Non-authoritative scan results of BitDefender, ClamAV and F-prot
Posted 07-01-2009 at 08:35 PM by unSpawn
Tags: antivirus
As before, here are some results of running BitDefender, ClamAV and F-prot on over 11K files containing rootkits, LKMs and other goodies. Because of what I do, most of the files are GNU/Linux related. (I run AV like a pentester would run metasploit against a networked entity.) I'm well aware of the AV-on-GNU/Linux-yes-or-no debate and this is not the place to go into that: search LQ or open up a thread if you need to discuss validity.
The commercial AV market is kind of an odd place (to put it politely), and products that don't (have the inclination, licensing or resources to) play along, well, show it. That doesn't mean I don't respect ClamAV developers for what they've brought us in terms of OSS. The only thing I hope these results emphasise is that you should make your own informed decision. This goes especially for those that choose to promote just one product without realising the effects of doing so.
Files scanned:
BDC: 65525
F-prot: 65253
ClamAV: 220
Infected found:
BDC: 1641 (0 suspects)
F-prot: 1158 (19 files with errors)
ClamAV: 19
Old rootkit material: sauber (T0rnkit), modhide.o (Knark), relink (Adore):
BDC: Y Y Y
F-prot: Y Y Y
ClamAV: N N N
2.6 LKMs: Override, Intoxonia-NG, EnyeLKM, Mood-NT:
BDC: N N N N
F-prot: N N N N
ClamAV: N N N N
Misc: boxer (obfuscated ELF), OSXrk (Mac), Fbrk (BSD), Vlogger (keylogger):
BDC: N Y Y Y
F-prot: N Y Y Y
ClamAV: N N N N
Malware: PHP mass mailer, r57shell, C99Shell, C99Shell other version, I-Frame Trojan:
BDC: Y Y Y Y Y Y
F-prot: Y Y Y Y Y Y
ClamAV: N N N N N Y
App/engine version info:
BDC: v7.90123 Linux-i586
F-prot: version 6.2.1.4252, engine version: 4.4.4.56
ClamAV: 0.95.2/9532
Commandline:
BDC: --action=ignore --recursive-level=100 --archive-level=100 --no-list
F-prot: --boot --follow --mount --maxdepth=60 --heurlevel=3 --archive=10 --adware --applications --verbose=2
ClamAV: --verbose --remove=no --tempdir=/dev/shm --detect-pua=yes --detect-structured=yes --scan-mail=yes --phishing-scan-urls=yes --heuristic-scan-precedence=yes --algorithmic-detection=yes --scan-pe=yes --scan-elf=yes --scan-ole2=yes --scan-pdf=yes --scan-html=yes --scan-archive=yes --detect-broken=yes --block-encrypted=no --mail-follow-urls=no
Scan time (MM:SS):
BDC: 05:56
F-prot: 01:52
ClamAV: 40.85
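To reproduce this kind of Y/N comparison over your own sample set, here is an added Python example (not part of the original post): it parses clamscan's "path: Signature FOUND" output lines and combines them with the other scanners' results, which are assumed here to be already reduced to sets of flagged paths; all paths, signature names and verdicts are constructed.

```python
# Constructed clamscan output (real clamscan line format: "<path>: <signature> FOUND" or
# "<path>: OK", followed by a summary block). Paths and signature names are made up.
CLAMSCAN_OUTPUT = """\
/samples/old/sauber: OK
/samples/old/modhide.o: OK
/samples/lkm/enyelkm.ko: OK
/samples/web/c99.php: PHP.Shell.C99-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
"""

SAMPLES = ["/samples/old/sauber", "/samples/old/modhide.o",
           "/samples/lkm/enyelkm.ko", "/samples/web/c99.php"]

def parse_clamscan(text):
    """Paths clamscan flagged: only lines ending in ' FOUND' count; OK lines and the summary are skipped."""
    hits = set()
    for line in text.splitlines():
        if line.endswith(" FOUND") and ": " in line:
            path, _signature = line.rsplit(": ", 1)
            hits.add(path)
    return hits

# BDC and F-prot report formats differ from clamscan's; here their results are assumed to be
# already reduced to sets of flagged paths (constructed values, not real scan output).
DETECTIONS = {
    "BDC": {"/samples/old/sauber", "/samples/old/modhide.o", "/samples/web/c99.php"},
    "F-prot": {"/samples/old/sauber", "/samples/old/modhide.o", "/samples/web/c99.php"},
    "ClamAV": parse_clamscan(CLAMSCAN_OUTPUT),
}

def detection_matrix(samples, detections):
    """Scanner -> list of 'Y'/'N' in sample order, the same layout as the tables in the post."""
    return {name: ["Y" if s in hits else "N" for s in samples]
            for name, hits in detections.items()}

def missed_by_all(samples, detections):
    """Samples no scanner flagged: the blind spots a single-product setup never reveals."""
    return [s for s in samples if not any(s in hits for hits in detections.values())]

def unique_to(name, detections):
    """Paths only this scanner flagged; a large set means the products disagree, not that one is right."""
    others = set().union(*(h for n, h in detections.items() if n != name))
    return detections[name] - others

if __name__ == "__main__":
    for scanner, row in detection_matrix(SAMPLES, DETECTIONS).items():
        print(f"{scanner:7}: {' '.join(row)}")
    print("missed by all:", missed_by_all(SAMPLES, DETECTIONS))
```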