Antivirus Self-Protection Test

The rapid growth of online criminal activity has produced complex variants of viruses, worms, spyware and other malicious code. Their authors use increasingly sophisticated methods: rootkits that hide the presence of malware in the system, packing and encryption technologies, and techniques aimed at disabling the protection system itself.


Introduction

Using social engineering, it is easy to make a user download and run malicious code that is not yet known to the antivirus.

Once it is running, the infection will try to gain full control of the system by locating the files of the antivirus, firewall or other defense system and disrupting their operation.

Under these conditions, modern antivirus products must be able to protect themselves. Such self-defense lets them withstand the most complex attacks (in which malware tries in various ways to destroy the product's ability to function correctly) and, once the antivirus databases have been updated, remove the infected files without third-party utilities.

This test studied the ability of the antivirus products to withstand such attacks on Windows XP SP2 at the following levels:

  1. Change of access permissions to registry files and keys
  2. Modification and/or deletion of protection system modules
  3. Antivirus database deletion
  4. Modification and/or deletion of important registry keys
  5. Termination of system processes
  6. Modification of system files and/or processes
  7. Ability to roll back drivers


Results of the Antivirus Self-Protection test (17/09/2007)

Gold Self-Protection Award
  Kaspersky Internet Security 7.0 (97%)

Silver Self-Protection Award
  VBA32 Antivirus 3.11 (71%)
  Symantec Internet Security 2007 (71%)
  F-Secure Internet Security 2007 (61%)

Bronze Self-Protection Award
  ZoneAlarm Internet Security 7.0 (58%)
  Panda Internet Security 2007 (48%)
  McAfee Internet Security 2007 (47%)
  Eset Smart Security 3.0 Beta (44%)
  Trend Micro PC-Cillin 2007 (42%)

TEST FAILED
  Avast! Professional Edition 4.7 (33%)
  Avira Premium Security Suite 7.0 (33%)
  Sophos Anti-Virus 6.5 (33%)
  DrWeb 4.44 Beta (32%)
  Microsoft Windows Live OneCare 1.6 (32%)
  BitDefender Internet Security 10 (30%)

Antivirus Self-Protection Testing Methodology

The test was performed on a VMware GSX Server. A separate virtual machine with Microsoft Windows XP SP2 was cloned for each antivirus product under test. Before the test, we installed every patch available for each antivirus program at our disposal.

The following antivirus products were tested in this comparison:

  1. Avast! Professional Edition 4.7
  2. Avira Premium Security Suite 7.0
  3. BitDefender Internet Security 10
  4. DrWeb 4.44 Beta
  5. Eset Smart Security 3.0
  6. F-Secure Internet Security 2007
  7. Kaspersky Internet Security 7.0
  8. McAfee Internet Security 2007
  9. Microsoft Windows Live OneCare 1.6
  10. Panda Internet Security 2007
  11. Sophos Anti-Virus 6.5
  12. Symantec Internet Security 2007
  13. Trend Micro PC-Cillin 2007
  14. VBA32 Antivirus 3.11
  15. ZoneAlarm Internet Security 7.0


The self-defense abilities of the security packages were tested against the following parameters:

1. Self-defense at the system level (checking of hooks, changing of file permissions, changing of permissions on registry keys)

2. Protection of the antivirus program's files (modification/deletion of security modules, antivirus database deletion)

3. Protection of its own registry keys: modification/deletion of the program's registry keys, including manual intervention (startup keys, service keys, configuration keys)

4. Protection of its own processes:

   - Prevention of unauthorized process termination
     a) from Task Manager
     b) via user-level API (TerminateProcess, TerminateThread, EndTask, EndJob, DebugActiveProcess, EIP, WinStationTerminateProcess, "brute-force" message posting, deletion after reboot)
     c) with the help of messages (WM_CLOSE, WM_QUIT, WM_SYSCOMMAND/SC_CLOSE)
     d) via kernel-level API (ZwTerminateProcess, ZwTerminateThread)

   - Process/system code modification (code injection via CreateRemoteThread, DLL injection, changing memory-protection attributes via VirtualProtectEx, WriteProcessMemory)

   - Driver rollback

 


The attacks were simulated manually or with utilities created specifically for this purpose by anti-malware.ru experts. After each attack, the functionality and integrity of the corresponding antivirus package was verified (operability of its modules, active processes, services and drivers).

If one of the processes was "lost" during a process modification/termination attack, all the remaining processes were attacked again.
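As an added example (not part of the anti-malware.ru test or its utilities), the following PowerShell audit covers the file and registry layers of the methodology above (levels 1 to 4): it lists every ACE on a product's program directory, database directory and service/startup registry keys that grants write, delete or permission-change rights to a low-privilege identity, which is what lets an ordinary user-level infection attack those objects. All paths and the product name are placeholders that must be replaced with the product's real locations.

```powershell
# Added audit example (not anti-malware.ru code). Flags ACEs that let a
# low-privilege identity modify a security product's files or registry keys.
# All paths below are placeholders: replace them with the product's real locations.
$Targets = @(
    'C:\Program Files\ExampleAV'                                 # program modules (level 2)
    'C:\ProgramData\ExampleAV\Bases'                             # signature databases (level 3)
    'HKLM:\SYSTEM\CurrentControlSet\Services\ExampleAVService'   # service key (level 4)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'        # startup key (level 4)
)

# Identities that a malicious program running as an ordinary user would hold.
$LowPrivilege = @('Everyone', 'BUILTIN\Users',
                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow modification, deletion or ACL changes (levels 1 to 4 of the test).
$FileWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl'
$RegWrite  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, FullControl'
$GenericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, appear as raw bits in inherited ACEs

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivilege -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $raw = [int]$ace.FileSystemRights
            $hit = ($raw -band [int]$FileWrite) -bor ($raw -band $GenericWriteOrAll)
        } else {
            $hit = [int]$ace.RegistryRights -band [int]$RegWrite
        }
        if ($hit -ne 0) {
            # Emit one record per weak ACE; the raw mask shows which rights matched.
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = ('0x{0:X}' -f $hit); Inherited = $ace.IsInherited }
        }
    }
}

foreach ($target in $Targets) {
    if (-not (Test-Path -Path $target)) { Write-Warning "Not found: $target"; continue }
    $weak = @(Get-WeakAce -Path $target)
    if ($weak.Count -eq 0) { "OK    $target" } else { $weak | Format-Table -AutoSize }
}
```

A product whose self-protection driver blocks writes at runtime can still pass the article's file and registry tests with permissive ACLs, so an empty report here is a necessary but not sufficient indicator; a non-empty one points at objects that rely entirely on that driver.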
