MRG Effitas In-the-wild Rootkit Remediation Comparative Analysis 2015 Q3

[frogboy]

Content source

https://www.mrg-effitas.com/mrg-effitas-in-the-wild-rootkit-remediation-comparative-analysis-2015-q3/

• In-the-wild rootkits (MBR, VBR, WMI, Powershell, Fileless, kernel mode and user mode)
• Five products tested
• Manual test and result analysis
• Sponsored by Zemana

Full article. https://www.mrg-effitas.com/mrg-eff...kit-remediation-comparative-analysis-2015-q3/

 

[Tony Cole]

How comes Emsisoft came last, that has shocked me!

 

[OneDay]

"Sponsored by Zemana", first place Zemana Antimalware...
Earlier this year: "Sponsored by Surfright", first place HitmanPro.Alert (testing antiexploit protection)...
What a surprise!!

 

[Enju]

"Sponsored by Zemana", first place Zemana Antimalware...
Earlier this year: "Sponsored by Surfright", first place HitmanPro.Alert (testing antiexploit protection)...
What a surprise!!

I always had high regard for MRG Effitas but a lot of their latest tests seem kinda fishy, not too sure what to think of it.

 

[frogboy]

I always had high regard for MRG Effitas but a lot of their latest tests seem kinda fishy, not too sure what to think of it.

Yes i did not spot the sponsored by Zemana bit first off. So not sure either now.

 

[Solarquest]

How comes Emsisoft came last, that has shocked me!

I agree, shocking results!
I hope Emsi s low score is caused by standard settings and malware scan instead of custom scan with direct disk access.
Anyway, since most users don't know the subtile but important difference I was expecting way better results from Emsi.
I hope Fabian/Emsi Team from Emsisoft can help us understand what happened.
I was also surprised by Tdsskiller score since this tool is used by many to find these rootkits.
Also for Tdsskiller I hope the results were influenced by the standard setting.....I hope with all scan options checked Tdsskiller would have detected more/all....

Frogboy, thank you for sharing these test results!!!

 

[Enju]

Also for Tdsskiller I hope the results were influenced by the standard setting.....I hope with all scan options checked Tdsskiller would have detected more/all....

Kaspersky TDSSKiller was specially made for the TDSS rootkit family, the detections for other rootkits were most likely heuristics. Instead of the TDSSKiller they should have tested the Kaspersky Virus Removal Tool since Zemana is a general removal tool too. This seems like they cherrypicked their competition to score higher than them...

 

[kmr1684]

hmm......still believing in these testing thingy people

 

[Solarquest]

Kaspersky TDSSKiller was specially made for the TDSS rootkit family, the detections for other rootkits were most likely heuristics. Instead of the TDSSKiller they should have tested the Kaspersky Virus Removal Tool since Zemana is a general removal tool too. This seems like they cherrypicked their competition to score higher than them...

If I remember right Tddskiller should also detect e g cidox, goodkit etc but apparently it doesn't. ..
just checked...according to Kaspersky Tddskiller should detect:
List of malicious programs: Rootkit.Win32.TDSS, Rootkit.Win32.Stoned.d, Rootkit.Boot.Cidox.a, Rootkit.Boot.SST.a, Rootkit.Boot.Pihar.a,b,c, Rootkit.Boot.CPD.a, Rootkit.Boot.Bootkor.a, Rootkit.Boot.MyBios.b, Rootkit.Win32.TDSS.mbr, Rootkit.Boot.Wistler.a, Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k, Rootkit.Boot.SST.b, Rootkit.Boot.Fisp.a, Rootkit.Boot.Nimnul.a, Rootkit.Boot.Batan.a, Rootkit.Boot.Lapka.a, Rootkit.Boot.Goodkit.a, Rootkit.Boot.Clones.a, Rootkit.Boot.Xpaj.a, Rootkit.Boot.Yurn.a, Rootkit.Boot.Prothean.a, Rootkit.Boot.Plite.a, Rootkit.Boot.Geth.a, Rootkit.Boot.CPD.b, Backdoor.Win32.Trup.a,b, Backdoor.Win32.Sinowal.knf,kmy, Backdoor.Win32.Phanta.a,b, Virus.Win32.TDSS.a,b,c,d,e, Virus.Win32.Rloader.a, Virus.Win32.Cmoser.a, Virus.Win32.Zhaba.a,b,c, Trojan-Clicker.Win32.Wistler.a,b,c, Trojan-Dropper.Boot.Niwa.a, Trojan-Ransom.Boot.Mbro.d, e, Trojan-Ransom.Boot.Siob.a, Trojan-Ransom.Boot.Mbro.f.
..so why did it miss them in this test? Standard Settings or..?

 

[Enju]

..so why did it miss them in this test? Standard Settings or..?

Thanks! Didn't know that they still updated it!
But still my point stands, why didn't they use the real Virus Removal Tool? They tested MBAM too and not just their antirootkit.
I also now took a closer look at the paper: All of the rootkits that Kaspersky missed are not in their TDSSKiller detections as far as I can see, maybe they use different detection names so please tell me if I missed something.
As I said, something very fishy is going on here...

 

[Solarquest]

I didn't check them all but Tddskiller should detect e. g. cidox, goodkit...and I expected it to detect the other too since it's specialsed in rootkits/rootkits
Emsi should also detect cidox....I ll check with them and will post here the answer...

 

[Solarquest]

2 Emsisoft employees wrote that without having the samples they cannot comment on the test or confirm the validity of the results of this commissioned test.
Elise then confirmed that probably standard settings were an issue since to deteckt some of the samples direckt disk access should have been selected ...
http://support.emsisoft.com/topic/14493-bootcidox-a-rootkit-detection-by-anti-malware-and-or-eek/

 

[Nightwalker]

There seems to be a bad blood between MRG Effitas and Emsisoft; until the end of 2014 they were partners (Emsisoft paid to be tested) and Emsisoft has never ever got a bad result, it was always at the top.

December 2014 Emsisoft decided to withdraw at MRG Effitas tests, it was a financial/marketing decision. After that Emsisoft results in MRG tests were very bad, almost bottom place.

The "Real World Exploit Prevention Test" methodology for example really hurted Emsisoft. MRG didnt considered the behavior blocker module, with this methodology Emsisoft shouldnt have being tested.

It could be just my impression, but it seems strange ...

 

[Solarquest]

Emsisoft could replicate the test with samples of the same family/variant and post their result at least for the peace of mind of their users and for their reputation that wasn't helped by the test results.
Does anyone have some samples of the malware used in the test ?
I ll ask them if they are interested in replicating the test.
I know that the samples tested might not be 100% exactly as the one tested since msybe they didn't specify the varisnt used but it will be as close to it as possible.
Not sure if they could get them from Effitas...

 

[kiric96]

If you ask me emsisoft is a great software however when it comes to EEK you may expect some limitations for cleaning and detection, as all of the engines implemented in EAM or EIS are not within EEK, remember that an active rootkit hides itself in order to dont be detected, so in first place that is why we have "direct access scan" also please notice that at emsisoft they prefer a manual clean up, to make sure that everything would run just fine at the end, so that is why we dont see some clean up options within their software instead they tell you go to to their forums.

Last but not least, for me when it comes to rootkit infection is much better formatting rather than cleaning.. as rootkit may leave one thing or two damaged beyond repair...

 

[Azure]

Emsisoft could replicate the test with samples of the same family/variant and post their result at least for the peace of mind of their users and for their reputation that wasn't helped by the test results.
Does anyone have some samples of the malware used in the test ?
I ll ask them if they are interested in replicating the test.
I know that the samples tested might not be 100% exactly as the one tested since msybe they didn't specify the varisnt used but it will be as close to it as possible.
Not sure if they could get them from Effitas...

Do you mean these samples that a Zemana employee gave Fabian?
http://www.wilderssecurity.com/threads/zemana-antimalware-2-beta.372569/page-37#post-2510288


Carberp.exe 11bba9b2333559b727caf22896092217
Gapz.exe 33d154d84e830aa18973b04e64879466
Phasebot.exe 12dccdec47928e5298055996415a94f2
Poweliks.exe cfa0c5abe024043c014d71eb0fcb5584
Rovnix.exe 56db6a59aebbb977b67c7470b493379c
TDL4.exe 4a052246c5551e83d2d55f80e72f03eb
Wmighost.exe 0df40b226a4913a57668b83b7c7b443c
ZeroAccess.exe 1010e9ee806c26f367ba5ce068214502

 

[Solarquest]

Elise said they are not ibterested since they are vety old samples...

Azure Phoenix,
Thank you for sharing the link!!!
I m happy to see that Fabian got interested in the samples.. I hope to see an answer from him now on why EEK didn't detect them.

Would be nice to hear from Kaspersky why Tddskiller missed some samples too...is any Kis user here that can pks ask them? Thank you

Gricardo21,
Rootkits are very bad malware, very difficult to detect and to delete, agreed on that.
EEK as far as I know had the same scan and detection capabilities as AM...it doesn't have the resident modules as the BB that could/should prevent an infection.

EEK is also a "second opinion scanner" ..in my opinion a second opinion scanner is used to detect malwares that a first scanner might have missed.
For this reason I expected EEK and Tdsskiller to be able at least to detect these samples, even more considering that some are apparently old!
Regarding direct disk access my guess was right, it might have helped to detect some samples but again, as a second opinion scanner, why isn't it selected by default, same for special settings in tdsskiller ?
Last, Emsisoft AM and IS are aimed to protect the system more than to clean it, as Fabian stated in another forum, since there is no way to protect an already infected system....but EEK is a scanner that I thought it would detect these samples. ..after detection I m more than fine and agree it s best to ask Emsi/Kevin for a help to clean the pc, if still possible.

In other words, why do we need a second opinion scanner if it doesn't detect these dangerous and hidden malwares?

 

[jamescv7]

Rootkits and other nasty threats should properly conduct by a bootable rescue CD/ special tools to detect hidden activity to ensure it doesn't cause any issues.

Rootkits can really prevented by an active running protection + whitelisting/blacklisting since majority does not have a digital signature due to hefty expense (it doesn't mean your safe cause few done already)

If there's a corrupted file which affected by rootkit then likely it needs a repair whereas tools for disinfection may fail and leave the option to delete whic is dangerous.

 

[Solarquest]

I found the test, even with all doubts and limitations, interesting ( I never saw a rootkit test before) and at the same time, kind of "scaring".
The message I personally got is that most AV have big big issues and problems with rootkits, even very old ones.
It s really best to prevent than to cure.