Institutionen för Systemteknik Department of Electrical Engineering
Examensarbete
Master Thesis “Quality of Freeware Antivirus Software”
LiTH-ISY-EX--11/4541--SE
By
Muhammad Ahsan Rasool
Abdul Jamal
Linköping 2011
Department of Electrical Engineering
Linköping University
S-581 83 Linköping, Sweden
Linköping Institute of Technology
Department of Electrical Engineering
581 83 Linköping, Sweden
Thesis Supervisor: Viiveke Fåk
Examiner: Jan-Åke Larsson
URL, Electronic Version: http://www.ep.liu.se
Publication Title: Quality of Freeware Antivirus Software
Author(s): Muhammad Ahsan Rasool, Abdul Jamal
Abstract
The war between malware and antimalware software started two decades ago and has adopted modern techniques as information technology has developed. This thesis analyzes the performance of freeware antivirus programs available on the market. Several tests were performed to analyze their performance with respect to the core responsibilities of such software: to scan for and detect viruses, and to prevent and eradicate them. Many further tests, perhaps irrelevant to common users but very important to technical professionals, were performed to analyze the quality of these programs with respect to their effects on the system itself, such as the use of precious resources, processing times, and system slowdown caused by monitoring techniques. The results of these tests show not only the performance and quality of these programs but also highlight some areas for further analysis.
Keywords: Quality of freeware, Antivirus, security software, Antivirus quality.
Presentation Date: 20-12-2011
Publishing Date (Electronic version):
Department and Division: Department of Electrical Engineering
Language: English
Number of Pages: 150
Type of Publication: Degree thesis
ISRN: LiTH-ISY-EX--11/4541--SE
Copyright (Swedish notice)
This document is held available on the Internet – or its possible future replacement – from the date of publication, provided that no extraordinary circumstances arise.
Access to the document implies permission for anyone to read, download and print single copies for individual use, and to use it unchanged for non-commercial research and for teaching. Transfer of the copyright at a later date cannot revoke this permission. All other use of the document requires the author's consent. To guarantee authenticity, security and accessibility, solutions of a technical and administrative nature are in place.
The author's moral right includes the right to be named as the author, to the extent that good practice requires, when the document is used in the manner described above, as well as protection against the document being altered or presented in a form or context that is offensive to the author's literary or artistic reputation or individuality.
For further information about Linköping University Electronic Press, see the publisher's home page http://www.ep.liu.se/
Copyright
The publishers will keep this document online on the Internet – or its possible replacement – from the date of publication barring exceptional circumstances.
The online availability of the document implies permanent permission for anyone to read, to download, or to print out single copies for his/her own use and to use it unchanged for non-commercial research and educational purposes. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional upon the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility.
According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement.
For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its www home page: http://www.ep.liu.se/.
© Muhammad Ahsan Rasool.
© Abdul Jamal.
Acknowledgement
Unlimited thanks and praises to our LORD Almighty ALLAH, THE Most Beneficent, Most Merciful, the owner of every power, knowledge and existence in this universe, and peace and blessings on all the messengers and prophets, especially the prophet of peace, Muhammad (peace be upon him), who taught us the right path to humanity. Many thanks to our supervisor Professor Viiveke Fåk for her guidance throughout the project and for moral and technical support during this time. Her guidance to complete this work was as important as any teacher is for his/her students. Thanks to Mr. Dan Ahlström for providing us the necessary details from the department of defense “SWECCIS (Swedish command, control and information system)”, which was the seed information for this work. We would also like to appreciate the support of the hidden hands of our families, university staff and colleagues. At the end, many thanks to our parents (the trainers of LAP School), and to the professional and highly skilled teachers from class one to Masters, who have transferred to us their precious knowledge and the crux of their whole life's struggle and experience without any demand of reward. Special gratitude to Sweden as a whole and to Linköping University specifically for helping us to achieve such an important stage of education and providing us a learning opportunity in a professional environment under the supervision of the best teachers.
Table of contents
Chapter 1: Introduction
  1.1 Introduction
  1.2 Aims
  1.3 Layout
Chapter 2: Taxonomy and Techniques
  2.1 History
  2.2 Basic Concepts and Notations
  2.3 Computer infection program or malware
    2.3.1 Types of Malware: Logic Bombs, Trojan Horse, Virus, Worms
  2.4 How does virus operate?
    2.4.1 Infected medium
    2.4.2 Execution
    2.4.3 Virus carrier media
    2.4.4 Virus infiltration
  2.5 Virus Structure
  2.6 Types of virus
    2.6.1 Boot sector virus
    2.6.2 Parasitic virus
  2.7 Operating System (OS) dependency
Chapter 3: War against Viruses
  3.1 Introduction
  3.2 Main objective of Antivirus
  3.3 How does Antivirus program operate
    3.3.1 Operation mode
    3.3.2 Antiviral techniques: Static techniques, Dynamic techniques
  3.4 Classification of malware protection software
    3.4.1 Antivirus software
    3.4.2 Anti-spyware software
    3.4.3 Personal firewall software
    3.4.4 Internet security solutions
  3.5 Latest antivirus programs
  3.6 Operating system compatibility
  3.7 Antivirus problems
Chapter 4: Quality of Antivirus
  4.1 Introduction
  4.2 Main focus on security products
  4.3 Methodology
  4.4 Selection of antivirus software
  4.5 Security products overview: Avast Antivirus, AVG antivirus, Avira antivirus, Norton Antivirus 2012, Products and versions
  4.6 Testing environment
  4.7 Antivirus performance benchmark
  4.8 Description of performance metrics
    4.8.1 Initial boot time to user desktop
    4.8.2 Boot time degradation
    4.8.3 User application launch time
    4.8.4 Third party application installation
    4.8.5 Antivirus installation size
    4.8.6 Antivirus installation time
    4.8.7 Antivirus uninstallation time
    4.8.8 Antivirus interface launch time
    4.8.9 Antivirus scan time
    4.8.10 Registry key add, modify and delete
    4.8.11 Average processor usage during idle
    4.8.12 Average processor usage during scan
    4.8.13 Average memory usage during idle
    4.8.14 Average memory usage during scan
    4.8.15 Data copy
    4.8.16 Data delete
  4.9 Tools and Software (utilities used for testing)
Chapter 5: Performance Analysis
  5.1 Introduction
  5.2 Testing methodology
  5.3 Problem
  5.4 Tests
    5.4.1 Scanning speed
    5.4.2 Detection of malicious programs
    5.4.3 Frequency of definition file update
    5.4.4 False detection
    5.4.5 Removal of malicious code
  5.5 Feature Comparison
Chapter 6: Quality tests
  6.1 Introduction
  6.2 Strategy of performance testing
    6.2.1 Pre-installation phase
      Benchmark 1a: Initial boot time to user desktop
      Benchmark 2a: Boot time degradation
      Benchmark 3a: User application launch time
      Benchmark 4a: Third party application installation
      Benchmark 10a: Registry key add, modify and delete
      Benchmark 15a: Data copy
      Benchmark 16a: Data delete
    6.2.2 Post-installation phase
      Benchmark 1b: Initial boot time to user desktop
      Benchmark 2b: Boot time degradation
      Benchmark 3b: User application launch time
      Benchmark 4b: Third party application installation
      Benchmark 5b: Antivirus installation size
      Benchmark 6b: Antivirus installation time
      Benchmark 7b: Antivirus uninstallation time
      Benchmark 8b: Antivirus interface launch time
      Benchmark 9b: Antivirus scan time
      Benchmark 10b: Registry key add, modify and delete
      Benchmark 11b: Average processor usage during idle
      Benchmark 12b: Average processor usage during scan
      Benchmark 13b: Average memory usage during idle
      Benchmark 14b: Average memory usage during scan
      Benchmark 15b: Data copy
      Benchmark 16b: Data delete
    6.2.3 Post-uninstallation phase
      Benchmark 1c: Initial boot time to user desktop
      Benchmark 3c: User application launch time
      Benchmark 4c: Third party application installation
      Benchmark 7c: Antivirus uninstallation time
      Benchmark 10c: Registry key add, modify and delete
      Benchmark 15c: Data copy
      Benchmark 16c: Data delete
  6.3 Quality and performance analysis
      Benchmark 1: Initial boot time to user desktop
      Benchmark 3: User application launch time
      Benchmark 4: Third party application installation
      Benchmark 10: Registry key add, modify and delete
      Benchmark 15: Data copy
      Benchmark 16: Data delete
Chapter 7: Conclusions
  7.1 Conclusions
  7.2 Future work
  7.3 Suggestions
Appendix A: List of Figures, List of Tables, List of Graphs
Appendix B: Images of test results
Terminology and Abbreviations
Bibliography
Chapter 1: Introduction
1.1 Introduction
In the last two decades there has been a tremendous increase in the number of computer users, and developments in information and communication technology have moved people from traditional computer systems to small handheld intelligent devices. The invention of the Internet was a dream in the middle of the 20th century, while at the start of this era the world has become a global village: more than 20 billion [4] users are linked to each other through this global network over wired and wireless media. With the evolution of technology many new business concepts were also introduced, and stealing information and using computer programs for destructive purposes became one of the major developments in virus programming. With the introduction of the aforementioned diseases, several groups came into being to treat these computing disorders, and a new war between these two opposing forces started. A few years ago only a few virus-writing techniques and spreading and propagation methods existed, with a very small number of transfer media, while now these small segments of program have become weapons of mass destruction, travelling thousands of miles over dozens of transfer media such as solid-state drives, wired and wireless connections and fibre optics. Thousands of companies advertise their products as the ultimate solutions and survival packs against viruses that exist in the millions, but do these antivirus programs fulfil the requirements, and do they have the ability to remove viruses without causing any damage to our computers? These questions led us to work on this topic. Some of the data, including versions of operating systems, workstation and server specifications, installed software and other antivirus programs, and network topologies and devices, was provided by the backend organization to serve this work.
1.2 Aims
Dozens of commercial and freeware antivirus programs are available on the market, with very attractive marketing plans for common users of personal computers and for complete network systems as well. In this work our focus was to analyze some of the suggested freeware security software (in our case antivirus) and to bring out the positive and negative sides with the help of performance testing and analysis, regardless of the benefits advertised by the vendors. The scope of this work was to analyze the performance of freeware in order to provide our client with results for the choice of antivirus, in the light of features and drawbacks, and to present recommendations.
1.3 Layout
This section gives the layout of the contents with a brief introduction to each chapter.
Chapter 1: Introduction. Introduces malicious software, states the aims of this work and explains the layout of the contents for the ease of the reader.
Chapter 2: Taxonomy and Techniques. Covers the evolutionary stages of malicious software, their spreading techniques, damaging effects and behaviour.
Chapter 3: War against viruses. Covers the evolution of antivirus software, scanning, detection and eradication techniques, and introduces some of the latest antivirus programs available on the market.
Chapter 4: Quality of antivirus. Selection of antivirus software, their metrics, and a description of the tests performed to analyze their quality with respect to their effects on the system.
Chapter 5: Performance analysis. Performance tests and a comparison of the core responsibilities of the antivirus software, with advantages and disadvantages.
Chapter 6: Quality analysis. Test results of the quality analysis performed with respect to system speed, load, boot time and other side effects of antivirus software.
Chapter 7: Conclusions. The crux of the whole report, with conclusions, recommendations and future aspects of this thesis.
Chapter 2: Taxonomy and Techniques
2.1 History
The concept of a virus is not new in the human world, while the term computer virus became common among computer users only in the past few years, under different names and terminologies such as viruses, Trojans and worms. There are many opinions from computer professionals but no authoritative declaration of the date of birth of computer viruses; the majority agree that the concept of the virus was developed in the early 70s. The first computers were not attacked, but that did not mean they were not potentially vulnerable. In the early 1980s, as computer technology evolved and people started to understand and gain hands-on experience with computer systems, PCs became fairly common and invited some individuals to use their knowledge with malicious intentions. The first virus most commonly quoted in the IT literature is the Brain virus, introduced in 1986 [1], which caused viral infections in the USA. The growth of computer viruses is directly proportional to the evolution of technology: computer generations changed from floppy-booted limited machines to the powerful machines of the new era, with huge data-transfer capability within the machine and across the network, and with these facilities computer viruses also gained modern shapes and techniques and became more virulent. The first virus's job was merely to display a message on the screen: “Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages....$#@%$@!!” [28]. By today's standards it seems fun rather than damaging, while modern viruses are far superior in their jobs, functionality and spreading mechanisms. In 1999 more than 45 million computers around the globe were infected by the “I love you” virus [2]. More recently a virus/worm known as Sapphire targeted over 200,000 servers with unbelievably fast distribution and infected over 75,000 servers within a few minutes [5]. Hundreds of viruses are used to destroy file structures, steal bank and credit card data and confidential information including numbers, passwords and other details, and target Internet traffic for financial benefit. Within the past few years virus and antivirus programs have attained the status of an industry and turned into very profitable businesses, and the warfare has started.
2.2 Basic Concepts and Notations
The term computer virus seems to be the street name for programs written for some specific objective, which can be formally defined as a computer infection program or malware.
2.3 Computer Infection Program / Malware: A Formal Definition
A computer malware or infection program is a simple or self-replicating piece of software which is capable of installing itself in a processing system without the prior knowledge and consent of the user, with the objective of endangering data confidentiality, data integrity or system availability [2].
2.3.1 Types of malware
Computer infection programs can be divided into two major groups:
A. Simple (Epeian) malware
B. Self-reproducing malware
These are further divided into the subcategories logic bombs, Trojans, viruses and worms, as shown in Fig 1.1 [2].
Fig 1.1. Taxonomy of Computer Infection Program [2]. (Figure: Computer Infection Program is divided into Simple (Epeian) malware, comprising Logical Bombs and Trojan Horses, and Self-reproducing malware, comprising Viruses and Worms.)
Logic Bombs
A logic bomb is a small chunk of program attached to a specific piece of software which starts functioning, and may cause severe damage, when triggered by some condition. Time or some preset keyword could be the major parameter for activation of the code [1]. A hypothetical example is one that alters data into something suspicious, which can be very confusing and needs complicated processing to be traced. Spreadsheets are one of the major victims of logic bombs [1]. Logic bombs are also used within a virus payload, where a certain payload is activated upon meeting a certain condition. The malware known as “Datacrime” formatted the hard disk between 13th October and 31st December of any year [1].
Trojan Horses
The term Trojan horse is taken from the Greek story of the Trojan war, where Greek soldiers built a big horse and left it in front of the gates of Troy; the Trojan soldiers took the horse into the city as winners, and at night the Greek soldiers sneaked out of the belly of the horse and opened the city gates. The same happens in computer systems: a program appears to perform some desirable service for the user. ARC513 is the Trojan version (pretending to be an improved version of ARC) of a compression program found on some bulletin boards, which in fact deleted all the files assigned for compression [1]. Trojans are commonly used to infect a legitimate program with a virus and pass it off as the original program; when the user executes this program as a bona-fide copy, the whole system is infected [1]. Trojans are also abused by hackers, who leave the program resident on someone's computer and control the system by accessing it remotely.
Viruses
Computer viruses are programs which are capable of replicating, executing and spreading themselves in the system and/or across the network. Since their functionality is very similar to that of their biological counterparts, the name “virus” is given to these programs [1]. In fact the best way to explain viruses is to see them in the light of four essential characteristics:
1. Replication: the capability of making copies of themselves, spreading within and across storage media, computer systems and networks [1].
2. Executable path: to perform any function, it is important for a virus that its program is executed somehow. So computer viruses find many helpful host programs, like the operating system itself or applications in common use, and the user cannot even notice the execution of the virus [1]. After execution its next job is to modify other programs within a very small amount of time [1].
3. Damaging effects: apart from the self-replicating code, the most destructive part of a virus program is the “payload”, which acts as the warhead of a missile; this payload is actually responsible for the destruction, losses and side effects, which can be malicious [1].
4. Disguise: the successful distribution of a virus depends on its unnoticed replication, and this can be achieved through two methods [1]: disguise by encryption (scrambling), and interrupt interception.
Worms
Worms are programs similar in pattern to viruses, but their replication methods are different: they do not need any carrier to replicate, being capable of creating exact copies of themselves. Computer networks and multi-user computers are the normal victims of worms, and as a transmission medium they are capable of using inter-computer or inter-user communications [1]. These programs can work individually or can occur together with their sister programs, so it sometimes becomes very complicated to give a single name to a specific piece of malware.
2.4 How does a virus operate?
There is nothing to wonder about in the way a virus enters, penetrates, executes and resides in a computer. The entry methods are well understood, and recognition of these processes is the first step towards combating the threat.
2.4.1 Infected Medium
One important thing to discuss here is that a computer is infected with malware while it is on and processing; the malware exists in random access memory, which is cleared when the computer is switched off, but attached peripherals like the hard disk and other storage devices still carry the infection even when the system is switched off or loses power.
2.4.2 Execution
After the malware is copied from some medium to a computer, the next step is to give it the chance to execute in order to penetrate the computer. Initially .COM and .EXE files were the major targets of malware infection, while with the passage of time any file containing executable code can be treated as a carrier. Since the start-up (bootstrap) of a PC consists of some well-known procedures, a step-by-step analysis of the executable objects on a PC makes it possible to list all the points where malware can attack; the only thing we have to make sure is that the execution of the PC is protected from infection.
If we analyze the bootstrapping process we can observe that malware may penetrate and change one or more of the following steps while they are performed:
1. Upon switching on the PC, a program from ROM (Read Only Memory) is executed which checks whether the available drives are bootable media and loads the contents of the first sector (the bootstrap sector) into memory. If the system finds a suitable boot program it starts executing it; otherwise it gives an error message and waits for the operator to insert a disk with a bootable program on it [1]. The system takes the user's settings from the CMOS before performing this step.
2. The bootstrap sector of the hard disk or other bootable medium is read and control is transferred to the operating system.
3. All configuration files are loaded into memory and command.com is executed.
4. All installed device drivers are loaded and executed.
5. Applications containing macros are loaded.
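To show how a defender can watch the boot-sector attack point in the sequence above, here is a small integrity checker, added as an illustration and not part of the thesis. It records SHA-256 digests of the master boot sector (LBA 0) and a partition boot sector (placed at LBA 2 in this example) of a raw disk image while the system is known clean, then reports any later change; the three-sector image and its contents are constructed for the example.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # trailing marker of a valid x86 boot sector


def read_sector(image: bytes, lba: int = 0) -> bytes:
    """Return one 512-byte sector of a raw disk image by logical block address."""
    start = lba * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"image has no complete sector at LBA {lba}")
    return sector


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends with 0x55AA, i.e. the BIOS would treat it as bootable."""
    return sector[-2:] == BOOT_SIGNATURE


def sector_digest(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def record_baselines(image: bytes, lbas) -> dict:
    """Record digests of the sectors to protect while the system is known to be clean."""
    return {lba: sector_digest(read_sector(image, lba)) for lba in lbas}


def check_boot_sectors(image: bytes, baselines: dict) -> dict:
    """Integrity check: compare each protected sector against its recorded digest."""
    report = {}
    for lba, expected in baselines.items():
        sector = read_sector(image, lba)
        report[lba] = {
            "bootable": has_boot_signature(sector),
            "modified": sector_digest(sector) != expected,
        }
    return report


def build_sector(payload: bytes, bootable: bool) -> bytes:
    """Constructed sample sector: payload, zero padding, optional 0x55AA marker."""
    body = payload.ljust(SECTOR_SIZE - 2, b"\x00")
    return body + (BOOT_SIGNATURE if bootable else b"\x00\x00")


# Constructed three-sector image: MBR at LBA 0, data at LBA 1, partition boot sector at LBA 2.
# The leading bytes mimic the short jump that real boot sectors start with; the labels are made up.
CLEAN_IMAGE = (
    build_sector(b"\xeb\x3c\x90MBR-CLEAN", bootable=True)
    + build_sector(b"user data", bootable=False)
    + build_sector(b"\xeb\x3c\x90PBS-CLEAN", bootable=True)
)
PROTECTED_LBAS = (0, 2)
BASELINES = record_baselines(CLEAN_IMAGE, PROTECTED_LBAS)

# Constructed tampered image: only the MBR differs from the recorded baseline.
TAMPERED_IMAGE = (
    build_sector(b"\xeb\x3c\x90MBR-CHANGED", bootable=True)
    + CLEAN_IMAGE[SECTOR_SIZE:]
)

if __name__ == "__main__":
    for lba, result in check_boot_sectors(TAMPERED_IMAGE, BASELINES).items():
        state = "MODIFIED" if result["modified"] else "intact"
        print(f"LBA {lba}: {state}, bootable={result['bootable']}")
```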
Here are some examples of malware attacks during the above steps and of how vulnerable these steps are at system start.
Reading from the ROM: since Read Only Memory is not modifiable and the CMOS does not contain any executable code, there is no chance of a malware attack here [1].
Disk boot sector: regardless of the storage medium (hard disk, USB, floppy disk), boot sectors and partition boot sectors are vulnerable to several famous malware attacks like “New Zealand”, “Italian” and “Mistake” [1].
Configuration files and device drivers: a possible malware attack point; configuration files are usually text files only, but malware may be written as a device driver and executed that way.
Applications: most malware attacks these files and then executes, and this is the point where the overall performance of the computer system slows down and a mess is created in different forms, like the directory and file structure, the registry, or the code of the bona-fide program, according to the nature of the malware.
2.4.3 Virus Carrier Media
Any medium which can be used for storage and transmission of executable programs can be listed as a potential carrier of parasitic viruses. By nature we can divide the carrier media into two categories:
1. Media of local use
2. Network interfaces
In the category of media of local use, floppy disks, hard disks, CDs and external storage media like cartridges, removable hard disk drives and USB storage devices (pen drives, memory sticks and memory cards) can be considered victims of malware and carry the transmission in unstoppable ways. On the other hand, network interfaces like wired, wireless, Bluetooth and infrared also play a key role, not only in the transmission of network traffic but also in the distribution of malware using mail servers, bulletin boards and cookies.
2.4.4 Virus Infiltration
Looking at the routes and methods of virus infiltration in a wider view, we find that the credit goes to users. A major factor in accepting viruses is not only file transfer but greed, carelessness, lack of security and lack of knowledge as well. Some key points can be taken from the analysis of real-life examples [1][2]. The following are some general methods and routes of this infiltration:
1. Computer technicians
2. Pirated copies of operating systems and software of daily use
3. Bulletin boards
4. Shareware and public domain software
5. Third-party infected compression utilities
6. Shared computers and CDs
7. Freeware security software
8. Community, gaming and pornographic websites
9. Internet advertisements and spam emails
Several other methods and routes are discovered every day and depend on the behaviour of the computer user, but the above are the most common ones we found in our survey during the implementation of this work.
2.5 Virus structure
Since the basic objective of a virus is to have it perform some specific job, its structure is also very common in virus programming technique. The basic structure of a virus is a set of two program codes:
1. Self-replicating code
2. Payload [1]
The self-replicating code is responsible for the replication and distribution of the program itself, while the payload is the warhead of the program which causes damaging effects according to the vision and will of the virus programmer. The size of a typical virus may be from a few bytes to a few hundred bytes depending on the payload.
Fig 1.2. Carrier program infected by virus [1]. (Figure: the carrier program's entry point jumps to the virus, which consists of replication code and payload, and then jumps back to the carrier program.)
One intelligent move of a virus is to check whether a file is already infected by it, by testing for some infection signature. If the executable is already infected, an intelligent virus avoids reinfecting it; otherwise the size of that executable would rapidly increase and the virus could easily be seen with the naked eye. Example: one virus known as “Jerusalem” does not verify its own signature prior to infecting, which results in reinfection of executable images and makes the file huge [1].
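As an added illustration of the infection-signature idea above (not the thesis's own code), the following scanner does from the antivirus side what the virus does for itself: it looks for a constructed infection marker in each file image, counts how many times it appears, and compares the file size with a size recorded on a clean system, so that a Jerusalem-style reinfection shows up as a marker found more than once in a file that has grown. The marker, the file names and the sample file contents are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed infection marker: the pattern a hypothetical virus writes into every
# file it infects, and which a careful virus would look for before infecting again.
INFECTION_MARKER = b"INFECTED-BY-SAMPLE-VIRUS"


@dataclass
class ScanResult:
    path: str
    size: int
    baseline_size: Optional[int]
    marker_hits: int

    @property
    def infected(self) -> bool:
        return self.marker_hits > 0

    @property
    def reinfected(self) -> bool:
        """More than one copy of the marker: the virus did not check its own signature."""
        return self.marker_hits > 1

    @property
    def grown(self) -> bool:
        """File is larger than when its size was recorded on a clean system."""
        return self.baseline_size is not None and self.size > self.baseline_size


def count_marker(data: bytes, marker: bytes = INFECTION_MARKER) -> int:
    """Count non-overlapping occurrences of the infection marker in a file image."""
    return len(re.findall(re.escape(marker), data))


def scan_file(path: str, data: bytes, clean_sizes: Dict[str, int]) -> ScanResult:
    return ScanResult(path, len(data), clean_sizes.get(path), count_marker(data))


def suspicious_files(files: Dict[str, bytes], clean_sizes: Dict[str, int]) -> List[ScanResult]:
    """Scan every file image and keep those carrying the marker or larger than baseline."""
    results = [scan_file(path, data, clean_sizes) for path, data in files.items()]
    return [r for r in results if r.infected or r.grown]


# Constructed sample "executables" (plain byte strings) and their recorded clean sizes.
CLEAN_PROGRAM = b"MZ" + b"\x90" * 40 + b"ORIGINAL-CODE"
CLEAN_SIZES = {
    "calc.exe": len(CLEAN_PROGRAM),
    "edit.exe": len(CLEAN_PROGRAM),
    "note.exe": len(CLEAN_PROGRAM),
}
SAMPLE_FILES = {
    "calc.exe": CLEAN_PROGRAM,                         # untouched
    "edit.exe": CLEAN_PROGRAM + INFECTION_MARKER,      # infected once
    "note.exe": CLEAN_PROGRAM + INFECTION_MARKER * 3,  # reinfected: marker present three times
}

if __name__ == "__main__":
    for r in suspicious_files(SAMPLE_FILES, CLEAN_SIZES):
        print(f"{r.path}: {r.marker_hits} marker(s), size {r.size} vs clean {r.baseline_size}, "
              f"reinfected={r.reinfected}")
```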
2.6 Types of virus
In 1990 only 1,000 and in 2000 over 50,000 viruses were reported, while there has since been a sharp increase in this number to over 1 million [26]. Many types of viruses may exist, but virus programs can be divided into two categories according to their point of attack.
2.6.1 Boot sector viruses
In the DOS systems of two decades ago this was the most common area for virus attacks, because systems could be booted from an external floppy, which could infect the whole file structure by leaving the virus resident in random access memory; it is also the most crucial area, since damage to it may crash the whole system. The basic function is to modify the disk boot sector or the partition bootstrap sector, disguise it according to the payload of the virus, load itself into memory and get control over the operating system from the moment it starts loading.
2.6.2 Parasitic Virus
Parasitic viruses modify the content of executable files [1] most commonly COM and/or EXE files. By insert itself in the beginning or at the end of the program and alter the initial instruction for the start of program, and some time they over write the first chunk of program to make it unusable. The basic mechanism of virus is to get the control over the application when application code is executed, virus code is executed as well and the extra time of execution is so miner that it is not notable to users. Most parasitic virus infect the files, reside theirself into the memory and monitor the load other executables and stick with them to infect and the process started to infinity. These two above mentioned types can be divided into further categories [09] like:-
Resident Viruses: Randex, CMJ, Meve, and MrKlunky.
Direct Action Viruses
Overwrite Viruses: Way, Trj.Reboot, Trivial.88.D.
Boot Virus: Polyboot.B, AntiEXE.
Macro Virus: Relax, Melissa.A, Bablas, O97M/Y2K.
Directory Virus
Polymorphic Virus: Elkern, Marburg, Satan Bug, and Tuareg.
File Infectors
Companion Viruses: Stator, Asimov.1539, and Terrax.1069
FAT Virus
Worms: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.
Trojans or Trojan Horses. [09]
2.7 Operating System (OS) dependency
A few years ago it was a common perception that only Windows systems could get infected by viruses, and it was true to some extent, because Unix/Linux were operated through command-line interfaces and no background services were running, which kept the system more secure. As soon as graphical user interfaces became common, the term virus became common for Unix/Linux as well; one notable thing is that these operating systems are open source, so it is easy to write some chunks of programs or get them from a forum without any problem. It is true that Unix/Linux are not as vulnerable to viruses as Windows is, but the danger still exists, and here the human factor lies behind the initiation of these viruses rather than an automatic mechanism. For the MAC operating system the story seems the same as above. In general, a system connected to the internet is always targeted by such malicious software, openly or in hidden ways, using all the techniques that can support hacking, spamming, spying and stealing information from the computer.
3 War against viruses
3.1 Introduction
In the early days of development in the field of IT, viruses were not taken as a serious threat, but later on the war against viruses started as soon as professionals recognised malicious programs as a threat to computer systems. Professionals started working on antivirus techniques and methods in 1986, and the first antivirus is claimed to have been developed in 1987. Several mailing lists containing virus names were developed and shared by professionals, but these lists could not stand up to the rapid evolution of virus signatures, writing methods and even renaming techniques. This chapter surveys the different methods and solutions used for protection from viruses.

3.2 Main objective of antivirus

An antivirus is a program which is used to capture or notify the user of malicious code and perform certain functions according to the description written by the programmers. The main objective behind viral protection programs is to secure the system using these three tasks:
1. Take preventive measures
2. Detection of the malicious code
3. Eradication [2]
To perform these tasks antivirus software uses many resources of the computer system, so the ideal situation is to perform the afore-mentioned tasks without putting extra load on the processing unit [2].

3.3 How does an antivirus program operate?

To describe the way an antivirus program operates, some of its building blocks should be taken into consideration.

3.3.1 Operating modes
There are two operating modes of an antivirus program, which can be described as follows:
1. Static mode: the antivirus program is activated by the user (manually or as scheduled) on demand, suitable for computers with limited resources. The program is not resident and there is no way to monitor the behavior of existing and/or upcoming viruses [2].
2. Dynamic mode: the antivirus program is installed, resides in the system and continuously monitors all activities within the operating system, on peripheral devices and on the network, as configured by the user. This is the most common mode used by today's users. This mode puts a specific load on the system and utilizes as many resources as it can, but provides comparatively much better prevention, detection and eradication possibilities than the earlier mode [2].
3.3.2 Antiviral Techniques
There are several individual antiviral techniques used by antivirus programs to fulfil these objectives, but as viruses are getting more and more complex every day, this leads to the merging of antiviral techniques as well [6]. In a simple way antiviral techniques can be divided into two main classes with several subclasses [2].

Static Techniques

Static techniques detect malicious code by examining records of events without running any special code for malware detection; they can be further divided into several techniques [6].
String Scanning: scanning for the sequence of bits which distinguishes the malicious code from other bona fide program code [2].
Wildcard techniques: by the skip-byte method the scanner skips a byte of the signature and compares the next byte [6].
Generic Detection technique: uses one common string to find all known and unknown signatures [6].
Smart Scanning: skips junk instructions and analyzes the body of the virus, which has no reference to other data [6].
Skeleton Detection technique: the scanner analyzes the statements of the virus line by line; only the skeleton remains after deleting these statements [6].
Heuristic Analysis: an expert-based analysis that checks the susceptibility of a system towards a particular threat/risk using weighting methods like Multi-Criteria Analysis (MCA) [6].
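As an added illustration (not code from the thesis), the following Python scanner implements string scanning with wildcard bytes and a small weighted heuristic score of the kind described above; the sample files, the signature and the heuristic rules are constructed for the demo and correspond to no real malware.

```python
"""Added example: a minimal static scanner (string scanning, wildcard
signatures, weighted heuristics).  All signatures, rules and sample
files below are constructed for the demo and match no real malware."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Signature:
    name: str
    pattern: List[Optional[int]]  # byte value, or None for a wildcard


def parse_signature(name: str, hex_pattern: str) -> Signature:
    """Parse 'DE AD ?? BE EF' into a Signature; '??' is a wildcard byte."""
    pattern = [None if tok == "??" else int(tok, 16)
               for tok in hex_pattern.split()]
    return Signature(name, pattern)


def find_signature(data: bytes, sig: Signature) -> Optional[int]:
    """String scanning: return the offset of the first match, or None.

    A wildcard position is skipped and the comparison continues with the
    next byte, which is the wildcard technique from the text."""
    n = len(sig.pattern)
    for offset in range(len(data) - n + 1):
        if all(expected is None or data[offset + i] == expected
               for i, expected in enumerate(sig.pattern)):
            return offset
    return None


# Heuristic rules: (name, predicate over the file bytes, weight).  The
# weights are summed like a crude multi-criteria score; these particular
# indicators are illustrative, not a real product's rule set.
HEURISTIC_RULES = [
    ("mz_header", lambda d: d[:2] == b"MZ", 1),
    # many distinct byte values in the tail: crude sign of packed/encrypted data
    ("high_entropy_tail", lambda d: len(set(d[-64:])) > 48, 2),
    ("memory_protection_api", lambda d: b"VirtualProtect" in d, 2),
]


def heuristic_score(data: bytes) -> Dict[str, int]:
    """Return {rule_name: weight} for every rule that fires."""
    return {name: weight for name, pred, weight in HEURISTIC_RULES if pred(data)}


def scan(data: bytes, signatures: List[Signature], threshold: int = 3) -> dict:
    """Combine both techniques: a signature hit is 'infected', a heuristic
    score at or above the threshold is 'suspicious', otherwise 'clean'."""
    for sig in signatures:
        offset = find_signature(data, sig)
        if offset is not None:
            return {"verdict": "infected", "signature": sig.name, "offset": offset}
    fired = heuristic_score(data)
    score = sum(fired.values())
    verdict = "suspicious" if score >= threshold else "clean"
    return {"verdict": verdict, "signature": None, "score": score, "rules": fired}


# Constructed demo inputs (no real samples).
DEMO_SIGNATURES = [parse_signature("Demo.Marker", "DE AD ?? BE EF")]
CLEAN_FILE = b"MZ" + b"\x00" * 100 + b"hello world"
INFECTED_FILE = (b"MZ" + b"\x00" * 50
                 + bytes([0xDE, 0xAD, 0x42, 0xBE, 0xEF]) + b"\x00" * 50)
PACKED_FILE = b"MZ" + bytes(range(256)) + b"VirtualProtect"

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                        ("packed", PACKED_FILE)]:
        print(label, scan(blob, DEMO_SIGNATURES))
```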
Besides the most common techniques mentioned above, several other methods are used, which can be observed in up-to-date literature on anti-malware software.

Dynamic Techniques

Dynamic techniques analyze the health of a code by running some code and/or monitoring the behavior of the malicious code.
Behavior monitoring: the antivirus program resides in memory, monitors whether any suspicious activity is noticed, and acts upon it by interrupting the system. Such a technique can sometimes be useful for both known and unknown signatures, but it is a big overhead on the system, may cause slowdown and also creates false alarms. [2]
Code emulation: usually used in static mode and aimed at emulating behavior monitoring; during scanning with this technique the code is loaded into a protected part of memory and suspicious activity is detected. [2]
3.4 Classification of malware protection software
A stand-alone computer may face threats from malware generated by hidden programs at some specific time or while using external data-transfer media, while a computer attached to the internet directly or through a network is always more vulnerable to this malware and a victim of attacks. Below is a classification of some malware protection software:

3.4.1 Antivirus Software

Targets protecting the computer from viruses and their sister classes like Trojans, worms and other malicious programs [6].

3.4.2 Anti-spyware Software

As the name indicates, the basic target of this software is spyware programs, which reside in the system and silently transfer information from the computer to another destination through the internet or within the network [6].

3.4.3 Personal Firewall Software

Software designed to protect computers and even networks from hackers, or anyone intending to access our resources without authorization [6].

3.4.4 Internet security Solutions

A set of the above-mentioned software providing security from malicious code transfer and attacks over the internet; furthermore many other modules can also be part of this software, like parental control software, access-list software, etc. [6]
3.5 Latest antivirus programs

Dozens of antivirus programs are available in the market with different features and areas of specialty, so a user can choose according to his requirements and budget; many free antiviruses are also available and can be downloaded from the internet. The following data is taken from a website which claims to have conducted a survey of the top ten antiviruses for the year 2012 [27]:
1. BitDefender Antivirus 2012
2. Norton Antivirus 2012
3. Vipre Antivirus 2012
4. ESET Antivirus 2012
5. Kaspersky Antivirus 2012
6. F-Secure Antivirus 2012
7. TrendMicro Antivirus 2012
8. ZoneAlarm Antivirus 2012
9. Panda Antivirus 2012
10. McAfee Antivirus 2012
Some other antivirus software, also listed here, has a big stake in the market of computer and internet security solutions:
1. Avira Antivirus 2012
2. Avast Antivirus 2012
3. Avanquest Antivirus 2012
4. G Data Antivirus 2012
5. Webroot Antivirus 2012
6. PC Tools Antivirus 2012
7. Comodo Antivirus 2012
8. CA Antivirus 2012
9. Norman Antivirus 2012
10. AVG Antivirus 2012
11. Sophos Endpoint Security 2012
12. Quick Heal Antivirus 2012
13. Microsoft Security Essentials 2012
We have selected a few antivirus programs on the merit of their characteristics, performance, reviews available in the market, and also comparative studies of their features and other factors like speed, detection, support, price and stealth. Details of the selected antivirus programs can be found in chapter 4.
3.6 Operating System compatibility
Antivirus programs are written for all operating systems where the tendency of having a virus exists.
Many of the afore-mentioned vendors have introduced separate versions for Windows and MAC covering remedies for the known viruses. Antivirus for Unix/Linux is also available in the market.
Modern antivirus vendors are trying to introduce multi-platform antivirus support over the internet, and soon users will be able to connect to the internet, scan their systems and get live support remotely from the technical support professionals at the vendor's website.
3.7 Antivirus problems

Antivirus programs can be good at detecting and removing malicious code, but they still need a lot of improvement to resolve the following issues:
They can be very good against known signatures, but still cannot do anything against evolutionary code or zero-day viruses [6].
They require very noticeable time to scan the system; since data volumes are getting huge and virus signatures are increasing rapidly, antivirus scanning time will increase accordingly [6], which leads to the engagement of resources.
Signature definitions should be updated frequently, which may be a financial factor for the vendors.
4 Quality of Antivirus
4.1 Introduction

In this chapter we have performed a qualitative analysis of the selected freeware security software with regard to the effect of this software on the overall performance of the computer. In addition to that we have tried even some of the trial versions of commercial security solutions.
4.2 Main focus on security product [16] [18] [20]
Good quality of performance
Low cost
Fast scanning of files and detection of viruses
Low user interaction
Good detection of all viruses and removal or cleaning capabilities
Good online security service
Well-known vendor products
Low false alarm occurrence
Better user support
Minimum impact on the system
Protection from malware
Real-time safeguard
4.3 Methodology
First we installed a new and latest version of Windows 7 on the end-user machine. To test different freeware antivirus programs many times, we needed to create an image or backup of the Windows installation, which saves time and resources.
The Windows image was restored every time for each antivirus test. The freeware antivirus programs were tested on the same machine and on the clean image.
Different software and tools were used to test the performance of the different freeware antivirus programs on the machine; these software and tools are also freeware available online to users.
At the end, the total performance over all metrics was measured and presented in a column graph in chapter 6.
4.4 Selection of Freeware Antivirus Software
Antivirus programs are available online for free, and some have 30-day free licenses. In all test cases we installed and tested the latest 2012 versions of the antivirus programs. In this thesis we took seven well-known antivirus programs which have the highest download rates.
Additionally, since the needs of home and enterprise users differ, it is important to evaluate antivirus software tests in order to know the differences.
This report shows a comparative analysis of the performance, effectiveness and usability of four security solutions from some of the world's largest security vendors.
We have tested the following 4 security solution products:
Avast! Free Antivirus [10]
AVG Anti-Virus Free Edition 2012 [11]
Avira Free Antivirus [13]
Norton AntiVirus 2012 [14]
We found that most computer users use free antivirus to secure their computer from viruses, spyware, worms and other risks.
4.5 Security Product Overview
Avast Free Antivirus
It is a free antivirus program for home users. It is designed to provide strong self-protection capabilities as well as faster scanning with improved detection of malware. It continuously monitors files on the computer, email and internet traffic to prevent them from becoming infected. It provides real-time protection. It has very little impact on the processor and memory. It has the fastest, best overall performance and low traffic overhead for updates. [10][16][17]
AVG Antivirus Free
It is a free security suite for home users. It promises basic protection against viruses, worms and spyware. It provides reasonable scanning of files and folders at any time. It has a user-focused interface but generates a high amount of update traffic. [11][16][17]
Avira Free Antivirus
It is a free antivirus program to protect the end user's computer against viruses, Trojans, worms, spyware and other malicious software. It performs scheduled scanning to protect the end-user machine from viruses without impact on user processes. [13][16][17]
Norton Antivirus 2012
It is a commercial antivirus program with multilayered security technologies. It provides comprehensive protection against viruses, worms and other malicious software before they can harm the end user, and more, without slowing down the computer. [14][16][18]
Products and Versions
In this report, we used the following latest versions of the security solutions. [10][11][12][13][14][15][16]

Product Name   Version        Release Date   Vendor          Availability
Avast          6.0.1289       Nov 03, 2011   Avast           Free
AVG            2012.0.1869    Nov 04, 2011   AVG             Free
Avira          12.0.0.849     Oct 03, 2011   Avira           Free
Norton         19.0           Sept 07, 2011  Symantec Corp   Commercial

Table 4.1 Security software, vendors and versions
4.6 Testing Environments
Stand-alone systems
Platforms
o Windows 7
For each product, we installed the appropriate and commonly supported end-user operating system, software and tools that were needed to measure each metric to find out the performance of the product.
Initially, we installed a fresh copy of the Windows 7 operating system and all supporting drivers. During installation all the default values were kept. For the performance measurement, we disabled updates, the firewall and security features that did not affect the measurements.
As the next step for testing, we installed all the software and tools given in table --- after Windows was installed.
For each security solution we needed a fresh operating system on the test machine to perform the product testing. For this work, we installed the operating system once and created a backup and recovery image, which saved our time and resources.
Initially we started testing by measuring all the performance metrics without any security solution, to see how much difference there is from the actual performance.
The testing strategy applied to the performance of all security products is described in chapter 6.
4.7 Antivirus Performance benchmark [18] [19]
The above antivirus programs were tested using 18 performance and quality metrics, as follows:
1. Initial Boot Time to User Desktop
2. Boot Time Degradation
3. User Application Launch Time
4. Third Party Installation Time
5. Antivirus Installation Size
6. Antivirus Installation Time
7. Antivirus Un-Installation Time
8. Antivirus Interface Launch Time
9. Antivirus Scan Time
10. Registry Keys added, Modify and Delete
11. Average Processor usage during Idle
12. Average Processor usage during scan
13. Average Memory usage during Idle
14. Average Memory usage during scan
15. Data Copy
16. Data Delete
4.8 Description of each performance metric
4.8.1 Initial Boot Time to User Desktop
a) Description
Boot time is the time the machine takes to load Windows to the user desktop. In the boot process all hardware and drivers are loaded first, then Windows applications, services and third-party software are loaded. [18]
Adding more applications, software, hardware and utilities makes the system take a bit longer to boot. Our aim is to calculate the additional time added to the boot process to launch these applications.
This metric actually calculates the amount of time taken by the computer to reach the user desktop. A longer boot time means the applications have a greater impact on the normal operation of the system. A security solution is generally installed on the system and launched at startup, as a result adding an additional amount of time and delaying the boot process. [18]
b) Test Tools
These three tools were used to measure the amount of time taken by the boot process:
SolutoInstaller
Event viewer
c) Methodology
After installation of all testing tools, simply run any of the boot time tools, which will restart or reboot the system and show the boot time.
We ran these tools five times to calculate the average boot time of the system without and with antivirus programs.
d) Results
Our final results were measured from an average of five boot time samples, which are given in appendix B.
4.8.2 Boot Time Degradation
a) Description
This metric measures the amount of time by which the security product degrades the boot process. It shows how much the security product degrades the boot process, and we also observe how the boot process is affected after un-installation of the antivirus product.
b) Test Tools
Event Viewer
c) Methodology
In the initial test we noticed that some applications and utilities degrade boot time. We did not consider those applications and utilities in the first test, boot degradation benchmark 2a, because these degradations are failures or faults of the operating system or applications. This happens sometimes when the operating system or software does not run or load successfully during boot. In the post-installation test we did not consider the boot degradation time metric.
In this test we used the Event Viewer tool to calculate how much time the security products add to the boot process.
d) Results
Our final results were measured from an average of five boot time degradation samples, which are given in appendix B.
4.8.3 User Application Launch Time
Description
This metric is very interesting for end users, who want to know which user application takes more time to run or launch. This metric measures the time a user application takes to launch, i.e. how responsive an application appears to an end user on the desktop when the application icon is clicked. In this test we took common user applications, e.g. MS Office, the Internet Explorer browser, the Firefox browser and the Google Chrome browser.
This metric shows how a common user application responds when an antivirus is installed and running in the background. End users must know the behavior of different antivirus products when scanning downloaded data for malware as it is downloaded from the internet or the local network. This means that antivirus behavior may affect browsing speed, as data or websites are scanned for threats. We also measure in this metric the time the browser takes to launch, because the security solution may degrade application launch times as a result of poorly performing antivirus functionality. [18]
Test Tools
Apptimer
ptime
Methodology
In this test, we ran the Apptimer or ptime software to measure the amount of time it takes to launch an application. We took five test samples of each user application listed in the description to measure launch time with and without antivirus software installed. For every sample the test machine was restarted and left idle for two minutes to minimize background processes. After two minutes Apptimer or ptime was used to launch and close the user application and then show the application launch time.
Results
The average of five user application launch and close time samples is given in appendix B.
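The measurement loop described for this metric, as an added Python stand-in for ptime/Apptimer (not a tool used by the thesis): it launches a command a fixed number of times, times each launch, and reports the mean and the degradation relative to a baseline run made without the security product. The idle period before each sample is a parameter (two minutes in the thesis, zero here so the demo finishes quickly), and the baseline figures in the demo are constructed.

```python
"""Added example: a stand-in for the ptime/Apptimer launch-time
measurement of section 4.8.3.  It launches a command a fixed number of
times, times each launch, and reports the mean plus the degradation
relative to a baseline run (the run without a security product)."""
import statistics
import subprocess
import sys
import time
from typing import Dict, List, Sequence

# A trivial interpreter start stands in for "launch and close an application".
DEMO_COMMAND = [sys.executable, "-c", "pass"]


def time_launch(cmd: Sequence[str], samples: int = 5,
                settle_seconds: float = 0.0) -> List[float]:
    """Run cmd to completion `samples` times and return wall-clock seconds.

    settle_seconds mirrors the thesis's idle period before each sample
    (two minutes there; 0 here so the demo finishes quickly)."""
    results = []
    for _ in range(samples):
        time.sleep(settle_seconds)
        start = time.perf_counter()
        subprocess.run(cmd, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        results.append(time.perf_counter() - start)
    return results


def summarize(baseline: Sequence[float],
              with_product: Sequence[float]) -> Dict[str, float]:
    """Mean of each run and the extra launch time attributable to the product."""
    base_mean = statistics.mean(baseline)
    prod_mean = statistics.mean(with_product)
    degradation = prod_mean - base_mean
    return {
        "baseline_mean": base_mean,
        "with_product_mean": prod_mean,
        "degradation": degradation,
        "degradation_pct": (degradation / base_mean * 100.0) if base_mean else 0.0,
    }


if __name__ == "__main__":
    # Usage: python launch_time.py <program> [args...]
    # Run once before and once after installing the product, keep the two
    # sample lists, and compare them with summarize().
    cmd = sys.argv[1:] or DEMO_COMMAND
    run = time_launch(cmd, samples=5)
    print("samples (s):", ["%.3f" % s for s in run])
    print("mean (s): %.3f" % statistics.mean(run))
    # Constructed baseline/with-product numbers, for illustration only.
    print(summarize([1.0, 1.2, 1.1, 1.0, 1.2], [1.5, 1.6, 1.4, 1.5, 1.5]))
```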
4.8.4 Third Party Application Installation
Description
Users may face problems or difficulties when they want to directly download third-party software from the internet and then install it on a computer, because of the antivirus product's behavior. This benchmark calculates the installation time of third-party software. We took common third-party applications that end users use every day on the computer, e.g. Firefox and Google Chrome.
Test Tools
Ptime
Methodology
In this test, we downloaded the third-party software and saved it on the desktop. We ran ptime in the command prompt to measure the amount of time it takes to install the applications. We took five test samples of each application listed in the description to measure installation time with and without antivirus software installed. For every sample the test machine was restarted and left idle for two minutes to minimize background processes. After two minutes ptime was used to run and complete the application installation and then show the software installation time.
Results
The final results were measured from an average of the third-party application installation time samples, which are given in appendix B.
4.8.5 Antivirus Installation Size
Description
Whenever a new release of antivirus software comes to the user desktop, new functionality and features are added, which brings consideration of hard disk space. Every new release of a security product takes more space on the hard drive compared to the old version. [18]
Nowadays home users use a large amount of hard disk space for movies, software, pictures, music and documents. This means users consider the size of the product as well as the quality of malware detection and scanning.
In this test we simply took a snapshot of the C drive to know its size before and after installation of the different antivirus programs. This metric shows how much space is used by each antivirus when installed on drive C.
Test Tools
Screenshot of the C drive
Methodology
We simply took snapshots of drive C before and after installation and compared the results.
Results
The difference between the two snapshots of drive C is given in appendix B.
4.8.6 Antivirus Installation Time
Description
In this benchmark, we measured the amount of time taken by the antivirus to install on the computer. We took only one sample of the installation of every antivirus product.
Test Tools
Ptime
Methodology
In this test, the antivirus software had already been downloaded and saved on the desktop. We ran ptime in the command prompt to measure the amount of time it takes to install each antivirus.
Results
The final results are given in appendix B.
4.8.7 Antivirus Un-Installation Time
Description
This metric measures the amount of time taken when an antivirus is un-installed from the machine.
When a user removes an antivirus from the computer, it is not fully removed. Some antivirus files are still on the computer and running, which affects performance and also does not allow another vendor's antivirus software to be installed on that computer. This makes a bad impression on the user and takes a lot of time to reinstall Windows on the machine from the beginning and move files from one drive to another.
Test Tools
Stopwatch
Methodology
For un-installation, we used a stopwatch to measure the un-installation time once. The antivirus was uninstalled from the Control Panel.
Results
Final un-installation time results are given in appendix B.
4.8.8 Antivirus Interface Launch Time
Description
This metric calculates the amount of time taken by each antivirus program's interface to appear on the desktop for the user, i.e. how much time the operating system takes to launch the antivirus interface.
Test Tools
Apptimer
Methodology
We took five samples to test the antivirus interface launch time using the Apptimer tool. Each time the machine was restarted before the test to remove extra background and unused processes.
Results
The final results were measured from an average of five antivirus interface launch time samples, which are given in appendix B.
4.8.9 Antivirus Scan Time
Description
All antivirus software is designed to detect viruses, spyware, worms and other malware. If an antivirus takes a lot of scanning time, it keeps the processor and memory busy.
In this test we measured the average scanning time of an antivirus: how much time it takes to scan 2 GB of clean files.
Methodology
The machine was restarted to clear caching for each of the five tests on the files. Scanning was done by right-clicking on the test folder and selecting the scan option to start scanning. Every antivirus calculates its own scanning time. [18]
The sample of test files was the same for every antivirus software test. The test files contained media files, pictures, documents, zip files and some system files taken from the Windows folder.
Results
Our final results were measured from the average of five samples and are given in appendix B.
4.8.10 Registry Keys Difference
Description
Every piece of software adds, modifies and deletes registry keys after installation or uninstallation. These keys use a lot of system resources, which degrades performance and occupies disk space. Adding more software takes more resources and decreases performance. [18]
This metric measures the registry keys added, modified and deleted on the system when we install the antivirus products.
Test Tools
OSForensics
Methodology
In this test we created an image of drive C with the OSForensics software and saved the initial drive C registry key results before the installation. Having already installed the different antivirus products in benchmark 6b, we saved the registry key results of drive C again, separately, to compare with the initial image registry key results. [18]
In this method we used OSForensics, which compared the initial registry keys with the result for every installed antivirus on drive C. The OSForensics software basically creates a signature of drive C. [18] For this test the machine was rebooted again.
Results
Final results obtained from the newly added, modified and deleted values are given in appendix B.
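The added/modified/deleted comparison behind this metric, as an added Python example (not the thesis's OSForensics procedure): two constructed registry snapshots in Windows .reg export syntax are parsed and every key and value is classified by comparing the two. OSForensics' own snapshot format is not shown on the page, so the .reg text here stands in for it; continuation lines of multi-line values are not handled.

```python
"""Added example: computes the registry metric of section 4.8.10 (keys
and values added, modified and deleted) from two snapshots.  The
snapshots are constructed strings in Windows .reg export syntax; the
thesis used OSForensics, whose own snapshot format is not shown here."""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (key path, value name); "" names the key itself

# A value line: "Name"=data  or  @=data (the key's default value).
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[Entry, str]:
    """Map every key and value in a .reg export to its data string."""
    entries: Dict[Entry, str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, "")] = ""  # record the key even if it has no values
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            entries[(key, name)] = m.group(2)
    return entries


def diff_snapshots(before: str, after: str) -> Dict[str, List[Entry]]:
    """Classify each entry as added, modified or deleted between snapshots."""
    old, new = parse_reg_export(before), parse_reg_export(after)
    return {
        "added": sorted(e for e in new if e not in old),
        "modified": sorted(e for e in new if e in old and new[e] != old[e]),
        "deleted": sorted(e for e in old if e not in new),
    }


# Constructed snapshots (no real product's keys).
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Version"="1.0"
"InstallDir"="C:\\Example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Old]
"Flag"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Version"="2.0"
"InstallDir"="C:\\Example"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV]
@="Example antivirus (constructed)"
"RealTime"=dword:00000001
"""

if __name__ == "__main__":
    for kind, entries in diff_snapshots(BEFORE, AFTER).items():
        print(f"{kind}: {len(entries)}")
        for key, name in entries:
            print(f"  {key} :: {name or '<key>'}")
```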
4.8.11 Average Processor usage during Idle
Description
This test calculates how much CPU is used during the idle state by the different antivirus products, i.e. how much load the antivirus puts on the CPU while the system is idle. In this benchmark we measure the overall CPU load of all the software, applications, utilities and antivirus running in the idle state, and also measure how much CPU percentage each antivirus uses. Lower processor time means better performance of the antivirus and system. End users prefer an antivirus with lower processor usage instead of one consuming a lot of CPU time, because end users have many heavy workloads which consume CPU, e.g. games, media files, programming tools and software.
Test Tools
Performance Monitor tool (perfmon)
Task Manager Tools
Resource Monitor tools
Methodology
In this test the antivirus was installed in the installation test phase, and we measured the amount of time it took to install. Next we rebooted the computer once more to clear caching effects on the CPU and memory.
After the restart we used any of the testing tools to measure the total CPU time in percent and how much CPU percentage each antivirus consumed.
Each time the system was left idle for two minutes to remove any background processing, and it was restarted for each of the five test samples. Afterwards we ran these three tools from the Run command to see the effects. The results were stored in a file to calculate the average CPU time taken by the antivirus.
Results
The average of five samples is given in appendix B.
4.8.12 Average Processor usage during scan
Description
This test calculates how much CPU is used when we start the scanning process of the different antivirus products on a set of files, i.e. how much load the antivirus puts on the CPU while scanning files.
In this test we measure the overall CPU load of all the software, applications, utilities and antivirus running, and also measure how much CPU percentage each antivirus uses. A lower processor percentage means better performance of the antivirus product.
End users prefer an antivirus with lower processor usage instead of one consuming a lot of CPU time, because end users have many heavy workloads which consume CPU, e.g. games, media files, programming tools and software.
Test Tools
Performance Monitor tool (perfmon)
Task Manager Tools
Resource Monitor tools
Antivirus software
Methodology
In this test the antivirus was installed in the installation test phase, and we measured the amount of time it took to install. As the next step we rebooted the computer once more to clear caching effects on the CPU and memory.
After restarting the machine we used any of the testing tools to measure the total CPU time in percent and how much CPU percentage each antivirus consumed during scanning.
Scanning was done by right-clicking on the test folder and selecting the scan option to start scanning, then running any of the given tools to measure how much CPU is used by the antivirus software.
The sample of test files was the same for every antivirus software test. The test files contained media files, pictures, office documents and some system files taken from the Windows folder.
The machine was restarted before every scan of the 2 GB of files, and we took the average of five samples.
Results
Our final results were measured from an average of five samples of average processor usage during scan, which are given in appendix B.
4.8.13 Average Memory usage during Idle
Description
End users suffer from the latest, updated software and applications, which consume a lot of the physical memory of the system. It is very expensive to increase the RAM of the system when the user gets low performance and processing speed.
Users think that the computer may be too old for the new software to install and run. A home user does not know much about computer hardware.
In this metric we measured how much memory is used by the antivirus software during the idle state; we can also calculate the memory used at run time when the system is busy.
If the antivirus uses a lot of system memory, the user cannot get significant performance and gets slower performance every time.
Test Tools
Performance Monitor tool (perfmon)
Task Manager Tools
Resource Monitor tools
RAMMap
Antivirus software
Methodology
In this test the antivirus was installed in the installation test phase, and we measured the amount of time it took to install. As the next step we rebooted the computer once more to clear caching effects on the CPU and memory.
Each time we restarted the machine for the five tests, we used any of the testing tools to measure the total memory of the system and how much memory space each antivirus consumed during idle time.
We ran these three tools from Start > Run to see the effects. The results were stored in a file to calculate the average memory space taken by the antivirus.
Results
Our final results were measured from an average of the memory usage during idle samples, which are given in appendix B.
4.8.14 Average Memory usage during scan
Description
End users suffer from the latest, updated software and applications, which consume a lot of the physical memory of the system. It is very expensive to increase the RAM in the system when the user gets low performance. Users think that the computer may be too old for the new software to run. A home user does not know much about computer hardware.
In this metric we measured how much memory is used by the antivirus software during scanning; we can also calculate the memory used at run time when the system is busy.
If the antivirus uses a lot of system memory, the user cannot get significant performance and gets slower performance every time.
Test Tools
Performance Monitor tool (perfmon)
Task Manager Tools
Resource Monitor tools
RAMMap
Antivirus software
Methodology
Each time we restarted the machine for the five tests, we used one of the
testing tools to measure the total memory of the system and how much memory
each antivirus consumed during scanning time.
The scan was started by right-clicking the test folder and selecting the scan
option; then one of the given tools was run to measure how much memory was
used by the antivirus software.
The sample of test files was the same for every antivirus software test. The
test folder contains media files, pictures, office documents and some system
files taken from the Windows folder.
The machine was restarted before every scan of the 2 GB of files, and we took
the average of five samples.
Results
Our final results were measured as the average of five Average Memory usage
during scan samples, which are given in appendix B.
4.8.15 Data Copy
Description
This benchmark measured the amount of time taken to copy a set of files
between two local hard disks. The set of files occupies 2 GB and contains
media files, documents, Rar files, pdf, images and system files. [18]
Test Tools
Ptime
Methodology
A total of five tests were performed to copy files from the local hard disk.
Before each test the system was restarted to clear the cache. Tests were run
from the command prompt.
Results
The average of five tests is given in appendix B.
4.8.16 Data Delete
Description
This benchmark measured the amount of time taken by the process of deleting
the data from its location on the disk. The set of files occupies 2 GB and
contains media files, documents, Rar files, pdf, images and system files. [18]
Test Tools
Ptime
Methodology
A total of five tests were performed to copy and delete files from the local
hard disk. Before each test the system was restarted to clear the cache. Tests
were run from the command prompt.
Results
The average of five tests is given in appendix B.
4.9 Tools and Software (utilities used for testing)

Software / Tool                      Command                    Manufacturer
Performance Monitor                  perfmon.exe                Microsoft
Resource Monitor                     resmon.exe                 Microsoft
Task Manager                         -----                      Microsoft
Event Viewer                         eventview                  Microsoft
Windows Registry                     regedt32.exe               Microsoft
Windows Performance Analyzer Tools   Xperf.exe, Xbootmgr.exe    Microsoft
Windows Performance Toolkit version  -----                      Microsoft
MS-Office                            -----                      Microsoft
Internet Explorer                    -----                      Microsoft
Mozilla Firefox                      -----                      GUI
Google Chrome                        -----                      GUI
Table 4.2 Windows built-in tools

Software                 Vendor            Working area
Solutioninstaller        Soluto            Boot time
Apptimer                 Passmark          Application time
ProcessExplorer          Microsoft         CPU, memory, disk
Ptime                    pc-tools          Used in most of the tests
Total Uninstall setup    Gavrila Martau    Software uninstall
OSForensics              Passmark          Registry keys
RAMMap                   Microsoft         Memory
Table 4.3 Freeware software and tools
5 Performance Analysis
5.1 Introduction
Testing the performance of an antivirus is not a simple task. Many aspects
must be covered, and testing several metrics at the same time makes it more
complicated. Today's antivirus is not the simple virus detection and removal
program it was a few years back; with the development of computer systems,
communication channels and the globalization of the networked horizon, viruses
themselves have become very complicated in their code, spreading techniques
and damaging effects, so advances in antivirus software were unavoidable.[3]
In the last decade many institutions and organizations have started working on
the merit of the performance of antivirus programs. These organizations test
and analyze performance using very powerful tools, real-time tests, infected
computers and monitoring software, and they have become the authority in the
market, issuing certificates of best performance to antivirus vendors, which
can be observed on any product.
Some of the well-known test labs are Virus Bulletin, NSS Labs, ICSA Labs,
West Coast Labs, AV-Test and CheckVir, and many more.[29] In this chapter we
have performed a very limited range of tests with the three different freeware
products selected from the survey done earlier. The comparison of performance
is made with respect to a commercial antivirus.
5.2 Testing methodology
The ideal environment would be a set of computers with the same specification
and working environment installed, with the tests of all selected antivirus
products run at the same time; but since the availability of computers is
limited, the tests have been done on a single PC to maintain the basic testing
environment. Here is the methodology adopted to run the tests and create the
analysis report.
1. The operating system with the latest service pack was installed on the
workstation, and an image of the OS was created and stored on an external disk
drive for further tests.
2. An image was taken of an infected hard disk removed from an old computer,
containing 17.4 GB of infected data.
3. The hard drive is formatted with the NTFS file system, and data is copied
from the infected hard drive for every new test.
4. Several bona-fide clean files were created and renamed to virus.com,
virus.exe and *.vir to analyze false detection.
5. Some of the bona-fide, clean files have a duplicate copy renamed to
well-known virus names such as SirC32.exe, SCD.DLL, Scam32.exe [8].
6. The hard drive containing infected data was attached as a secondary hard
drive.
7. The system was attached to the network.
8. The operating system firewall was disabled.
9. Tests were run with the commercial antivirus and 3 freeware products for
comparison.
10. Antivirus software was installed and updated.
11. All tests were run with the default settings provided by the antivirus.
5.3 Problem
Since no tool was available to obtain a confirmed report of the number of
viruses and infected files in the specified data, 3 different antivirus trial
versions, ESET NOD32, Kaspersky and MacAfee, were used to procure the assumed
number of infected files.
In the table below we can see the number of infected files captured by the
different antivirus products during scanning of the infected data disk; the
infected files notified in common by different antivirus products are also
shown in the table, and as a cumulative result 484 files were discovered
infected.

              ESET NOD32   Kaspersky   MacAfee
ESET NOD32    473          456         462
Kaspersky     456          464         417
MacAfee       462          417         469
Tab. 5.1 Infected files captured in result of scanning

In the light of the above data in Tab. 5.1 we assume that 484 infected files
exist; in addition, 70 files have a bona-fide structure with the renamed and
duplicated options mentioned earlier in the methodology.
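The derivation of Tab. 5.1 and of the assumed-infected count from per-scanner reports, as an added Python example that is not part of the thesis; the file names and the freeware report below are constructed stand-ins for the real scan logs, and compare_to_assumed computes the per-scanner differences discussed in 5.4.2.

```python
"""Overlap table and assumed-infected set from per-scanner detection lists.

Added example, not part of the thesis. The file names are constructed; real
reports would be exported from each product's scan log and loaded here.
"""

# Constructed reference reports: the set of file paths each trial-version
# scanner flagged on the infected disk image.
SCAN_RESULTS = {
    "ESET NOD32": {"a.exe", "b.dll", "c.scr", "d.com", "e.vbs"},
    "Kaspersky":  {"a.exe", "b.dll", "d.com", "f.exe"},
    "MacAfee":    {"a.exe", "c.scr", "d.com", "f.exe", "g.exe"},
}


def overlap_table(results):
    """Return {(x, y): count of files flagged by both x and y}.

    As Tab. 5.1 appears to be laid out, the diagonal (x == y) is the
    scanner's own total and the off-diagonal cells are the files two
    scanners notified in common.
    """
    return {(x, y): len(fx & fy)
            for x, fx in results.items()
            for y, fy in results.items()}


def is_symmetric(table):
    """Sanity check: common-detection counts must not depend on order."""
    return all(table[(x, y)] == table[(y, x)] for (x, y) in table)


def assumed_infected(results):
    """Cumulative result: every file flagged by at least one scanner."""
    union = set()
    for files in results.values():
        union |= files
    return union


def compare_to_assumed(reported, assumed):
    """How one (freeware) scanner's report differs from the assumed set:
    'extra' files it flagged that no reference scanner did, and 'missed'
    assumed-infected files it did not flag."""
    return {"extra": len(reported - assumed), "missed": len(assumed - reported)}


def format_table(results):
    """Render the overlap table in the layout of Tab. 5.1."""
    names = list(results)
    table = overlap_table(results)
    width = max(len(n) for n in names) + 3
    lines = ["".ljust(width) + "".join(n.ljust(width) for n in names)]
    for x in names:
        cells = "".join(str(table[(x, y)]).ljust(width) for y in names)
        lines.append(x.ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(SCAN_RESULTS))
    assumed = assumed_infected(SCAN_RESULTS)
    print("assumed infected:", len(assumed))
    # Constructed freeware report: one file nobody else flagged, four missed.
    freeware = {"a.exe", "c.scr", "d.com", "h.exe"}
    print("freeware vs assumed:", compare_to_assumed(freeware, assumed))
```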
5.4 Tests [29]
In this section of testing we performed some of the tests typically related
to the working area of an antivirus program. Data was collected with respect
to their basic functionality and an analysis was performed.
Although several other tests could be performed to judge the performance of an
antivirus, due to limited tools, resources and budget we have chosen only a
few tests, which lead us at least to a basic analysis of performance.
5.4.1 Scanning speed
Scanning speed is a very important metric in terms of antivirus performance,
but it does not depend on the antivirus program structure only; it also relies
on the processing speed of the processor, available memory, the type and size
of the scanned data, the operating system itself and the (source) disk data
seek time.
Here are the results of the scanning speed taken from the tests.
Graph 5.1 Scanning speed test comparison
[Graph 5.1 data, MB/s: Avast Antivirus 14.6, AVG Anti-Virus 7.1, Avira Antivirus 12.9]
5.4.2 Detection of malicious programs
Antivirus programs use different techniques to detect malware, depending on
its nature. The most common detection method is to compare signatures against
the patterns supplied in the virus definition files.
Whenever new virus signatures are discovered, the antivirus vendors add them to
their definitions; the user can then update on demand, or the antivirus
program updates its virus definitions regularly, as scheduled.
During the scans run by the antivirus software for the detection of malware,
the following data was collected and the detection rate was plotted in a
graph.
Graph 5.2 Detection rate comparisons
[Graph 5.2 data, infected files: Avast Antivirus 488, AVG Anti-Virus 464, Avira Antivirus 496, assumed infected 484]
The term "assumed infected" is the derived number of infected files found
during scanning and detection by the 3 commercial antivirus products.
During the analysis of these tests it was found that all the threats notified
by AVG were captured by Avira, Avast and the commercial antivirus as well,
while Avast found 13 infected files different from the assumed ones, and
surprisingly Avira found 12 files more than the assumed ones; there are several
different file names among the notified files.
5.4.3 Frequency of definition file update
This test is an observation rather than a test in itself, and it was also
double-checked against the vendors' sites.
Although users are allowed to configure the frequency of definition file
updates, the antivirus program itself updates according to the built-in
configuration set by its programmers.
This test was performed on a one-day update basis.
Graph 5.3 Definition file update
[Graph 5.3 data, updates per day: Avast Antivirus 3, AVG Anti-Virus 1, Avira Antivirus 6]
From the detection test we got a positive impression of the performance of
Avira, therefore we planned to analyze the update of Avira's definition file,
and it was observed that this antivirus software updates its virus definition
file much more frequently than the other freeware ones. The average update is
4 to 6 times per day with dozens of signatures [7].
5.4.4 False detection
This test was performed assuming that on the disk drive there are only 70
valid files that pretend to be viruses by name, extension and structure. Even
though there might be more bona-fide files which were declared as malware by
the tested antivirus programs, to get at least a clear picture of the
performance in the case of false detection we focused on these 70 files only.
Avast had an average number of infected file detections during the scan, but
in the false detection case it stood in first place; in the case of AVG it
seemed a bit fairer, since AVG has the same performance in both cases,
detection of malware and false detection.
Graph 5.4 False Detection
[Graph 5.4 data, false detections among the 70 bona-fide files: Avast Antivirus 9, AVG Anti-Virus 4, Avira Antivirus 7, Commercial 3]
False detection can be a major problem in both the positive and the negative
direction: an antivirus may detect a valid file as infected and remove or
repair it (modify the code), which can cause not only the concerned program to
stop working but may make the system itself unstable if some system files
(necessary to boot, run or operate) are modified or removed; on the other
hand, if the antivirus program considers an infected file a valid program,
the chance of re-infection cannot be ignored.
5.4.5 Removal of Malicious code
Almost all free and/or commercial antivirus products are capable of removing
and/or repairing files infected with a virus known to their virus definitions.
Here the question arises: why do we need to purchase an antivirus when our
objective is fulfilled by the free one?
For an average computer user this may be a very valid question, but things are
more complicated than they look.
Since malware are no longer simple programs, a basic antivirus (free edition)
cannot give the desirable protection with its limited capabilities.
All antivirus software detect malware on the basis of their virus definitions;
therefore the response to zero-day malware varies with the nature of the
malware: if its signature is known it may be predictable, otherwise the
antivirus software will be blind in this case.
5.5 Features comparison
We could compare the features of the antivirus products used earlier in our
report on an individual basis, but since all the updated feature comparisons
are available on their websites, we do not feel it is our place to make an
individual comparison, but rather a collective feature comparison.
Fig 5.1 Overall features comparison
In the light of the above figure one can reach the conclusion that there is
no way to compare the freeware and a paid product, and that these freeware are
just there to advertise and get users used to the products; this is a good
product promotion method, providing a sample working program to users so that
they can touch it with their bare fingers rather than read and listen to the
advertisement and ignore it.
Other Features:
    Firewall [23]
    Email service [23]
    Anti spam [23]
    Online shopping safety [23]
    Internet security
    Remote administration [24]
    Anti phishing [22]
    Rootkit protection [22]
    Antibot [22]
    Backup system [22]
    Child protection [22]
    Workstation protection [24]
    and many more...
Free Antivirus:
    System scanner [22]
    Limited email protection
6 Quality Tests
6.1 Introduction
This chapter consists of information about the results obtained from the test
methodology described in chapter 4. The overall testing environment is divided
into three phases to perform a comparative qualitative analysis of the impact
of freeware security software on the computer, from boot to the successful
launch of a user application.
6.2 Strategy of Performance Testing
First we start with the pre-installation tests, which were performed without
antivirus. In the pre-installation tests our aim was to find the actual
performance of the machine without antivirus software running. This test was
helpful for the total performance test, where we compare the pre-installation
phase with the other phases.
In the post-installation phase, we installed each security software one by
one and calculated the performance for the different metrics. Final results
were compared with the initial phase.
In the post-uninstallation phase, we calculated the different metric times
after uninstalling each antivirus software. This test shows whether computer
performance may or may not be affected after each antivirus is uninstalled.
In the total performance test, we compared all three test phases to find the
best performance result of the six antivirus software. We carried out the
following testing:
1. Pre-installation performance test results
2. Post-installation performance test results
3. Post-uninstallation performance test results
4. Total performance test
6.2.1 Pre installation performance test Results
In this test phase, we installed a fresh Windows 7 operating system and the
software that we needed to perform the initial testing; no antivirus was
installed in this phase. In this test we measured the 18 different
performance metrics given in chapter 4, but some metrics cannot be measured in
this phase because they depend on the antivirus software.
Benchmark 1a: Initial Boot Time to User Desktop
This chart shows the average boot time taken by the computer without an
antivirus product installed. This is the initial boot time of the Windows 7
operating system.
Graph 6.1 Initial boot time
Benchmark 2a: Booting Time Degradation
Initially, without an antivirus installed, only Windows applications and
third-party software degrade the boot time in the Event Viewer logs. The
Event Viewer log shows the total history of the operating system. We noticed
that boot time was not always degraded by the same application or software;
every time, the boot time was degraded by a different application. But in this
test we are not interested in the Windows services or applications, nor in how
much time is degraded by them. Our aim was to measure how much the antivirus
products degrade the boot time of the machine. In the pre-installation phase
this test could not measure the degradation time of the machine.
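One way to read the degradation records this benchmark relies on, as an added Python example that is not part of the thesis: the XML export below is constructed in the Windows event schema, the provider name, event IDs (100 boot, 101 application, 103 service) and data field names are assumed from the Diagnostics-Performance provider, and the component names are invented.

```python
"""Summarise boot-time degradation from Diagnostics-Performance event records,
as Event Viewer reports them for benchmark 2.

Added example, not part of the thesis. The XML is a constructed export; event
IDs and field names are assumed from the provider, component names invented.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed export: one boot record (event 100) and three degradation
# records (101 = application, 103 = service). Times are in milliseconds.
SAMPLE_EXPORT = f"""<Events xmlns="{EVENT_NS}">
  <Event>
    <System><Provider Name="Microsoft-Windows-Diagnostics-Performance"/>
            <EventID>100</EventID></System>
    <EventData><Data Name="BootTime">66600</Data>
               <Data Name="MainPathBootTime">40100</Data></EventData>
  </Event>
  <Event>
    <System><Provider Name="Microsoft-Windows-Diagnostics-Performance"/>
            <EventID>101</EventID></System>
    <EventData><Data Name="Name">exampleav_tray.exe</Data>
               <Data Name="TotalTime">9100</Data>
               <Data Name="DegradationTime">6200</Data></EventData>
  </Event>
  <Event>
    <System><Provider Name="Microsoft-Windows-Diagnostics-Performance"/>
            <EventID>103</EventID></System>
    <EventData><Data Name="Name">ExampleAV Service</Data>
               <Data Name="TotalTime">7800</Data>
               <Data Name="DegradationTime">4300</Data></EventData>
  </Event>
  <Event>
    <System><Provider Name="Microsoft-Windows-Diagnostics-Performance"/>
            <EventID>101</EventID></System>
    <EventData><Data Name="Name">sidebar.exe</Data>
               <Data Name="TotalTime">3000</Data>
               <Data Name="DegradationTime">1500</Data></EventData>
  </Event>
</Events>"""


def parse_events(xml_text):
    """Return a list of (event_id, {data name: value}) for each Event."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        records.append((event_id, data))
    return records


def boot_summary(records):
    """Boot time (ms) from event 100 and degradation (ms) per component
    name, summed over the 101/103 records that blame that component."""
    summary = {"boot_time_ms": None, "degradation_ms": {}}
    for event_id, data in records:
        if event_id == 100:
            summary["boot_time_ms"] = int(data["BootTime"])
        elif event_id in (101, 103):
            name = data["Name"]
            summary["degradation_ms"][name] = (
                summary["degradation_ms"].get(name, 0)
                + int(data["DegradationTime"]))
    return summary


def degradation_matching(summary, needle):
    """Total degradation (ms) attributed to components whose name contains
    `needle` (e.g. the antivirus vendor's name); this is what benchmark 2
    isolates from the Windows services and other applications in the log."""
    needle = needle.lower()
    return sum(ms for name, ms in summary["degradation_ms"].items()
               if needle in name.lower())


if __name__ == "__main__":
    summary = boot_summary(parse_events(SAMPLE_EXPORT))
    print("boot time: %.1f s" % (summary["boot_time_ms"] / 1000))
    for name, ms in summary["degradation_ms"].items():
        print("  %-22s %.1f s" % (name, ms / 1000))
    print("attributed to ExampleAV: %.1f s"
          % (degradation_matching(summary, "exampleav") / 1000))
```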
Benchmark 3a: User Application Launch Time
This chart shows the average launch time taken by user applications without
antivirus software running on the machine. This is the average launch time of
MS-Office and Explorer, which are commonly used nowadays.
[Graph 6.1 data: initial boot time 47.6 seconds]
Graph 6.2 User application launch time
Benchmark 4a: Third Party Installation Time
This chart shows the installation time taken by third-party software on the
machine. The average time was calculated by taking five samples of
installation time without running security products.
Graph 6.3 Third party installation time
Some of the tests mentioned below cannot be performed prior to installation of
the antivirus software, but for the sake of maintaining the sequence the test
numbers will be kept accordingly.
Benchmark 10a: Registry Keys added, Modify and Delete
We created an initial signature of the C: drive before every installation and
removal of the antivirus from the machine (initial_test). This signature will
be used for comparison after installing and removing the antivirus.
[Graph 6.2 data: user application launch time 0.57 seconds]
[Graph 6.3 data: third party installation time 11 seconds]
Benchmark 15a: Data Copy
This chart shows the average time taken to copy and delete a set of files from
one local drive to another local drive without antivirus installed. We
measured the performance of the file copy and delete when the user is not
using antivirus software. The test was performed five times to calculate the
average time.
Graph 6.4 Data copy time
Benchmark 16a: Data Delete
This chart shows the average time taken to delete data of size 2 GB,
consisting of a set of files, from its location on the drive without antivirus
installed. We measured the performance of data deletion when the user is not
using antivirus software. The test was performed five times to calculate the
average time.
Graph 6.5 Data delete time
[Graph 6.4 data: data copy time 118 seconds]
[Graph 6.5 data: data delete time 1.3 seconds]
6.2.2 Post -installation Performance Test Results
In the post-installation phase, we installed a fresh copy of the Windows
operating system on the same machine for each security software. Each
antivirus installation time and size were measured, and the different
performance calculations were taken in the next step. Final results were
compared with the pre-installation phase tests and the post-uninstallation
phase at the end of the chapter.
Benchmark 1b: Initial Boot Time to User Desktop
Boot time is one of the factors showing the performance of the products: the
lower the boot time, the better the product's performance. The results were
calculated as the average of five boot time samples, given in appendix B.
Graph 6.6 Initial boot time to user desktop
Benchmark 2b: Boot Time Degradation
In the given chart, lower boot time degradation is considered better
performance of the security product. The final results were calculated with
the Windows tool known as Event Viewer, which shows the cause of the
degradation, the name of the service or application and the degradation time.
[Graph 6.6 data, time in seconds: Avast Antivirus 87.6, AVG Antivirus 66.6, Avira Antivirus 75, Norton AntiVirus 54]
Graph 6.7 Boot time degradation
Benchmark 3b: User Application Launch Time
The following chart presents the performance comparison with respect to user
application launch time. A lower application launch time is considered better
performing antivirus software.
Graph 6.8 User Application launch time
[Graph 6.7 data, boot time degradation in seconds: Avast Antivirus 3.8, AVG Antivirus 4.5, Avira Antivirus 3.2, Norton AntiVirus 0]
[Graph 6.8 data, time in seconds: Avast Antivirus 0.8, AVG Antivirus 1, Avira Antivirus 0.96, Norton AntiVirus 0.7]
Benchmark 4b: Third Party Installation Time
The following chart shows the performance of the different antivirus products
when the user wants to install third-party software. A lower third-party
installation time means a better performing antivirus. Final results were
measured from the average of five test samples, given in appendix B.
Graph 6.9 Third party installation time
Benchmark 5b: Antivirus Installation Size
The following chart shows the total size of the antivirus when installed on
the machine. The final result was calculated from snapshots of drive C before
and after installation. An antivirus that consumes less space is considered
the better and more reputable vendor product.
[Graph 6.9 data, time in seconds: Avast Antivirus 18, AVG Antivirus 17, Avira Antivirus 12, Norton AntiVirus 15]
Graph 6.10 Antivirus installation size
Benchmark 6b: Antivirus Installation Time
A minimum amount of user time taken by the antivirus installation is
considered better performance.
Graph 6.11 Antivirus installation time
[Graph 6.10 data, size in MB: Avast Antivirus 307, AVG Antivirus 614, Avira Antivirus 204, Norton AntiVirus 102]
[Graph 6.11 data, time in minutes: Avast Antivirus 2.5, AVG Antivirus 4.05, Avira Antivirus 1.68, Norton AntiVirus 1.54]
Benchmark 7b: Antivirus Un-Installation Time
The following chart presents the uninstallation time of each product via Add
or Remove Programs. The final results show the different amounts of time taken
to remove each product from the computer. The minimum time represents the
better performing product compared to the others.
Graph 6.12 Antivirus uninstallation time
Benchmark 8b: Antivirus Interface Launch Time
The following chart compares the average antivirus interface launch time. A
lower launch time means a better performing product.
Graph 6.13 Antivirus interface launch time
[Graph 6.12 data, time in seconds: Avast Antivirus 30, AVG Antivirus 78, Avira Antivirus 28, Norton AntiVirus 22]
[Graph 6.13 data, time in seconds: Avast Antivirus 0.18, AVG Antivirus 0.12, Avira Antivirus 0.13, Norton AntiVirus 0.8]
Benchmark 9b: Antivirus Scan Time
The following chart compares the average antivirus scan time. A lower scan
time means a better performing product.
Graph 6.14 Antivirus scan time
Benchmark 10b: Registry Keys added, Modify and Delete
The following chart shows the number of keys that differ after antivirus
installation. The final result is obtained from the comparison of the initial
test signature with each antivirus test signature.
Graph 6.15 Registry modification differences
[Graph 6.14 data, time in minutes: Avast Antivirus 6.81, AVG Antivirus 5.1, Avira Antivirus 1.54, Norton AntiVirus 1.23]
[Graph 6.15 data, registry values differing: Avast Antivirus 5535, AVG AntiVirus 5797, Avira Antivirus 5229, Norton AntiVirus 8997]
Benchmark 11b: Average Processor usage during idle
The following chart shows the amount of CPU used by the different antivirus
products in the idle case. The final result is the average of five test
samples. In this benchmark none of the antivirus products used the CPU during
the idle time.
Graph 6.16 Average processor usage during idle
Benchmark 12b: Average Processor usage during scan
The following chart represents the average amount of CPU used by the different
antivirus products while scanning 2 GB of different files. During the test it
was observed that AVG and Norton antivirus maintain some scanning history, so
they decline to rescan files with the same contents.
Graph 6.17 Average processor usage during scan
[Graph 6.16 data, CPU percentage: Avast Antivirus 0.01, AVG Anti-Virus 0.017, Avira Antivirus 0.005, Norton AntiVirus 0.005]
[Graph 6.17 data, CPU percentage: Avast Antivirus 45, AVG AntiVirus 26, Avira Antivirus 42, Norton AntiVirus 53]
Benchmark 13b: Average Memory usage during Idle
The following chart shows the amount of memory used by the different antivirus
products in the idle case. The final result is the average of five test
samples. In this benchmark none of the antivirus products used memory during
the idle time except Avast antivirus.
Graph 6.18 Average memory usage during idle
Benchmark 14b: Average Memory usage during scan
The following chart represents the average amount of memory used by the
different antivirus products while scanning 2 GB of data consisting of
different files.
Graph 6.19 Average memory usage during scan
[Graph 6.18 data, memory in MB: Avast Antivirus 2.5, AVG AntiVirus 0, Avira Antivirus 0, Norton AntiVirus 0]
[Graph 6.19 data, memory in MB: Avast Antivirus 206, AVG AntiVirus 45, Avira Antivirus 168, Norton AntiVirus 350]
Benchmark 15b: Data Copy
The final results in the given graph were calculated from the average of five
test samples of copying 2 GB consisting of different sets of files, for each
antivirus product. A minimum copy time is considered better performing
antivirus software.
Graph 6.20 Average copy time
Benchmark 16b: Data Delete
The final results in the given graph were calculated from the average of five
test samples of deleting data of size 2 GB consisting of different sets of
files, for each antivirus product. A minimum delete time is considered better
performing antivirus software.
Graph 6.21 Average delete time
[Graph 6.20 data, time in seconds: Avast Antivirus 156, AVG AntiVirus 109, Avira Antivirus 124, Norton AntiVirus 115]
[Graph 6.21 data, time in seconds: Avast Antivirus 3.1, AVG AntiVirus 2.2, Avira Antivirus 3.3, Norton AntiVirus 2.4]
6.2.3 Post un-installation performance test Results
In the post-uninstallation phase, we removed each antivirus software from the
machine after completion of the post-installation test phase. We then
calculated the 17 benchmarks again for each antivirus to see the effects
remaining after the antivirus was removed.
Benchmark 1c: Initial Boot Time to User Desktop
Graph 6.22 Initial boot time to user desktop
Benchmark 3c: User Application Launch Time
Graph 6.23 User application launch time
[Graph 6.22 data, time in seconds: Avast Antivirus 56, AVG AntiVirus 53, Avira Antivirus 49, Norton AntiVirus 49]
[Graph 6.23 data, time in seconds: Avast Antivirus 0.9, AVG AntiVirus 0.7, Avira Antivirus 1, Norton AntiVirus 0.67]
Benchmark 4c: Third Party Installation Time
Graph 6.24 third party installation time
Benchmark 7c: Antivirus Un-Installation Time
Graph 6.25 Antivirus uninstallation time
[Graph 6.24 data, time in seconds: Avast Antivirus 14.7, AVG AntiVirus 14.1, Avira Antivirus 11.7, Norton AntiVirus 13.3]
[Graph 6.25 data, time in seconds: Avast Antivirus 30, AVG AntiVirus 78, Avira Antivirus 28, Norton AntiVirus 22]
Benchmark 10c: Registry Keys added, Modify and Delete
Graph 6.26 Registry modifications differences
Benchmark 15c: Data Copy
Graph 6.27 Data copy time
[Graph 6.26 data, registry values differing: Avast Antivirus 5535, AVG AntiVirus 11838, Avira Antivirus 5061, Norton AntiVirus 5949]
[Graph 6.27 data, time in seconds: Avast Antivirus 119, AVG AntiVirus 137, Avira Antivirus 119, Norton AntiVirus 106]
Benchmark 16c: Data delete
Graph 6.28 Data delete time
6.3 Quality and performance analysis
After getting the results in the pre-installation, post-installation and
post-uninstallation phases, a comparative analysis is done with respect to
every benchmark.
Benchmark 1: Initial Boot Time to User Desktop
Graph 6.29 Initial boot time comparison
[Graph 6.28 data, time in seconds: Avast Antivirus 1.9, AVG AntiVirus 1.5, Avira Antivirus 1.9, Norton AntiVirus 1.8]
[Graph 6.29 data, time in seconds: Pre Installation 47.6; Phase 2 (post-installation): Avast Antivirus 87.6, AVG Antivirus 66.6, Avira Antivirus 75, Norton AntiVirus 54; Phase 3 (post-uninstallation): Avast 56, AVG 53, Avira 49, Norton 49]
Benchmark 3: User Application Launch Time
Graph 6.30 User application launch time comparison
Benchmark 4: Third Party Installation Time
Graph 6.31 third party installation time comparison
[Graph 6.30 data, time in seconds: Pre Installation 0.5; Phase 2: Avast Antivirus 0.8, AVG Antivirus 1, Avira Antivirus 0.96, Norton AntiVirus 0.7; Phase 3: Avast 0.9, AVG 0.7, Avira 1, Norton 0.6]
[Graph 6.31 data, time in seconds: Pre Installation 11; Phase 2: Avast Antivirus 18, AVG Antivirus 17, Avira Antivirus 12, Norton AntiVirus 15; Phase 3: Avast 14.7, AVG 14.1, Avira 11.7, Norton 13.3]
Benchmark 10: Registry Keys Difference
Graph 6.32 registry key difference comparisons
Benchmark 15: Data Copy
Graph 6.33 data copy time comparison
[Graph 6.32 data, registry values differing: Ph1 vs Ph2: Avast Antivirus 5535, AVG AntiVirus 5797, Avira Antivirus 5229, Norton AntiVirus 8997; Ph1 vs Ph3: Avast 5535, AVG 11838, Avira 5061, Norton 5949]
[Graph 6.33 data, time in seconds: Pre Installation 118; Phase 2: Avast Antivirus 156, AVG AntiVirus 109, Avira Antivirus 124, Norton AntiVirus 115; Phase 3: Avast 119, AVG 137, Avira 119, Norton 106]
Benchmark 16: Data Delete
Graph 6.34 Data delete time comparison
In the light of the above graphs, we analyzed some of the important parameters
which have strong effects on the performance of the overall system.
Installation of a freeware antivirus has almost the same effects as the
commercial one. These effects are the following:
Slow-down of system processing, since antivirus software engages a lot of
resources in the form of processor and memory and therefore slows down
processing. For example, if we look at the boot time comparison graph we can
see that after installation of the antivirus the boot time increased to 1.5 to
2 times the boot time of the pre-installation phase. It is observed that the
boot time returned to normal after removal of the antivirus software. This
study shows that the boot time delay is comparatively higher for the freeware
antivirus software than for the commercial one.
In the same manner, user application launch time and third-party installation
time increased compared to the pre-installation phase.
The time to copy the data remained the same in the case of the commercial
antivirus software, while a huge fluctuation was noticed in the case of Avast
and AVG. After removal of these two antivirus products the data copy time
normalized to the pre-installation level.
[Graph 6.34 data, time in seconds: Pre Installation 1.3; Phase 2: Avast Antivirus 3.1, AVG AntiVirus 2.2, Avira Antivirus 3.3, Norton AntiVirus 2.4; Phase 3: Avast 1.9, AVG 1.5, Avira 1.9, Norton 1.8]
In the case of data delete time, both freeware and commercial antivirus apply
some special checks that result in heavy processing: in the presence of Avast
and Avira the delete time rose to three times the pre-installation time, while
in the case of AVG and the commercial antivirus the delete time was double the
pre-installation time. This shows that all antivirus products monitor this
behavior and run some specific algorithms to check whether the delete is the
activity of a virus or not.
The analysis of benchmark 10 [registry key difference] has given some strange
statistics which make the character of the antivirus software somewhat
suspicious. For this benchmark we performed three operations:
1. First we created the fresh Windows initial image before installation of
the antivirus.
2. Second we created another image of the same Windows installation with the
antivirus installed.
3. Third, we uninstalled the antivirus software and created another image of
the same Windows installation, for each test.
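The three-phase signature comparison above, as an added Python example that is not the thesis's own tooling (the authors used OSForensics signatures); the snapshots, the product name ExampleAV and the registry paths are constructed for illustration, and the third phase deliberately models an uninstaller that leaves entries behind.

```python
"""Three-phase registry snapshot comparison for benchmark 10.

Added example, not the thesis's tooling. Each snapshot maps 'key\\value'
to its data; the paths and the product name ExampleAV are constructed.
"""


def diff_snapshots(before, after):
    """Return (added, modified, deleted) sets of entry names."""
    added = set(after) - set(before)
    deleted = set(before) - set(after)
    modified = {k for k in set(before) & set(after) if before[k] != after[k]}
    return added, modified, deleted


def difference_count(before, after):
    """Single number per comparison, as plotted for the registry benchmark:
    added + modified + deleted entries."""
    return sum(len(s) for s in diff_snapshots(before, after))


def leftover_after_uninstall(phase1, phase3):
    """Entries present after uninstall but not before install, plus
    pre-existing entries whose data was changed and not restored."""
    added, modified, _ = diff_snapshots(phase1, phase3)
    return added | modified


def phase_report(phase1, phase2, phase3):
    """The two comparisons of graph 6.32 plus the residue a clean uninstall
    would leave at zero."""
    return {
        "ph1_vs_ph2": difference_count(phase1, phase2),
        "ph1_vs_ph3": difference_count(phase1, phase3),
        "leftover": len(leftover_after_uninstall(phase1, phase3)),
    }


# Constructed snapshots (paths chosen for illustration only).
HK = r"HKLM\SOFTWARE"
RUN = HK + r"\Microsoft\Windows\CurrentVersion\Run"
PHASE1 = {                                   # fresh Windows image
    RUN + r"\Sidebar": r"C:\Program Files\Sidebar.exe",
    HK + r"\Classes\.exe\(Default)": "exefile",
    HK + r"\Classes\.txt\(Default)": "txtfile",
}
PHASE2 = dict(PHASE1)                        # after installing ExampleAV
PHASE2.update({
    HK + r"\ExampleAV\InstallDir": r"C:\Program Files\ExampleAV",
    HK + r"\ExampleAV\Version": "1.0",
    RUN + r"\ExampleAV": r"C:\Program Files\ExampleAV\tray.exe",
    HK + r"\Classes\.exe\(Default)": "ExampleAV.exefile",   # hooked
})
PHASE3 = dict(PHASE2)                        # after uninstalling ExampleAV
# The uninstaller removes its Run entry and InstallDir but leaves Version
# and never restores the .exe association: entries are left behind.
del PHASE3[HK + r"\ExampleAV\InstallDir"]
del PHASE3[RUN + r"\ExampleAV"]

if __name__ == "__main__":
    print(phase_report(PHASE1, PHASE2, PHASE3))
    for entry in sorted(leftover_after_uninstall(PHASE1, PHASE3)):
        print("left behind:", entry)
```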
Upon the comparison of the three signatures’, we have got the results reflected in
graph 6.31. According to that comparison
Avast antivirus have added and modify 5,535 entries in the registry which
were removed and modify by it upon un-install.
While in the case of AVG the difference between phase-1 and phase-2
entries were 5,797, which was increased by 6,041 more than existing entries
of post installation phase and the volume of disk remained greater than pre
installation phase, it leads to the result that AVG antivirus has left hug
number of entries in the registry and several files in the system directory.
In case of Avira antivirus the entries remain comparatively same in compare
post installation and post uninstallation phase.
The commercial antivirus software added and modified a reasonable number
of entries upon installation and remove or modify upon uninstallation.
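The three-image comparison described above, written out as an added example (it is not the thesis's own tool, which the text does not name). Each image is a mapping from registry value path to its data; the product name ExampleAV, every key path and all value data below are constructed for illustration, and on a real machine the mappings would be filled from `reg export` output or Python's winreg module in each of the three phases.

```python
"""Three-phase image comparison for the registry-key benchmark.

Added example, not the tool used in the thesis (which is not named).
Each image is a mapping from registry value path to its data.  The three
images, the product name "ExampleAV" and every key path below are
constructed for illustration; on a real machine the mappings would be
filled from `reg export` output or the winreg module in each phase.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Diff:
    added: frozenset
    modified: frozenset
    deleted: frozenset

    def total(self) -> int:
        return len(self.added) + len(self.modified) + len(self.deleted)


def diff_images(before: dict, after: dict) -> Diff:
    """Classify every value path as added, modified or deleted between two images."""
    added = frozenset(k for k in after if k not in before)
    deleted = frozenset(k for k in before if k not in after)
    modified = frozenset(k for k in before if k in after and before[k] != after[k])
    return Diff(added, modified, deleted)


def signature(image: dict) -> str:
    """SHA-256 over the sorted (path, data) pairs; equal images give equal
    signatures, which is the cheap 'did anything change at all' check."""
    h = hashlib.sha256()
    for path, data in sorted(image.items()):
        h.update(path.encode("utf-8") + b"\x00" + repr(data).encode("utf-8") + b"\x00")
    return h.hexdigest()


def uninstall_report(pre: dict, post_install: dict, post_uninstall: dict) -> dict:
    """The three comparisons of benchmark 10: what installation changed, what
    uninstallation changed, and what is left over relative to the clean image."""
    install = diff_images(pre, post_install)
    uninstall = diff_images(post_install, post_uninstall)
    residue = diff_images(pre, post_uninstall)
    return {
        "install_changes": install.total(),
        "uninstall_changes": uninstall.total(),
        "residue": sorted(residue.added | residue.modified | residue.deleted),
        "clean_uninstall": signature(pre) == signature(post_uninstall),
    }


# Constructed images (hypothetical paths and data, not measured values).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
SEC = r"HKLM\SOFTWARE\Microsoft\Security Center"

PRE = {
    RUN + r"\Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe",
    SVC + r"\Tcpip\Start": 1,
    SEC + r"\AntiVirusOverride": 0,
}
POST_INSTALL = dict(PRE)
POST_INSTALL[RUN + r"\ExampleAV"] = r"C:\Program Files\ExampleAV\ui.exe"  # autostart added
POST_INSTALL[SVC + r"\exampleav_filter\Start"] = 0                         # filter driver service added
POST_INSTALL[SEC + r"\AntiVirusOverride"] = 1                              # existing value modified

POST_UNINSTALL = dict(POST_INSTALL)
del POST_UNINSTALL[RUN + r"\ExampleAV"]                      # autostart removed
POST_UNINSTALL[SEC + r"\AntiVirusOverride"] = 0              # value restored
POST_UNINSTALL[r"HKLM\SOFTWARE\ExampleAV\Uninstalled"] = 1   # new key written by the uninstaller
# SVC\exampleav_filter\Start is NOT removed: the driver service is left behind.

if __name__ == "__main__":
    print(uninstall_report(PRE, POST_INSTALL, POST_UNINSTALL))
```

The residue list is the quantity the chapter compares across products: an uninstaller that leaves nothing gives an empty list and equal pre/post-uninstall signatures, while the AVG pattern described above (more entries after uninstallation than after installation) shows up as a residue larger than the install delta.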
It was a complicated task to compare software of different size and with different scanning and detection methods, each having different effects on the computer system. Reviewing the performance tests, Avast and Avira are comparatively close to each other in performance and fulfil the qualification of a good antivirus, but they still put a considerable load on system operation: the boot time grows by 20-40 seconds, which may not be very noticeable for a common user but is a big drawback in a world where the unit of operation is microseconds.
7 Conclusions

The tests and analyses explained in the preceding chapters may require a certain level of understanding in the field of computing technology, but in this section the whole work is summed up in a few phrases. The crux of the work done is as follows:

7.1 Conclusions
The objective of this thesis work was to analyze the performance and qualities of the freeware antivirus software available, and we hope that we have explored some drops from this ocean. Malware are called malicious programs, but there is nothing mysterious in their nature as propagated in the media: they are ordinary pieces of code written with special spreading algorithms and specific objectives. The important thing is to learn how to live, behave and react with them, as we do with biological viruses in real life. The performance and quality analysis of the freeware was started to collect the positive aspects of these programs, but with the passage of time and the results of the tests we realized that the study had to be performed from a critical viewpoint. One of several other factors is the ignorance of the user when selecting antivirus software. Users do not bear in mind the relationship between the human factor and virus reproduction and distribution. In our case some of the human factors are:
Curiosity
Greed
Novelty impression

The choice of the anti-malware is an important user factor. Users always trust the sweet claims of guaranteed prevention and protection without understanding the marketing strategies behind the vendors' financial benefit. Sometimes users are so innocent that if a virus is offered to them as an antivirus they do not bother to verify it, cause problems for themselves and others, and never realize the underground business objective of the offering side. As far as the overall quality in terms of performance of functionality and utilization of system resources is concerned, very severe weaknesses were observed in the software, which in some cases made the system perform worse than with no antivirus at all.

7.2 Future work
During the performance testing phase some other tests were performed which are not mentioned in this report. They focused on several different areas, mainly the registry, and some suspicious results were observed:
1. After uninstallation of one freeware, a few of its files were still located in operating system folders.
2. Some entries were observed in the registry after installation of a freeware which were not present before installation, and these entries are listed as Trojans on the websites of some reputable antivirus vendors.
Exploring the registry is not an easy job, especially in dozens of cases and with limited time, therefore this side of freeware antivirus should be analyzed with powerful tools and in a multi-computer lab environment to answer the following questions:
a. How healthy is the freeware antivirus itself?
b. Are the freeware antivirus programs involved in promoting malware?
c. Are they a secret weapon used by some commercial vendors?
7.3 Suggestions

In the light of the tests and analysis done during our thesis work, some suggestions and recommendations can be made:
1. Looking at old and new versions of operating systems, every new version is the collection of the old version plus some new applications. In the same way a monitoring program for the detection of malicious code can be embedded within the operating system, providing at least the basic functionality of a freeware antivirus. Since the operating system is responsible for everything from boot to application launch, it can provide a better environment for the same price as the OS.
2. A universal platform can be established for the collection of virus signatures and a database maintained, from which all antivirus programmers can get help centrally; Linköping University can play a key role in this as a pioneer.
3. Computer and IT ethics need to be promoted among users, especially at school level, to avoid unnecessary clicking while surfing the internet, since many websites (pornography, free gaming and many more) are the worst sources of viruses.
Appendix A List of Figures
Figure 1.1 Taxonomy of computer infection program 6
Figure 1.2 Carrier program infected by virus 11
Figure 5.1 Overall features comparison 45

List of Tables
Table 4.1 Security software vendors and versions 23
Table 4.2 Windows built-in tools 37
Table 4.3 Freeware software and tools 37
Table 5.1 Infected files captured in results of scanning 40

List of Graphs
Graph 5.1 Scanning speed test comparison 41
Graph 5.2 Detection rate comparison 42
Graph 5.3 Definition file update 43
Graph 5.4 False detection 44
Graph 6.1 Initial boot time 48
Graph 6.2 User application launch time 49
Graph 6.3 Third party installation time 49
Graph 6.4 Data copy time 50
Graph 6.5 Data delete time 50
Graph 6.6 Initial boot time to user desktop 51
Graph 6.7 Boot time degradation 52
Graph 6.8 User application launch time 52
Graph 6.9 Third party installation time 53
Graph 6.10 Antivirus installation size 54
Graph 6.11 Antivirus installation time 54
Graph 6.12 Antivirus uninstallation time 55
Graph 6.13 Antivirus interface launch time 55
Graph 6.14 Antivirus scan time 56
Graph 6.15 Registry modification differences 56
Graph 6.16 Average processor usage during idle 57
Graph 6.17 Average processor usage during scan 57
Graph 6.18 Average memory usage during idle 58
Graph 6.19 Average memory usage during scan 58
Graph 6.20 Average copy time 59
Graph 6.21 Average delete time 59
Graph 6.22 Initial boot time to user desktop 60
Graph 6.23 User application launch time 60
Graph 6.24 Third party installation time 61
Graph 6.25 Antivirus uninstallation time 61
Graph 6.26 Registry modification differences 62
Graph 6.27 Data copy time 62
Graph 6.28 Data delete time 63
Graph 6.29 Initial boot time comparison 63
Graph 6.30 User application launch time comparison 64
Graph 6.31 Third party installation time comparison 64
Graph 6.32 Registry key difference comparison 65
Graph 6.33 Data copy time comparison 65
Graph 6.34 Data delete time comparison 66
Appendix B Testing Environment
All the tests were performed on Windows 7 with the following client machine specifications.
Pre-installation performance test results
1. Initial boot time to user desktop
Five test samples of boot time
Soluto installer values (sec) = 51+46+45+47+49
Average boot time = 47.6 seconds
Event Viewer values = 50067 ms+49131 ms+49209 ms+51527 ms+56458 ms
Average boot time = 51.3 seconds
2. Boot degradation
Before the antivirus was installed, only Windows applications and third-party software appeared as degrading the boot time in the Event Viewer logs.
3. User application launch and open time
Five test samples of launch time
a) MS Office launch and open time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
0.0773+0.0928+0.0770+0.0773+0.0934 = 0.083 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
0.7949+0.8106+0.4989+0.8260+0.5146 = 0.68 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
0.8730+0.5224+0.3582+0.5918+0.3592 = 0.54 seconds (average)
Note: delay 2000 milliseconds (2 seconds) between executions, measured to Input Idle
Total average MS Office launch time = 0.43 seconds
b) Browser launch and open time
Application startup time in seconds
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
1.6536+1.5759+1.5915+1.6068+1.6383 = 1.61 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
0.2489+0.2176+0.2175+0.2189+0.2173 = 0.22 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.4516+0.6392+0.1796+0.1824+0.1553 = 0.32 seconds (average)
Total average browser launch time = 0.71 seconds
Total average launch time = 0.57 seconds
4. Third party installation time
Five samples of Firefox 8.0 installation
13.812+9.932+11.835+10.248+9.298
Average time = 11.025 seconds
5. Registry keys added, modified and deleted
We created an initial signature of the C: drive before every installation and removal of an antivirus from the machine (initial_test). This signature is compared with the signatures taken after installing and after removing the antivirus.
6. Data copy
Average copy time = 118 seconds = 1.97 minutes
7. Data delete
Total delete time = 1.3 seconds
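The five-sample averages and the normalisation against the pre-installation phase used throughout this appendix and in the chapter 6 comparison graphs, as an added example (not a tool from the thesis). The sample strings are copied from this appendix exactly as recorded there (the Soluto boot times, the boot times with AVG installed, and the Firefox launch times before installation and with AVG installed); the parser accepts the three notations the appendix mixes ("1:08", "0,0773", "15.2467"). The cold-start check is an addition: several recorded launch series have a first run two to three times slower than the rest, which inflates a plain mean.

```python
"""Statistics for the five-sample timing benchmarks.

Added example, not a tool from the thesis.  The sample values below are
copied from the appendix tables, which record times in three notations
("1:08" for m:ss, "0,0773" with a decimal comma, "15.2467"); the parser
accepts all three so the recorded strings can be fed in unchanged.
"""
from statistics import mean, median


def parse_seconds(text: str) -> float:
    """'1:08' -> 68.0, '0,0773' -> 0.0773, '15.2467' -> 15.2467."""
    text = text.strip().replace(",", ".")
    if ":" in text:
        minutes, seconds = text.split(":", 1)
        return int(minutes or 0) * 60 + float(seconds)
    return float(text)


def summarize(samples):
    """Mean, median and range of one five-run benchmark, in seconds."""
    vals = [parse_seconds(s) for s in samples]
    return {"mean": mean(vals), "median": median(vals),
            "min": min(vals), "max": max(vals), "n": len(vals)}


def overhead(baseline, phase, stat="median"):
    """Slowdown factor of a phase relative to the pre-installation baseline,
    i.e. the normalisation used for the chapter 6 comparison graphs."""
    return summarize(phase)[stat] / summarize(baseline)[stat]


def has_cold_start_outlier(samples, factor=2.0):
    """True when the first run is more than `factor` times the median of the
    remaining runs: a cold-cache first launch that would inflate the plain
    mean (a pattern visible in several of the recorded Firefox series)."""
    vals = [parse_seconds(s) for s in samples]
    return vals[0] > factor * median(vals[1:])


# Recorded series from this appendix (strings as written there).
PRE_BOOT = ["51", "46", "45", "47", "49"]                       # Soluto, pre-installation
AVG_BOOT = ["1:15", "0:58", "1:06", "1:15", "0:59"]             # AVG installed
PRE_FIREFOX = ["1,6536", "1,5759", "1,5915", "1,6068", "1,6383"]  # pre-installation
AVG_FIREFOX = ["4.5088", "2.0745", "1.9972", "1.9969", "1.9659"]  # AVG installed

if __name__ == "__main__":
    for name, base, phase in [("boot", PRE_BOOT, AVG_BOOT),
                              ("firefox", PRE_FIREFOX, AVG_FIREFOX)]:
        print(name, "mean x%.2f" % overhead(base, phase, "mean"),
              "median x%.2f" % overhead(base, phase, "median"),
              "cold-start outlier:", has_cold_start_outlier(phase))
```

For the Firefox series the mean-based slowdown (about 1.56x) is noticeably larger than the median-based one (about 1.24x) because of the single 4.5 s first run; reporting both, or discarding the warm-up run, makes the phase-to-phase comparison less sensitive to that one sample.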
Post-installation phase results and diagrams
Avast Antivirus results
1. Initial boot time to user desktop
Five test samples of boot time
Average boot time = 7.31/5 = 1.46 minutes = 87.6 seconds
2. Boot time degradation
Five test samples of boot degradation
1359+7377+2690+1988+5997 = 19411 ms; 19411/5 = 3882.2 ms
Average time = 3.9 seconds
3. User application launch time
Five test samples
a. MS Office launch and open time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
0.1083+0.1265+0.1084+0.1244+0.1240 = 0.12 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
0.1563+1.0760+1.0125+1.1696+0.9824 = 0.88 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
0.4670+0.6700+0.7168+0.6854+0.7479 = 0.66 seconds (average)
Average MS Office launch time = 0.55 seconds
b. Browser launch and open time
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
2.4963+2.4653+2.6262+2.9103+2.4650 = 2.59 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
0.3349+0.4401+0.4640+0.4222+0.3746 = 0.41 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.1704+0.2488+0.1705+0.1699+0.1545 = 0.18 seconds (average)
Average browser launch time = 1.06 seconds
Total average user application launch time = 0.8 seconds
4. Third party installation time
Five test samples of Firefox installation
15.2467+14.252+14.272+15.952+15.700 = 75.42 seconds
Average time = 15.1 seconds (18.1 in the original calculation)
5. Antivirus installation size
Total installation size = 307 MB
6. Antivirus installation time
Total time = 150 seconds = 2.5 minutes
7. Antivirus uninstallation time
Total time = 30 seconds
8. Antivirus interface launch time
Five test samples
C:\Program Files\AVAST Software\Avast\AvastUI.exe - 5 executions
0.1306+0.3353+0.1531+0.1703+0.1079
Average time = 0.18 seconds
9. Antivirus scan time
Five test samples
7:14+6:37+6:45+6:58+6:29
Average time = 6:49 = 6.81 minutes
10. Registry keys added, modified and deleted
Total difference = 5335 values
11. Average processor usage during idle
Total = 0%
12. Average processor usage during scan
Five test samples
49+37+49+42+49
Average CPU = 45%
13. Average memory usage during idle
2988+2448+2460+2484+2548 KB
Average memory = 2.5 MB
14. Average memory usage during scan
264212+176532+264024+88060+264212 KB
Average memory = 211,408 KB = 206 MB
15. Data copy
Five test samples of copy
152.4+156.4+151.8+160.3+163.1
Average time = 156.8 seconds
16. Data delete
Five test samples of delete
3.9+3.2+3.2+3.5+1.7
Average time = 3.1 seconds
AVG Antivirus performance metrics
Post-installation phase
1. Initial boot time to user desktop
Five test samples of boot time
1:15+0:58+1:06+1:15+0:59 = 333 seconds
Average boot time = 66.6 seconds
2. Boot time degradation
Boot degradation samples: 5909 ms+6268 ms+6274 ms+4261 ms (only four samples are listed)
Average time = 22712/5 = 4542.4 ms = 4.5 seconds
3. User application launch time
Five test samples
a. MS Office launch and open time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
1.6060+0.9979+1.3409+1.6061+1.4345 = 1.40 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
1.5127+0.9353+0.8884+0.9821+0.8900 = 1.04 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
1.2004+0.7643+0.4202+0.7167+0.7010 = 0.76 seconds (average)
Average MS Office launch time = 1.0 seconds
b. Browser launch and open time
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
4.5088+2.0745+1.9972+1.9969+1.9659 = 2.51 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
0.3349+0.4401+0.4640+0.4222+0.3746 = 0.41 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.9040+0.2239+0.2008+0.2187+0.1866 = 0.35 seconds (average)
Average browser launch time = 1.09 seconds
4. Third party installation time
Five test samples of Firefox installation
21.21+15.67+16.240+15.70+16.74
Average time = 17.1 seconds
5. Antivirus installation size
Total installation size = 614 MB
6. Antivirus installation time
Total time = 243 seconds = 4.05 minutes
7. Antivirus uninstallation time
Total time = 1.30 minutes = 78 seconds
8. Antivirus interface launch time
Five test samples
C:\Program Files\AVG\AVG2012\avgui.exe - 5 executions
0.1398+0.1242+0.1242+0.1239+0.1242
Average time = 0.13 seconds
9. Antivirus scan time
Five test samples; recorded values: 5:06, 2, 0, 0
Average time = 5.1 minutes
10. Registry keys added, modified and deleted
Total difference = 5797 values
11. Average processor usage during idle
Total = 0%
12. Average processor usage during scan
Average CPU = 26%
13. Average memory usage during idle
0 KB
14. Average memory usage during scan
46,680 KB+0+0+0+0 (only one non-zero sample was recorded)
Average memory = 45 MB
15. Data copy
Five test samples of copy
123.4+104.56+112.4+103.1+105.5
Average time = 109.8 seconds
16. Data delete
Five test samples of delete
2.99+2.11+2.33+2.7+3.0 = 13.13 seconds
Average time = 2.6 seconds (2.2 in the original calculation and in Graph 6.34)
Avira Antivirus performance metrics
1. Initial boot time to user desktop
Five test samples of boot time
1:08+1:02+1:08+1:40+1:21 = 379 seconds
Average boot time = 75.8 seconds = 1.26 minutes
2. Boot time degradation
Five test samples of boot degradation
Average time = 3.2 seconds
3. User application launch time
Five test samples
a. MS Office launch and open time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
1.2319+1.5277+1.1998+1.1695+1.1383 = 1.25 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
1.9024+0.6089+0.8573+0.6390+0.8571 = 0.97 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
1.5121+0.6702+0.6701+0.3739+0.6389 = 0.77 seconds (average)
b. Browser launch and open time
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.8104+0.2176+0.2177+0.2176+0.2178 = 0.34 seconds (average)
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
4.3213+1.8877+1.6538+1.6540+1.6536 = 2.23 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
0.2489+0.2176+0.2175+0.2189+0.2173 = 0.22 seconds (average)
Total average user application launch time = 0.96 seconds
4. Third party installation time
Five test samples of Firefox installation
14.88+11.92+11.42+10.95+11.30
Average time = 12.1 seconds
5. Antivirus installation size
Total installation size = 204 MB
6. Antivirus installation time
Total time = 1.68 minutes
7. Antivirus uninstallation time
Total time = 28 seconds
8. Antivirus interface launch time
Five test samples
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe - 5 executions
0.1841+0.1242+0.1087+0.1240+0.1239
Average time = 0.13 seconds
9. Antivirus scan time
Five test samples
1:44+1:30+1:29+1:30+1:31 = 464 seconds
Average time = 92.8 seconds = 1.55 minutes
10. Registry keys added, modified and deleted
Total difference = 5229 values
11. Average processor usage during idle
Total = 0%
12. Average processor usage during scan
Five test samples
45+48+22+48+48
Average CPU = 42%
13. Average memory usage during idle
0 MB
14. Average memory usage during scan
138016+184144+183672+177932+178788 KB
Average memory = 172,510 KB = 168 MB
15. Data copy
Five test samples of copy
132.4+126.4+131.8+110.3+123.1
Average time = 124.8 seconds
16. Data delete
Five test samples of delete
3.9+3.2+3.2+3.5+2.7
Average time = 3.3 seconds
Norton Antivirus performance metrics calculation and results
1. Initial boot time to user desktop
Five test samples of boot time
1:08+57+1:00+43+46 = 274 seconds
Average boot time = 54.8 seconds
2. Boot time degradation
Average time = 0 seconds
3. User application launch time
Five test samples
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
0.2020+0.0925+0.1239+0.1083+0.0926 = 0.12 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
1.5746+0.6388+0.6234+0.7008+0.6393 = 0.84 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
0.4369+0.4203+0.4043+0.4204+0.4203 = 0.42 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.2017+0.1715+0.1868+0.1397+0.1389 = 0.17 seconds (average)
Average launch time = 0.795 seconds
4. Third party installation time
Five test samples of Firefox installation
17.26+15.92+15.23+14.45+15.32
Average time = 15.6 seconds
5. Antivirus installation size
Total installation size = 102 MB
6. Antivirus installation time
Total time = 92.85 seconds = 1.55 minutes
7. Antivirus uninstallation time
Total time = 22 seconds
8. Antivirus interface launch time
Five test samples
C:\Program Files\Norton AntiVirus\Engine\19.1.1.3\uiStub.exe - 5 executions
2.3899+0.2943+0.4834+0.3733+0.4827
Average time = 0.80 seconds
9. Antivirus scan time
Five test samples; recorded values: 5:32, 0:37, 0, 0, 0
Average time = 1.23 minutes (three of the five samples were recorded as 0)
10. Registry keys added, modified and deleted
Total keys = 8997
11. Average processor usage during idle
Total = 0%
12. Average processor usage during scan
Average CPU = 53%
13. Average memory usage during idle
0 MB
14. Average memory usage during scan
358,804 KB = 350 MB
15. Data copy
Five test samples of copy
135.46+109.22+110+120.23+105.43
Average time = 116 seconds
16. Data delete
Five test samples of delete
3.02+2.8+3+2.5+2.8 = 14.12 seconds
Average time = 2.8 seconds (2.47 in the original calculation; 2.4 in Graph 6.34)
Post-uninstallation test results
Avast Antivirus uninstallation
1. Initial boot time to user desktop
Five test samples
1:08+59+55+49+51 = 282 seconds
Average boot time = 56.4 seconds
2. User application launch time
Five test samples
a. MS Office launch and open time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
0.3896+0.0772+0.0930+0.0772+0.0769 = 0.14 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
1.0289+0.6390+0.6545+0.6698+0.5451 = 0.71 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
0.8204+0.6233+0.5769+0.5763+0.5764 = 0.63 seconds (average)
b. Browser launch and open time
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
2.3090+2.1686+2.1684+2.2001+2.1530 = 2.20 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
1.3096+0.2175+0.2180+0.2332+0.2329 = 0.44 seconds (average)
Total user application launch time = 0.90 seconds
3. Third party installation time
Five test samples of Firefox 8.0 installation
14.274+12.07+15.445+14.434+14.278 = 70.50 seconds
Average time = 14.1 seconds (14.7 in the original calculation)
4. Antivirus uninstallation time
Time = 30 seconds
5. Data copy
Five test samples of copy
155.241+123.624+109.363+102.584+104.743
Average time = 119.1 seconds
6. Data delete
Five test samples of delete
2.481+1.516+1.599+2.540+1.481
Average time = 1.9 seconds
AVG uninstallation phase
1. Initial boot time to user desktop
Five test samples
1:03+49+55+49+51 = 267 seconds
Average boot time = 53.4 seconds
2. User application launch time
Five test samples
a. MS Office launch and open time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
1.2940+1.4344+1.5749+1.4344+1.4032 = 1.43 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
1.1852+0.7651+0.5774+0.8103+0.8261 = 0.83 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
0.7013+0.6546+0.6237+0.6391+0.6545 = 0.65 seconds (average)
Average MS Office launch time = 0.97 seconds
b. Browser launch and open time
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
1.1237+0.5930+0.5930+0.5932+0.5932 = 0.70 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.2798+0.1551+0.1709+0.1709+0.1708 = 0.19 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
1.2945+0.2180+0.2177+0.2179+0.2205 = 0.43 seconds (average)
Average browser launch time = 0.44 seconds
Total user application launch time = 0.70 seconds
3. Third party installation time
Five test samples of Firefox 8.0 installation
14.274+12.07+15.445+14.434+14.278 = 70.50 seconds
Average time = 14.1 seconds
4. Antivirus uninstallation time
Time = 1.30 minutes = 78 seconds
5. Registry keys added, modified and deleted
Total keys = 11838
6. Data copy
Five test samples of copy
145.501+139.024+154.062+122.081+125.241
Average time = 137.2 seconds
7. Data delete
Five test samples of delete
1.41+1.56+2.099+1.24+1.38 = 7.689 seconds
Average time = 1.5 seconds
Avira uninstallation test results
1. Initial boot time to user desktop
Five test samples
Average boot time = 49.6 seconds
2. User application launch time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
1.5276+1.5748+1.3565+1.4189+1.4502 = 1.47 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
0.8902+0.8409+0.8416+0.8884+0.8259 = 0.86 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
1.1539+0.6235+0.6079+0.6076+0.6238 = 0.72 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.5766+0.1712+0.1865+0.1723+0.1554 = 0.25 seconds (average)
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
2.5742+1.6072+1.5757+1.5913+1.5600 = 1.78 seconds (average)
Total user application launch time = 1.016 seconds
3. Third party installation time
Five test samples of Firefox 8.0 installation
13.42+11+11.5+10.2+10 = 56.12 seconds
Average time = 11.2 seconds (11.7 in the original calculation)
4. Antivirus uninstallation time
Time = 28 seconds
5. Registry keys added, modified and deleted
Total difference = 5061 values
6. Data copy
Five test samples of copy
125.211+119.024+124.063+112.584+115.743
Average time = 119.3 seconds
7. Data delete
Five test samples of delete
1.910+2.112+1.599+2.521+1.481
Average time = 1.9 seconds
Norton Antivirus uninstallation test results
1. Initial boot time to user desktop
Five test samples
56+45+49+52+44 = 246 seconds
Average boot time = 49.2 seconds
2. User application launch time
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - 5 executions
0.3423+0.0773+0.0777+0.0620+1.6216 = 0.44 seconds (average)
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE - 5 executions
1.4344+0.6390+0.9371+0.5925+0.9044 = 0.90 seconds (average)
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE - 5 executions
0.7950+0.6078+0.5918+0.6233+0.6076 = 0.65 seconds (average)
C:\Program Files\Internet Explorer\iexplore.exe - 5 executions
0.4360+0.1710+0.1084+0.1070+0.1214 = 0.19 seconds (average)
C:\Program Files\Mozilla Firefox\firefox.exe - 5 executions
1.7698+1.6072+1.6225+1.5911+1.6070 = 1.64 seconds (average)
C:\Users\avatar\AppData\Local\Google\Chrome\Application\chrome.exe - 5 executions
0.2218+0.2174+0.2174+0.2176+0.2176 = 0.22 seconds (average)
Total average user application launch time = 0.671 seconds
3. Third party installation time
Five test samples of Firefox 8.0 installation
15.3+12.4+12.92+15.4+10.7
Average time = 13.3 seconds
4. Antivirus uninstallation time
Time = 22 seconds
5. Registry keys added, modified and deleted
Total difference = 5949 keys
6. File copy and delete
Five test samples of copy
106.7+102.3+109.4+112.6+102.35
Average time = 106.7 seconds
Five test samples of delete
1.7+1.8+1.6+2.2+2.0
Average time = 1.86 seconds
Terminology and Abbreviations
Authentication: the process of verifying that a piece of data, or the party presenting it, is genuine and comes from the claimed origin.
Anti-spam: a program that fights spam.
Anti-phishing: a program that protects against attempts to acquire information such as user names, passwords and bank card details.
Antibot: a program that protects against bot applications on the internet, such as web spidering.
Background operation: applications running behind the front end in a multitasking environment, over which the user has no direct control.[1]
Bad sectors: during formatting of a disk all sectors are checked one by one for usability; unusable sectors are flagged as bad and not used by DOS, while the remaining areas can still be used. Bad sectors are sometimes used by viruses to store code outside the reach of the user and the operating system.[1]
BAT: the extension given to batch files in MS-DOS, used for virus activation in earlier times.
BIOS: Basic Input/Output System, the firmware that initializes the hardware and starts the boot process before the operating system is loaded.
Bit: the smallest unit of information, either 1 or 0.
Boot virus: a virus that infects the boot area of a disk or partition, replaces the boot record and so gains control of the machine before the operating system.
Bootstrapping: booting the computer system. A boot after power-off is a cold boot; rebooting from within the operating system is a soft or warm boot.[1]
Bootstrap sector: the very first portion of the OS loaded into memory from disk at startup, which then loads the remaining OS instructions.[1]
Bulletin Board: a Bulletin Board System (BBS) is an environment where computers exchange information.
Byte: the smallest addressable unit of storage in memory that can be read and written; it consists of 8 bits.
Checksum: a value used to check the integrity of data. Devices, protocols and software compute and compare the checksum to verify that the data is still in its original form.
Ciphertext: the data produced as the result of encryption.
CMOS: Complementary Metal Oxide Semiconductor chips with low power consumption, used in battery-backed applications like the time-of-day clock and the parameter memory of a computer.[1]
COM: .COM is the extension given to certain executables in DOS.
CRC: Cyclic Redundancy Check, a mathematical method for verifying the integrity of data; a form of checksum.[1]
Deciphering: reversing the process of ciphering to get the original text back.
Decryption: the reverse of encryption.
Device driver: a program written to handle a hardware device such as a modem, a mouse, or almost any other device attached to the computer.
Digital signature: a checksum that depends on all the bits of a transmitted message and on a secret (private) key, but which can be checked without knowledge of that secret key.
Disk controller: the controller built into the machine that controls the operation of the hard drive.
DOS: Disk Operating System.
Enciphering: converting information from plain text to ciphertext, which cannot be understood by an unauthorized person.
Encryption: the same as enciphering.
.EXE: the extension of an executable file in Windows.
Firewall: hardware or software that protects the user's network from the outside.
Interrupt: a high-priority signal, coming from hardware or software, that alerts the processor.
Logic bomb: a small chunk of code attached to a specific piece of software that starts functioning when triggered by some condition.
Parasitic virus: a virus that attaches itself to files, programs or disk media and runs when the file or program is executed; it overwrites part of the file or program.
Rootkit: software that hides the presence of an attacker on a compromised system and preserves the root (administrator) privileges already obtained.
Secret key: an encryption or decryption key used to encrypt data or to decrypt encrypted data.
.SYS: the extension given to system files.
Trojan horse: a malicious program that appears to perform some useful service for the user while carrying out a hidden malicious action, often giving a remote attacker access to the machine.
Virus: executable code that makes copies of itself or infects files on the computer; it may rewrite, change or delete user data.
Virus signature: a byte pattern or algorithm used by an antivirus to identify a specific virus.
Bibliography
[1] Jan Hruska (1990) "Computer Virus and Antivirus Warfare". Ellis Horwood, New York.
[2] Eric Filiol (2005) "Computer Viruses: from Theory to Application". Springer, New York.
[3] Matt Bishop and Sathyanarayana S. Venkatramanayya (2005) "Introduction to Computer Security". Pearson Education, India.
[4] Internet usage and population statistics [online]. Available: http://www.internetworldstats.com [Accessed: October 23, 2011]
[5] Bruliz N., Filiol E. (2003) Analyse d'un ver ultra-rapide: Sapphire/Slammer. MISC, Le journal de la sécurité informatique, Numéro 8.
[6] Essam Al Daoud et al. (2008) Computer Virus Strategies and Detection Methods. Int. J. Open Problems Compt. Math., Vol. 1, No. 2, September 2008. Available: http://www.emis.de/journals/IJOPCM/files/IJOPCM(vol.1.2.3.S.08).pdf [Accessed: December 04, 2011]
[7] http://www.avira.com/en/support-vdf-history [Accessed: December 03, 2011]
[8] http://antivirus.nih.gov/archives/Sircam.asp [Accessed: November 16, 2011]
[9] http://www.buzzle.com/articles/different-types-of-computer-viruses.html [Accessed: November 06, 2011]
[10] www.avast.com/index [Accessed: October 11, 2011]
[11] www.avg.com [Accessed: October 11, 2011]
[12] windows.microsoft.com/en-US/windows/products/security-essential [Accessed: October 12, 2011]
[13] www.avira.com/free [Accessed: October 12, 2011]
[14] www.us.norton.com/downloads/ [Accessed: October 14, 2011]
[15] download.cnet.com/McAfee-AntiVirus-Plus/3000-2239_4-10581368.html [Accessed: October 12, 2011]
[16] download.cnet.com/windows/security-software/?tag=rb_content;main [Accessed: October 12, 2011]
[17] www.anti-virus-software-review.toptenreviews.com/ [Accessed: October 17, 2011]
[18] www.passmark.com/benchmark-reports/index.htm [Accessed: October 23, 2011]
[19] www.passmark.com/products/index.htm [Accessed: October 30, 2011]
[20] www.av-comparatives.org/en/comparativesreviews [Accessed: November 2, 2011]
[21] www.pc-tools.net [Accessed: November 2, 2011]
[22] http://www.avira.com/en/for-home-avira-internet-security#tab3 [Accessed: December 04, 2011]
[23] http://www.avast.com/en-se/free-antivirus-download [Accessed: December 04, 2011]
[24] http://www.avg.com/eu-en/business-security [Accessed: December 04, 2011]
[25] http://antivirusnews.wordpress.com/2010/05/31/compiter-protection-software-classification/ [Accessed: December 04, 2011]
[26] http://www.cknow.com/cms/vtutor/number-of-viruses.html [Accessed: December 04, 2011]
[27] http://www.devduff.com/software/top-ten-antivirus-2012.php [Accessed: December 07, 2011]
[28] http://www.f-secure.com/v-descs/brain.shtml [Accessed: December 07, 2011]
[29] http://reviews.cnet.com/1990-6600_7-6379091-1.html [Accessed: December 07, 2011]

Other sources of information which helped us during this thesis work:
1. Adleman L. M. (1988) An Abstract Theory of Computer Viruses. In Advances in Cryptology - CRYPTO '88, Springer.
2. Anderson J. P. (1972) Computer Security Technology Planning Study, Technical Report ESD-TR-73-51, US Air Force Electronic Systems Division.
3. Anderson R. (2001) Security Engineering, Wiley.
4. Bell D. E., LaPadula L. J. (1973) Secure Computer Systems: Mathematical Foundations and Model, The MITRE Corporation.
5. Biba K. J. (1977) Integrity Considerations for Secure Computer Systems, USAF Electronic Systems Division.
6. Botchev V. (1995) Are "good" computer viruses still a bad idea? www.virusbtn.com
7. Chess D. M., White S. R. (2000) An undetectable computer virus, Virus Bulletin Conference, September.
8. Cohen F. (1986) Computer viruses, Ph.D. Thesis, University of Southern California, January 1986.
9. Cohen F. (1994) A Short Course on Computer Viruses, Wiley.
10. Cohen F. (1987) Computer Viruses - Theory and Experiments, IFIP-TC11 Computers and Security, vol. 6, pp. 22-35.
11. Cohen F. (1988) Models of Practical Defenses against Computer Viruses, IFIP-TC11 Computers and Security.
12. Coursen S. (2001) 'Good' viruses have a future, www.surferbeware.com
13. Eichin M. W., Rochlis J. A. (1988) With Microscope and Tweezers: an analysis of the Internet virus of November 1988, IEEE Symposium on Research in Security and Privacy.
14. Filiol E. (2002) Applied Cryptanalysis of Cryptosystems and Computer Attacks Through Hidden Ciphertexts Computer Viruses.
15. Filiol E. (2004) Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the BRADLEY virus, Proceedings of the 14th EICAR Conference, Malta.
16. Hruska J. (2002) Computer virus prevention: a primer, http://www.sophos.com
17. Leyden J. (2001) AV vendors split over FBI Trojan snoops, http://www.theregister.co.uk
18. Ludwig M. A. (1991) The Little Black Book of Computer Viruses, American Eagle Press.
19. Ludwig M. A. (1993) Computer Viruses, Artificial Life and Evolution, American Eagle Press.
20. Ludwig M. A. (2000) The Giant Black Book of Computer Viruses, second edition, American Eagle Press.
21. Pozzo M. and Gray T. (1987) An Approach to Containing Computer Viruses, IFIP-TC11 Computers and Security, vol. 6.
22. Serazzi G. and Zanero S. (2003) Computer Virus Propagation Models. In Performance Tools and Applications to Networked Systems, revised tutorial lectures MASCOTS 2003, Lecture Notes in Computer Science 2965, Springer 2004.
23. University to run virus writing course, May 2003, www.silicon.com
24. Smith G. C. The Virus Creation Labs, American Eagle Press.
25. Sophos antivirus, www.sophos.com
26. Spinellis D. (2003) Reliable Identification of Bounded-length Viruses is NP-complete, IEEE Transactions on Information Theory, Vol. 49, No. 1, January.
27. Sturgeon W. (2003) Security firms slam Uni decision to write viruses, May 2003, www.silicon.com
28. Zuo Z. and Zhou M. (2004) Some further theoretical results about computer viruses, The Computer Journal 46:6.
29. http://www.cknow.com/vtutor/NumberofViruses.html [Accessed: December 04, 2011]
30. http://csdl2.computer.org/comp/mags/it/2007/02/f2004.pdf [Accessed: December 04, 2011]
31. R. Srinivasan (2007) Protecting Anti-Virus Software Under Viral Attacks, Master of Science thesis, Arizona State University.
32. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian and J. Nazario (2007) "Automated classification and analysis of internet malware".
33. J. Aycock (2006) Computer Viruses and Malware, Springer.
34. E. Skoudis and L. Zeltser (2003) Malware: Fighting Malicious Code, Prentice Hall.
35. P. Szor (2005) The Art of Computer Virus Research and Defense, Addison Wesley.
36. E. Konstantinou (2008) "Metamorphic Virus: Analysis and Detection", Technical Report.
37. A. Walenstein, R. Mathur, R. Mohamed, R. Chouchane and A. Lakhotia (2007) "The design space of metamorphic malware". In Proceedings of the 2nd International Conference on Information Warfare.
http://www.softpanorama.org/Malware/index.shtml [Accessed: December 04, 2011]