In a recent study conducted in collaboration with the University of Bradford, we put the static and dynamic detection of antivirus systems to the test against malicious files, and our results were significantly different from those achieved by av-test.org. We tested the antivirus products with malicious files on the day those files were created, whereas the tests performed by av-test.org used malware that had been in circulation for a few days.
The following observations were made during the period of research:
- There is a significant difference between static and dynamic detection. Most people will submit a suspicious file to platforms such as NoDistribute or VirusTotal to gain confidence that the file is safe to open. However, our results show that Kaspersky antivirus achieved a detection rate of 73.3% when using static scanning against 93.3% when using dynamic detection. Likewise, Panda Security achieved up to 25% detection when using static detection against 60% when using dynamic detection.
- The idea of a “sheep dip” is not adapted to the current threat landscape. Whilst some companies make a dedicated computer available to scan USB drives or untrusted files before they are opened, malware is now better at bypassing static signatures and heuristics.
- Certain free antivirus products such as AVG had a combined 80% detection rate, against commercial products that only had a combined detection rate of 40%.
- Some of the well-known antivirus brands did not achieve a combined detection rate higher than 40%.
- Shellter and Venom were the two most effective free tools we used to bypass antivirus, with an average detection rate of less than 2%.
- The detection rate was better when the files were executed. At rest, the detection rate under manual analysis was 60%, compared to 70.7% when the files were executed.
- We used 15 different tools to create malicious files. None of the antivirus products was able to detect all the files created by all the tools. Kaspersky, Avast and AVG performed reasonably well.
- We conclude that operational environments should not rely on antivirus or endpoint protection. Alternative and complementary methods, such as continual monitoring, would allow malicious activities to be detected.
Nettitude would like to thank Abidullah Zarghoon and the University of Bradford for their contribution to this project.
The full paper is going to be available on the IEEE website in the coming weeks. The paper has been accepted for presentation at the 12th International Conference for Internet Technology and Secured Transactions (ICITST-2017), co-sponsored by the IEEE UK and RI Computer Chapter. ICITST-2017 will be held at the University of Cambridge, UK, from the 11th to the 14th of December 2017.