Win32 Virus Removal

Following its August 2009 on-demand report, AV-Comparatives has released its October 2009 removal comparative. Sixteen products were tested between September 1, 2009 and September 15, 2009 on Windows XP Professional SP3 32bit. The latest updates installed on September 1, 2009. The tests in this latest study focus only on the malware removal/cleaning capabilities of the security products installed on an already infected/compromised system; detection rates and protection capabilities are ignored.

Therefore, all samples used were the ones that tested antivirus products and were able to detect (if an antivirus is not able to detect the malware, it won't be able to remove it). AV-comparatives randomly selected 50 malware samples that were seen on at least two PCs customers brought in for virus cleaning to the local Computernotdienst (a partner company) in the last 12 months. Out of those, 10 malware samples significantly unique from each other (part of a different family, had different payloads, and so on) were selected as the final candidates. Another requirement was that the malware was non-destructive (in other words, it should be possible for an antivirus product to clean the system without the need of replacing Windows system files).

The 10 samples were as follows: NetSky!30 (on the WildList / in-the-field), RJump!38 (on the WildList / very widespread), Syrutrk!42 (in-the-field), FakeAV!70 (in-the-field), Autorun!93 (in-the-field), Rontokbro!c5 (on the WildList / widespread), Vundo!ca (very widespread), Rustock!e0 (widespread), Agent!4d (widespread), and ZBot!3d (in-the-field). To avoid providing information to malware authors who could potentially use the information to improve their work, only the general names of the used malware and only general information about the leftovers was disclosed.

For every piece of malware, AV-Comparatives performed the following procedure with each product:

• Enable Administrator account and turn system restore off
• Infect native machine with one threat, reboot, and make sure that threat is fully running
• Boot Windows
• If not possible, use safe mode; if safe mode is not working, use the antivirus product BootCD if available
• Install and update the antivirus product
• Follow instructions of antivirus product to remove the malware
• Run thorough/full scan with highest settings
• Run antivirus again in safe mode if necessary
• Run antivirus again from BootCD if necessary
• Manually check the PC for malware and leftovers

Following all that work, AV-Comparatives looked at the results and rated each product based on how well it removed malware and leftovers. Here are the results.

AV-Comparatives underlined that for the 10 samples, none of the products was rated "very good" in either malware removal or removal of leftovers. Only three products did "good" in both categories: eScan, Symantec, and Microsoft Security Essentials (MSE). Using the above results, as well as a "convenience" factor for the removal process, AV-Comparatives rated the security companies from best to worst in four separate categories:

• Advanced+: eScan, Symantec, Microsoft, F-Secure, Kaspersky, Bitdefender
• Advanced: ESET, Sophos, AVG, McAfee, Avast, AVIRA, Trustport
• Standard: Norman, G DATA
• Tested: Kingsoft

It's worth noting that AV-Comparatives said Windows Live OneCare would have scored Advanced, even though Microsoft Security Essentials managed to grab the Advanced+ rating. OneCare went the way of the dodo in June 2009 and when it did, Redmond essentially left the market for paid consumer security solutions. MSE, the company's free real-time consumer antimalware solution, arrived in September 2009. Given that it was released at the end of the month, though, AV-Comparatives was using a beta version when it conducted these tests.

Following its August 2009 on-demand report, AV-Comparatives has released its October 2009 removal comparative. Sixteen products were tested between September 1, 2009 and September 15, 2009 on Windows XP Professional SP3 32bit. The latest updates installed on September 1, 2009. The tests in this latest study focus only on the malware removal/cleaning capabilities of the security products installed on an already infected/compromised system; detection rates and protection capabilities are ignored.

Therefore, all samples used were the ones that tested antivirus products and were able to detect (if an antivirus is not able to detect the malware, it won't be able to remove it). AV-comparatives randomly selected 50 malware samples that were seen on at least two PCs customers brought in for virus cleaning to the local Computernotdienst (a partner company) in the last 12 months. Out of those, 10 malware samples significantly unique from each other (part of a different family, had different payloads, and so on) were selected as the final candidates. Another requirement was that the malware was non-destructive (in other words, it should be possible for an antivirus product to clean the system without the need of replacing Windows system files).

The 10 samples were as follows: NetSky!30 (on the WildList / in-the-field), RJump!38 (on the WildList / very widespread), Syrutrk!42 (in-the-field), FakeAV!70 (in-the-field), Autorun!93 (in-the-field), Rontokbro!c5 (on the WildList / widespread), Vundo!ca (very widespread), Rustock!e0 (widespread), Agent!4d (widespread), and ZBot!3d (in-the-field). To avoid providing information to malware authors who could potentially use the information to improve their work, only the general names of the used malware and only general information about the leftovers was disclosed.

For every piece of malware, AV-Comparatives performed the following procedure with each product:

• Enable Administrator account and turn system restore off
• Infect native machine with one threat, reboot, and make sure that threat is fully running
• Boot Windows
• If not possible, use safe mode; if safe mode is not working, use the antivirus product BootCD if available
• Install and update the antivirus product
• Follow instructions of antivirus product to remove the malware
• Run thorough/full scan with highest settings
• Run antivirus again in safe mode if necessary
• Run antivirus again from BootCD if necessary
• Manually check the PC for malware and leftovers

Following all that work, AV-Comparatives looked at the results and rated each product based on how well it removed malware and leftovers. Here are the results.

AV-Comparatives underlined that for the 10 samples, none of the products was rated "very good" in either malware removal or removal of leftovers. Only three products did "good" in both categories: eScan, Symantec, and Microsoft Security Essentials (MSE). Using the above results, as well as a "convenience" factor for the removal process, AV-Comparatives rated the security companies from best to worst in four separate categories:

• Advanced+: eScan, Symantec, Microsoft, F-Secure, Kaspersky, Bitdefender
• Advanced: ESET, Sophos, AVG, McAfee, Avast, AVIRA, Trustport
• Standard: Norman, G DATA
• Tested: Kingsoft

It's worth noting that AV-Comparatives said Windows Live OneCare would have scored Advanced, even though Microsoft Security Essentials managed to grab the Advanced+ rating. OneCare went the way of the dodo in June 2009 and when it did, Redmond essentially left the market for paid consumer security solutions. MSE, the company's free real-time consumer antimalware solution, arrived in September 2009. Given that it was released at the end of the month, though, AV-Comparatives was using a beta version when it conducted these tests.