PC Anti-Virus Protection 2011

12 POPULAR ANTI-VIRUS PROGRAMS COMPARED FOR EFFECTIVENESS
Dennis Technology Labs, 03/08/2010
www.DennisTechnologyLabs.com
This test aims to compare the effectiveness of the most recent releases of popular anti-virus software [1]. The
products include those from Kaspersky, McAfee, Microsoft, Norton (Symantec) and Trend Micro, as well as
free versions from Avast, AVG and Avira. Other products include those from BitDefender, ESET, G-Data
and K7. The tests were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of
the software available.
A total of 12 products were exposed to genuine internet threats that real customers could have encountered
during the test period. Crucially, this exposure was carried out in a realistic way, reflecting a customer’s
experience as closely as possible. For example, each test system visited real, infected websites that significant
numbers of internet users were encountering at the time of the test. These results reflect what would have
happened if those users were using one of the seven products tested.
EXECUTIVE SUMMARY
• Products that block attacks early tended to protect the system more fully
The nature of web-based attacks means that the longer malware has access to a system, the more chances it
has of downloading and installing further threats. Products that blocked the malicious and infected websites
from the start reduced the risk of compromise by secondary and further downloads.
• 100 per cent protection is rare
This test recorded an average protection rate of 87.5 per cent. New threats appear online frequently and it is
inevitable that there will be times when specific security products are unable to protect from some of these
threats.
• The products rarely blocked the installation of legitimate applications
There were a number of cases in which the anti-virus programs warned against allowing legitimate
applications full access to the system and the network. However, they rarely blocked these applications from
installing.
Simon Edwards, Dennis Technology Labs
[1] The latest available products were used in the test:
Avast! Free AntiVirus 5
AVG Anti-Virus Free Edition 9
Avira Personal - Free Antivirus 10
BitDefender Internet Security 2010
ESET Smart Security 4
G Data InternetSecurity 2011
K7 Total Security 10
Kaspersky Internet Security 2011
McAfee Internet Security 2010
Microsoft Security Essentials
Norton Internet Security 2011
Trend Micro Internet Security 2010
CONTENTS
Executive summary
Contents
1. Overall Accuracy
2. Overall Protection
3. Protection Details
4. False Positives
5. The tests
6. Test details
7. Conclusions
Appendix A: Terms
Appendix B: Legitimate Samples
Appendix C: Threat report
Appendix D: Tools
Appendix E: Terms of the test
1. OVERALL ACCURACY
Each product has been scored for its accuracy in detecting and handling malware. We awarded two points for
defending against a threat, one for neutralizing it and deducted two points every time a product allowed the
system to be compromised.
The reason behind this score weighting is to give credit to products that deny malware an opportunity to
tamper with the system and to penalize those that allow malware to damage it. In some of our test cases a
compromised system was made unstable, or even unusable without expert knowledge. Even if active
malware was removed, we considered such damaged systems to count as being compromised.
The Norton product defended against all threats so it scores a full 80 marks. It was the only product to avoid
being compromised by the internet threats. Kaspersky's product came a close second, losing points due to
neutralizing two threats and being compromised by one.
[Figure: Accuracy Scores, scale 0 to 80]
The Symantec (Norton) product was the only one to protect against all the internet threats used.
ACCURACY SCORES
Product | Target Defended | Target Neutralized | Target Compromised | Overall Accuracy
Norton Internet Security 2011 | 40 | 0 | 0 | 80
Kaspersky Internet Security 2011 | 37 | 2 | 1 | 74
ESET Smart Security 4 | 34 | 4 | 2 | 68
Avast! Free AntiVirus 5 | 35 | 2 | 3 | 66
G Data InternetSecurity 2011 | 32 | 3 | 5 | 57
Avira Personal - Free Antivirus 10 | 29 | 4 | 7 | 48
Trend Micro Internet Security 2010 | 23 | 11 | 6 | 45
AVG Anti-Virus Free Edition 9 | 23 | 11 | 6 | 45
BitDefender Internet Security 2010 | 29 | 2 | 9 | 42
McAfee Internet Security | 23 | 6 | 11 | 30
Microsoft Security Essentials | 22 | 4 | 14 | 20
K7 Total Security 10 | 20 | 5 | 15 | 15
2. OVERALL PROTECTION
The following illustrates the general level of protection provided by each of the security products,
combining the defended and neutralized incidents into an overall figure. This figure is not weighted with an
arbitrary scoring system as it was in 1. Overall accuracy.
The average protection level afforded by the tested products, when exposed to the threats used in this test,
was 87.5 per cent. Above average products included those from Symantec (Norton), Kaspersky, ESET,
Avast! and G Data. Only one of these was free (Avast).
[Figure: Overall Protection Scores, scale 0 to 40]
The only free product that performed above average was Avast! Free AntiVirus 5.
OVERALL PROTECTION SCORES
Product | Protected Incidents | Percentage of incidents
Norton Internet Security 2011 | 40 | 100%
Kaspersky Internet Security 2011 | 39 | 98%
ESET Smart Security 4 | 38 | 95%
Avast! Free AntiVirus 5 | 37 | 93%
G Data InternetSecurity 2011 | 35 | 88%
AVG Anti-Virus Free Edition 9 | 34 | 85%
Trend Micro Internet Security 2010 | 34 | 85%
Avira Personal - Free Antivirus 10 | 33 | 83%
BitDefender Internet Security 2010 | 31 | 78%
McAfee Internet Security | 29 | 73%
Microsoft Security Essentials | 26 | 65%
K7 Total Security 10 | 25 | 63%
(Average: 87.5 per cent)
3. PROTECTION DETAILS
The security products provided different levels of protection. When a product defended against a threat, it
prevented the malware from gaining a foothold on the target system. A threat might have been able to infect
the system and, in some cases, the product neutralized it later. When it couldn’t, the system was
compromised.
The graph below shows that the most successful products tended to defend, rather than neutralize, the
threats. Between them the top five products only neutralized 11 threats, while they defended a total of 178.
They were compromised 11 times. The five least effective products, on the other hand, neutralized 21 threats
and defended just 123. They were compromised a total of 56 times.
[Figure: Protection Details, scale 0 to 40; series: Target Defended, Target Neutralized, Target Compromised]
The most successful products tended to defend rather than neutralize, blocking the threats early in the
attack.
PROTECTION DETAILS
Product | Target Defended | Target Neutralized | Target Compromised
Norton Internet Security 2011 | 40 | 0 | 0
Kaspersky Internet Security 2011 | 37 | 2 | 1
ESET Smart Security 4 | 34 | 4 | 2
Avast! Free AntiVirus 5 | 35 | 2 | 3
G Data InternetSecurity 2011 | 32 | 3 | 5
AVG Anti-Virus Free Edition 9 | 23 | 11 | 6
Trend Micro Internet Security 2010 | 23 | 11 | 6
Avira Personal - Free Antivirus 10 | 29 | 4 | 7
BitDefender Internet Security 2010 | 29 | 2 | 9
McAfee Internet Security | 23 | 6 | 11
Microsoft Security Essentials | 22 | 4 | 14
K7 Total Security 10 | 20 | 5 | 15
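The scoring described in sections 1 to 3, recomputed from the outcome counts in the tables, as an added example that is not part of the original report (the function names are this example's own). It reproduces the accuracy scores, the percentages and the top-five and bottom-five totals quoted above, and shows which products change rank between the weighted and unweighted figures.

```python
# (defended, neutralized, compromised) per product, copied from the tables.
RESULTS = {
    "Norton Internet Security 2011": (40, 0, 0),
    "Kaspersky Internet Security 2011": (37, 2, 1),
    "ESET Smart Security 4": (34, 4, 2),
    "Avast! Free AntiVirus 5": (35, 2, 3),
    "G Data InternetSecurity 2011": (32, 3, 5),
    "AVG Anti-Virus Free Edition 9": (23, 11, 6),
    "Trend Micro Internet Security 2010": (23, 11, 6),
    "Avira Personal - Free Antivirus 10": (29, 4, 7),
    "BitDefender Internet Security 2010": (29, 2, 9),
    "McAfee Internet Security": (23, 6, 11),
    "Microsoft Security Essentials": (22, 4, 14),
    "K7 Total Security 10": (20, 5, 15),
}
INCIDENTS = 40  # threats each product faced; every row must sum to this


def check_rows(results):
    """Reject rows that do not account for exactly INCIDENTS outcomes."""
    for name, row in results.items():
        if min(row) < 0 or sum(row) != INCIDENTS:
            raise ValueError(f"{name}: counts {row} do not sum to {INCIDENTS}")


def accuracy(defended, neutralized, compromised):
    """Section 1 weighting: +2 defended, +1 neutralized, -2 compromised."""
    return 2 * defended + neutralized - 2 * compromised


def protected(defended, neutralized, compromised):
    """Section 2 figure: incidents defended or neutralized, unweighted."""
    return defended + neutralized


def percent(count):
    """Whole-number percentage of INCIDENTS, rounding halves up as the table
    does (37/40 = 92.5 is listed as 93; Python's round() would give 92)."""
    return (200 * count + INCIDENTS) // (2 * INCIDENTS)


def scores(results):
    """Map each product to (accuracy, protected incidents, percentage)."""
    check_rows(results)
    return {name: (accuracy(*row), protected(*row), percent(protected(*row)))
            for name, row in results.items()}


def by_protection(results):
    """Product names ordered from most to fewest protected incidents."""
    return sorted(results, key=lambda n: protected(*results[n]), reverse=True)


def group_totals(results, names):
    """Sum the (defended, neutralized, compromised) counts over a group."""
    return tuple(sum(results[n][i] for n in names) for i in range(3))


def rank_shifts(results):
    """Products ranked differently by accuracy and by protection.

    A rank is 1 plus the number of products with a strictly higher figure,
    so tied products share a rank. Returns {name: (accuracy_rank, protection_rank)}.
    """
    shifts = {}
    for name, row in results.items():
        ranks = tuple(
            1 + sum(metric(*other) > metric(*row) for other in results.values())
            for metric in (accuracy, protected)
        )
        if ranks[0] != ranks[1]:
            shifts[name] = ranks
    return shifts


if __name__ == "__main__":
    for name, (acc, prot, pct) in scores(RESULTS).items():
        print(f"{name:36} accuracy={acc:3} protected={prot:2} ({pct}%)")
    order = by_protection(RESULTS)
    print("top five   :", group_totals(RESULTS, order[:5]))
    print("bottom five:", group_totals(RESULTS, order[-5:]))
    print("rank shifts:", rank_shifts(RESULTS))
```

Because a defended incident is worth twice a neutralized one, Avira ranks above AVG and Trend Micro on accuracy but below them on protected incidents.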
4. FALSE POSITIVES
4.1 False positive levels
A security product needs to be able to protect the system from threats, while allowing legitimate software to
work properly. When legitimate software is misclassified a false positive is generated. We split the results
into two main groups because the products all took one of two approaches when attempting to protect the
system from the legitimate programs. They either warned that the software was suspicious or took the more
decisive step of blocking it.
Blocking a legitimate application is more serious than issuing a warning because it directly hampers the user.
In this test we only recorded one blocking action, which was by the K7 product as it falsely categorized the
mIRC online chat application as being a "High Security Risk".
Warnings may be of variable strength, sometimes simply asking if the legitimate application should be
allowed to access the internet. This type of warning accounted for the majority seen in this test.
The graph below includes the number and type of false positive that each product generated.
[Figure: False Positive Incidents, scale 0 to 16; series: Warnings, Blockings]
Despite an apparently high percentage of false positives, most were light warnings.
FALSE POSITIVE INCIDENTS
False Positive Type | Product | Total
Warnings | Trend Micro Internet Security 2010 | 15
Warnings | K7 Total Security 10 | 10
Warnings | G Data InternetSecurity 2011 | 8
Warnings | Kaspersky Internet Security 2011 | 7
Warnings | BitDefender Internet Security 2010 | 6
Warnings | McAfee Internet Security | 1
Warnings | Avast! Free AntiVirus 5 | 0
Warnings | AVG Anti-Virus Free Edition 9 | 0
Warnings | Avira Personal - Free Antivirus 10 | 0
Warnings | ESET Smart Security 4 | 0
Warnings | Microsoft Security Essentials | 0
Warnings | Norton Internet Security 2011 | 0
Blockings | K7 Total Security 10 | 1
Blockings | Avast! Free AntiVirus 5 | 0
Blockings | AVG Anti-Virus Free Edition 9 | 0
Blockings | Avira Personal - Free Antivirus 10 | 0
Blockings | BitDefender Internet Security 2010 | 0
Blockings | ESET Smart Security 4 | 0
Blockings | G Data InternetSecurity 2011 | 0
Blockings | Kaspersky Internet Security 2011 | 0
Blockings | McAfee Internet Security | 0
Blockings | Microsoft Security Essentials | 0
Blockings | Norton Internet Security 2011 | 0
Blockings | Trend Micro Internet Security 2010 | 0
4.2 Taking file prevalence into account
The prevalence of each file is significant. If a product misclassified a common file then the situation would be
more serious than if it failed to detect a less common one. That said, it is usually expected that anti-malware
programs should not misclassify any legitimate software.
The files selected for the false positive testing were organized into five groups: Very High Impact, High
Impact, Medium Impact, Low Impact and Very Low Impact. These categories were based on download
numbers as reported by sites including Download.com at the time of testing. The ranges for these categories
are recorded in the table below:
FALSE POSITIVE PREVALENCE CATEGORIES
Impact category | Prevalence (downloads in the previous week)
Very High Impact | >20,000
High Impact | 1,000 – 20,000
Medium Impact | 100 – 999
Low Impact | 25 – 99
Very Low Impact | < 25
4.3 Modifying scores
The following set of score modifiers was used to create an impact-weighted accuracy score. Each time a
product allowed a new legitimate program to install and run it was awarded one point. It lost points (or
fractions of a point) if and when it generated a false positive. We used the following score modifiers:
FALSE POSITIVE PREVALENCE SCORE MODIFIERS
False positive action | Impact category | Score modifier
Blocked | Very High Impact | -5
Blocked | High Impact | -2
Blocked | Medium Impact | -1
Blocked | Low Impact | -0.5
Blocked | Very Low Impact | -0.1
Warning | Very High Impact | -2.5
Warning | High Impact | -1
Warning | Medium Impact | -0.5
Warning | Low Impact | -0.25
Warning | Very Low Impact | -0.05
4.4 Distribution of impact categories
Products that scored highest were the most accurate when handling the legitimate applications used in the
test. The best score possible is 40, while the worst would be -200 (assuming that all applications were
classified as Very High Impact and were blocked). In fact the distribution of applications in the impact
categories was not restricted only to Very High Impact. The table below shows the true distribution:
FALSE POSITIVE CATEGORY FREQUENCY
Impact category | Number of instances
Very High Impact | 17
High Impact | 12
Medium Impact | 6
Low Impact | 2
Very Low Impact | 3
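The impact-weighted scoring of 4.2 to 4.4 as an added example, not code from the report. It assumes that a warned application still earns its one point while a blocked one earns none (the latter is what makes 40 blocked Very High Impact programs score -200); the function names are this example's own. It also works out the lowest possible scores under the real category distribution, which the text leaves unstated.

```python
from decimal import Decimal

# Score modifiers from the table in 4.3, keyed by (action, impact category).
MODIFIERS = {
    ("blocked", "Very High Impact"): Decimal("-5"),
    ("blocked", "High Impact"): Decimal("-2"),
    ("blocked", "Medium Impact"): Decimal("-1"),
    ("blocked", "Low Impact"): Decimal("-0.5"),
    ("blocked", "Very Low Impact"): Decimal("-0.1"),
    ("warning", "Very High Impact"): Decimal("-2.5"),
    ("warning", "High Impact"): Decimal("-1"),
    ("warning", "Medium Impact"): Decimal("-0.5"),
    ("warning", "Low Impact"): Decimal("-0.25"),
    ("warning", "Very Low Impact"): Decimal("-0.05"),
}

# Legitimate applications per impact category, from the table in 4.4.
DISTRIBUTION = {
    "Very High Impact": 17,
    "High Impact": 12,
    "Medium Impact": 6,
    "Low Impact": 2,
    "Very Low Impact": 3,
}
TOTAL_APPS = sum(DISTRIBUTION.values())  # 40 applications in the test


def impact_category(weekly_downloads):
    """Map downloads in the previous week to an impact category (4.2)."""
    if weekly_downloads > 20000:
        return "Very High Impact"
    if weekly_downloads >= 1000:
        return "High Impact"
    if weekly_downloads >= 100:
        return "Medium Impact"
    if weekly_downloads >= 25:
        return "Low Impact"
    return "Very Low Impact"


def fp_score(false_positives, total_apps=TOTAL_APPS):
    """Impact-weighted accuracy score for one product.

    false_positives: (action, impact category) pairs, one per misclassified
    application. Assumption of this example: a warned application still
    installs and keeps its point; a blocked application earns no point.
    """
    if len(false_positives) > total_apps:
        raise ValueError("more false positives than applications tested")
    score = Decimal(total_apps)  # one point per application that ran
    for action, category in false_positives:
        if (action, category) not in MODIFIERS:
            raise ValueError(f"unknown false positive: {action!r}, {category!r}")
        if action == "blocked":
            score -= 1  # the application never ran, so it earns nothing
        score += MODIFIERS[(action, category)]
    return score


def uniform_score(action, distribution=DISTRIBUTION):
    """Score if every application in `distribution` drew the same action."""
    events = [(action, cat) for cat, n in distribution.items() for _ in range(n)]
    return fp_score(events, total_apps=len(events))


if __name__ == "__main__":
    print("no false positives     :", fp_score([]))
    print("all Very High, blocked :", uniform_score("blocked", {"Very High Impact": 40}))
    print("real mix, all blocked  :", uniform_score("blocked"))
    print("real mix, all warned   :", uniform_score("warning"))
    # Constructed case: one block and two warnings, categories from downloads.
    sample = [("blocked", impact_category(5000)),
              ("warning", impact_category(150)),
              ("warning", impact_category(150))]
    print("constructed sample     :", fp_score(sample))
```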
4.5 False positive accuracy ratings
Combining the impact categories with weighted scores produces the following overall accuracy ratings.
[Figure: False Positive Accuracy Scores, scale 0 to 40]
When a product misclassified a popular program it faced a stronger penalty than if the file was more obscure.
FALSE POSITIVE ACCURACY SCORE
Product | Accuracy score
Avast! Free AntiVirus 5 | 40
Avira Personal - Free Antivirus 10 | 40
AVG Anti-Virus Free Edition 9 | 40
ESET Smart Security 4 | 40
Microsoft Security Essentials | 40
Norton Internet Security 2011 | 40
McAfee Internet Security | 37.5
BitDefender Internet Security 2010 | 33.7
Kaspersky Internet Security 2011 | 33.25
G Data InternetSecurity 2011 | 30.45
K7 Total Security 10 | 21.7
Trend Micro Internet Security 2010 | 19.7
5. THE TESTS
5.1 The threats
Providing a realistic user experience was important in order to illustrate what really happens when a user
encounters a threat on the internet. For example, in these tests web-based malware was accessed by visiting
an original, infected website using a web browser, and not downloaded from a CD or internal test website.
All target systems were fully exposed to the threats. This means that any exploit code was allowed to run, as
were other malicious files. They were run and permitted to perform exactly as they were designed to, subject
to checks made by the installed security software. A minimum time period of five minutes was provided to
allow the malware an opportunity to act.
5.2 Test rounds
Tests were conducted in rounds. Each round recorded the exposure of every product to a specific threat. For
example, in ‘round one’ each of the products was exposed to the same malicious website.
At the end of each round the test systems were completely reset to remove any possible trace of malware
before the next test began.
Each ‘round’ exposed every product to one specific threat. The partial set of records for round two (highlighted
above) shows a range of responses to a particular threat. In this example the Avast, G Data and K7 products
allowed the threat to compromise the systems, while the Microsoft and Trend Micro products neutralized the
threat. The remaining products blocked the threat early, defending against it.
5.3 Monitoring
Close logging of the target systems was necessary to gauge the relative successes of the malware and the anti-malware software. This included recording activity such as network traffic, the creation of files and processes
and changes made to important files.
5.4 Levels of protection
The products displayed different levels of protection. Sometimes a product would prevent a threat from
executing, or at least making any significant changes to the target system. In other cases a threat might be
able to perform some tasks on the target, after which the security product would intervene and remove some
or all of the malware. Finally, a threat may be able to bypass the security product and carry out its malicious
tasks unhindered. It may even be able to disable the security software. Occasionally Windows' own
protection system might handle a threat while the anti-virus program ignored it. Another outcome is that
the malware may crash for various reasons. The different levels of protection provided by each product were
recorded following analysis of the log files.
If malware failed to perform properly in a given incident, perhaps because of the very presence of the
security product, rather than any specific defending action that the product took, the product was given the
benefit of the doubt and a Defended result was recorded. If the test system was damaged, becoming hard to
use following an attempted attack, this was counted as a compromise even if the active parts of the malware
had eventually been removed by the product.
5.5 Types of protection
All of the products tested provided two main types of protection: real-time and on-demand. Real-time
protection monitors the system constantly in an attempt to prevent a threat from gaining access. On-demand
protection is essentially a ‘virus scan’ that is run by the user at an arbitrary time.
The test results note each product’s behavior when a threat is introduced and afterwards. The real-time
protection mechanism was monitored throughout the test, while an on-demand scan was run towards the
end of each test to measure how safe the product determined the system to be. Manual scans were run only
when a tester determined that malware had made an interaction with the target system. In other words, if the
security product claimed to block the attack at the initial stage, and the monitoring logs supported this claim,
the case was considered closed and a Defended result was recorded.
6. TEST DETAILS
6.1 The targets
To create a fair testing environment, each product was installed on a clean Windows XP Professional target
system. The operating system was updated with Windows XP Service Pack 2 (SP2), although no later patches
or updates were applied.
We test with Windows XP SP2 and Internet Explorer 6 due to the high prevalence of internet threats that
rely on this combination. The prevalence of these threats suggests that there are many systems with this level
of patching currently connected to the internet.
A selection of legitimate but old software was pre-installed on the target systems. These posed security risks,
as they contained known vulnerabilities. They included out of date versions of Adobe Flash Player and
Adobe Reader.
A different security product was then installed on each system. Each product’s update mechanism was used
to download the latest version with the most recent definitions and other elements. Due to the dynamic
nature of the tests, which were carried out in real-time with live malicious websites, the products' update
systems were allowed to run automatically and were also run manually before each test round was carried
out. The products were also allowed to 'call home' should they be programmed to query databases in real-time. Some products might automatically upgrade themselves during the test. At any given time of testing,
the very latest version of each program was used.
Each target system contained identical hardware, including an Intel Core 2 Duo processor, 1GB RAM, a
160GB hard disk and a DVD-ROM drive. Each was connected to the internet via its own virtual network
(VLAN) to avoid malware cross-infecting other targets.
6.2 Threat selection
The malicious web links (URLs) used in the tests were picked from lists generated by Dennis Technology
Labs's own malicious site detection system, which uses popular search engine keywords submitted to
Google. It analyses sites that are returned in the search results from a number of search engines and adds
them to a database of malicious websites. In all cases, a control system (Verification Target System - VTS)
was used to confirm that the URLs linked to actively malicious sites.
Malicious URLs and files are not shared with any vendors during the testing process.
6.3 Test stages
There were three main stages in each individual test:
1. Introduction
2. Observation
3. Remediation
During the Introduction stage, the target system was exposed to a threat. Before the threat was introduced, a
snapshot was taken of the system. This created a list of Registry entries and files on the hard disk. We used
Regshot (see Appendix D: Tools) to take and compare system snapshots. The threat was then introduced.
Immediately after the system’s exposure to the threat, the Observation stage is reached. During this time,
which typically lasted at least 10 minutes, the tester monitored the system both visually and using a range of
third-party tools. The tester reacted to pop-ups and other prompts according to the directives described
below (see 6.6 Observation and intervention).
In the event that hostile activity to other internet users was observed, such as when spam was being sent by
the target, this stage was cut short. The Observation stage concluded with another system snapshot. This
‘exposed’ snapshot was compared to the original ‘clean’ snapshot and a report generated. The system was
then rebooted.
The Remediation stage is designed to test the products’ ability to clean an infected system. If it defended
against the threat in the Observation stage then we skipped this stage. An on-demand scan was run on the
target, after which a ‘scanned’ snapshot was taken. This was compared to the original ‘clean’ snapshot and a
report was generated. All log files, including the snapshot reports and the product’s own log files, were
recovered from the target. In some cases the target became so damaged that log recovery was considered
impractical. The target was then reset to a clean state, ready for the next test.
6.4 Threat introduction
Malicious websites were visited in real-time using Internet Explorer. This risky behavior was conducted
using live internet connections. URLs were typed manually into Internet Explorer’s address bar.
Web-hosted malware often changes over time. Visiting the same site over a short period of time can expose
systems to what appear to be a range of threats (although it may be the same threat, slightly altered to avoid
detection). Also, many infected sites will only attack a particular IP address once, which makes it hard to test
more than one product against the same threat.
In order to improve the chances that each target system received the same experience from a malicious web
server, we used a web replay system. When the verification target systems visited a malicious site, the page’s
content, including malicious code, was downloaded, stored and loaded into the replay system. When each
target system subsequently visited the site, it received exactly the same content.
The network configurations were set to allow all products unfettered access to the internet throughout the
test, regardless of the web replay systems.
6.5 Secondary downloads
Established malware may attempt to download further files (secondary downloads), which are stored in a
cache by a proxy on the network and re-served to other targets in some circumstances. These circumstances
include cases where:
1. The download request is made using HTTP (e.g. http://badsite.example.com/...) and
2. The same filename is requested each time (e.g. badfile1.exe)
There are scenarios in which target systems receive different secondary downloads. These include cases
where:
1. The download request is made using HTTPS or a non-web protocol such as FTP or
2. A different filename is requested each time (e.g. badfile2.exe; random357.exe)
6.6 Observation and intervention
Throughout each test, the target system was observed both manually and in real-time. This enabled the tester
to take comprehensive notes about the system’s perceived behavior, as well as to compare visual alerts with
the products’ log entries. At certain stages the tester was required to act as a regular user. To achieve
consistency, the tester followed a policy for handling certain situations, including dealing with pop-ups
displayed by products or the operating system, system crashes, invitations by malware to perform tasks and
so on.
This user behavior policy included the following directives:
1. Act naively. Allow the threat a good chance to introduce itself to the target by clicking OK to
malicious prompts, for example.
2. Don’t be too stubborn in retrying blocked downloads. If a product warns against visiting a site,
don’t take further measures to visit that site.
3. Where malware is downloaded as a Zip file, or similar, extract it to the Desktop then attempt to run
it. If the archive is protected by a password, and that password is known to you (e.g. it was included
in the body of the original malicious email), use it.
4. Always click the default option. This applies to security product pop-ups, operating system prompts
(including Windows firewall) and malware invitations to act.
5. If there is no default option, wait. Give the prompt 20 seconds to choose a course of action
automatically.
6. If no action is taken automatically, choose the first option. Where options are listed vertically,
choose the top one. Where options are listed horizontally, choose the left-hand one.
6.7 Remediation
When a target is exposed to malware, the threat may have a number of opportunities to infect the system.
The security product also has a number of chances to protect the target. The snapshots explained in 6.3 Test
stages provided information that was used to analyze a system’s final state at the end of a test.
Before, during and after each test, a ‘snapshot’ of the target system was taken to provide information about
what had changed during the exposure to malware. For example, comparing a snapshot taken before a
malicious website was visited to one taken after might highlight new entries in the Registry and new files on
the hard disk. Snapshots were also used to determine how effective a product was at removing a threat that
had managed to establish itself on the target system. This analysis gives an indication as to the levels of
protection that a product has provided.
These levels of protection have been recorded using three main terms: defended, neutralized, and
compromised. A threat that was unable to gain a foothold on the target was defended against; one that was
prevented from continuing its activities was neutralized; while a successful threat was considered to have
compromised the target.
A defended incident occurs where no malicious activity is observed with the naked eye or third-party
monitoring tools following the initial threat introduction. The snapshot report files are used to verify this
happy state.
If a threat is observed to run actively on the system, but not beyond the point where an on-demand scan is
run, it is considered to have been neutralized. Comparing the snapshot reports should show that malicious
files were created and Registry entries were made after the introduction. However, as long as the ‘scanned’
snapshot report shows that either the files have been removed or the Registry entries have been deleted, the
threat has been neutralized.
The target is compromised if malware is observed to run after the on-demand scan. In some cases a product
might request a further scan to complete the removal. We considered secondary scans to be acceptable, but
further scan requests would be ignored. Even if no malware was observed, a compromise result was recorded
if snapshot reports showed the existence of new, presumably malicious files on the hard disk, in conjunction
with Registry entries designed to run at least one of these files when the system booted. An edited ‘hosts’ file
or altered system file also counted as a compromise.
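The decision rules of 6.7, together with the damaged-system rule from 5.4, written out as an added example rather than Dennis Technology Labs' own tooling. The snapshot model, field names and sample paths are constructed for illustration and do not reflect Regshot's report format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    """Constructed stand-in for one snapshot report (not Regshot's format)."""
    files: frozenset     # lower-cased paths of files on disk
    autoruns: frozenset  # (Registry value, lower-cased file it runs at boot)
    guarded: frozenset   # (path, digest) for the hosts file and system files


def snap(files, autoruns=(), guarded=()):
    """Build a Snapshot, folding case because Windows paths ignore it."""
    return Snapshot(
        frozenset(f.lower() for f in files),
        frozenset((value, target.lower()) for value, target in autoruns),
        frozenset((path.lower(), digest) for path, digest in guarded),
    )


@dataclass(frozen=True)
class Incident:
    clean: Snapshot               # taken before the threat was introduced
    exposed: Snapshot             # taken at the end of the Observation stage
    scanned: Optional[Snapshot]   # after the on-demand scan, None if skipped
    ran_after_intro: bool         # malware seen running during Observation
    ran_after_scan: bool = False  # malware seen running after the scan
    damaged: bool = False         # system left unstable or hard to use


def boot_persistence(clean, later):
    """New files that a new autorun Registry entry would start at boot."""
    new_files = later.files - clean.files
    new_autoruns = later.autoruns - clean.autoruns
    return sorted(target for _, target in new_autoruns if target in new_files)


def tampered(clean, later):
    """Guarded files whose digest differs from the clean snapshot."""
    return sorted(path for path, _ in later.guarded - clean.guarded)


def classify(incident):
    """Return (result, reasons) following the rules in 6.7 and 5.4."""
    # When Remediation was skipped, the exposed snapshot is the final state.
    final = incident.scanned if incident.scanned is not None else incident.exposed
    reasons = []
    if incident.ran_after_scan:
        reasons.append("malware ran after the on-demand scan")
    if incident.damaged:
        reasons.append("system damaged")
    for path in boot_persistence(incident.clean, final):
        reasons.append("new file set to run at boot: " + path)
    for path in tampered(incident.clean, final):
        reasons.append("hosts or system file altered: " + path)
    if reasons:
        return "compromised", reasons
    if incident.ran_after_intro:
        return "neutralized", ["threat ran but did not persist past the scan"]
    return "defended", []


# Constructed sample data; the file name badfile1.exe follows the text in 6.5.
EXPLORER = r"C:\WINDOWS\explorer.exe"
HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
DROPPED = r"C:\Documents and Settings\user\Local Settings\Temp\badfile1.exe"
RUN_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"

CLEAN = snap([EXPLORER], guarded=[(HOSTS, "digest-clean")])
INFECTED = snap([EXPLORER, DROPPED], [(RUN_VALUE, DROPPED.upper())],
                [(HOSTS, "digest-clean")])
FILE_ONLY = snap([EXPLORER, DROPPED], guarded=[(HOSTS, "digest-clean")])
HOSTS_EDITED = snap([EXPLORER], guarded=[(HOSTS, "digest-changed")])

CASES = {
    "blocked at introduction": Incident(CLEAN, CLEAN, None, ran_after_intro=False),
    "autorun removed by scan": Incident(CLEAN, INFECTED, FILE_ONLY, ran_after_intro=True),
    "persistence survived scan": Incident(CLEAN, INFECTED, INFECTED, ran_after_intro=True),
    "hosts file edited": Incident(CLEAN, HOSTS_EDITED, HOSTS_EDITED, ran_after_intro=True),
}

if __name__ == "__main__":
    for label, incident in CASES.items():
        result, why = classify(incident)
        print(f"{label:26} -> {result:11} {why}")
```

The third case records a compromise even though no malware was seen running after the scan, because the dropped file and the Registry entry that launches it at boot are both still present.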
6.8 Automatic monitoring
Logs were generated using third-party applications, as well as by the security products themselves. Manual
observation of the target system throughout its exposure to malware (and legitimate applications) provided
more information about the security products’ behavior. Monitoring was performed directly on the target
system and on the network.
Client-side logging
A combination of Process Explorer, Process Monitor, TcpView and Wireshark was used to monitor the
target systems. Regshot was used between each testing stage to record a system snapshot. A number of
Dennis Technology Labs-created scripts were also used to provide additional system information. Each
product was able to generate some level of logging itself.
Process Explorer and TcpView were run throughout the tests, providing a visual cue to the tester about
possible malicious activity on the system. In addition, Wireshark’s real-time output, and the display from the
web proxy (see Network logging, below), indicated specific network activity such as secondary downloads.
Process Monitor also provided valuable information to help reconstruct malicious incidents. Both Process
Monitor and Wireshark were configured to save their logs automatically to a file. This reduced data loss
when malware caused a target to crash or reboot.
In-built Windows commands such as 'systeminfo' and 'sc query' were used in custom scripts to provide
additional snapshots of the running system's state.
Network logging
All target systems were connected to a live internet connection, which incorporated a transparent web proxy
and a network monitoring system. All traffic to and from the internet had to pass through this system.
Further to that, all web traffic had to pass through the proxy as well. This allowed the testers to capture files
containing the complete network traffic. It also provided a quick and easy view of web-based traffic, which
was displayed to the testers in real-time.
The network monitor was a dual-homed Linux system running as a transparent router, passing all web traffic
through a Squid proxy. This was configured in ‘offline’ mode during testing, which is an aggressive caching
mode that still permits internet access.
An HTTP replay system ensured that all target systems received the same malware as each other. It was
configured to allow access to the internet so that products could download updates and communicate with
any available ‘in the cloud’ servers.
7. CONCLUSIONS
Where are the threats?
The threats used in this test were genuine, real-life threats that were infecting victims globally at the same
time as we tested the products. In almost every case the threat was launched from a legitimate website that
had been compromised by an attacker. The types of infected or malicious sites were varied, which
demonstrates that effective anti-virus software is essential for those who want to use the web on a
Windows PC, whether they are looking for pornography, music or a local taco restaurant.
The vast majority of the threats installed automatically when a user visited the infected webpage. This
infection was usually invisible to a casual observer and rarely did the malware make itself known, unless it
was installing a fake anti-virus program. These rogue applications pretend to detect viruses on the system and
harass the user into paying for a full license, which the program claims will allow it to remove the
‘infections’. In reality the only infection is the fake anti-virus program itself.
Where does protection start?
The best-performing products were Norton Internet Security 2011, Kaspersky Internet Security 2011 and
ESET Smart Security 4. These three had one notable similarity: they all blocked threats early in the attack
process, which meant that there was less opportunity for the malware to infect the systems. The two least
effective products, those from Microsoft and K7, often tackled the threat only once the malware had started
to infect the system.
Sorting the wheat from the chaff
The false positive results were quite low, which shows that most of the products are not tuned too
aggressively to detect and block malware at the expense of regular programs. Of the three strongest products
in terms of threat detection, the Norton and ESET products managed to avoid generating any false positives.
Kaspersky's product categorized a few applications as being "potentially dangerous". These included two
utilities that come bundled with popular wireless routers.
Anti-virus is important (but not a panacea)
This test shows that there is a significant difference in performance between popular anti-virus programs.
Most importantly it illustrates this difference using real threats that were attacking real computers at the time
of testing.
The average protection level of the tested products is 87.5 per cent (see 2. Overall protection), which is
significant. The presence of anti-virus software can be seen to decrease the chances of a malware infection
even when the only sites being visited are proven to be malicious. It's worth noting, however, that a 100 per
cent success rate is rare. Even those products that performed the best in this test are unlikely to be
completely bullet-proof in every given situation.
APPENDIX A: TERMS
Compromised: Malware continues to run on an infected system, even after an on-demand scan.
Defended: Malware was prevented from running on, or making changes to, the target.
False Positive: A legitimate application was incorrectly classified as being malicious.
Introduction: Test stage where a target system is exposed to a threat.
Neutralized: Malware was able to run on the target, but was then removed by the security product.
Observation: Test stage during which malware may affect the target.
On-demand (protection): Manual ‘virus’ scan, run by the user at an arbitrary time.
Prompt: Questions asked by software, including malware, security products and the operating system. With security products, prompts usually appear in the form of pop-up windows. Some prompts don’t ask questions but provide alerts. When these appear and disappear without a user’s interaction, they are called ‘toasters’.
Real-time (protection): The ‘always-on’ protection offered by many security products.
Remediation: Test stage that measures a product’s abilities to remove any installed threat.
Round: Test series of multiple products, exposing each target to the same threat.
Snapshot: Record of a target’s file system and Registry contents.
Target: Test system exposed to threats in order to monitor the behavior of security products.
Threat: A program or other measure designed to subvert a system.
Update: Code provided by a vendor to keep its software up to date. This includes virus definitions, engine updates and operating system patches.
APPENDIX B: LEGITIMATE SAMPLES
| INCIDENT | ORIGINAL FILE NAME | PRODUCT | DESCRIPTION | OBTAINED VIA | PREVALENCE STATS (LAST WEEK) | PREVALENCE STATS SOURCE | PREVALENCE STATS DATE | PREVALENCE RATING |
|---|---|---|---|---|---|---|---|---|
| 1 | YouTubeDownloaderSetup256.exe | YouTube Downloader | Download YouTube videos and convert them to different formats. | Download.com | 626,027 | Download.com | 23/07/2010 | Very High Impact |
| 2 | wrar393.exe | WinRAR (32bit) | Take full control over RAR and ZIP archives, along with unpacking a dozen other archive formats. | Download.com | 406,831 | Download.com | 23/07/2010 | Very High Impact |
| 3 | PhotoScapeSetup_V3.5.exe | PhotoScape | View, edit, print, or add frames to your photos. | Download.com | 313,847 | Download.com | 23/07/2010 | Very High Impact |
| 4 | fg680f.exe | Freegate 6.80 | This program helps millions of Internet users in China to access the Internet faster and more stably | Download.com | 26,614 | Download.com | 23/07/2010 | Very High Impact |
| 5 | TeamViewer_Setup.exe | TeamViewer | Share your desktop with another person via the Web. | Download.com | 340,911 | Download.com | 23/07/2010 | Very High Impact |
| 6 | camfrog.exe | Camfrog Video Chat | Join live-video chat rooms from around the world | Download.com | 270,758 | Download.com | 23/07/2010 | Very High Impact |
| 7 | FoxitReader40_enu_Setup.exe | Foxit Reader 4.0.0.619 | View your PDF files as PDF or as plain text. | Download.com | 190,967 | Download.com | 23/07/2010 | Very High Impact |
| 8 | mirc635.exe | mIRC | Chat with other people and participate in group discussions. | Download.com | 144,566 | Download.com | 23/07/2010 | Very High Impact |
| 9 | Firefox Setup 3.6.7.exe | Mozilla Firefox | Surf the Web, block pop-ups, and keep spyware at bay with a lean and fast open-source browser. | Download.com | 101,875 | Download.com | 23/07/2010 | Very High Impact |
| 10 | easy_cdda_extractor_2010_1_trial.exe | Easy CD-DA Extractor | Rip audio CDs, burn CDs and DVDs, convert music files, and edit metadata. | Download.com | 31,398 | Download.com | 23/07/2010 | Very High Impact |
| 11 | EasyDVDRipc.exe | Easy DVD Rip 3.0.801 | Rip your DVDs into MPEG-4, AVI, DivX, XviD, MPEG-1, MPEG-2, VCD, and SVCD formats | Download.com | 3,736 | Download.com | 23/07/2010 | High Impact |
| 12 | EasyDVDtoVCD.exe | Easy DVD to VCD Burner | Copy DVD movies to VCD, SVCD, or AVI files and burn them to CD-R/RW. | Download.com | 247 | Download.com | 23/07/2010 | Medium Impact |
| 13 | anti_mosquito.zip | Anti Mosquito Software 1.0 | This is a small software that shall drive the mosquitoes away fast. Simple to use and useful. No need for any external devices. | Download.com | 4,575 | Download.com | 23/07/2010 | High Impact |
| 14 | AutoClick_setup.exe | AutoClick 1.0.7.234 | Have mouse clicks done for you when you're unable to click. | Download.com | 1,042 | Download.com | 23/07/2010 | High Impact |
| 15 | gardenplanner25setup.exe | Garden Planner 2.4 | Design and print your own garden plan. | Download.com | 1,319 | Download.com | 23/07/2010 | High Impact |
| 16 | RealPlayerSPGold.exe | RealPlayer SP | Watch your favorite videos on your favorite devices | Download.com | 156,729 | Download.com | 23/07/2010 | Very High Impact |
| 17 | WWPC-Setup.exe | WW Points Calc | Calculate your weight watchers points. | Download.com | 376 | Download.com | 23/07/2010 | Medium Impact |
| 18 | bookcat_setup.exe | BookCAT | Catalog and manage your book collection. | Download.com | 168 | Download.com | 23/07/2010 | Medium Impact |
| 19 | newzcrawler19.msi | NewzCrawler | Web/RSS newsreader, content gatherer & browser. | Download.com | 262 | Download.com | 23/07/2010 | Medium Impact |
| 20 | AdbeRdr933_en_US.exe | Adobe Reader 9.3.3 | View, navigate, and print PDF files. | Adobe.com | 98,168 | Download.com | 23/07/2010 | Very High Impact |
| 21 | cpuz_154_setup.exe | CPU-Z | Access various information about your computer. | Download.com | 9,133 | Download.com | 23/07/2010 | High Impact |
| 22 | defragsetup.exe | Smart Defrag | Defrag your hard drive in the background automatically. | Download.com | 12,212 | Download.com | 23/07/2010 | High Impact |
| 23 | PandoraRecovery2.1.1Setup.exe | Pandora Recovery | Find, preview and restore permanently deleted files. | Download.com | 13,512 | Download.com | 23/07/2010 | High Impact |
| 24 | disk-defrag-setup.exe | Auslogics Disk Defrag | Defragment your disks and improve computer performance and stability. | Download.com | 49,025 | Download.com | 23/07/2010 | Very High Impact |
| 25 | revosetup.exe | Revo Uninstaller | Uninstall unwanted and even broken applications accurately. | Download.com | 20,352 | Download.com | 23/07/2010 | Very High Impact |
| 26 | RegpairSetup.exe | Free Window Registry Repair | Registry repair utility | Download.com | 8,855 | Download.com | 23/07/2010 | High Impact |
| 27 | vlc-1.1.1-win32.exe | VLC Media Player | Play audio and video files in real-time and streaming modes. | Download.com | 226,028 | Download.com | 23/07/2010 | Very High Impact |
| 28 | media.player.codec.pack.v3.9.6.setup.exe | Media Player Codec Pack | Play various types of video, audio, movie, music files in Media Player | Download.com | 44,823 | Download.com | 23/07/2010 | Very High Impact |
| 29 | m-ipad-to-pc-transfer-cnet.exe | iPad to PC Transfer | Transfer files to the iPad | http://www.mp4converter.net/downloads/m-ipadto-pctransfer.exe | 57 | Download.com | 23/07/2010 | Low Impact |
| 30 | TrueCrypt Setup 7.0.exe | TrueCrypt | Encrypt your sensitive data with this open-source software | Download.com | 1,672 | Download.com | 23/07/2010 | High Impact |
| 31 | TweetDeck_0_34.3.air | TweetDeck 0.34.3 | Social networking | Download.com | 1,444 | Download.com | 23/07/2010 | High Impact |
| 32 | office-convert-pdf-to-jpg-jpeg-tiff-free.exe | Office Convert PDF to JPG JPEG TIFF Free | Convert your PDF files into various image formats. | Download.com | 6,030 | Download.com | 23/07/2010 | High Impact |
| 33 | - | Linksys WUSB600N Setup Wizard | Wireless router setup program | DVD | 100 | est | 23/07/2010 | Medium Impact |
| 34 | Setup.exe | Billion BiPAC 6200NX(L) 3G Management Center | Wireless router setup program | DVD | 100 | est | 23/07/2010 | Medium Impact |
| 35 | ADM_en-EU.exe | Acronis Drive Monitor | Disk monitoring utility | http://www.acronis.co.uk/enterprise/download/drivemonitor/index.html | 50 | est | 23/07/2010 | Low Impact |
| 36 | iconst7p.exe | IconCool Studio Pro | IconCool Studio is an absolute solution to create, edit, convert, extract 32-bit icons or cursors | Download.com | 4 | Download.com | 23/07/2010 | Very Low Impact |
| 37 | coreftplite.exe | Core FTP LE | Manage your files remotely and securely via FTP with SFTP, SSL, and HTTPS. | Download.com | 2,629 | Download.com | 23/07/2010 | High Impact |
| 38 | | Google Desktop | Local search | http://desktop.google.com | 20988 | est | 23/07/2010 | Very High Impact |
| 39 | IDBInstall.zip | Investors Database | Manage your entire investment data. | Download.com | 1 | Download.com | 26/07/2010 | Very Low Impact |
| 40 | | Sync ToGo | Mirror, synchronize, and back up your files between portable storage devices and PCs. | Download.com | 1 | Download.com | 26/07/2010 | Very Low Impact |
APPENDIX C: THREAT REPORT
| Code | Product |
|---|---|
| AVA | Avast! Free AntiVirus 5 |
| AVG | AVG Anti-Virus Free Edition 9 |
| AVI | Avira Personal - Free Antivirus 10 |
| BDF | BitDefender Internet Security 2010 |
| ESS | ESET Smart Security 4 |
| GIS | G Data InternetSecurity 2011 |
| K7 | K7 Total Security 10 |
| KIS | Kaspersky Internet Security 2011 |
| MIS | McAfee Internet Security |
| MSE | Microsoft Security Essentials |
| NIS | Norton Internet Security 2011 |
| TIS | Trend Micro Internet Security 2010 |
NOTE: The following table is a summary. The full report was provided to Symantec as an Excel spreadsheet, which includes any Notes that may be referred to in some
Threat Report entries.
Defended
n/a
n/a
n/a
1
1
1
AVG
Pop-up
Moved to Virus
Vault
Threat detected. Trojan horse Adload_tAHD
0
n/a
n/a
n/a
1
1
1
AVI
Pop-up
Quarantined
JS/Agent.13838; HTML/Crypted.Gen;
TR/Drop.TDss.bry x2
0
n/a
n/a
n/a
1
1
BDF
Pop-up
Blocked
Gen:Variant.TDss.21
0
n/a
n/a
n/a
1
1
1
ESS
Toaster
Connection
terminated quarantined
Threat: Win32/Olmark.ABL trojan
0
n/a
n/a
n/a
1
1
1
GIS
Pop-up
Disinfect
Gen:Variant.TDss.21 (Engine A);
JS:ScriptDC-inf [Trj] (Engine B);
0
n/a
n/a
n/a
1
1
Alert (intro)
1
Compromised
Complete
remediation
0
Neutralized
Threat Report
(manual)
Trojan Horse Blocked - JS:ScriptDC-inf [Trj]
Quiet logging
Blocked
Threat report
(intro)
Toaster
Effect (intro)
AVA
Product
1
Incident
Effect
(manual)
Alert (manual)
In cases where the malware fails for any reason, the product is given the full benefit of the doubt and is classified as having Defended with full remediation.
Scan completed. One or more risks
needs your attention. Two items
infected by virus 8a3C5fed0
1
KIS
Toaster
Blocked
Detected: HEUR:Trojan.Script.Iframer
0
n/a
n/a
n/a
1
1
1
MIS
Toaster
Removed
Trojan Removed. McAfee detected and
automatically removed a Trojan from your
PC. No further action is requIred. Detected:
Artemis!3F82FABE3889
0
n/a
n/a
n/a
1
1
1
MSE
Toaster
Removed
Detected threat: Trojan/Win32/Alureon.CT
0
n/a
n/a
n/a
1
1
1
NIS
Toaster
Quarantined
Trojan.Pidief.I and Trojan.Gen
0
n/a
n/a
n/a
1
1
1
TIS
Browser
Blocked
None
0
n/a
n/a
n/a
1
1
Compromised
No action taken.
Cannot be
disinfected.
Neutralized
Yes (see
note)
Defended
Threat Report
(manual)
0
Complete
remediation
Effect
(manual)
Alert (manual)
Threat report
(intro)
High Security Risk Found
Quiet logging
Effect (intro)
Detected
Alert (intro)
Toaster
Product
K7
Incident
1
1
2
AVA
Toaster
Blocked
Trojan Horse Blocked - JS:Redirector-E [Trj]
0
Report
Move to Chest
Win32:Malware-gen; JS:RedirectorE [Trj]; JS:ScriptDC-inf [Trj];
Win32:Jifas-GB [Trj]
2
AVG
Pop-up
Moved to Virus
Vault
Threat detected. Trojan horse Cryptic.AHC
0
n/a
n/a
n/a
1
1
2
AVI
Pop-up
Removed
TR/Vundo.Gen
0
n/a
n/a
n/a
1
1
2
BDF
Pop-up
Denied
Trojan.Generic.KD.18874
0
n/a
n/a
n/a
1
1
2
ESS
Toaster
Denied
0
n/a
n/a
n/a
1
1
2
GIS
Pop-up
Quarantined
0
Report
Disinfect
Multiple
1
2
K7
Toaster
Detected
High Security Risk Found
0
Multiple
(see
note)
Quarantined
Scan completed. One or more risks
needs your attention. Two Trojans
"quarantined. Disinfection not
possible.!"
1
2
KIS
Toaster
Denied
Denied: HEUR:Exploit.Script.Generic
0
n/a
n/a
n/a
Access denied. The web page
http://91.188.59.192/show.php?s=cc5f09d257
is on the list of web sites with potentially
dangerous content.
JS:Redirector-E [Trj] (Engine B);
Win32:Malware-gen (Engine B); Java:AgentR [Trj] (Engine B); Win32:Jifas-GB [Trj]
(Engine B)
1
1
1
n/a
1
1
0
Showed
alert
when the
system
was
rebooted
after
exposure
and after
manual
scan.
Removed
Microsoft Security Essentials
detected 6 potential threats on your
computer.
Trojan:Win32/Alureon.gen!J;
Trojan:Win32/FakeCog;
Trojan:Win32/Alureon.DK;
Trojan:Win32/FakeCog;
Trojan:WinNT/Alureon.D;
Trojan:Win32/Alureon.DA
0
n/a
n/a
n/a
0
None
None
None
n/a
1
2
MSE
None
None
2
NIS
Toaster
Removed
2
TIS
Toaster
Terminated
3
AVA
Toaster
Blocked
Win32:Renos-PN [Drp]
0
n/a
n/a
n/a
1
1
3
AVG
Pop-up
Detected
Threat detected! Threat name: Trojan horse
Downloader Generic9.CAWP
0
n/a
n/a
n/a
1
1
3
AVI
Pop-up
Denied
TR/CryptXPACK.Gen
0
n/a
n/a
n/a
1
1
3
BDF
Pop-up
Blocked
Trojan.Generic.KD.15088
0
n/a
n/a
n/a
1
1
Scan completed successfully. 1
infected file/1 cleaned file.
n/a
A program was behaving suspiciously on your
computer. You chose to block and remove it
Suspicious program terminated. Activity:
Unauthorized changes.
3
ESS
Toaster
Quarantined
Connection terminated.
Win32/TrojanDownloader.FakeAlert.AZE
trojan quarantined.
0
Yes
(1) One object
has been deleted
as it only
contained the
virus body. (4)
Object cannot be
opened. It may
be in use by
another
application or
operating
system.
3
GIS
Pop-up
Disinfect
Trojan.Generic.KD.15088 (Engine A)
0
n/a
n/a
1
1
1
1
1
1
Compromised
n/a
0
Neutralized
Alert (manual)
Defended
None
Complete
remediation
Script Blocked. McAfee prevented a
potentially harmful script from running on your
PC. No further action required.
Quiet logging
Threat report
(intro)
Effect (intro)
Blocked
Threat Report
(manual)
Toaster
Effect
(manual)
MIS
Alert (intro)
Product
Incident
2
Complete
remediation
Defended
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
None
1
n/a
n/a
n/a
1
1
Blocked
URL:Mal
0
n/a
n/a
n/a
1
1
Pop-up
(2x)
Moved to Virus
Vault
Threat detected! Threat name: Virus found
JS/Generic; Trojan jorse Bomka G
0
n/a
n/a
n/a
AVI
Toaster
Denied
TR/Agent.uwi.6144 [trojan]
0
n/a
n/a
n/a
1
1
4
BDF
Pop-up
Blocked
0
n/a
n/a
n/a
1
1
4
ESS
Toaster
Quarantined
0
n/a
n/a
n/a
1
1
4
GIS
Pop-up
Quarantined
0
n/a
n/a
n/a
1
1
4
K7
Toaster
Detected
0
n/a
n/a
n/a
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
KIS
Toaster
Denied
3
MIS
Toaster
Removed
3
MSE
Toaster
Not found
3
NIS
Browser
Blocked
3
TIS
None
None
4
AVA
Toaster
4
AVG
4
Alert (intro)
3
Product
High Security Risk Found
Incident
Detected
4
KIS
Toaster
Denied
4
MIS
Toaster
Blocked
4
MSE
Toaster
Removed
Denied: http://mybookface.net/ (analysis
using the database of phishing URLs)
Trojan Removed. McAfee detected and
automatically removed a Trojan from your
PC. No further action is requIred. Detected:
Downloader.CEW.e
Detected items:
TrojanDownloader:Win32/Renos.KO
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
Trojan.PWS.Kates.AW;
Generic.XPL.ADODB.D5E4C1CB
Connection terminated. A variant of
Win32/Bamital.DH trojan quarantined.
Generic.XPL.ADODB.D5E4C1CB (Engine A);
Trojan.PWS.Kates.AW (Engine A);
Exploit.PDF-JS.Gen (Engine A) multiple
times
High Security Risk Found
Denied: HEUR:Trojan-Downloader.Script
Generic (3x)
Script Blocked. McAfee prevented a
potentially harmful script from running on your
PC. No further action required.
Detected items: Trojan:Win32/Bamital.E
1
1
Compromised
Threat Report
(manual)
1
Toaster
Neutralized
Effect
(manual)
Alert (manual)
n/a
K7
Quiet logging
n/a
Threat report
(intro)
n/a
Effect (intro)
0
3
Complete
remediation
Defended
n/a
n/a
n/a
1
1
4
TIS
None
None
None
1
n/a
n/a
n/a
5
AVA
Toaster
Blocked
0
n/a
n/a
n/a
5
AVG
Pop-up
Moved to Virus
Vault
Trojan Horse Blocked - JS:Illredir-CH [Trj];
Malicious URL Blocked - URL:Mal
Threat detected! Threat name: Virus found
HTML/Framer
0
Report
Removed and
healed
Moved to Virus Vault
5
AVI
Pop-up
Denied
TR/Crypt.ZPACK.Gen
0
n/a
n/a
n/a
1
1
5
BDF
Pop-up
Blocked
Gen.Variant.Unruy.1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
Alert (intro)
Effect (intro)
Connection terminated.
JS/TrojanDownloader.Pegel.BR trojan
quarantined
Gen:Variant.Unruy.1 (Engine A); Exploit.PDFJS.Gen (Engine A); JS:Illredir-CH [Trj]
(Engine B); JS:Downloader-XQ [Trj] (Engine
B)
System Monitor Alert! A new AutoStart Entry
Found A new program has been added to run
automatically whenever Windows boots up.
Advise: This type of change is common on
installation of new software and when the
new software is supposed to run
automatically every time you boot the system.
Hence, unless you have installed a new
software or you recognize this application do
not accept this change. Default to allow.
1
1
1
1
5
ESS
Toaster
Quarantined
5
GIS
Pop-up
Disinfect
5
K7
Toaster
Detected
5
KIS
Toaster
Detected
Denied: Trojan.JS.Iframe.mn
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
1
5
MIS
Toaster
Removed
Trojan Removed. McAfee detected and
automatically removed a Trojan from your
PC. No further action is requIred. Detected:
Artemis!51526D4DCD4D
5
MSE
Toaster
Removed
Detected items: Trojan:Win32/Comroki
0
n/a
n/a
n/a
1
1
5
NIS
Browser
Blocked
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
0
n/a
n/a
n/a
1
1
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks.
Quiet logging
Blocked
Threat report
(intro)
Browser
Product
NIS
Incident
4
AVA
Toaster
Blocked
6
AVG
Pop-up
(2x)
Moved to Virus
Vault
6
AVI
Pop-up
Denied
6
BDF
Pop-up
Blocked
6
ESS
Toaster
Quarantined
6
GIS
Pop-up
Disinfect
Trojan Horse Blocked - JS:Redirector-CF
[Trj]; Malware Blocked - HTML:Iframe-inf;
Trojan Horse Blocked - JS:FaveAV-ET [Trj];
Malicious URL Blocked - URL:Mal
Threat detected! Threat name: Virus found
Trojan horse Cryptic AHC
TR/Vundo.Gen; HTML/ExpKit.Gen2 HTML
script virus
Trojan.Generic.KD.18998
Connection terminated. JS/Exploit.Agent.NBB
trojan quarantined
JS:Redirector-CF [Trj] (Engine B);
HTML:Iframe-inf (Engine B)
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
0
n/a
n/a
n/a
0
None
None
None
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
Scan completed. One or more risks
needs your attention. Two Trojans
"quarantined. Disinfection not
possible.!"
6
K7
Toaster
Detected
High Security Risk Found
0
Yes
Recommendation
to quarantine two
Trojans and
clean one
suspicious file.
6
KIS
Toaster
Denied
Denied: Trojan.JS.Redirector.bg
0
n/a
n/a
n/a
0
Yes
Viruses, Trojans,
and Cookies
Removed:
Generic Rootkit
dlrootkit
Quick Scan complete. All issues
have been resolved. McAfee has
eliminated all threats on your PC.
1
1
1
1
1
1
1
6
MIS
Toaster
Removed
Trojan Removed. McAfee detected and
automatically removed a Trojan from your
PC. No further action is requIred. Detected:
FakeAlert-GA.dll (more than 10x);
DNSChanger.bu (2x)
6
MSE
Toaster
Removed
Detected items: TrojanDownloader: JS/Renos
0
n/a
n/a
n/a
1
1
6
NIS
Toaster
Blocked
HTTP Fake Scan Webpage 5
0
n/a
n/a
n/a
1
1
6
TIS
Toaster
(4x)
Terminated
0
See note
Repaired
Security Vulnerabilities Found in the
Windows Operating System.
7
AVA
Toaster
Blocked
0
n/a
n/a
n/a
Toaster 1-3: Suspicious program terminated.
Activity: Unauthorized changes. 4th Toaster:
Because the drive listed above contains at
least one threat, you should scan the entire
computer for malicious software.
Trojan Horse Blocked - HTML:Iframe-EP [Trj];
Malicious URL Blocked
Compromised
1
Neutralized
Alert (manual)
Defended
6
None
Complete
remediation
None
Threat Report
(manual)
None
Effect
(manual)
TIS
Quiet logging
Threat report
(intro)
Effect (intro)
Alert (intro)
Product
Incident
5
1
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
7
AVI
Pop-up
Denied
HTML/FakeAlert.rd.1; HTML/Crypted.Gen
0
n/a
n/a
n/a
1
1
7
BDF
Pop-up
Blocked
Trojan.JS.FakeAV.C
0
n/a
n/a
n/a
1
1
7
ESS
Toaster
Cleaned by
deleting
0
n/a
n/a
n/a
1
1
7
GIS
Pop-up
Quarantined
0
n/a
n/a
n/a
1
1
7
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
7
KIS
Toaster
Detected
Detected: Trojan.JS.Agent.bph
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
None
None
No threats were detected on your
computer during the scan.
0
n/a
n/a
n/a
1
1
Alert (intro)
Effect (intro)
Connection terminated.
JS.TrojanDownloader.Agent.NUE
quarantined
HTML:Iframe-EP [Trj] (Engine B);
JS:FakeAV-CU [Trj] (Engine B)
Script Blocked. McAfee prevented a
potentially harmful script from running on your
PC. No further action required. Detected:
Generic FakeAlert
Detected items: TrojanSpy:Win32/Chadem.A;
Trojan:Win32/InternetAntivirus;
Trojan:Win32/Alureon.CT
MSIE Misleading Application Suspicious
Notification
1
7
MIS
Toaster
(2x)
Removed
7
MSE
Toaster
Removed
7
NIS
Toaster
Blocked
7
TIS
None
None
None
1
n/a
n/a
n/a
1
1
8
AVA
Toaster
Blocked
Trojan Horse Blocked - HTML:Iframe-LZ
[Trz]; Malicious URL Blocked - URL:Mal;
Trojan Horse Blocked - JS:Illredir-CB [Trj]
0
n/a
n/a
n/a
1
1
8
AVG
None
None
None
1
n/a
n/a
n/a
1
1
8
AVI
Pop-up
Denied
HTML/Infected.WebPage.Gen2
0
n/a
n/a
n/a
1
1
8
BDF
Pop-up
Blocked
Trojan.FakeAV.KVX
0
n/a
n/a
n/a
1
1
8
ESS
Toaster
Cleaned by
deleting (after
the next
restart)
Connection terminated.
JS/TrojanDownloader.Shadraem.C
quarantined
0
n/a
n/a
n/a
1
1
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Threat detected! Threat name: Trojan horse
SHeur3.ADVG
Quiet logging
Moved to Virus
Vault
Threat report
(intro)
Pop-up
(2x)
Product
AVG
Incident
7
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
8
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
8
KIS
Toaster
Denied
Denied: Trojan.JS.Redirector.fq
0
n/a
n/a
n/a
1
1
8
MIS
None
None
None
1
n/a
n/a
n/a
1
1
8
MSE
Toaster
Removed
Detected items: Trojan: JS/Gamburi.E
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
Yes
Cookie deleted
Resolved threats (1 items found):
Cookie_YieldManager
Alert (intro)
Effect (intro)
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks. ALSO: Toaster (Trojan.Malscript!html)
Suspicious program terminated. Activity:
Unauthorized changes.
8
NIS
Browser
Blocked
8
TIS
Toaster
Terminated
9
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
9
AVG
Pop-up
Moved to Virus
Vault
Threat detected! Threat name: Trojan horse
Cryptic AIP
0
n/a
n/a
n/a
1
9
AVI
Pop-up
Denied
TR/Spy.Zbot.aksg
0
None
None
None
1
9
BDF
Pop-up
Blocked
Backdoor.Bot.124029
0
n/a
n/a
n/a
1
1
9
ESS
Toaster
Quarantined
Connection terminated.
HTML/Iframe.B.gen.virus quarantined
0
n/a
n/a
n/a
1
1
9
GIS
Pop-up
Disinfect
Backdoor.Bot.124029 (Engine A)
0
n/a
n/a
n/a
1
1
9
K7
Toaster
(3x)
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
None
None
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
9
KIS
Toaster
Denied
9
MIS
Toaster
Buffer overflow
prevented
Denied: http//mumukafes.net/trf/index.php
(analysis using the database of suspicious
URLs) and Trojan.JS.Agent.blz
McAfee prevented a program from causing a
buffer overflow on your PC. Hackers can use
buffer overflows to secretly run malicious
programs, steal personal information, or
hijack your PC.
1
1
1
1
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Trojan.Script.455507 (Engine A)
Quiet logging
Blocked
Threat report
(intro)
Pop-up
Product
GIS
Incident
8
Complete
remediation
Defended
0
n/a
n/a
n/a
1
1
9
NIS
Browser
Blocked
This Web pages has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks.
0
n/a
n/a
n/a
1
1
9
TIS
None
None
None
0
None
None
None
10
AVA
Toaster
Blocked
Malware Blocked - HTML:Script-inf; Malicious
URL Blocked - URL:Mal
0
n/a
n/a
n/a
10
AVG
None
None
None
0
Report
Removed and
healed
37 infections found. 19 removed and
healed. 18 not removed or healed
with an option to remove all
unhealed infections.
10
AVI
None
None
None
0
None
None
None
10
BDF
None
None
None
0
None
None
None
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
Effect (intro)
10
ESS
Toaster
Quarantined
Connection terminated.
JS/TrojanDownlaoder.Gumblar.K trojan
quarantined
10
GIS
Pop-up
Quarantined
HTML:Script-inf (Engine B)
10
K7
None
None
None
0
Yes
Removed
. . .\Temp\jar_cache16260.tmp is a
Riskware (16b82aae0). Should be
deleted
10
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
10
MIS
None
None
None
0
None
None
Quick Scan complete. All issues
have been resolved. McAfee has
eliminated all threats on your PC.
10
MSE
None
None
None
0
n/a
n/a
n/a
10
NIS
Toolbar
Blocked
Site is Unsafe: Drive-By Downloads
0
n/a
n/a
n/a
10
TIS
None
None
None
0
None
None
None
11
AVA
Toaster
Blocked
Trojan Horse Blocked - HTML:Iframe-MS [Trj]
x2
0
n/a
n/a
n/a
Compromised
Threat Report
(manual)
Detected items: Trojan:Win32/2bot.gen!Y
Neutralized
Effect
(manual)
Alert (manual)
Removed
Quiet logging
Alert (intro)
Toaster
Threat report
(intro)
Product
MSE
Incident
9
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
Complete
remediation
Defended
Compromised
Threat Report
(manual)
0
n/a
n/a
n/a
1
1
11
AVI
Pop-up
Quarantined
TR/Jorik.Bredolab.R
0
n/a
n/a
n/a
1
1
11
BDF
Pop-up
Blocked
Trojan.Script.459926
0
n/a
n/a
n/a
1
1
11
ESS
Toaster
Blocked
Address has been blocked. URL address:
addthiss.net/in.cgi?8
0
n/a
n/a
n/a
1
1
11
GIS
Pop-up
Disinfect
Trojan.Script.459926 (Engine A)
0
n/a
n/a
n/a
1
1
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
0
n/a
n/a
n/a
0
None
None
None
1
1
Effect (intro)
Alert (intro)
11
K7
Pop-up
Detected
11
KIS
Toaster
Detected
11
MIS
None
None
11
MSE
None
System Monitor Alert! A New Program Found
in User StartUp Folder! A new program has
been added to your StartUp folder to run
whenever Windows boots up. Advise: Not
Available. Please proceed with caution.
Default to allow.
Detected: HEUR:TrojanDownloader.Script.Generic
None
1
1
1
None
None
0
None
None
No threats were detected on your
computer during the scan.
0
n/a
n/a
n/a
0
None
None
None
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
1
1
11
NIS
Browser
Blocked
This Web pages has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks.
11
TIS
None
None
None
12
AVA
Toaster
Blocked
12
AVG
Pop-up
Moved to Virus
Vault
Trojan Horse Blocked - HTML:Iframe-NO
[Trj]; Malicious URL Blocked - URL:Mal
Threat detected! Threat name: Trojan horse
Downloader Generic9.CHCT
12
AVI
Pop-up
Denied
TR/Dldr.Small.asso x2
0
n/a
n/a
n/a
12
BDF
None
None
None
0
None
None
None
12
ESS
Toaster
Quarantined
Connection terminated.
JS/TrojanDownlaoder.Iframe.NIH trojan
quarantined
0
n/a
n/a
n/a
Neutralized
Effect
(manual)
Alert (manual)
Threat detected! Threat name: Virus found
JS/Dropper
Quiet logging
Moved to Virus
Vault
Threat report
(intro)
Pop-up
Product
AVG
Incident
11
1
1
1
1
1
1
Compromised
1].htm is a Riskware (7a8cbe3d0).
Should be deleted
Detected: Trojan-Downloader.JS.Iframe.cau
0
n/a
n/a
n/a
1
1
Removed (2x)
Trojan Removed. McAfee detected and
automatically removed a Trojan from your
PC. No further action is requIred. Detected:
Artemis!E8EBA05A8EC5. (2x) Buffer
overflow prevented.
0
n/a
n/a
n/a
1
1
Toaster
Removed
Detected items: VirTool:Win32/VBInject.GX
0
None
None
No threats were detected on your
computer during the scan.
NIS
Pop-up
Blocked
0
n/a
n/a
n/a
12
TIS
Toaster
Detected.
Default to
allow
None
None
None
1
13
AVA
None
None
None
0
None
None
None
1
13
AVG
None
None
None
0
n/a
n/a
n/a
1
Effect (intro)
Alert (intro)
12
K7
Pop-up
Detected
12
KIS
Toaster
Detected
12
MIS
Toaster
(3x)
12
MSE
12
JS:Prontexi-BX [Trj] (Engine B);
HTML:Iframe-NO [Trj] (Engine B); JS:CVE2010-0806-AO [Expl] (Engine B);
Trojan.Generic.KD.19200 (Engine A)
System Monitor Alert! A new AutoStart Entry
Found A new program has been added to run
automatically whenever Windows boots up.
Advise: This type of change is common on
installation of new software and when the
new software is supposed to run
automatically every time you boot the system.
Hence, unless you have installed a new
software or you recognize this application do
not accept this change. Default to allow.
Critical Attack Prevented - Adobe Reader
GetIcon BO
Suspicious activity detected. To safeguard
your security, do not allow the following
program to comminicate with the Internet
unless you recognize it. Program name:
37756.EXE. Default to Allow. DROB.exe
tried to make itself launch automatically
whenever Windows starts up. Default to
allow. DROB.tmp.exe and svchosts.exe were
also flagged as suspicious programs. Default
to allow.
Neutralized
Removed
Quarantined
Defended
Threat Report
(manual)
Yes
Pop-up
Complete
remediation
Effect
(manual)
Alert (manual)
0
GIS
Quiet logging
Backdoor.Bot.124029 (Engine A)
Threat report
(intro)
Disinfect
Product
Report
Incident
0
12
1
1
1
1
1
n/a
n/a
13
BDF
Pop-up
Blocked
Tojan.Generic.KD.19590 x2
0
n/a
n/a
n/a
1
1
13
ESS
Pop-up
Disconnected
Warning. Potential threat found. Probably a
varient of Win32/Statik potentially unwanted
application. Default option to disconnect
0
n/a
n/a
n/a
1
1
13
GIS
Pop-up
Disinfect
Trojan.Generic.KD.19590 (Engine A) x2
0
n/a
n/a
n/a
1
1
13
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
13
KIS
Toaster
(3x)
Denied
0
n/a
n/a
n/a
1
1
13
MIS
Pop-up
Restart
0
None
None
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
13
MSE
None
None
None
0
None
None
No threats were detected on your
computer during the scan.
13
NIS
Toaster
Removed
Trojan.Pidief.I
0
n/a
n/a
n/a
1
1
13
TIS
None
None
None
1
n/a
n/a
n/a
1
1
14
AVA
Pop-up
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
1
1
14
AVG
Pop-up
Removed
Threat detected! Threat name: Trojan horse
Adload_r.AHD. Default to select and remove
0
n/a
n/a
n/a
1
1
14
AVI
Pop-up
Denied
JS/Agent.13838; TR/Drop.TDss.bry x3
0
n/a
n/a
n/a
1
1
14
BDF
Pop-up
Blocked
Trojan.Generic.4477257 x2
0
n/a
n/a
n/a
1
1
14
ESS
Toaster
Quarantined
Connection terminated. Win32/Olmarik.ABL
trojan quarantined
0
n/a
n/a
n/a
1
1
14
GIS
Pop-up
Disinfect
Trojan.Generic.4477257 (Engine A)
0
n/a
n/a
n/a
1
1
14
K7
Toaster
(4x)
Detected
High Security Risk Found
0
Yes
Cannot be
disinfected
Two items are infected by a Virus
(8z3c5fed0)
Effect (intro)
Denied: Trojan:Win32.FraudPack.azkf;
Trojan-Downloader.Java.Agent.fl (2x)
Trojan Detected: FakeAlert.FakeSpyfenv.a.
We cannot remove a Trojan while the infected
file is in use. Restarting your PC frees up the
infected file allowing McAfee to fix the issue.
Default to restart.
Compromised
n/a
Neutralized
0
Defended
Threat Report
(manual)
None
Complete
remediation
Effect
(manual)
Alert (manual)
None
Quiet logging
Alert (intro)
None
Threat report
(intro)
Product
AVI
Incident
13
1
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
14
MIS
Toaster
(2x)
Removed
Trojan Removed. McAfee detected and
automatically removed a Trojan from your
PC. No further action is requIred.
Detected:Generic.Dropper.va
0
n/a
n/a
n/a
1
1
14
MSE
Toaster
Removed
Detected threat: Trojan/Win32/Alureon.CT
0
None
None
No threats were detected on your
computer during the scan.
14
NIS
Toaster
Removed
Trojan.Pidief.I
0
n/a
n/a
n/a
14
TIS
None
None
None
1
None
None
None
15
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
1
1
15
AVG
Pop-up
Moved to Virus
Vault
Threat detected! Threat name: Trojan horse
FakeAlert SG
0
n/a
n/a
n/a
1
1
15
AVI
None
None
None
0
n/a
n/a
n/a
1
1
15
BDF
Pop-up
Blocked
Trojan.Downloader.FakeAV.FT
0
n/a
n/a
n/a
1
1
15
ESS
Toaster
Blocked
Address has been blocked. URL address:
"domainameat.cc/js2.php
0
n/a
n/a
n/a
1
1
15
GIS
Pop-up
Quarantined
Trojan.Downloader.FakeAV.FT (Engine A)
0
n/a
n/a
n/a
1
1
15
K7
None
None
None
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
15
KIS
Toaster
Denied
Denied: Trojan.JS.Redirector.cq
0
n/a
n/a
n/a
15
MIS
None
None
None
0
None
None
15
MSE
None
None
None
0
None
None
15
NIS
Toaster
Blocked
HTTP Fake Scan Webpage 5
0
n/a
n/a
n/a
1
1
15
TIS
None
None
None
0
n/a
n/a
n/a
1
1
Effect (intro)
Alert (intro)
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Detected: HEUR:Trojan.Script.Iframer
Quiet logging
Detected
Threat report
(intro)
Toaster
Product
KIS
Incident
14
1
1
1
1
1
1
1
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
No threats were detected on your
computer during the scan.
1
1
Complete
remediation
Defended
Compromised
Threat Report
(manual)
0
n/a
n/a
n/a
1
1
16
AVG
None
None
None
0
None
None
No infection was found during this
scan.
16
AVI
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
1
1
16
BDF
Pop-up
Blocked
Trojan.Generic.4480417
0
n/a
n/a
n/a
1
1
16
ESS
None
None
None
0
None
None
0 infected files
1
16
GIS
Pop-up
Quarantined
Unknown threat (m.274.tmp.exe);
Trojan.Generic.4477257 (Engine A)
0
Report
Disinfect
Trojan.Generic.4477257 (Engine A)
1
16
K7
Pop-up
Allow
Application Access!
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
1
16
KIS
Toaster
Denied
Denied:http://188.120.232..124/221/index.php
(analysis using the database of suspicious
URLs)
n/a
n/a
n/a
16
MIS
None
None
None
0
None
None
16
MSE
Toaster
(5x)
Quarantined
Detected threat:
TrojanDownloader:Win32/FakeRean
0
Yes
Quarantined
16
NIS
Toaster
Blocked
Trojan.Pidief.I
0
n/a
n/a
n/a
0
None
None
None
1
1
1
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
Microsoft Security Essentials
detected 1 potential threat.
TrojanDownloader:Win32/FakeRean
1
1
1
1
Effect (intro)
Alert (intro)
16
TIS
Toaster
(4x)
Detected.
Default to
allow
Suspicious activity detected. To safeguard
your security, do not allow the following
program to comminicate with the Internet
unless you recognize it. Program name:
FILE.EXE. Default to Allow. file.exe tried to
make itself launch automatically whenever
Windows starts up. Default to allow.
17
AVA
None
None
None
0
n/a
n/a
n/a
1
1
17
AVG
Pop-up
Moved to Virus
Vault
Threat detected! Threat name: Virus found
HTML/Framer
0
n/a
n/a
n/a
1
1
17
AVI
None
None
None
0
Report
None
None
Neutralized
Effect
(manual)
Alert (manual)
Malicious URL Blocked
Quiet logging
Blocked
Threat report
(intro)
Toaster
Product
AVA
Incident
16
1
1
None
17
ESS
Toaster
Quarantined
Connection terminated. A variant of
Win32/Cimag.CW trojan quarantined
0
n/a
n/a
n/a
17
GIS
None
None
None
0
None
None
None
17
K7
None
None
None
1
n/a
n/a
n/a
17
KIS
None
None
None
0
None
None
None
1
1
1
1
1
1
1
1
Effect (intro)
Alert (intro)
17
MIS
None
None
None
0
None
None
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
17
MSE
None
None
None
1
n/a
n/a
n/a
1
1
17
NIS
Browser
Malicious Web
Site Blocked
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
0
n/a
n/a
n/a
1
1
17
TIS
None
None
None
1
n/a
n/a
n/a
1
1
18
AVA
Pop-up
Blocked
Malware Blocked - HTML:Script-inf x8
0
Report
Move to Chest
HTML:Script-inf
18
AVG
None
None
None
0
n/a
n/a
n/a
1
1
18
AVI
None
None
None
0
n/a
n/a
n/a
1
1
18
BDF
None
None
None
0
n/a
n/a
n/a
1
1
18
ESS
Toaster
Quarantined
0
n/a
n/a
n/a
1
1
18
GIS
Pop-up
Disinfect
0
n/a
n/a
n/a
1
1
18
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
18
KIS
Toaster
Detected
Detected: HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
1
1
Connection terminated.
JS/TrojanDownloader.Gumblar.J trojan
quarantined
HTML:Script-inf (Engine B) x4;
Win32:Rootkit-gen [Rtk] (Engine B)
Compromised
None
Neutralized
Threat Report
(manual)
Report
Defended
Effect
(manual)
0
Complete
remediation
Alert (manual)
Flash Gallery Factory
Quiet logging
Firewall Alert
Threat report
(intro)
Pop-up
Product
BDF
Incident
17
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
18
MSE
Toaster
Removed
Detected threat: JS/Gamburi.E
0
None
None
No threats were detected on your
computer during the scan.
18
NIS
None
None
None
0
n/a
n/a
n/a
1
1
18
TIS
None
None
None
0
n/a
n/a
n/a
1
1
19
AVA
Toaster
Blocked
0
n/a
n/a
n/a
1
1
19
AVG
Pop-up
(2x)
Moved to Virus
Vault
Trojan Horse Blocked; Malicious URL
Blocked
Threat detected! Threat name: Trojan horse
Downloader.Generic9.CGOZ
0
n/a
n/a
n/a
1
1
19
AVI
Pop-up
Quarantined
JS/Agent.13838; TR/Crypt.ZPACK.Gen2
0
n/a
n/a
n/a
1
1
19
BDF
Pop-up
Blocked
Trojan.Generic.KD.18753 x3
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
Alert (intro)
Effect (intro)
Connection terminated.
Win32/TrojanDownloader.Carberp.H trojan
quarantined
JS:Downloader-RW [Trj] (Engine B);
Trojan.Generic.KD.18753 (Engine A) x2
1
19
ESS
Toaster
Quarantined
19
GIS
Pop-up
Quarantined
19
K7
Toaster
(2x)
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
19
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Iframer
0
n/a
n/a
n/a
1
1
19
MIS
Toaster
(2x)
Quarantined
Trojan Removed. McAfee detected and
automatically quarantined a Trojan from your
PC. No further action is requIred.
0
n/a
n/a
n/a
1
1
19
MSE
Toaster
Removed
Detected threat: Win32/Carberp.A
0
n/a
n/a
n/a
1
1
19
NIS
Toaster
Removed
Trojan.Pidief.I
0
n/a
n/a
n/a
1
1
19
TIS
None
None
None
1
None
None
None
20
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Trojan Removed. McAfee detected and
automatically quarantined a Trojan from your
PC. No further action is requIred.
Quiet logging
Quarantined
Threat report
(intro)
Toaster
Product
MIS
Incident
18
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
20
AVI
Toaster
Quarantined
JS/Agent.13838; TR/Drop.TDss.bry x3
0
Report
Quarantined
JAVA/Agent.em.3
1
1
20
BDF
Pop-up
Blocked
Trojan.Generic.4477257 x2
0
n/a
n/a
n/a
1
1
20
ESS
Toaster
Quarantined
Connection terminated. Win32/Olmarik.ABL
trojan quarantined
0
n/a
n/a
n/a
1
1
20
GIS
Pop-up
Quarantined
Trojan.Generic.4477257 (Engine A) x2
0
n/a
n/a
n/a
1
1
20
K7
Toaster
(4x)
Detected
High Security Risk Found
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
20
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Iframer
0
n/a
n/a
n/a
20
MIS
None
None
None
0
None
None
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
20
MSE
Toaster
(2X)
Removed
Detected threat: Trojan/Win32/Alureon.CT
0
n/a
n/a
n/a
1
1
20
NIS
Toaster
Removed
Trojan.Pidief.I
0
n/a
n/a
n/a
1
1
20
TIS
None
None
None
1
None
None
None
21
AVA
Toaster
Blocked
Malware Blocked - HTML:Script-inf; Malicious
URL Blocked - URL:Mal
0
n/a
n/a
n/a
1
1
21
AVG
None
None
None
0
n/a
n/a
n/a
1
1
21
AVI
None
None
None
0
n/a
n/a
n/a
1
1
21
BDF
None
None
None
0
n/a
n/a
n/a
1
1
21
ESS
Toaster
(2x)
Quarantined
Connection terminated.
HTML/ScrInject.B.Gen virus and
JS/TrojanDownloader.Gumblar.K trojan
quarantined
0
n/a
n/a
n/a
1
1
21
GIS
Pop-up
Disinfect
HTML:Script-inf (Engine B)
0
n/a
n/a
n/a
1
1
Effect (intro)
Alert (intro)
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Threat detected! Threat name: Trojan horse
Adload_r.AHD
Quiet logging
Moved to Virus
Vault
Threat report
(intro)
Pop-up
(2x)
Product
AVG
Incident
20
1
1
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
21
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
1
1
21
MIS
Toaster
Quarantined
Trojan Removed. McAfee detected and
automatically quarantined a Trojan from your
PC. No further action is requIred.
0
n/a
n/a
n/a
1
1
21
MSE
None
None
None
1
n/a
n/a
n/a
1
1
21
NIS
None
None
None
0
n/a
n/a
n/a
1
1
21
TIS
None
None
None
1
None
None
None
1
1
22
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
1
1
0
None
None
No infection was found during this
scan.
Effect (intro)
Alert (intro)
22
AVG
Pop-up
Moved to Virus
Vault
Threat detected! May be infected by unknown
virus Win32/DH.CAFF840167. Detected on
open.
22
AVI
Pop-up
Quarantined
TR/Dropper.Gen
0
n/a
n/a
n/a
22
BDF
None
None
None
0
None
None
None
22
ESS
Toaster
Blocked
0
n/a
n/a
n/a
22
GIS
Pop-up
Quarantined
0
n/a
n/a
n/a
22
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
22
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Iframer
0
n/a
n/a
n/a
1
1
Allow
Program Wants Internet Access. McAfee
detected a program on your PC that is tring to
accept incoming connections from the
Internet. Protect your PC by only allowing
Internet access for programs you trust.
0
Yes
Removed
Viruses, Trojans and Cookies
Removed. Generic Rootkit d!rootkit.
22
MIS
Toaster
Address has been blocked. URL address:
"hostads.cn"
Gen:Heur.Krypt.9 (Engine A); Unknown
threat; Java:Djewers-T [Trj] (Engine B)
{block}; Gen:Heur.Krypt.9 (Engine A);
HTML:Script-inf (Engine B) {removed next
time reboots}
Compromised
Threat Report
(manual)
1
Neutralized
Effect
(manual)
Alert (manual)
None
Quiet logging
None
Threat report
(intro)
None
Product
K7
Incident
21
1
1
1
1
1
1
1
1
MSE
None
None
None
0
Yes
22
NIS
Browser
Blocked
Known browser risks detected and blocked
0
Report
None
None
0
None
None
The scan found no security threats
on this computer.
0
n/a
n/a
n/a
0
Report
Removed
Infections: C:\syswnro.exe and
C:\Documents . . . \3412[1].gif
Detected items upon reboot and
Quick Scan: Trojan:Win32/FakeCog
(2x) and Trojan:Win32/Tibs.IT.
Detected items from Full Scan:
Trojan:Win32/Alureon.DN
1
1
22
TIS
Toaster
23
AVA
Toaster
Blocked
23
AVG
Pop-up
Moved to Virus
Vault
Virus Found. Infected file: js(1).php. Threat
name: JS.WEBSTART.B. An untreatable
virus has infected one of your files. Please try
deleting the file or running the scan again
later to prevent the infection from spreading.
Click Get Help for more suggestions.
Trojan Horse Blocked; Malicious URL
Blocked
Threat detected! Threat name: Trojan horse
Small.CEU
23
AVI
Pop-up
Denied
TR/Dropper.Gen
0
n/a
n/a
n/a
1
1
23
BDF
Pop-up
Blocked
Trojan.Crypt.HO x2
0
n/a
n/a
n/a
1
1
23
ESS
Toaster
Quarantined
Connection terminated. Probably a variant of
Win32/Salty.NBB virus quarantined
0
n/a
n/a
n/a
1
1
23
GIS
Pop-up
Disinfect
JS:ScriptPE-inf [Trj] (Engine B)
0
n/a
n/a
n/a
1
1
23
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
23
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Iframer
0
n/a
n/a
n/a
1
1
23
MIS
Toaster
Blocked
VBS/Psyme (Trojan)
0
n/a
n/a
n/a
1
1
23
MSE
Toaster
Quarantined
Detected threat: Virus:in32/Salty.AT
0
n/a
n/a
n/a
1
1
Compromised
1
Detected with
instructions to
manually
remove
Neutralized
Defended
Complete
remediation
Threat Report
(manual)
Effect
(manual)
Alert (manual)
Quiet logging
Threat report
(intro)
Effect (intro)
Alert (intro)
Product
Incident
22
Quarantined;
Removed;
Removed. MSE
required a reboot
then issued a
toaster requiring
a full scan. The
full scan detected
4 potential
threats.
1
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
23
TIS
None
None
None
1
n/a
n/a
n/a
1
1
24
AVA
Toaster
Blocked
0
n/a
n/a
n/a
1
1
24
AVG
Pop-up
Moved to Virus
Vault
Trojan Horse Blocked - JS:Downloader-PB
[Trj]; Malware Blocked - Win32:Sality
Threat detected! Threat name: Virus found
Win32/Heur
0
n/a
n/a
n/a
1
1
24
AVI
Pop-up
Quarantined
HTML/Crypted.Gen; W32/Sality.AT
0
n/a
n/a
n/a
1
1
24
BDF
Pop-up
Blocked
Win32.Sality.3 x2; Trojan.Downloader.JS.FP
0
n/a
n/a
n/a
1
1
24
ESS
Toaster
Quarantined
0
n/a
n/a
n/a
1
1
24
GIS
Pop-up
Blocked
0
n/a
n/a
n/a
1
1
24
K7
Toaster
Detected
High Security Risk Found
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
24
KIS
Toaster
Denied
Denied: Exploit.JS.ADODB.Stream.aw
0
n/a
n/a
n/a
1
1
24
MIS
None
None
None
1
n/a
n/a
n/a
1
1
24
MSE
Toaster
Disinfected
Detected threat: Virus:in32/Salty.AT (2x)
0
Yes
Quarantined
Microsoft Security Essentials
detected 1 potential threat on your
computer. Detected item:
Trojan:Win32/Orsm!rts
24
NIS
Browser
Malicious Web
Page Blocked
0
n/a
n/a
n/a
24
TIS
Toaster
Detected
0
None
None
The scan found no security threats
on this computer.
25
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
1
1
25
AVG
Pop-up
Moved to Virus
Vault
Threat detected! Threat name: Trojan horse
Downloader Generic3.CAYP
0
n/a
n/a
n/a
1
1
Effect (intro)
Alert (intro)
Connection terminated. Probably a variant of
Win32/Salty.NBB virus quarantined
Win32.Sality.3 (Engine A); JS:Downloader-PB [Trj] (Engine B)
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks.
(1) Suspicious activity detected. To
safeguard your security, do not allow the
following program to communicate with the
Internet unless you recognize it. Program
name: sysfhay.exe. (2) Trojan Horse
Program Deleted PE.Sality.BA.
1
1
1
1
1
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
HTTP MS Office Web Components Code
Exec 1
Quiet logging
Blocked
Threat report
(intro)
Toaster
Product
NIS
Incident
23
Complete
remediation
Defended
n/a
n/a
n/a
1
1
25
BDF
Pop-up
Blocked
Trojan.Generic.4050242 x2
0
n/a
n/a
n/a
1
1
25
ESS
Toaster
Quarantined
0
n/a
n/a
n/a
1
1
25
GIS
Pop-up
Disinfect
0
n/a
n/a
n/a
1
1
25
K7
Toaster
Detected
0
n/a
n/a
n/a
1
1
25
KIS
Toaster
Denied
0
None
None
None
25
MIS
Toaster
(3x)
Blocked
0
n/a
n/a
n/a
1
1
25
MSE
Toaster
Removed
0
n/a
n/a
n/a
1
1
25
NIS
Browser
Blocked
0
n/a
n/a
n/a
1
1
25
TIS
Browser
Blocked
0
n/a
n/a
n/a
1
1
26
AVA
Toaster
Blocked
0
n/a
n/a
n/a
1
1
26
AVG
None
None
None
1
n/a
n/a
n/a
1
1
26
AVI
Toaster
Blocked
TR/Drop.Ag.32768.1
0
None
None
None
26
BDF
None
None
None
0
None
None
None
Effect (intro)
Alert (intro)
Connection terminated.
Win32/TrojanDownloader.Small.OXR trojan
quarantined
JS:Prontexi-BX [Trj] (Engine B);
Trojan.Generic.4050242 (Engine A); JS:CVE-2010-0806-AO [Expl] (Engine B)
High Security Risk Found
Denied: Trojan-Downloader.Win32.Small.ares; Denied:
Trojan.Win32.Agent.dzph; Packed: Swf25wc
(4x)
Artemis!CA21805FFF40 (Trojan); Buffer
Overflow Prevented
Detected threat:
TrojanDownloader:Win32/Small.PF
Site is Unsafe: Known browser risks detected
and blocked
Opening this website may put your security at
risk. The website you wanted to see might
transmit malicious software to your computer,
or has done that before to someone else. It
may also show signs of involvement in online
scams or fraud. Address:
htt://www.koalalist.con/. Rating: Dangerous.
Malicious URL Blocked; Trojan Horse
Blocked - JS:Redirector-CZ [Trj]; Malware
Blocked - HTML:Script-inf x2
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
HTML/Ag.igw.55524; TR/Dldr.Small.Ares.13
x2
Quiet logging
Quarantined
Threat report
(intro)
Toaster
Product
AVI
Incident
25
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
26
GIS
Toaster
Quarantined
HTML:Script-inf (Engine B)
0
n/a
n/a
n/a
1
1
26
K7
Toaster
Detected
High Security Risk Found
0
n/a
n/a
n/a
1
1
26
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
1
1
26
MIS
Toaster
Quarantined
JS.Redirector.V (Trojan)
0
n/a
n/a
n/a
1
1
26
MSE
Toaster
Removed
Detected threat: JS/Gamburi.E
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
1
1
Effect (intro)
Alert (intro)
26
NIS
Browser
Blocked
26
TIS
Toaster
Blocked
27
AVA
Toaster
Blocked
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks
Suspicious activity blocked. Threat name:
JS.GUMBLAR.SMQ
Malware Blocked - HTML:Script-inf; Malicious
URL Blocked - URL:Mal
27
AVG
None
None
None
0
Report
Removed and
healed
41 infections found. 21 removed and
healed. 20 not removed or healed
with an option to remove all
unhealed infections.
27
AVI
Toaster
Quarantined
TR/PSW.Kates.JS
0
n/a
n/a
n/a
27
BDF
None
None
None
0
None
None
None
27
ESS
Toaster
(3x)
Quarantined
Connection terminated.
HTML/ScrInject.B.Gen virus (2x) and
JS/TrojanDownloader.Gumblar.K trojan
quarantined
0
n/a
n/a
n/a
1
1
27
GIS
Toaster
Quarantined
HTML:Script-inf (Engine B) x2
0
n/a
n/a
n/a
1
1
27
K7
Toaster
Detected
High Security Risk Found
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
27
KIS
Toaster
Denied
Denied: HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Connection terminated.
JS/TrojanDownloader.Gumblar.J trojan and
HTML/ScrInject.B.Gen virus quarantined
Quiet logging
Quarantined
Threat report
(intro)
Toaster
(2x)
Product
ESS
Incident
26
1
1
1
1
MIS
Toaster
(5x)
Removed
Artemis!38FD7EA8FE18 (Trojan)
27
MSE
Toaster
Removed
Detected threat: JS/Gamburi.E
27
NIS
Browser
Blocked
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks
27
TIS
Toaster
Suspicious
Program
Terminated.
Program name: iexplore.exe. Activity:
Unauthorized changes.
28
AVA
None
None
None
28
AVG
None
None
28
AVI
None
28
BDF
28
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
No threats were detected on your
computer during the scan.
Compromised
Neutralized
Defended
Complete
remediation
Threat Report
(manual)
Effect
(manual)
Alert (manual)
Quiet logging
Threat report
(intro)
Effect (intro)
Alert (intro)
Product
Incident
27
None
None
0
None
None
0
n/a
n/a
n/a
None
None
The scan found no security threats
on this computer.
1
0
None
None
None
1
None
0
Report
Removed and
healed
43 infections found. 22 removed and
healed. 21 not removed or healed
with an option to remove all
unhealed infections.
None
None
0
None
None
None
1
None
None
None
0
None
None
None
1
ESS
Toaster
Quarantined
Connection terminated.
JS/TrojanDownloader.Gumblar.K trojan
quarantined
0
n/a
n/a
n/a
28
GIS
None
None
None
0
None
None
None
1
28
K7
None
None
None
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
1
28
KIS
Toaster
Detected
Detected: HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
1
1
28
MIS
Toaster
Quarantined
JS.Redirector.V (Trojan)
0
n/a
n/a
n/a
1
1
28
MSE
None
None
None
0
None
None
No threats were detected on your
computer during the scan.
28
NIS
Browser
Blocked
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks
0
n/a
n/a
n/a
1
1
28
TIS
None
None
None
1
n/a
n/a
n/a
1
1
1
1
1
1
1
1
1
1
Complete
remediation
Defended
Compromised
Threat Report
(manual)
0
n/a
n/a
n/a
1
1
29
AVG
None
None
None
0
n/a
n/a
n/a
1
29
AVI
None
None
None
0
n/a
n/a
n/a
1
29
BDF
Pop-up
Blocked
Trojan.Generic.KD.20885 x3
0
n/a
n/a
n/a
29
ESS
None
None
None
0
None
None
None
29
GIS
Pop-up
Disinfect
0
n/a
n/a
n/a
29
K7
Pop-up
Block
0
n/a
n/a
n/a
29
KIS
Toaster
Denied
HEUR:Exploit.Script.Generic x2
0
n/a
n/a
n/a
29
MIS
Pop-up
Detected
FakeAlert-FakeSpy!env.a (Trojan)
0
None
None
None
29
MSE
None
None
None
0
n/a
n/a
n/a
29
NIS
Browser
Blocked
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks.
0
n/a
n/a
n/a
1
1
29
TIS
None
None
None
1
n/a
n/a
n/a
1
1
30
AVA
Toaster
Blocked
Trojan Horse Blocked - Win32.Bredolab-DL
[Trj] x2
0
n/a
n/a
n/a
1
1
30
AVG
None
None
None
0
n/a
n/a
n/a
1
30
AVI
None
None
None
0
n/a
n/a
n/a
1
30
BDF
Pop-up
Blocked
Gen.Variant.Bredo.2; Gen.Variant.TDss.3
0
Report
Disinfection
failed
Exploit.PDF-JS.Gen
1
30
ESS
Toaster
Quarantined
Win32/Kryptik.FNJ trojan; Multiple threats
0
n/a
n/a
n/a
Effect (intro)
Alert (intro)
Trojan.Generic.KD.20885 (Engine A) x3;
Exploit.PDF-JS.Gen (Engine A)
New AutoStart Entry Found! Advise: … unless
you have installed a new software or you
recognize this application do not accept this
change.
1
Neutralized
Effect
(manual)
Alert (manual)
Malicious URL Blocked
Quiet logging
Blocked
Threat report
(intro)
Toaster
Product
AVA
Incident
29
1
1
1
1
1
1
1
1
1
1
1
Complete
remediation
Defended
n/a
n/a
n/a
1
1
30
K7
Pop-up
Application
Access!
Allow is default
0
None
None
None
30
KIS
Browser
Blocked
HEUR:Trojan.Script.Generic
0
n/a
n/a
n/a
30
MIS
Pop-up
Removed
FakeAlert-FakeSpy!env.a (Trojan)
0
None
None
None
0
Report
Multiple
Win32/Winwebsec; Java/CVE-2008-5353.FJ; Java/OpenConnection.EE;
Win32/Fitmu.A
1
1
1
1
Effect (intro)
Alert (intro)
30
MSE
Pop-up
Sample
Submission
Microsoft Security Essentials detected items
on your computer that may have not yet been
classified for risks. Sending the files listed
below can help Microsoft analysts determine
if these items are malicious: 934…exe
30
NIS
None
None
None
0
n/a
n/a
n/a
1
1
30
TIS
Pop-up
Untreatable
JS WEBSTART.B
0
n/a
n/a
n/a
1
1
31
AVA
Toaster
Blocked
Trojan Horse Blocked
0
None
None
None
31
AVG
None
None
None
0
None
None
No infection was found during this
scan.
31
AVI
None
None
None
0
Report
Quarantined
JAVA/ClassLoader.T
31
BDF
None
None
None
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
Report
Log only
Java:Djewers-T [Trj] (Engine B)
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
0
n/a
n/a
n/a
None
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
31
ESS
Toaster
Quarantined
31
GIS
Pop-up
Disinfect
31
K7
Pop-up
Allow
31
KIS
Toaster
Denied
31
MIS
None
None
Connection terminated. A variant of
Win32/Kryptik.FOO trojan quarantined
JS:Redirector-DC [Trj] (Engine B);
Java:Djewers-T [Trj] (Engine B)
Application Access! The program lsQJ.IbMVq
is connecting to a network. The developer of
the program is not known.
Denied: Exploit.Java.CVE-2010-0886.a
None
0
None
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Win32.Bredolab-DL [Trj] (Engine B) x3;
Java:Djewers-T [Trj] (Engine B)
Quiet logging
Disinfect
Threat report
(intro)
Pop-up
Product
GIS
Incident
30
1
1
1
1
1
1
1
1
1
0
None
None
No threats were detected on your
computer during the scan.
31
NIS
Browser
Blocked
Site is Unsafe
0
n/a
n/a
n/a
1
1
31
TIS
None
None
None
1
n/a
n/a
n/a
1
1
32
AVA
Toaster
Blocked
JS:FakeAV-EX [Trj]
0
n/a
n/a
n/a
1
1
32
AVG
Pop-up
Moved to Virus
Vault
Threat detected! Threat name: Trojan horse
FakeAlert SG
0
n/a
n/a
n/a
1
1
32
AVI
None
None
None
0
n/a
n/a
n/a
1
1
32
BDF
None
None
None
0
n/a
n/a
n/a
1
1
32
ESS
Toaster
Blocked
Address has been blocked. URL address:
"whereisdudescars.com/js2.php"
0
n/a
n/a
n/a
1
1
32
GIS
Pop-up
Disinfect
JS:FakeAV-EX [Trj] (Engine B)
0
n/a
n/a
n/a
1
1
32
K7
None
None
None
0
n/a
n/a
n/a
1
1
32
KIS
None
None
None
0
n/a
n/a
n/a
1
1
32
MIS
None
None
None
0
n/a
n/a
n/a
1
1
32
MSE
None
None
None
1
n/a
n/a
n/a
1
1
32
NIS
Toaster
Blocked
HTTP Fake Scan Webpage 5
0
n/a
n/a
n/a
1
1
Virus Found. Infected file: j107ac99.... Threat
name:JS.FAKESCAN.SMI. An untreatable
virus has infected one of your files. Please try
deleting the file or running the scan again
later to prevent the infection from spreading.
Click Get Help for more suggestions.
0
n/a
n/a
n/a
1
1
1
32
TIS
Toaster
Detected with
instructions to
manually
remove
33
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
1
1
33
AVG
None
None
None
1
n/a
n/a
n/a
1
1
Compromised
None
Defended
None
Effect
(manual)
None
Neutralized
Complete
remediation
Threat Report
(manual)
Alert (manual)
Quiet logging
Threat report
(intro)
Alert (intro)
Effect (intro)
Product
MSE
Incident
31
Complete
remediation
Defended
n/a
n/a
n/a
1
1
33
BDF
Pop-up
Blocked
Trojan.Crypt.HO x4
0
Report
Deleted
Trojan.Crypt.HO x7
33
ESS
Toaster
Quarantined
0
0
1
1
33
GIS
Pop-up
Quarantined
33
K7
Toaster
Removed
33
KIS
Toaster
Alert (intro)
Effect (intro)
Connection terminated. Win32/Salty.NBB
virus quarantined
Trojan.Crypt.HO (Engine A) x3;
JS:Downloader-XN [Trj] (Engine B) x3
0
1
0
n/a
n/a
n/a
1
1
High Security Risk Found
0
n/a
n/a
n/a
1
1
Detected
Detected: Trojan.JS.Iframe.no
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
33
MIS
Toaster
Blocked
Script Blocked. McAfee prevented a
potentially harmful script from running on your
PC. Detected: VBS/Psyme (Trojan) No
further action required.
33
MSE
None
None
None
1
n/a
n/a
n/a
1
1
33
NIS
Browser
Blocked
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
0
n/a
n/a
n/a
1
1
33
TIS
None
None
None
1
n/a
n/a
n/a
1
1
34
AVA
None
None
None
0
n/a
n/a
n/a
1
1
34
AVG
None
None
None
0
n/a
n/a
n/a
1
1
34
AVI
None
None
None
0
Report
Quarantined
TR/Dropper.Gen ; JAVA/Agent.M.1
34
BDF
None
None
None
0
n/a
n/a
n/a
0
None
None
0 infected files
1
1
1
34
ESS
Toaster
Quarantined
Connection terminated. A variant of
Win32/Cimag.CW trojan quarantined
34
GIS
None
None
None
0
n/a
n/a
n/a
1
1
34
K7
None
None
None
0
n/a
n/a
n/a
1
1
34
KIS
None
None
None
0
n/a
n/a
n/a
1
1
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
TR/Dropper.Gen x3
Quiet logging
Quarantined
Threat report
(intro)
Toaster
Product
AVI
Incident
33
1
Complete
remediation
Defended
0
n/a
n/a
n/a
1
1
34
MSE
None
None
None
0
n/a
n/a
n/a
1
1
34
NIS
None
None
None
0
n/a
n/a
n/a
1
1
34
TIS
None
None
None
0
n/a
n/a
n/a
1
1
35
AVA
Toaster
Blocked
Trojan Horse Blocked
0
n/a
n/a
n/a
1
1
35
AVG
Pop-up
Moved to Virus
Vault
0
None
None
No infection was found during this
scan.
35
AVI
Pop-up
Quarantined
Threat detected! Threat name: Trojan horse
BackDoor.Generic12BZYQ
JS/Cosmu.C; HTML/Infected.WebPage.Gen;
BDS/Backdoor.Gen
0
n/a
n/a
n/a
35
BDF
None
None
None
0
None
None
None
35
ESS
None
None
None
0
Pop-up
(see
note)
Disconnect is the
default option
Warning. Potential threat found:
probably a variant of Win32/Statik
potentially unwanted application.
1
35
GIS
Toaster
Disinfect
Win32:Malware-gen; Win32-Dialer 1486 (Trj)
(Engine B)
0
Virus
Disinfect (if not
possible
quarantine)
Win32:Malware-gen
1
35
K7
Toaster
Removed
High Security Risk Found
0
None
None
Scan Completed. No Viruses,
spyware or other risks were found.
35
KIS
Toaster
Deleted
Deleted: Trojan-GameThief.Win32.Magania.dmzx
0
None
None
None
35
MIS
None
None
None
0
None
None
35
MSE
Toaster
Removed
Detected threat: Win32/Farfli.K
0
None
None
35
NIS
Toaster
Removed
index[1].htm (Trojan Horse)
0
n/a
n/a
n/a
1
1
35
TIS
None
None
None
1
n/a
n/a
n/a
1
1
36
AVA
Toaster
Blocked
Trojan Horse Blocked - JS:Redirector-E [Trj]
0
n/a
n/a
n/a
1
1
Effect (intro)
Compromised
Threat Report
(manual)
None
Neutralized
Effect
(manual)
Alert (manual)
None
Quiet logging
Alert (intro)
None
Threat report
(intro)
Product
MIS
Incident
34
1
1
1
1
1
1
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
No threats were detected on your
computer during the scan.
1
1
1
Trojan.Generic.KD.19315 x2
0
n/a
n/a
n/a
1
1
Quarantined
Connection terminated. Win32/Oficia.HW
trojan and JS/Exploit.Pdfka.OBH.Gen trojan
quarantined
0
n/a
n/a
n/a
1
1
Pop-up
Disinfect
JS:Redirector-E [Trj] (Engine B)
0
n/a
n/a
n/a
1
1
K7
Toaster
Removed
High Security Risk Found
0
n/a
n/a
n/a
1
1
36
KIS
Toaster
Denied
0
n/a
n/a
n/a
1
1
36
MIS
Toaster
(3x)
Script
Blocked/Trojan
Removed
0
n/a
n/a
n/a
1
1
36
MSE
Toaster
Removed
Detected threat: Win32/Oficia.M
0
n/a
n/a
n/a
1
1
36
NIS
Browser
Blocked
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
0
n/a
n/a
n/a
1
1
36
TIS
None
None
None
1
None
None
The scan found no security threats
on this computer.
37
AVA
Toaster
Blocked
Malicious URL Blocked
0
n/a
n/a
n/a
37
AVG
Pop-up
(2x)
Moved to Virus
Vault
Threat detected! Threat name: may be
infected by unknown virus
Win32/DH.CAFF82016C (2x)
0
Report
Removed and
healed
1 infection found. 1 removed and
healed (C:\Documents and Settings\
…\M8CQYA5P\file(1).exe
37
AVI
Pop-up
Denied
TR/Vilsel.ajct x3
0
n/a
n/a
n/a
1
1
37
BDF
Pop-up
Blocked
Trojan.Generic.4533749 x2; Exploit.PDF-Payload.Gen
0
n/a
n/a
n/a
1
1
Effect (intro)
Alert (intro)
36
AVI
Pop-up
Denied
HTML/Crypted.Gen
36
BDF
Pop-up
Blocked
36
ESS
Toaster
(2x)
36
GIS
36
Denied: http://traffic-source.org… (analysis
using the database of suspicious URLs)
Script Blocked. McAfee prevented a
potentially harmful script from running on your
PC. Detected: JS/Redirector.a (Trojan) No
further action required. (The same trojan
was removed)
1
1
1
1
1
Compromised
1
Threat detected! Threat name: Trojan horse
Dropper.Generic2.YWZ
Neutralized
n/a
Moved to Virus
Vault
Defended
Threat Report
(manual)
n/a
Pop-up
Complete
remediation
Effect
(manual)
Alert (manual)
n/a
AVG
Quiet logging
0
Threat report
(intro)
C:\Documents and Settings\. .
.\6F161D1\load[1].exe
Product
Removed and
healed
Incident
Found 1
infection
36
Quarantined
37
GIS
Pop-up
Disinfect
37
K7
Toaster
Removed
37
KIS
Toaster
Detected
0
n/a
n/a
n/a
1
1
High Security Risk Found
0
n/a
n/a
n/a
1
1
Detected: Trojan.JS.Agent.bia
0
n/a
n/a
n/a
1
1
(1) Quick Scan complete. 1
remaining issue. (2) same message
1
37
MIS
Toaster
(3x)
Blocked;
Removed
Buffer Overflow Prevented;
Artemis!A1C02BEC3A08 and
Exploit.MSDirectShow.b Trojan Removed
0
Yes
(1) Unresolved
issues. Some
items could not
be deleted,
please restart
and scan your
PC again. (2)
same message
37
MSE
Toaster
Removed
Detected threat: Trojan:Win32/Meredrop
0
n/a
n/a
n/a
1
1
Blocked
This Web page has malicious browser
exploits, which use vulnerabilities in browsers
to launch attacks.
0
n/a
n/a
n/a
1
1
37
NIS
Browser
Compromised
0 infected files
Defended
None
Complete
remediation
None
Neutralized
Alert (manual)
0
Quiet logging
Threat Report
(manual)
Toaster
(6x)
Effect
(manual)
ESS
Threat report
(intro)
Effect (intro)
Alert (intro)
Product
Incident
37
Connection terminated. A variant of
Win32/Kryptik.FKQ trojan (2x); probably a
variant of Win32/TrojanDownloader.Agent
trojan; a variant of
Java/TrojanDownloader.Agent NAN trojan;
VBS/TrojanDownloader.Psyme.NGJ trojan
(2x) quarantined
JS:Downloader-SG [Trj] (Engine B) x3;
Trojan.Generic.4533749 (Engine A) x5;
Exploit.PDF-Payload.Gen (Engine A);
1
None
0
n/a
n/a
n/a
1
1
38
AVG
None
None
None
0
n/a
n/a
n/a
1
1
38
AVI
None
None
None
0
n/a
n/a
n/a
1
1
38
BDF
None
None
None
0
n/a
n/a
n/a
1
1
38
ESS
Toaster
Quarantined
Connection terminated.
HTML/ScrInject.B.Gen virus quarantined
0
n/a
n/a
n/a
1
1
38
GIS
None
None
None
0
n/a
n/a
n/a
1
1
38
K7
None
None
None
0
n/a
n/a
n/a
1
1
38
KIS
None
None
None
0
n/a
n/a
n/a
1
1
38
MIS
None
None
None
0
n/a
n/a
n/a
1
1
38
MSE
None
None
None
1
n/a
n/a
n/a
1
1
38
NIS
None
None
None
0
n/a
n/a
n/a
1
1
38
TIS
None
None
None
0
n/a
n/a
n/a
1
1
None
The scan found no security threats
on this computer.
1
Compromised
None
None
Defended
None
0
Complete
remediation
AVA
Effect
(manual)
38
Threat name: JS.AGENT.AWBF.
Neutralized
Threat Report
(manual)
Alert (manual)
Quiet logging
Effect (intro)
Threat report
(intro)
Alert (intro)
Toaster
Product
TIS
Incident
37
An untreatable
virus has
infected one of
your files.
Please try
deleting the
file or running
the scan again
later to prevent
the infection
from
spreading.
Click Get Help
for more
suggestions.
Complete
remediation
Defended
n/a
n/a
n/a
1
1
39
AVG
Pop-up
Removed
Viruses: Script/Exploit, Exploit, Exploit
MsVidCtl, Trojan horse BackDoor Generic 1. . .
0
n/a
n/a
n/a
1
1
39
AVI
Pop-up
Denied
HTML/Infected.WebPage.Gen
0
n/a
n/a
n/a
1
1
39
BDF
Pop-up
Blocked
0
n/a
n/a
n/a
1
1
39
ESS
Toaster
(8x)
Quarantined
0
None
None
0 infected files
39
GIS
Pop-up
Quarantined
0
n/a
n/a
n/a
1
1
39
K7
Toaster
Removed
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
0
None
None
Quick Scan complete. McAfee did
not detect any issues on your PC.
No further action is needed.
0
n/a
n/a
n/a
1
1
0
n/a
n/a
n/a
1
1
Alert (intro)
Effect (intro)
Exploit.Cosmu.Al Exploit.Comele.D;
Trojan.Script.455589;
Backdoor.Generic.395524;
Trojan.Script.444076
Connection terminated. JS/Exploit.CVE-2010-0249 trojan (4x), JS/Exploit.CVE-2010-0806
trojan (4x) quarantined
Exploit.Comele.D (Engine A);
Exploit.Cosmu.A (Engine A)
High Security Risk Found
Denied: Exploit.JS.CVE-2010-0806.b (3x);
Exploit.JS.Agent.awx; JS.CVE-2010-0806.i;
Trojan-Downloader.Win32.Small.kmu
Script Blocked. McAfee prevented a
potentially harmful script from running on your
PC. Detected:Exploit.Comele (Trojan) No
further action required.
Detected threat: Trojan:JS/CVE-2010-0249
and Exploit:JS/ShellCode.J
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
1
39
KIS
Toaster
Denied
39
MIS
Toaster
(2x)
Blocked;
Removed
39
MSE
Toaster
Removed
39
NIS
Browser
Blocked
39
TIS
None
None
None
1
n/a
n/a
n/a
1
1
40
AVA
None
None
None
0
n/a
n/a
n/a
1
1
40
AVG
None
None
None
0
n/a
n/a
n/a
1
1
40
AVI
None
None
None
0
n/a
n/a
n/a
1
1
40
BDF
None
None
None
0
n/a
n/a
n/a
1
1
1
Compromised
Threat Report
(manual)
0
Neutralized
Effect
(manual)
Alert (manual)
Exploit Blocked - JS:CVE-2010-0247-N [Exp]
Quiet logging
Blocked
Threat report
(intro)
Pop-up
Product
AVA
Incident
39
Complete
remediation
Defended
0
n/a
n/a
n/a
1
1
40
GIS
None
None
None
0
n/a
n/a
n/a
1
1
40
K7
None
None
None
0
n/a
n/a
n/a
1
1
40
KIS
None
None
None
0
n/a
n/a
n/a
1
1
40
MIS
None
None
None
0
n/a
n/a
n/a
1
1
40
MSE
None
None
None
1
n/a
n/a
n/a
1
1
40
NIS
Browser
Blocked
This is a known mailicious (sic) web site. It is
recommended that you do NOT visit this site.
0
n/a
n/a
n/a
1
1
40
TIS
None
None
None
0
n/a
n/a
n/a
1
1
Effect (intro)
Compromised
Threat Report
(manual)
None
Neutralized
Effect
(manual)
Alert (manual)
None
Quiet logging
Alert (intro)
None
Threat report
(intro)
Product
ESS
Incident
40
APPENDIX D: TOOLS
Ebtables
http://ebtables.sourceforge.net
The ebtables program is a filtering tool for a bridging firewall. It can be used to force network traffic
transparently through the Squid proxy.
Fiddler2
www.fiddlertool.com
A web traffic (HTTP/S) debugger used to capture sessions when visiting an infected site using a verification
target system (VTS).
HTTPREPLAY
http://www.microsoft.com
A SOCKTRC plug-in enabling the analysis and replaying of HTTP traffic.
Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Process Explorer shows information about which handles and DLLs processes have opened or loaded. It also
provides a clear and real-time indication when new processes start and old ones stop.
Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Process Monitor is a monitoring tool that shows real-time file system, Registry and process/thread activity.
Regshot
http://sourceforge.net/projects/regshot
Regshot is an open-source Registry comparison utility that takes a snapshot of the Registry and compares it
with a second one.
Squid
www.squid-cache.org
Squid is a caching web proxy that supports HTTP, HTTPS, FTP and other protocols.
Tcpdump
www.tcpdump.org
Tcpdump is a packet capture utility that can create a copy of network traffic, including binaries.
TcpView
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
TcpView displays network connections to and from the system in real-time.
Windows Command-Line Tools
Those used included 'systeminfo' and 'sc query'. The systeminfo command "enables an administrator to
query for basic system configuration information". The sc command is "used for communicating with the
NT Service Controller and services".
Wireshark
www.wireshark.org
Wireshark is a network protocol analyzer capable of storing network traffic, including binaries, for later
analysis.
APPENDIX E: TERMS OF THE TEST
This test was sponsored by Symantec.
The test rounds were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of
the software available on any given day.
All products were able to communicate with their back-end systems over the internet.
The products selected for this test were chosen by Symantec.
Samples were located and verified by Dennis Technology Labs.
Products were exposed to threats within 24 hours of the same threats being verified. In practice there was
only a delay of up to three to four hours.
Details of the samples, including their URLs and code, were provided to Symantec only after the test was
complete.