The aim here is to get a measure of how thoroughly the vendors of anti-trojan programs update their signature files. This is of critical importance; the effectiveness of any anti-trojan product is, to a considerable degree, only as good as the quality of its database.

Detection Tests for New Trojans

All programs were tested against a test set of newly released trojans downloaded from hacker sites. The trojans were selected on the basis of download popularity. The list included the latest versions of some of the most potent trojans, including Subseven, Bionet and Optix. The test set also included some trojan components rather than complete products. For example, AVKillar is a component designed to pull down anti-virus, anti-trojan and firewall defenses prior to the execution of the trojan server itself.

All the anti-trojan products were tested twice. The first test was conducted approximately one month after the trojan test set was collected. The second test was conducted approximately three months after collection. All products were tested on the same day, and the signature files used were the latest available at that time.

The procedure used for both the 2002 and 2003 series was essentially the same, though in the 2003 series we carried out scanner tests alone rather than scanner and monitor tests. This change reflects the fact that modern trojans now routinely pull down monitor defenses, so scanning has taken on an increased importance.

On each occasion the test set and test conditions were the same, apart from the signature file. The test set was left uncompressed and as distributed. In our 2003 series, we refined the method by manually building custom servers for each of the trojans using the tools supplied in the distributed product. For each anti-trojan program, the test set was scanned using the most comprehensive scanning options available for that product.

BoClean has no scanner component, so all results were obtained by actually executing the trojan servers or, in the case of AVKillar, the program itself. The 2003 tests involved scanning only, and the results shown for BoClean are based on whether the exact version of each trojan was listed in the BoClean database.

After each anti-trojan program was tested, the hard disk was restored from a mirrored copy. This ensured that all programs were evaluated in identical conditions.

Detection Test for New Trojans - Results 2002
Detection Test for New Trojans - Results 2003