horse Blocked 0 n/a n/a n/a 1 1
35 AVG Pop-up Moved to Virus Vault 0 None None No infection was found during this scan.
35 AVI Pop-up Quarantined Threat detected! Threat name: Trojan horse BackDoor.Generic12BZYQ JS/Cosmu.C; HTML/Infected.WebPage.Gen; BDS/Backdoor.Gen 0 n/a n/a n/a
35 BDF None None None 0 None None None
35 ESS None None None 0 Pop-up (see note) Disconnect is the default option Warning. Potential threat found: probably a variant of Win32/Statik potentially unwanted application.
1
35 GIS Toaster Disinfect Win32:Malware-gen; Win32-Dialer 1486 (Trj) (Engine B) 0 Virus Disinfect (if not possible quarantine) Win32:Malware-gen 1
35 K7 Toaster Removed High Security Risk Found 0 None None Scan Completed. No Viruses, spyware or other risks were found.
35 KIS Toaster Deleted Deleted: TrojanGameThief.Win32.Magania.dmzx 0 None None None
35 MIS None None None 0 None None
35 MSE Toaster Removed Detected threat: Win32/Farfli.K 0 None None
35 NIS Toaster Removed index[1].htm (Trojan Horse) 0 n/a n/a n/a 1 1
35 TIS None None None 1 n/a n/a n/a 1 1
36 AVA Toaster Blocked Trojan Horse Blocked - JS:Redirector-E [Trj] 0 n/a n/a n/a 1 1
Effect (intro)
Compromised Threat Report (manual) None Neutralized Effect (manual) Alert (manual) None Quiet logging Alert (intro) None Threat report (intro) Product MIS Incident 34 1 1 1 1 1 1 Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. No threats were detected on your computer during the scan. 1 1 1 Trojan.Generic.KD.19315 x2 0 n/a n/a n/a 1 1 Quarantined Connection terminated. Win32/Oficia.HW trojan and JS/Exploit.Pdfka.OBH.Gen trojan quarantined 0 n/a n/a n/a 1 1 Pop-up Disinfect JS:Redirector-E [Trj] (Engine B) 0 n/a n/a n/a 1 1 K7 Toaster Removed High Security Risk Found 0 n/a n/a n/a 1 1
36 KIS Toaster Denied 0 n/a n/a n/a 1 1
36 MIS Toaster (3x) Script Blocked/Trojan Removed 0 n/a n/a n/a 1 1
36 MSE Toaster Removed Detected threat: Win32/Oficia.M 0 n/a n/a n/a 1 1
36 NIS Browser Blocked This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site. 0 n/a n/a n/a 1 1
36 TIS None None None 1 None None The scan found no security threats on this computer.
37 AVA Toaster Blocked Malicious URL Blocked 0 n/a n/a n/a
37 AVG Pop-up (2x) Moved to Virus Vault Threat detected! Threat name: may be infected by unknown virus Win32/DH.CAFF82016C (2x) 0 Report Removed and healed 1 infection found.
1 removed and healed (C:\Documents and Settings\ …\M8CQYA5P\file(1).exe
37 AVI Pop-up Denied TR/Vilsel.ajct x3 0 n/a n/a n/a 1 1
37 BDF Pop-up Blocked Trojan.Generic.4533749 x2; Exploit.PDFPayload.Gen 0 n/a n/a n/a 1 1
Effect (intro) Alert (intro)
36 AVI Pop-up Denied HTML/Crypted.Gen
36 BDF Pop-up Blocked
36 ESS Toaster (2x)
36 GIS 36 Denied: http://traffic-source.org… (analysis using the database of suspicious URLs) Script Blocked. McAfee prevented a potentially harmful script from running on your PC. Detected: JS/Redirector.a (Trojan) No further action required. (The same trojan was removed)
1 1 1 1 1 Compromised 1 Threat detected! Threat name: Trojan horse Dropper.Generic2.YWZ Neutralized n/a Moved to Virus Vault Defended Threat Report (manual) n/a Pop-up Complete remediation Effect (manual) Alert (manual) n/a AVG Quiet logging 0 Threat report (intro) C:\Documents and Settings\. . .\6F161D1\load[1].exe Product Removed and healed Incident Found 1 infection 36 Quarantined
37 GIS Pop-up Disinfect
37 K7 Toaster Removed
37 KIS Toaster Detected 0 n/a n/a n/a 1 1 High Security Risk Found 0 n/a n/a n/a 1 1 Detected: Trojan.JS.Agent.bia 0 n/a n/a n/a 1 1 (1) Quick Scan complete. 1 remaining issue. (2) same message 1
37 MIS Toaster (3x) Blocked; Removed Buffer Overflow Prevented; Artemis!A1C02BEC3A08 and Exploit.MSDirectShow.b Trojan Removed 0 Yes (1) Unresolved issues. Some items could not be deleted, please restart and scan your PC again. (2) same message
37 MSE Toaster Removed Detected threat: Trojan:Win32/Meredrop 0 n/a n/a n/a 1 1 Blocked This Web page has malicious browser exploits, which use vulnerabilities in browsers to launch attacks.
0 n/a n/a n/a 1 1
37 NIS Browser
Compromised 0 infected files Defended None Complete remediation None Neutralized Alert (manual) 0 Quiet logging Threat Report (manual) Toaster (6x) Effect (manual) ESS Threat report (intro) Effect (intro) Alert (intro) Product Incident 37 Connection terminated. A variant of Win32/Kryptik.FKQ trojan (2x); probably a variant of Win32/TrojanDownloader.Agent trojan; a variant of Java/TrojanDownloader.Agent NAN trojan; VBS/TrojanDownloader.Psyme.NGJ trojan (2x) quarantined JS:Downloader-SG [Trj] (Engine B) x3; Trojan.Generic.4533749 (Engine A) x5; Exploit.PDF-Payload.Gen (Engine A); 1 None 0 n/a n/a n/a 1 1
38 AVG None None None 0 n/a n/a n/a 1 1
38 AVI None None None 0 n/a n/a n/a 1 1
38 BDF None None None 0 n/a n/a n/a 1 1
38 ESS Toaster Quarantined Connection terminated. HTML/ScrInject.B.Gen virus quarantined 0 n/a n/a n/a 1 1
38 GIS None None None 0 n/a n/a n/a 1 1
38 K7 None None None 0 n/a n/a n/a 1 1
38 KIS None None None 0 n/a n/a n/a 1 1
38 MIS None None None 0 n/a n/a n/a 1 1
38 MSE None None None 1 n/a n/a n/a 1 1
38 NIS None None None 0 n/a n/a n/a 1 1
38 TIS None None None 0 n/a n/a n/a 1 1
None The scan found no security threats on this computer.
1 Compromised None None Defended None 0 Complete remediation AVA Effect (manual) 38 Threat name: JS.AGENT.AWBF. Neutralized Threat Report (manual) Alert (manual) Quiet logging Effect (intro) Threat report (intro) Alert (intro) Toaster Product TIS Incident 37 An untreatable virus has infected one of your files. Please try deleting the file or running the scan again later to prevent the infection from spreading. Click Get Help for more suggestions. Complete remediation Defended n/a n/a n/a 1 1
39 AVG Pop-up Removed Viruses: Script/Exploit, Exploit, Exploit MsVidCtl, Trojan horse BackDorr Generic 1. . .
0 n/a n/a n/a 1 1
39 AVI Pop-up Denied HTML/Infected.WebPage.Gen 0 n/a n/a n/a 1 1
39 BDF Pop-up Blocked 0 n/a n/a n/a 1 1
39 ESS Toaster (8x) Quarantined 0 None None 0 infected files
39 GIS Pop-up Quarantined 0 n/a n/a n/a 1 1
39 K7 Toaster Removed 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1 0 None None Quick Scan complete. McAfee did not detect any issues on your PC. No further action is needed. 0 n/a n/a n/a 1 1 0 n/a n/a n/a 1 1
Alert (intro) Effect (intro) Exploit.Cosmu.Al Exploit.Comele.D; Trojan.Script.455589; Backdoor.Generic.395524; Trojan.Script.444076 Connection terminated. JS/Exploit.CVE-2010-0249 trojan (4x), JS/Exploit.CVE-2010-0806 trojan (4x) quarantined Exploit.Comele.D (Engine A); Exploit.Cosmu.A (Engine A) High Security Risk Found Denied: Exploit.JS.CVE-2010-0806.b (3x); Exploit.JS.Agent.awx; JS.CVE-2010-0806.i; Trojna-Downloader.Win32.Small.kmu Script Blocked. McAfee prevented a potentially harmful script from running on your PC. Detected:Exploit.Comele (Trojan) No further action required. Detected threat: Trojan:JS/CVE-2010-0249 and Exploit:JS/ShellCode.J This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site.
1
39 KIS Toaster Denied
39 MIS Toaster (2x) Blocked; Removed
39 MSE Toaster Removed
39 NIS Browser Blocked
39 TIS None None None 1 n/a n/a n/a 1 1
40 AVA None None None 0 n/a n/a n/a 1 1
40 AVG None None None 0 n/a n/a n/a 1 1
40 AVI None None None 0 n/a n/a n/a 1 1
40 BDF None None None 0 n/a n/a n/a 1 1
1 Compromised Threat Report (manual) 0 Neutralized Effect (manual) Alert (manual) Exploit Blocked - JS:CVE-2010-0247-N [Exp] Quiet logging Blocked Threat report (intro) Pop-up Product AVA Incident 39 Complete remediation Defended 0 n/a n/a n/a 1 1
40 GIS None None None 0 n/a n/a n/a 1 1
40 K7 None None None 0 n/a n/a n/a 1 1
40 KIS None None None 0 n/a n/a n/a 1 1
40 MIS None None None 0 n/a n/a n/a 1 1
40 MSE None None None 1 n/a n/a n/a 1 1
40 NIS Browser Blocked This is a known mailicious (sic) web site. It is recommended that you do NOT visit this site. 0 n/a n/a n/a 1 1
40 TIS None None None 0 n/a n/a n/a 1 1
Effect (intro) Compromised Threat Report (manual) None Neutralized Effect (manual) Alert (manual) None Quiet logging Alert (intro) None Threat report (intro) Product ESS Incident 40

APPENDIX D: TOOLS

Ebtables
http://ebtables.sourceforge.net
The ebtables program is a filtering tool for a bridging firewall. It can be used to force network traffic transparently through the Squid proxy.

Fiddler2
www.fiddlertool.com
A web traffic (HTTP/S) debugger used to capture sessions when visiting an infected site using a verification target system (VTS).

HTTPREPLAY
http://www.microsoft.com
A SOCKTRC plug-in enabling the analysis and replaying of HTTP traffic.

Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Explorer shows information about which handles and DLLs processes have opened or loaded. It also provides a clear and real-time indication when new processes start and old ones stop.
Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Monitor is a monitoring tool that shows real-time file system, Registry and process/thread activity.

Regshot
http://sourceforge.net/projects/regshot
Regshot is an open-source Registry comparison utility that takes a snapshot of the Registry and compares it with a second one.

Squid
www.squid-cache.org
Squid is a caching web proxy that supports HTTP, HTTPS, FTP and other protocols.

Tcpdump
www.tcpdump.org
Tcpdump is a packet capture utility that can create a copy of network traffic, including binaries.

TcpView
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
TcpView displays network connections to and from the system in real-time.

Windows Command-Line Tools
Those used included 'systeminfo' and 'sc query'. The systeminfo command "enables an administrator to query for basic system configuration information". The sc command is "used for communicating with the NT Service Controller and services".

Wireshark
www.wireshark.org
Wireshark is a network protocol analyzer capable of storing network traffic, including binaries, for later analysis.

APPENDIX E: TERMS OF THE TEST

This test was sponsored by Symantec. The test rounds were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of the software available on any given day. All products were able to communicate with their back-end systems over the internet. The products selected for this test were chosen by Symantec. Samples were located and verified by Dennis Technology Labs. Products were exposed to threats within 24 hours of the same threats being verified. In practice there was only a delay of up to three to four hours. Details of the samples, including their URLs and code, were provided to Symantec only after the test was complete.