A year of AV testing

A little under a year has passed since I took over the AV testing from AppleSerialNumberInfo.com. It has taken up a tremendous amount of time and took a while to evolve into what it is today, but by now I think I have the hang of it and have worked out a good way to test thoroughly, reliably and frequently. To get there I had to drop the individual AV product reviews that covered behavior, resource usage, interface and more, as they simply took up far too much time. By focusing purely on malware detection I can use my time much more efficiently and get far more testing done.

I appreciate all the feedback and help I have gotten from readers all over the world that continue to make this test better!

So, after a year, are there any trends? Have I collected enough data to state definitively that one product is the best or the worst? Actually, I haven’t. But I will share what I have observed so far, taken from the 22 tests done over the past year.

Posted in Security

Catastrophic bug in OpenSSL

A bug was discovered in OpenSSL, CVE-2014-0160, that has since been named “The Heartbleed Bug”. If you have not heard about it, have a look at this website, which explains the bug in far more detail than I can with my limited understanding of crypto. In short:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The bug is said to affect two out of three web servers on the internet, which is a staggering number. That can include the server hosting your website, your bank’s web server, your email server and so on. What’s worse is that the vulnerable code was committed at the end of 2011 and has shipped in every OpenSSL release since 1.0.1 in March 2012, and anyone who has been exploiting it has gone undetected: a malicious heartbeat leaves no trace in the affected server’s logs. OpenSSL is open source software used all over the world, including in OS X. However, from what I can tell, no version of OS X is affected by this bug.

The vulnerability was introduced in OpenSSL 1.0.1, released in March 2012, and was not fixed until April 7th of this year, when 1.0.1g was released. Luckily, Apple had already deprecated OpenSSL on its systems (starting with OS X 10.7 Lion) because the library offers no stable API or ABI from one version to the next. The last version of OpenSSL shipped by Apple is 0.9.8y, which is still what the current 10.9.2 Mavericks includes, and the 0.9.8 branch never contained the heartbeat code. OpenSSL has never been provided as part of iOS at all. This goes for both the Client and Server versions of OS X.

Even though Macs and iOS devices are safe from this particular bug, there are still many servers out there that do not run OS X, or whose owners have installed a newer OpenSSL on their OS X machines themselves (a Homebrew or MacPorts build of OpenSSL, for example, is separate from the copy Apple ships). Connecting to these vulnerable servers can still compromise data that is supposed to be encrypted. Now that the word is out, administrators all over the world are scrambling to update OpenSSL, but it is a race against the clock. As with all newly discovered vulnerabilities, there are many people eager to exploit them before they get fixed; exploits have already been demonstrated and discussed against Yahoo Mail, for example. To be precise about who is affected: OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 beta are vulnerable, while the 1.0.0 and 0.9.8 branches never had the heartbeat code. Any server still on 1.0.1 through 1.0.1f will remain vulnerable, and unfortunately many will take their time updating, if ever. If upgrading is not an option right away, recompiling the currently installed version with the -DOPENSSL_NO_HEARTBEATS flag removes the heartbeat extension entirely and is equally effective.
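To make the mechanics concrete, here is an added example (my own, not code from the original post and not OpenSSL’s source) that models in Python what OpenSSL’s tls1_process_heartbeat() did before and after the 1.0.1g fix: the peer sends a heartbeat request whose two-byte length field claims far more payload than the record actually carries, and the vulnerable code copies that many bytes into the reply, running past the end of the record into whatever sits next to it in memory. The function names, the ADJACENT_MEMORY buffer and the cookie line inside it are constructed for this illustration.

```python
"""Model of the TLS heartbeat handling behind CVE-2014-0160 (Heartbleed).

Added example; not OpenSSL's source and not from the original post. It mirrors
the structure of OpenSSL's tls1_process_heartbeat() in pure Python over an
in-memory buffer. All names here and the ADJACENT_MEMORY contents are
constructed for the illustration.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for whatever happens to sit in process memory just past
# the received record (in real incidents: session cookies, credentials, keys).
ADJACENT_MEMORY = b"Cookie: session=3f9a1c7e; Authorization: Basic dXNlcjpodW50ZXIy\r\n"


def build_heartbeat_record(payload: bytes, claimed_length: int) -> bytes:
    """HeartbeatMessage = type(1) | payload_length(2) | payload | padding(16).

    claimed_length is written into the length field independently of the real
    payload size, which is exactly the freedom an attacker has on the wire.
    """
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def process_heartbeat_vulnerable(record: bytes, memory_after: bytes) -> Optional[bytes]:
    """OpenSSL 1.0.1 .. 1.0.1f: trust the attacker-supplied length field.

    The C code did memcpy(bp, pl, payload) with `payload` taken from the message,
    so the reply copies payload_len bytes starting at the payload pointer, running
    past the end of the record into adjacent memory. `memory_after` stands in for
    that adjacent memory.
    """
    hbtype = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if hbtype != HEARTBEAT_REQUEST:
        return None
    heap_view = record[3:] + memory_after  # what lies beyond the payload pointer
    return heap_view[:payload_len]          # echoed back in the HeartbeatResponse


def process_heartbeat_fixed(record: bytes, memory_after: bytes) -> Optional[bytes]:
    """OpenSSL 1.0.1g: bound the claimed length by the record actually received.

    Mirrors the two checks added in the fix:
        if (1 + 2 + 16 > s->s3->rrec.length) return 0;
        if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;
    Messages that fail are silently discarded (RFC 6520 section 4).
    `memory_after` is accepted only so both functions share a signature; the
    fixed code never reads it.
    """
    if 1 + 2 + MIN_PADDING > len(record):
        return None
    hbtype = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    return record[3:3 + payload_len]


if __name__ == "__main__":
    evil = build_heartbeat_record(b"A", 0x4000)  # 1 real byte, claims 16 KiB
    print("vulnerable:", process_heartbeat_vulnerable(evil, ADJACENT_MEMORY))
    print("fixed:     ", process_heartbeat_fixed(evil, ADJACENT_MEMORY))
```

Run as a script, the vulnerable parser hands back the constructed cookie line along with the single legitimate payload byte, while the fixed parser discards the message because 1 + 2 + 16384 + 16 is larger than the 20-byte record it actually received. On a live server, `openssl s_client -connect host:443 -tlsextdebug` shows whether the heartbeat extension is offered at all; keep in mind that a patched 1.0.1g still advertises it, so that output tells you the extension is exposed, not whether the bug is present, which only the version (or a proper probe) tells you.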

It is recommended to check with the companies and services you use whether this bug was a concern for them and, if so, whether it has been patched. Only once it has been patched should you change your password; changing it before the fix is in place is useless, because the new password can be read out just as easily as the old one. Note also that the bug can leak the server’s private key, so a properly patched service will have reissued its certificate and revoked the old one as well. Luckily most responsible companies and services are doing everything they can to update their OpenSSL versions and proudly let their customers know that this process is underway or completed. For all others, follow up yourself.

For years we assumed this portion of the internet was safe, only to learn later that it was not. Now that there is a fix, can we all go back to believing it’s safe? Probably not. By now we all know that the feeling of safety is just that, a feeling; Ed Snowden has opened our eyes to that. More vulnerabilities will be discovered in systems we trust, not just OpenSSL. We are not psychics, so we won’t know what those vulnerabilities will be, which makes it hard to prepare, but there are some ways you can better protect yourself.

In this particular case, let’s say your mail server is running a vulnerable version of OpenSSL and someone has exploited it. That person now has your username and password. If you use the same password for other sites and services, that person can potentially access those as well, even though those other servers were never vulnerable to this bug. So always use a different password for each site and service; that way, if one is compromised, the others should be safe. I have covered passwords before here, here and here. Luckily the servers hosting this website, our email, my bank and the other services I use have all patched and/or updated.

Update: Something I had not even thought about was brought to my attention by this article: most modems, routers, firewalls and other network equipment use OpenSSL as well. Disabling remote management on a common home router should be enough to protect you from this particular bug, but that is not so easy on a modem, whose SSL-based management channel gives your Internet Service Provider remote access when you call tech support about a problem.

If readers have more information on this that may be relevant please do not hesitate to leave comments.

More info:
- Business Insider
- CNN

Posted in Security

Adobe updates Flash Player

Adobe released updates to its Flash Player for Mac, Windows and Linux today. Update as soon as possible via System Preferences > Flash Player > Advanced, or download a fresh copy from the Adobe website.

The full bulletin can be found here.

Update: Read the comments to this post to find out more about this particular update. Thanks Al for the heads up.

Posted in Security

New version of VirusBarrier included in test

Naturally, one day after I update the test, I find out Intego has released a new version of VirusBarrier, X8. Serves me right for not paying closer attention. Some of the new features listed are:

  • New:  Revised and polished User Interface to improve the customer experience
  • New:  Low priority scan setting to enhance system performance while scanning
  • New:  Audible alerts on scan completion
  • New:  Scan information available from Mac OS X Notification Center
  • New:  Easy-to-use Setup Assistant for first time users
  • New:  Improved scanning performance and malware detection

I immediately downloaded it, installed it into a virtual machine crawling with nasties and let it rip. Here are my findings:

I like the interface, it’s clean, simple and seems more responsive.
The X8 trial is crippled: it will find malware, but cleaning and quarantine are disabled, so when malware is found you are forced to “Trust” it, as that is the only action available. In my opinion a “Cancel” button alongside the other options would have been better.

After entering a license code and restarting the app the test was underway. Not surprisingly, the results are near identical to the previous 2013 (X7) version; however, I did experience a few more stability issues. If samples were encountered that could not be cleaned, the status window would just show a spinning gear that lasts forever. X8 then has to be force quit and restarted, but after a force quit the software becomes mostly useless, as it is suddenly unable to detect anything, so the whole Mac needs to be restarted. This happened a few times while working on the samples from 2007 and 2013.

When dropping multiple folders onto the X8 interface it gives a separate prompt for each folder scanned. Occasionally, after repairing a found infection, the sidebar keeps showing that folder as still scanning even though the scan has finished. This happens to the last folder scanned 9 times out of 10. Again, restarting the application clears it up, or scanning something else will snap X8 out of it.

X8 has issues cleaning .pkg and .app files, leaving over half again as many files for the user to clean up as the previous version did.

Overall this new release of VirusBarrier is a little rough around the edges but still has great detection results. Even with the few issues I found and the few samples that were missed, X8 is still 5% better (in this test) than the current runner-up, Avast.

Tests with and without the new “Scan with low priority” setting show no difference in CPU usage at all on the quad-core virtual machine. Perhaps older Core 2 Duo machines will see a benefit from this feature, but as far as I can tell any Mac with an i5 or newer processor has no need for it.

For current VirusBarrier 2013 and even VirusBarrier X6 users, I’d say hold off on upgrading for a little while until the bugs are ironed out. For those that do want to give it a try, you can find it here.

The detection results can be found in the PDF. Current X6 users can enjoy great protection as long as the virus definitions are kept up to date. The only reason these users would have to upgrade to a newer version is incompatibility with future versions of OS X, but I hear from X6 users that it runs just fine on 10.9 Mavericks. VirusBarrier X6 has proven itself by now, so I see no need for future testing of this discontinued product.

Posted in Security

Malware detection rates updated

Sorry for the wait, folks, I’ve been quite busy lately. I finally got around to updating the antivirus test; the results can be found here.

The virtual machines were updated with the latest available software (still OS X 10.8.5 though), plugins and some new malware.
New software since last test:
- iTunes 11.1.5
- Security Update 2014-001
- Mac App Store Update 1.0
- Latest Browsers
• Firefox 28, automatically disabled the Codec-M add-on.
• Chrome 33.0.1750.152
• Opera 20.0.1387.82
New plugins since last test:
- Flash Player 12.0.0.77
- Java Version 7 Update 51 (re-installed)
New malware since last test:
- Tored (2009)
- DevilRobber / Miner (2011)
- Musminim / BlackHole (2011)
- Tsunami / Kaiten (2011)
- Dockster / Maljava (2012)
- GetShell (2012)
- SMSSend (2012)
- LaoShu.A (2014)
- Careto / Mask (2014)
- CoinThief (2014)
- NetWeird / WireNet (2014)
- VSearch (2014)
Total samples are now 420

I also introduced some false positives: files that are very close to infected samples but are actually harmless. An antivirus application should not detect any of them. This list will grow in future tests. MD5 hashes were added to the trace files where available; they can be found on the far right side of the PDF.

NetWeird, even though most samples are now blocked by XProtect, was still able to install itself on the system: the invisible folder ‘.Install’, with the Host file in it, was found in my home directory.

A new AV was added called Max Secure Antivirus.

In January ClamXav asked to be re-tested, as they had made some significant changes to their product. I tested ClamXav again and they have indeed noticeably improved their detection rates. With the updates and improvements the ClamXav team have made, their AV now ranks among the top.

There’s more work to be done, but this update at least brings the AVs with 80% or more up to date. The rest will be done soon.

Posted in Security

Safari Updates

Apple released updates for Safari 6 and 7; once installed, the versions are 6.1.3 and 7.0.3. Apart from a few enhancements there are also some security fixes. The full list of enhancements can be found in the update description in the App Store, and the security content can be found here.

Posted in Security

Could it be? USB Syncing of Contacts and Calendars returns in Mavericks?

An article on MacRumors today tells us that Apple has re-enabled syncing of Contacts and Calendars over USB in a beta version of iTunes 11.1.6. Whether this feature is back because of the iTunes beta or because of the latest developer seed of Mavericks 10.9.3 is unknown, but it has a lot of people very excited, including myself.

Since USB sync of Contacts and Calendars was lost when Mavericks was installed, I decided to set up my own server instead. This has been a great learning experience, but given the choice I would prefer to sync over a USB cable, and it looks like that will soon be possible again. A short while ago I found an application currently in beta called SyncMate 5 and shared it with others who did not like the idea of being forced to use iCloud as the alternative. Overall the response was good and quite a few were happy with it, including myself. However, nothing beats the built-in functionality to sync over USB, so if Apple is really giving us local sync back, applications like SyncMate and server solutions will probably be dropped by those that only adopted them as a replacement for local sync.

I will keep running my server to test/experiment and maybe even replace USB sync at some point but it will be whenever I am ready, not when Apple decides I am ready :)

Posted in Just an update

Firefox updated. New features and Security fixes.

Today Mozilla released Firefox 28 for Mac, Linux, Windows and Android. Mac users can now enjoy Notification Center support, among other additions. This release also contains several security fixes: 5 critical, 3 high, 7 moderate and 3 low. To update Firefox, go to the Firefox menu and select “About Firefox”; the About window shows the current version and whether it needs updating. You can also get the latest version directly from the Mozilla website.

The full changelog can be found here. If you are only interested in the security fixes you can find those here.

Posted in Security

Updates for Adobe Flash Player

Adobe today released a small update to its Flash Player for Windows, Mac and Linux. The vulnerabilities that were patched are rated “Important” and it is recommended to install the patch sooner rather than later. As always, Mac users can go to System Preferences > Flash Player > Advanced > Updates to check for the latest version. The update can also be downloaded directly from the Adobe website here. The latest version is 12.0.0.77.

Posted in Security

iOS 7.1 released, fixes a lot of security issues

Today Apple pushed out iOS 7.1, which comes with some new features and enhancements but also quite a few security patches. These fixes make the update an important one that should be installed on any device currently running iOS 7. Owners of the iPhone 4 and 4S can look forward to a more responsive overall experience, and with more control over contrast, brightness and white balance some improved battery life can be expected as well. I find it runs noticeably smoother on my iPhone 5 too.

The security issues addressed are described in this document but here are a few highlights showing the part of the OS that was impacted and a description of how the vulnerability could be exploited:
Backup
Impact:  A maliciously crafted backup can alter the filesystem
Description:  A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem.

FaceTime
Impact:  A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description:  FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen.

ImageIO
Impact:  Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description:  An uninitialized memory access issue existed in
libjpeg’s handling of JPEG markers, resulting in the disclosure of
memory contents.

IOKit HID Event
Impact:  A malicious application may monitor on user actions in other apps
Description:  An interface in IOKit framework allowed malicious apps
to monitor on user actions in other apps.

Profiles
Impact:  A configuration profile may be hidden from the user
Description:  A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI.

Safari
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame.

You can read all of the patches in the document I linked to earlier. I don’t have to tell you that having the contents of your iDevice’s memory leaked, Safari handing out your saved names and passwords, and apps being able to monitor your actions in other apps (think banking app, PayPal etc.) is a bad thing. A configuration profile can be used to control almost every aspect of your phone, so having one installed that you don’t know about can also be a disaster. To me these are major issues, but you won’t see them mentioned in the mainstream news like you probably did with the “goto fail” issue not too long ago. Good for Apple, but bad for iOS users who don’t know these security issues exist. So if you read this, be a pal and let your friends and family know they should update their iDevices :)

It’s only been a couple of hours, but I like the changes and improvements the 7.1 update brought. I’ve heard from a few iPhone 4 and 4S owners that they see a difference in responsiveness as well. This is worth mentioning, as most (if not all) 4 and 4S owners regretted ever installing iOS 7 because it turned their once fast phone into a sluggish one. This is a good time to get some performance back, especially on those older models, and fix big security flaws in the process.
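The Backup entry above describes a bug class that is worth seeing in code: an archive plants a symbolic link, and a later entry in the same archive is written through that link to a location outside the restore root. What follows is an added example in Python (my own; Apple’s restore code is not public, and this is not from the original post): a constructed two-entry backup manifest, a naive restore that reproduces the escape, and a hardened restore that refuses link targets and write paths resolving outside the root and creates files with O_NOFOLLOW. The names restore_naive, restore_hardened, BACKUP and demo are assumptions for this illustration; everything runs inside a temporary directory, so no real files are touched.

```python
"""Symlink-in-backup escape, modelled after the iOS 7.1 'Backup' advisory entry.

Added example; not Apple's code and not from the original post. Runs entirely
inside a temporary directory. Names and the BACKUP manifest are constructed.
"""
import os
import tempfile

# Constructed backup manifest: (relative path, kind, file data or link target).
# Entry 1 plants a symlink whose target lies above the restore root; entry 2
# then writes a file "inside" that directory, i.e. through the link.
BACKUP = [
    ("Library/Preferences", "symlink", "../../outside"),
    ("Library/Preferences/hosts", "file", b"127.0.0.1 evil.example\n"),
]


def _inside(root: str, path: str) -> bool:
    """True if `path`, after resolving every symlink, is root or below it."""
    real_root = os.path.realpath(root)
    real = os.path.realpath(path)
    return real == real_root or real.startswith(real_root + os.sep)


def restore_naive(root: str, entries) -> list:
    """Vulnerable restore: recreate links as found, write files by joined path."""
    written = []
    for rel, kind, payload in entries:
        dest = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if kind == "symlink":
            os.symlink(payload, dest)
        else:
            with open(dest, "wb") as f:  # follows the planted link
                f.write(payload)
            written.append(os.path.realpath(dest))
    return written


def restore_hardened(root: str, entries) -> list:
    """Hardened restore: every link target and every write must resolve inside
    root, and regular files are created with O_NOFOLLOW so a link in the final
    path component cannot redirect the write."""
    written = []
    for rel, kind, payload in entries:
        dest = os.path.join(root, rel)
        parent = os.path.dirname(dest)
        os.makedirs(parent, exist_ok=True)
        if not _inside(root, parent):
            raise ValueError(f"{rel}: parent directory escapes the restore root")
        if kind == "symlink":
            if not _inside(root, os.path.join(parent, payload)):
                raise ValueError(f"{rel}: link target {payload!r} escapes the restore root")
            os.symlink(payload, dest)
        else:
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
            with os.fdopen(os.open(dest, flags, 0o600), "wb") as f:
                f.write(payload)
            written.append(os.path.realpath(dest))
    return written


def demo() -> dict:
    """Run both restores in fresh temp dirs. For each, report either
    ("wrote", [file landed inside root?, ...]) or ("rejected", reason)."""
    results = {}
    for name, restore in (("naive", restore_naive), ("hardened", restore_hardened)):
        with tempfile.TemporaryDirectory() as device:
            root = os.path.join(device, "root")
            os.makedirs(root)
            os.makedirs(os.path.join(device, "outside"))  # the escape destination
            try:
                paths = restore(root, BACKUP)
                results[name] = ("wrote", [_inside(root, p) for p in paths])
            except ValueError as exc:
                results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

The naive restore ends up writing hosts into the sibling directory outside the restore root, which is the advisory’s “subsequent operations during the restore write to the rest of the filesystem”; the hardened restore stops at the first entry because the link target resolves above the root. Checking the resolved path of the parent directory before every write matters as much as vetting the links themselves, since a link could also have been planted by an earlier, unrelated step.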

Posted in Security

Malware Detection Rate Results

Last updated:
Friday April 5th, 2:54PM EST
420 Samples, 43 Applications
#1 Intego
#2 Avast
#3 Dr.Web
Get it here.
