How We Collect Malware for Hands-On Antivirus Testing?
When it comes to antivirus testing, we make sure to put the product, and its security features go through a tough one to determine whether its performance and protection. Testing differs according to the type of product and when it comes to antivirus, real-world malware testing is a must.
The independent antivirus testing labs put security products in numerous tests and provide periodic results of each outcomes. Antivirus testing results help provide a detailed review of the security product’s performance and protection.
We mainly follow four lab test results, and if we see, that the scores and rating of the antivirus are right, it’s undoubtedly going to be your best choice. But because not every antivirus company participates in all four tests, performing hands-on antivirus testing is necessary.
Today, in this post, you will go behind the scenes of how we perform the hands-on malware testing and how we collect malware samples for our antivirus tests.
Ensuring a thorough antivirus testing
Even though an antivirus can detect malware samples, it doesn’t mean that the software is good. We perform antivirus testing that some of the security product allows few malwares even after detecting some of the samples.
If an antivirus software claims to provide robust malware detection and protection, we tend to select our samples carefully, analyze them to put the security software to the real test
We use samples that appear several months earlier and a list of threats provided by MRG-Effitas to start the sample collection process. First, we download the malware samples in a virtual machine and then launch them with test system being isolated from the internet.
Detection of Duplication
We locate the duplicate samples in this process because some files may have different names but maybe the same. For this process, we take the help of hash function, a one-way encryption thing.
This function provides us the same results and input. Also, if any information is different, it will surely give a different result.
The Different use of hash function
The VirusTotal website is where many researchers share their malware findings, and anyone can provide their samples for analysis. This website even runs the provided examples on antivirus engines of more than 60 companies.
After the sample antivirus testing, it provides the companies who successfully detected those samples as malware. Even we use this platform to run our collected samples to see the feedback from VirusTool’s analysis.
It indeed helps us to choose the best malware for the antivirus testing.
Time to analyze the malware samples
It’s the starting process of the analysis of the collected malware samples. There is an in-house program called the RunAndWatch to test out each of the malware samples.
We also use PCMag’s InCtrol to snapshot both the before and after changes in the Registry and file system. It helps us to check the changes. Even MS ProcMon Process Monitor helps us to keep an eye on the real-time activities.
Both of the tools help us check the changes report and what made the changes.
Repeat analysis for filtering
Analysis of malware samples for in-depth antivirus testing takes time. To further eliminate the duplicates, we use another in-house program to gather the components of our interests and remove the unrelated malware samples.
When a malware sample passes this process, it’s further put into another filtering process. And in that filtering process, the examples are given a better look to find out duplicates.
Using the final tool, we log the data and check for any malware traces during the antivirus testing.
If required, we adjust the samples.
The final phase of filtering malware samples is using the NuSpyCheck tool. It helps to find and remove the malware traces that are already present in the system.
First, we rest the virtual machine after launching each of the samples and waiting until its completion. When it completes, we use the NuSpyCheck tool. Even in this final process, many malware samples get filtered out, and few of the best remain for hands-on antivirus testing.
Also, ransomware like the Petya is an exemption because if antivirus cannot detect it properly, it becomes significant pain. As some products offer ransomware protection, and we disable the basic virus protection to see whether the ransomware protection alone can defend the system.
Final Thoughts
We make sure to throw a mixture of all kinds of malware samples for our hands-on antivirus testing, which even includes trojans and ransomware. Even PUA or Potentially Unwanted Applications are included in our test to test the product’s PUA detection capabilities.
After reading this post you will come to know how far we and deeply we can go to test out the antivirus’s capabilities to present you with the best antivirus product review. Though we don’t have the numbers in researchers, our reports are indeed not found anywhere.
