January 4, 2006 6:00 PM PST
Antivirus makers catch up to Windows bug
Trend Micro was the only one of the major antivirus vendors to miss a number of the malicious files that exploit the new Windows Metafile (WMF) vulnerability, according to a test of a range of antivirus products published on Wednesday.
In the test, administered by the independent testing organization AV-Test, 206 malicious files were pushed through scanners from a number of vendors. Of the top three antivirus companies, Symantec and McAfee caught all the bad files, while Trend Micro missed 63, according to the test results, which were e-mailed to CNET News.com.
AV-Test took a range of antivirus products and ran 206 malicious files that exploit the unpatched WMF flaw through them. Several of the products, it turned out, had gaps in their coverage.
These products detected all the malicious files:
- Symantec
- McAfee
- Computer Associates eTrust-VET
- Kaspersky Lab
- Eset Nod32
- Sophos
- F-Secure
- BitDefender
- Microsoft OneCare
These missed just one file:
- Clam AntiVirus
These tools missed a number of samples (total in parentheses):
- Fortinet (18)
- AntiVir (24)
- eTrust-INO (25)
- Panda (25)
- Ikarus (26)
- Norman (26)
- Ewido (47)
- AVG (59)
- VirusBuster (61)
- QuickHeal (63)
- Trend Micro (63)
- Dr Web (93)
- VBA32 (110)
- Authentium Command (119)
- F-Prot (119)
Several smaller providers of antivirus products also caught all the examples of malicious code, including Sophos, Kaspersky, Computer Associates International, F-Secure and BitDefender. Microsoft's new Windows OneCare, currently available as a test version, also protects against all the attacks, according to AV-Test.
Trend Micro is working to update its product to improve detection, said Raimund Genes, chief technologist for Trend Micro in Europe. "We have the luxury to have some of the biggest customers in the world, but this is also a burden because this means that we have to do very careful quality assurance," he said.
Still, Genes contends that Trend Micro's product offers good protection. It might not catch all the files used in the test, but it does catch all the malicious files currently found "in the wild" on the Internet, he said.
The Windows flaw is atypical, making it more complicated for most makers of antivirus software to provide protection, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany and head of AV-Test.
The flaw lies in the way the Windows graphics engine renders Windows Metafile (WMF) images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.
"Antivirus companies have the problem that the attacks involve a file format that was not used for previous attacks," Marx said in an interview via e-mail. "The researchers had to dig through the file format, and detection routines had to be carefully tested in order to avoid false positives."
Some providers of antivirus software are still working on proper detection routines and may offer protection against only the most widespread exploits, Marx said.
"All antivirus tools are developed in a different way," he said. "Depending on the code, it might be rather easy for some companies to add detection of the exploit codes by simply adding a new signature. In other cases, engine or even program changes need to be made."
In Trend Micro's case, the company is working on fine-tuning detection capabilities, Genes said. The challenge is finding a balance between detection capabilities of the new file type and speed of the scan engine, he said.
AV-Test also tested free antivirus products, including Clam AntiVirus and AVG. While Clam AntiVirus stopped all but one file, AVG let through 59 malicious files, according to the test.
The detection in Clam AntiVirus works well, but will result in many false positives and stop almost all WMF files, Marx said. That's not a big problem because Clam AntiVirus is used mostly as a gateway scanner, not on the desktop, he said.
"AVG, on the other hand, is mainly used on PCs. The company has to avoid false positives," Marx said. "I know that the AVG team is working day and night on a solution."
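The balance Marx and Genes describe, between a rule that stops almost all WMF files and one that picks out just the exploit records, is easiest to see in code. The following is an added example written for this page, not code from AV-Test or from any vendor named in the article. It assumes the documented cause of the flaw, which the article does not spell out: the exploit files carry a WMF Escape record (function 0x0626) whose escape code is SETABORTPROC (9), which caused the Windows rendering code to run the record's data; Microsoft's fix shipped as bulletin MS06-001. The sample files, record layouts and function names below are constructed for the example.

```python
import struct

# WMF record functions and escape codes (from the Windows Metafile format)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009     # the escape code the exploit files requested
PLACEABLE_KEY = 0x9AC6CDD7    # optional Aldus placeable header magic


def build_record(function, params=b""):
    """Serialize one WMF record: size in 16-bit words, function, parameters."""
    body = struct.pack("<H", function) + params
    if len(body) % 2:
        body += b"\x00"               # records are word-aligned
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_wmf(records, placeable=False):
    """Serialize a minimal WMF file around the given records (constructed sample data)."""
    body = b"".join(records)
    max_record = max(len(r) // 2 for r in records)
    # META_HEADER: type=1 (memory), header size 9 words, version 3.0,
    # file size in words, object count, largest record in words, members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    if placeable:
        # key, handle, bounding box (4 x int16), inch, reserved, checksum (not verified here)
        header = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


def looks_like_wmf(data):
    """Header-only rule: the 'stop almost all WMF files' approach, benign or not."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        return False
    file_type, header_words = struct.unpack_from("<HH", data, off)
    return file_type in (1, 2) and header_words == 9


def parse_records(data):
    """Yield (function, params) for each record. Lenient on sizes: every field is
    attacker-controlled, so a bogus record size must not stop the walk."""
    if not looks_like_wmf(data):
        raise ValueError("not a WMF file")
    off = (22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0) + 18
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        size = max(size_words * 2, 6)             # always make progress
        params = data[off + 6: off + size]
        if function == META_ESCAPE and len(params) < 4:
            params = data[off + 6: off + 10]       # peek past an undersized record
        yield function, params
        if function == META_EOF:
            break
        off += size


def scan_wmf(data):
    """Precise rule: report only Escape records that request SETABORTPROC."""
    findings = []
    for function, params in parse_records(data):
        if function == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == ESC_SETABORTPROC:
                payload = max(len(params) - 4, 0)  # bytes after EscapeFunction, ByteCount
                findings.append("META_ESCAPE with SETABORTPROC (payload %d bytes)" % payload)
    return findings


# Constructed samples, not files from the AV-Test set.
BENIGN_WMF = build_wmf([
    build_record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    build_record(META_EOF),
], placeable=True)

# Same layout as the exploit files: an Escape record asking for SETABORTPROC.
# The escape data is inert filler here, where a real sample carried shellcode.
SUSPECT_WMF = build_wmf([
    build_record(META_SETMAPMODE, struct.pack("<H", 8)),
    build_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 8) + b"A" * 8),
    build_record(META_EOF),
])

# An Escape record whose declared size (1 word) cannot even hold its own
# escape code; the lenient walk still sees SETABORTPROC.
UNDERSIZED_WMF = build_wmf([
    struct.pack("<IH", 1, META_ESCAPE) + struct.pack("<HH", ESC_SETABORTPROC, 0),
    build_record(META_EOF),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF), ("undersized", UNDERSIZED_WMF)):
        print(name, "header rule:", looks_like_wmf(sample), "precise rule:", scan_wmf(sample))
```

The header-only rule returns True for every sample, which is the gateway-friendly, false-positive-heavy behaviour Marx attributes to Clam AntiVirus; the record walk flags only the two files carrying a SETABORTPROC escape. The walk deliberately does not trust the declared record size, since a desktop scanner that rejected malformed files outright would hand attackers an easy way to slip past it, which is part of why careful testing against both exploits and clean WMF files took the vendors time.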
Microsoft, however, says it has not seen many attacks on its customers. It plans to deliver a fix on Tuesday as part of its monthly patch cycle. Until then, customers can protect themselves using a workaround (the advisory's suggested step is to unregister the Windows Picture and Fax Viewer library, Shimgvw.dll, which renders WMF images in the Windows shell) and by following standard security guidelines, including the use of up-to-date antivirus software, Microsoft said in a security advisory.