We will pit two British antiviruses against each other, test a new Chinese antivirus with its own engine, and look at an interesting Czech development still in beta. All of them are available for free and offer additional layers of protection beyond basic system scanning. Can these antiviruses defeat the hordes of trojans and worms that we have prepared for them?
Our tests of other antiviruses
- Kaspersky Free, Avira Free, AVG Free and Avast! Free
- Comodo, Qihoo 360, Panda and Windows Defender
- Clam Sentinel, FortiClient, Tencent and NANO Antivirus
- Ad-Aware, Crystal Security, Sophos Home, and ZoneAlarm + Firewall
- Anvi Smart Defender Free, Baidu Antivirus, Immunet AntiVirus and Zillya!
- Bitdefender, Clearsight, Rising, Roboscan
- F-Secure Anti-Virus, G Data AntiVirus, eScan Anti-Virus, Webroot SecureAnywhere
- Kaspersky Total Security, Dr.Web Security Space, Norton Security Premium, K7 Ultimate Security
To give each antivirus the most similar conditions, we first created a test virtual machine in VirtualBox with a clean Windows 10 Pro (1909). Then we installed all updates (except for the problematic ones), set up automatic login and automatic connection of the network share, and turned off Windows Defender and the antivirus of the host OS.
Then we made clones of the virtual machine, one for each antivirus. Immediately before the test, the antiviruses were updated. Their settings were left at the defaults, since that is how most users will run them. Exceptions were made only in the direction of increasing the probability of detection: we made sure that real-time protection was enabled, and we also disabled the limits on file size and extension, so that every file was guaranteed to be checked.
The author thanks VX Heaven for the provided samples.
A brief description of test suites with malware of all stripes is given below.
- 100 backdoors for Windows;
- 100 network worms (IM, IRC, email, P2P and others);
- 100 Windows trojans (bankers, clickers, downloaders, droppers, etc.);
- 100 components of intrusive advertising;
- 100 backdoors for Linux;
- 37 rootkits for Windows;
- 87 malware samples for which there were no signatures at the time the set was compiled and which were detected only by some heuristic analyzers;
- 49 malicious code samples for non-x86 processor architectures (MIPS, Motorola MC68K, SPARC, PowerPC).
The main part of the selection tests the antivirus's response to typical Windows threats, while the auxiliary part lets us evaluate the quality of its heuristics and cross-platform protection.
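The counting behind this methodology (copy a category of samples into a folder, let real-time protection act, then see how many remain) can be automated. The script below is an added example, not the article's tooling; it assumes one sub-folder per category and identifies samples by SHA-256 so that a file the antivirus renamed or overwrote is not mistaken for an untouched survivor.

```python
import hashlib
from pathlib import Path

# Constructed folder layout (assumption, not the article's actual paths):
# <root>/<category>/<sample files>, one sub-folder per test set.
CATEGORIES = ("Backdoors", "NetWorms", "Trojans", "Adware",
              "Linux", "RootKITs", "Heuristic", "non-x86")


def snapshot(root: Path) -> dict[str, set[str]]:
    """Record which samples currently exist, per category, by SHA-256.

    Take the snapshot only after the antivirus has finished its pass
    (the article waited for the detection pop-up); a file that is still
    being scanned may be temporarily locked and is skipped here.
    """
    result: dict[str, set[str]] = {}
    for cat in CATEGORIES:
        hashes: set[str] = set()
        folder = root / cat
        if folder.is_dir():
            for f in folder.iterdir():
                if not f.is_file():
                    continue
                try:
                    hashes.add(hashlib.sha256(f.read_bytes()).hexdigest())
                except OSError:
                    continue  # locked or already being quarantined
        result[cat] = hashes
    return result


def detection_stats(before: dict[str, set[str]],
                    after: dict[str, set[str]]) -> dict[str, dict[str, int]]:
    """Per-category detection rate: a sample counts as detected when its
    original hash is no longer present on disk after the antivirus ran."""
    stats: dict[str, dict[str, int]] = {}
    for cat, original in before.items():
        if not original:
            continue  # empty category, no rate to report
        survived = original & after.get(cat, set())
        missed = len(survived)
        stats[cat] = {
            "total": len(original),
            "missed": missed,
            "detected_pct": round(100 * (len(original) - missed) / len(original)),
        }
    return stats
```

Running `detection_stats(snapshot(root), snapshot(root))` before and after the antivirus pass yields the same per-category percentages the article reports.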
All tests were performed for research purposes only. The files used were downloaded from public resources. The developers of the tested antiviruses received automatic notifications of the scan results. The editors and the author are not responsible for any possible harm.
Huorong Internet Security
Chinese antiviruses have multiplied, but the developer Huorong Security has been accredited by Microsoft as a trusted provider of antivirus software for Windows, so it deserves at least some attention.
We downloaded version 22.214.171.124, dated November 16, 2019 (18.5 MB), from the official site. It claims full support for 32- and 64-bit versions of Windows from XP through 10. Unfortunately, there is no Russian localization yet.
After installation, Huorong Internet Security updated itself to version 126.96.36.199. The antivirus took about 40 MB on disk and put little load on the system even with all the additional protection components enabled.
These include a proactive module, a web traffic analyzer, a host intrusion prevention system (HIPS), and a firewall. The latter two reduce the risk of the computer being added to a botnet and of an infection spreading over the local network, by blocking abnormal traffic in either direction.
Another relevant component is protection against common methods of unauthorized remote access (for example, it detects and blocks brute-forcing of the administrator account password).
Application access control is also available, with the ability to set your own rules for all programs, along with auxiliary security tools. Among them, the vulnerability protection module is interesting: it blocks the use of well-known exploits, which is especially important for countering APT and targeted attacks.
Huorong Internet Security uses its own antivirus engine called Cobra. We could not find any information about it. All that is known is that it runs the code under test in an isolated HVM environment (Huorong virtual machine). All the more interesting to put it to the test!
Huorong Anti-Virus could not scan a single test directory in the network share. It simply hung, endlessly spinning the animation of a shining shield. No progress indicator, no statistics; in general, nothing informative was displayed.
Then we created a folder V in the root of the disk and copied the backdoors there. Huorong allowed this, but then came to its senses and began to show in a pop-up window how many different infections it had found.
It found little: 52 samples, while 48 of the 100 backdoors remained on the system partition.
The antivirus "coped" even worse with the trojans, identifying only 39 samples; 61 out of 100 escaped detection. I won't give further screenshots, as they are all alike.
With the selection of network worms, things were just as deplorable: it quarantined 48, and 52 out of 100 remained untouched.
Of the intrusive advertising components, Huorong recognized less than half: 49 went to quarantine, and 51 out of 100 remained on disk.
Detection statistics in the main round:
- Backdoors – 52%;
- NetWorms – 48%;
- Trojans – 39%;
- Adware – 49%.
Simply put, Huorong detects roughly every other sample of every threat type. Moreover, it does this in several stages: on each set of one hundred files, the antivirus showed a pop-up window three times and re-counted the number of malware samples found in the same folder. It cannot check everything at once and, while it is examining some of the malware, does not block access to the rest.
In the additional round, the antivirus could not redeem itself either. Of the 37 rootkits, it ignored 22, and among the 87 little-known threats it missed almost everything, leaving 79 in place. Huorong did not recognize a single threat among those written for processor architectures other than x86 / x86-64. Huorong's heuristics and advanced defense turned out to be next to useless.
At first we decided that it would not see any malware for Linux either, but the Chinese antivirus thought a little and removed one sample from the Linux malware selection (99 remained). It would have been better not to do this at all: it could then have passed for an average Windows antivirus with no claim to protect other platforms.
Detection statistics in the extra round:
- RootKITs – 40%;
- Heuristic – 9%;
- Linux malware – 1%;
- non-x86 threats – 0%.
Overall, the antivirus handled its main task poorly. We also note the following conditional shortcomings:
- there is no way to inspect HTTPS traffic (but then there is also no risk of a "Kaspersky in the middle" attack from the antivirus installing its own root certificate);
- there is no cloud lookup tool, so Huorong takes longer to respond to fresh threats. On the other hand, your files will remain yours and will not be sent to the cloud "for analysis" whenever the antivirus decides.
Continuation is available only to members. Materials from the latest issues become available separately only two months after publication. To continue reading, you must become a member of the Xakep.ru community.