This article has been accepted for publication in Computer but has not yet been fully edited

. Some content may change prior to final publication.

An Empirical Study of Commercial Antivirus Software Effectiveness
Orathai Sukwong Hyong S. Kim
Electrical and Computer Engineering Carnegie Mellon University, Pittsburgh, PA {osukwong,kim,jhoe}

James C. Hoe

Despite the widespread use of antivirus software (AV) malware is pervasive in today’s computing environment. This paper presents an empirical study on the effectiveness of six commercial AVs against Windows malware collected from April to July 2009. A subset of the studied AVs performs new-to-the-market behavior-based detection in addition to traditional signature-based detection. The study shows that the AVs can identify at most 62.15% of the malware on the first day of collection. 8.61% of the malware are not detected by any of the studied AVs for more than a month after being collected. During the malware’s execution, the AVs with behavior-based detection provide protection against modifications to certain system and network registry keys, but leave some keys (e.g. a Microsoft-Word key controlling macro execution) unprotected, leading to security breaches. Behaviorbased detection also prevents code injection and malicious behaviors (e.g. download non-executable files with executable content), but not all of them. Keywords: Operating systems. Security and privacy protection. Invasive software.

1 Current State of Antivirus Software
This paper reports the effectiveness of the protection offered by current AVs against contemporary malware currently in circulation. The study quantifies the fraction of malware detected successfully by the AVs during the study period and the time required for detection after the malware’s initial appearance. The study also records the AVs’ responses to malware’s execution.

1.1 Antivirus Detection Mechanism
Users rely on antivirus software (AV) to keep their computers free of malware. We refer malware to any malicious software which is detected by one or more AVs. AV products employ two common detection mechanisms: signature-based detection and behavior-based detection.

1.1.1 Signature-based Detection
Signature-based detection is a static method most commonly used by AVs. As illustrated in Figure 1, when a computer receives a new file, the signature-based detector scans the file. If the file contains a byte sequence that matches one of the known threats' byte-based identifications, the file is considered a risk and is quarantined. These byte-based identifications are commonly known as signatures. Traditional signatures are typically derived by analyzing the contents of files that have been confirmed to be malicious. This file analysis takes time. Traditional signatures rarely cause false-positive detections (i.e. identifying benign software as malware), but cannot detect new, not-previously-identified malware for which no signature is available. Besides traditional signatures, some AVs also statically look for program-logic signatures that identify specific behaviors in an executable file. For example (from Symantec White Paper Series Volume XXXIV), if a program

Digital Object Indentifier 10.1109/MC.2010.187

0018-9162/$26.00 ) 2010 IEEE

2 Behavior-based Detection Behavior-based detection dynamically examines the program’s execution behavior and then classifies the program as malicious or benign based upon its behavior. These packer identifiers are derived from packers that are currently found in malware that packs only malicious files. It can also provide swift protection against dangerous executions by preventing actions that violate pre-defined execution restrictions. However. Beginning with Forrest et al [2]. configuration changes. network communications. the approach proposed by [8] doubles scanning speed and reduces memory consumption.1109/MC. it can cause unacceptable false positive rates because benign programs can behave similarly to malicious programs. anomaly detection does not work well with the rapid changes in software development. By definition. it means the program opens a file. researchers have been focusing on improving signature accuracy as well as developing an automated process for signature generation to combat with fast automatic attacks (e. into normal behavior models. Symantec employs a CPU emulator to allow the virus to decrypt and reveal its malicious code without harming the system (from Symantec’s paper on Understanding and Managing Polymorphic Viruses). However. the AVs can proceed with a signature scan on the malicious code and mutation engine. shown in Figure 1 as the preexecution stage. To detect this virus. The AVs have a very limited amount of time from the moment a user clicks on a file to the time the file is uploaded to emulate an unknown program. Code obfuscation techniques change the byte-level representation of the malware so that their byte sequences do not match the signatures in an AV’s signature collection. Then. A polymorphic virus is an example of an obfuscated threat. For example. but can also lead to false positive identification because benign programs could also match a flagged heuristic signature.187 0018-9162/$26. AVs create packer identifiers and use them to heuristically classify whether a file is malicious. although their functions are the same. such as variable renaming and garbage insertion [1].g. CPU emulation is a relatively slow process.1. this new polymorphic virus (infected file) has little or no resemblance to its parent. Some content may change prior to final publication.This article has been accepted for publication in Computer but has not yet been fully edited. When it infects other programs. Additionally. Heuristic signatures can potentially identify not-previously-identified malware. It consists of three main components: decryption routine. and user interaction (see Figure 1). In signature-based detection. It encrypts the mutation engine and its copy. These program-logic signatures are commonly referred to as heuristic signatures. One area that researchers have been investigating is how to accurately identify malicious behaviors with minimal false positives. The AVs thus have to heuristically rely on other characteristics to classify the file. The speed of signature scanning is also important due to a continuous growth of data. 9] enhanced detection accuracy by incorporating additional information. polymorphic worm [10]). Heuristic signatures can also exploit a unique feature of malware. 7. Hence.00 ) 2010 IEEE . The amount of time and computing resources required for scanning increases as the number of signatures increases. malware may also use uncommon or obfuscated implementations of flagged behaviors to evade detection using specific heuristic signatures. matches the signature "B8 02 3 BA ?? ?? CD 21". such as data flow and control flow. Later works [6. mutation engine and virus body. Behavior-based detection has been researched in academia for more than a decade and integrated into commercial AV products in recent years.g. Behavior-based detection has the potential to detect new malware by monitoring system activities. 1. This approach is called anomaly detection. Traditional and heuristic signatures are not resilient to code obfuscation. This encrypted code and the new decryption routine are then inserted into other programs. they used deviations from a program’s expected normal behaviors in terms of their sequences of system call as maliciousness indicators. infect only at midnight).2010. it creates a copy of itself and uses the mutation engine to create a new randomized decryption routine in memory. virus may intentionally delay the decryption process or contain a logic trick (e. new Digital Object Indentifier 10. which remains unchanged even after the code obfuscation. A packer itself is neither malicious nor benign but it can be used to pack malicious or benign files. For example. In addition.

AV-Test. another well-known AV testing organization. 1. Unlike AV-Comparatives.00 ) 2010 IEEE .2010. we test every malware file every day using the daily-updated AVs from the moment we download the malware until it is quarantined.2 Commercial Antivirus Evaluations AV-Comparatives. especially in term of false positives. Antivirus Operation. they release their first dynamic test assessment which was performed manually by four people.187 0018-9162/$ is a well-known AV testing organization.115 distinct malware samples. Some content may change prior to final publication. is an open More recently researchers have shown promising experimental results in terms of detection accuracy and run-time performance. 11] adopted misuse detection. How these solutions will perform in uncontrolled and untested environments. In December which conducts testing every three months on data sets that are frozen before and Virusbtn.This article has been accepted for publication in Computer but has not yet been fully edited. they merely rank detection on a five-point scale from very good to very poor. which instead classifies a program based on behaviors deemed also include evaluations of the AVs’ false-positive rate against legitimate programs. Digital Object Indentifier 10. The testings by AV-Comparatives. our study does not evaluate the AV’s false-positive rate. therefore. have no expected normal behavior. programs are unknown and. 11] and unacceptable false positive rates [3]. our study covers a five-month period and automatically examines 1. Our testing captures an AV protection capability at the moment the new malware is present. Figure 1.1109/MC. Many researchers [4. provides comparative detection results for proactive detection including behavior-based detection and response times to outbreaks. 5. Unlike their testing which lasted only ten days and used 100 test cases. Early behavior-based detection suffers from expensive overhead [4. These results do not provide the details of which threats AVs missed or detected.

Norton. we subject it to an assay of six well-known commercial AV scans: Avast! 4. In the over four months (April – July. In the last few years. 2 Methodology and Setup 2. Additionally. which is typically released in batches.15 (McAfee) Norton Internet Security 2009 version 16. McAfee. For each malware and for each AV. To gather malware for the study. web-based attacks were the most preferred means of malware infection. This feature is available in Kaspersky. virus. Norton and Trend Micro also offer similar services.g.This article has been accepted for publication in Computer but has not yet been fully edited. The files also include various types of malware (e. We select approximately 2.8 Professional version 4. 2. SYS and DLL suffixes. McAfee. A fresh. Kaspersky. We also include some document files (DOC. rootkit.115 unique malicious files.7. we enable an optional feature that anonymously and automatically submits securityrelated information to the AVs’ servers. which allows clients to access their latest file analysis database in the AV’s servers.1250 (Trend Micro) We install the AVs with their default options.5. communicate with a remote server and download other malware).135 (Norton) Symantec AntiVirus version 10.g.1 Malware Collection According to Symantec Threat Report (Volume XV). we proceed to execute the malware file for 3~5 minutes to observe the AV’s response by behavior-based detection. Norton.300 suspicious web pages identified by stopbadware.3 Execution Environment The experiments in the study are conducted using virtual machine (VM) environments in order to isolate and contain the damage caused by malware’s execution.1335 (Avast) Kaspersky Internet Security 2009 (Kaspersky) McAfee Total Protection with Security Center version 9. If a chosen file is later found to be benign. During a daily scan. we remove that file from the data set. 2. This service helps reduce the delay in the virussignature-update distribution. This feature may help reduce the AV’s detection time of unknown malware. worm.1. Certain malware requires Internet access to exhibit their malicious behaviors (e. we repeat the scans every day using up-to-date signatures to determine how many days it takes the AV to successfully detect the file after being collected.7000 (Symantec) Trend Micro Internet Security Pro version 17. and Trend Micro. we perform the update on a daily basis.8. We focus on Windows-compatible malware files with EXE. Trojan. By default. and Trend Micro update several times a day. Files with these suffixes are likely to be malicious because they indicate file types not normally found in web pages. etc).100 unique suspicious files from about 230. In order to control the granularity of the virus-signature update. we download 18. spyware. several vendors have brought in other technology to enhance their AV.1. McAfee.2 AVs For each new malware we collected. 2009). Kaspersky. has a cloud-based service called Artemis. Internet access also allows the AVs to reach their best detection capability. Norton and Trend Micro claim to have behavior-based detection. XLS and PDF).000 files downloaded.0. Kaspersky.1109/MC.187 0018-9162/$26. We are ultimately left with 1. except for the automatic update feature. if a malware file passes an AV’s signature scan. uncorrupted VM with up-to-date signatures is used to Digital Object Indentifier 10. Some content may change prior to final publication.00 ) 2010 IEEE . while Avast. Symantec updates daily. we provide unrestricted Internet access.2010. but the majority of them (75%) are Trojans. About 80% of the malware has an EXE suffix and 10% has a PDF suffix. Among the six commercial AVs studied. McAfee Corp.

3.88% of the malware are not detected by the 30 day. The second stage. carry out the scan in each malware/AV combination each day to prevent other malware interference.187 0018-9162/$26. According to the to monitor network traffic.52%-21. Figure 2 groups the malware sample population by the numbers of days from the first day we download malware to the day the AVs can detect it. 4. 100 90 80 % of Malware 70 60 50 40 30 20 10 0 3-4 Days 2 Days 1 Day Zero Day > 30 days 17-30 Days 9-16 Days 5-8 Days Figure 2.21%-16. occurs when the AVs do not detect malware by signature-based scan and let it proceed to execute. the AVs immediately detect up to 62. VManager [12]. we quantify the effectiveness of the AVs in preventing malware execution. 3 Study Results In this section. Microsoft Office 2003.1109/MC.This article has been accepted for publication in Computer but has not yet been fully edited. as shown in Figure 1. The first stage (quarantine file) begins when the malware enters the system and ends before its execution. we use a VM management program. We thus ensure every VM to be intact and initially uncontaminated. we record the AVs’ responses and any consequences to the malware’s execution based on the log reported by the AVs.2010. Percentage of the malware detected by the AVs at different number of days from zero days.15% of the malware and require days or even weeks to detect the rest. called block program behavior. In this stage. to assist in creating VMs on demand.1. As shown in Figure 2.50% of the malware are detected between 8 and 30 days. 2009) separately in two stages of AV detection illustrated in Figure 1. Since we have to repeat the experiments daily until a malware file is classified as a risk. In this stage. the greater the chance for it to cause damage.00 ) 2010 IEEE . and th 8. are installed in the VMs. Each VM runs Window XP SP2 with Wireshark (wireshark. The longer it takes for the AVs to identify a malware program. we present the results of the five-month study (April-August. VManager creates a new VM with a copy-on-write disk image of the requested base image for every file inspection. Other applications.1 The First Stage: Quarantine File For each AV. We supply a base image for each selected AV (six VMs base images total) to VManager. This experiment assumes that there is no difference in malware execution between systems with and without AV installed. such as Adobe Acrobat and Reader 9. Some content may change prior to final publication. Digital Object Indentifier 10.

From this collection.Win32. To understand how long malware can escape detection. Symantec could detect this malware as well if we change its default heuristic detection setting to be the same as Norton’s. 98. We also observe that having behavior-based detection does not seem to improve the AVs’ ability to quarantine malicious programs before they are executed.Win32. Some content may change prior to final publication.92%. By default.00 ) 2010 IEEE . and 91. each row contains the unique malware variants from the same families in the malware collection. Symantec and Trend Micro detect 96. 95.92%. Trojan-PSW.LdPinch. In Figure 2.Pidief Exploit.Win32.Win32. The AV can take days or months to correctly identify unknown variants.Win32.JS. Avast (no behavior-based detection) eliminates roughly the same number of known malware as Kaspersky. 95.Qhost Trojan.2010.Win32.Virut.CF ten days before Symantec does because a heuristic signature that indicates a morphing or encrypting routine (Suspicious.A) is triggered in Norton. we also scan 260 unique malware files collected from November 11-17. As shown in Figure 3. while Digital Object Indentifier 10. despite all the malware being in circulation for more than 8 months.LdPinch.OnLineGames Trojan-Downloader.LdPinch Trojan-GameThief.Injecter TrojanDownloader. 81. 2009. it cannot immediately detect all new variants in the same family. 2008 using the AVs with the signature update of August 29. As shown in Figure 2. Norton detects ~6% more known malware than Symantec.MH690. Trojan-PSW.Win32.Pdfka Backdoor. Timeline of the unique malware variants in the malware collection in different families from the day they were downloaded until they were detected by Kaspersky.Wuca Backdoor. Avast.smt is downloaded on June 29.WOW TrojanGameThief.Buzus Net-Worm. Norton. In Figure 3.77%.Win32. This discrepancy comes from the difference in default heuristic detection level.Win32. We also compare Norton and Symantec (with and without behavior-based detection) which have the same heuristic detection technology and presumably comparable signature-based detection because they are from the same vendor. Kaspersky. McAfee.gxh Trojan-PSW.1109/MC.This article has been accepted for publication in Computer but has not yet been fully edited.46%.Win32.smt Trojan-PSW.Win32.187 0018-9162/$26.Win32.77%.LdPinch.HareBot Figure 3. the AVs do not detect all of the malware. Even then.Koobface Exploit. A significant shortcoming in signature-based detection is its resilience against malware variants. Norton sets a higher heuristic detection level than Symantec – meaning that heuristic detection in Norton is more sensitive than in Symantec.54% of Malware2008 respectively. although the AV initially detects some variants in the family.Win32. For example. 2009 and is detected immediately. Norton detects the malware W32. For example. McAfee and Norton (with behavior-based detection).Win32.FraudLoad Trojan. Each line represents the timeline for each variant from the date they are downloaded until the date they are detected by Kaspersky.

such as infecting other programs and stealing credentials.Win32. memory and network. 3.52%. such threat may pose medium or high damages. McAfee and Trend Micro.87% of the malware that Kaspersky takes more than 30 days to detect are rated as low. The statistics reported here are the average values of all six AVs. From the experiment. Our results suggest that after executing undetected malware. Some of these malware samples use encrypting or injecting-code techniques which require complex analysis to understand. As seen in Figure 4. System and library files are an attractive target because they are frequently loaded and necessary for other programs to run properly. Several malicious files that are detected after 30 days have medium and high damages. how many of them have malicious child files quarantined by the AVs. For example. However. McAfee blocks 11 malicious programs from automatically starting at system boot-time by adding themselves to the startup folder. All malware in the data set are rated as low risk. Trojan-PSW.1.00 ) 2010 IEEE .g.gxh is downloaded on July 15. it is likely that the system will have additional malware. However.83% produces one or more malicious child files.187 0018-9162/$26. Out of these undetected malware files. or inserted into other benign programs (file infection). They can also be downloaded from remote hosts. AV. install.exe. the AVs with behavior-based detection impose restrictions on certain systemwide changes (e.36% of the undetected malware with malicious child files has malicious child files that are not detected by the AVs. and 0.2. we use risk-level and damage-level information from the malware descriptions provided by Symantec. 12. Note that we consider child files with EXE. 16.2 The Second Stage: Block Program Behavior Malware undetected by signature scan is executed to observe the AV’s responses and the effects on the system due to the execution. We refer to these malware files as undetected malware with malicious child files. 2009. modifying system or library (DLL) files). These copies are sometimes written to files with apparently benign names (e. malware can increase its probability of execution in the system by attaching itself to a wide range of files.14% of the undetected malware files with malicious child files have one or more child files that are detected more than zero days by the AVs.This article has been accepted for publication in Computer but has not yet been fully edited. The result also shows that many malicious samples pose challenges to more than one AV. 53.1 File System We study how the AVs react when the malware attempts to create and modify the file system.83% of the malware is undetected on the first day we collect it. To mitigate file-system intrusions. etc).49% of the undetected malware files with malicious child files have one or more child files that are detected within zero days by the AVs.g.exe.1 Files Malware often leaves one or more persistent copies of its malicious code in the system so that it remains after the system reboots. including user files.2. system files and Windows registry. 2009 but not detected until August 2. Some content may change prior to final publication. We find that AVs typically allow malware to stay in temporary and program folders (with benign or system- Digital Object Indentifier 10. To understand the risk of malware. 87-94% of the malware that each AV takes more than 30 days also take at least another AV more than 30 days to detect.2010. 23. 3. We measure the number of undetected malware generating child files. Risk-level assessment is a combination of infection/spread distribution and damage potential. 3. 42. We focus on three major subsystems: file system. 64. 17%. and what protection the AVs provide to keep system files intact. medium and high-level damage respectively.1109/MC.LdPinch. We call these copies child files. SYS and DLL extensions to be suspicious. Kaspersky prevents three malicious programs from creating/modifying EXE and DLL files in system folders.

The percentage of the malware in the malware collection that is not detected within zero days and also produces one or more malicious child files 3.Virut. This causes several applications to malfunction because they depend on the quarantined files. there is no record of denying registry modification in Avast’s and Symantec’s logs.0\Word\Security\Level) and Microsoft Excel’s key controlling add-ins (Software\Microsoft\Office1.0\Excel\Resiliency\StartupItems). However.IRCBot sets /SOFTWARE\Microsoft\Security Digital Object Indentifier 10. McAfee and Trend Micro block changes to the hosts file (containing the mapping between IP addresses and hostnames).1109/MC. we observe which registry keys malware attempts to modify and the AVs’ corresponding responses. controlling a browser's appearance and security. These keys are often changed by malware. W32. leading to security breaches.g. called registry key. Moreover. there are other keys that malware can alter. From the experiment. Kaspersky. 100 90 80 % of Malware 70 60 50 40 30 20 10 0 Undetected malware (within zero day) with undetected child files Undetected malware (within zero day) with one or more detected child files more than 0 day Undetected malware (within zero day) with one or more detected child files within 0 day Undetected malware (within zero day) with no child files Figure 4. although it seems limited to system and network keys. there are other keys which do not directly weaken system security but can help malware hide the fact of system being compromised. we notice that Avast and Norton sometimes do not quarantine the undetected root program (e. W32.2010. Additionally.2 Registry Registry contains a data structure that organizes configurations. Changing values in registry keys may affect system-wide or application-specific functionality and security.This article has been accepted for publication in Computer but has not yet been fully edited.CF) which continues infecting other files that are detected and quarantined by the AVs.1. such as Microsoft Word’s key controlling macro execution (Software\Microsoft\Office1. The results also suggest that the AVs with behavior-based detection provide protection for registry. In the study.187 0018-9162/$26. and setting local/remote login (\Software\Microsoft\Windows NT\CurrentVersion\Winlogon). while Norton allows these changes.00 ) 2010 IEEE . For example.2. such as automatically starting programs after reboot (\Software\Microsoft\Windows\CurrentVersion\Run). file names). Some content may change prior to final publication. However. It implies that Symantec probably allows programs to alter registry keys and remedy them later if a threat is found. They control important functions. Additionally. Symantec’s log contains the record of registry remediation.

while Kaspersky. Symantec and Trend Micro stop only a relatively small amount of spam generated by malware. Norton and Trend Micro allow 56. 3. downloading other malware. In the study.g.62% of the undetected malware which attempts to modify \Software\Microsoft\Windows\CurrentVersion\Run.93% and 53.This article has been accepted for publication in Computer but has not yet been fully edited. For example. Our experiments show that Norton detects malware sending HTTP Digital Object Indentifier 10. several undetected malware files visit malicious web pages and download malicious images. However. 25. these firewalls are not sufficient to protect against certain threats because they do not examine actual traffic data. McAfee. these threats cannot evade behavior-based detection.1109/MC.3 Network Network connection is one way for programs in the system to communicate with remote hosts as well as for remote intruders to inject malware into the system. McAfee.00 ) 2010 IEEE . the AVs do not always block malware from performing code injection.187 0018-9162/$26. Norton and Symantec detect the malicious images which attempt to create a vulnerable ActiveX object (HTTP MS MPEG2TuneRequestControl ActiveX BO). This suggests that Avast. Norton and Trend Micro block 51 and 74 malicious programs from performing code injection. All AVs have an email scanner to filter malicious emails. Center\[FirewallDisableNotify/AntiVirusDisableNotify/UpdatesDisableNotify] to disable a notification window alerting users of firewall. McAfee’s and Symantec’s logs.2 Memory Malware commonly uses program-vulnerability exploitation and code injection to manipulate running programs to perform malicious tasks (e. we observe which exploitations the AVs detect. McAfee and Trend Micro deny 40. and the AVs’ responses to malicious code injection. Some vulnerabilities may take the AVs days or weeks to detect after publication.2. However.80% to perform the registry-key modification respectively. These two vulnerabilities were published in 2006 and July 2009 respectively. McAfee and Trend Micro detect the web page that attempts to exploit Microsoft Data Access Component vulnerability (Exploit-MS06-014). We study the mechanisms that the AVs use to secure network communication and quantify the amount of malware the AVs prevent from downloading additional malicious files. For example. Similar results also occur for \Software\Microsoft\Windows NT\CurrentVersion\Winlogon. how long it takes for detection. For example. From the experiment. There is no record of code injection detection in Avast’s. Additionally. One way to mitigate the vulnerabilityexploitation problem is to keep both operating system (Windows) and applications up-to-date. The results also show that the AVs do not always protect the important keys. The AVs offer several features to secure network-related applications. One example is that Norton detects HTML files that try to create a vulnerability-prone object (MSIE ADODB.98% and 5.2010. obscuring malware’s presence). antivirus or updates being disabled.38%. Trojan downloader can transfer malicious files using protocols permitted by the firewall (TCP/HTTP). although we find that Norton. The AVs with behavior-based detection also have their own firewall which controls both incoming and outgoing traffic. McAfee and Symantec do not protect other programs against code injection. The empirical results show that additional exploitations are present during the undetected malware’s execution and the AVs’ detection can lag behind even after vulnerabilities are published. Some content may change prior to final publication. 3.2. while the default Windows firewall only monitors incoming traffic.Stream Object File Installation Weakness) and exploit the buffer overflow vulnerability in a browser (HTTP Microsoft IE Generic Heap Spray BO) about 30 days after we initially download the malware (mid August). Norton and Trend Micro have browser plug-ins to protect against browser exploitations and malicious web sites. Kaspersky and Trend Micro allow 21 and 19 malicious programs to perform code injection respectively.

Nonetheless.38%. Some content may change prior to final publication. McAfee’s and Symantec’s logs. The empirical results suggest that regardless of having behavior-based detection.83% of the undetected malware produce one or more malicious child files. and malware downloading malicious PDF and CSS files with executable content. requests to download malicious files. C. malware using an email with links to a copy of itself. Digital Object Indentifier 10. the AVs cannot effectively detect current malware. as opposed to none by the AVs without behavior-based detection.2010. September 15 . On average 53. During undetected malware’s execution. Notes 29. Trend Micro seems to block malicious downloads based on blacklists.. and Mitchell. Moreover. Fredrikson.. Trend Micro blocks web sites that are no longer available. 5230. Trachtenberg. 23. and A.18% of the malware). 2004. 4 Conclusion We study the effectiveness of six commercial AVs (with and without behavior-based detection) in defending against contemporary malware. EuroSys '09. Anil Somayaji . SIGSOFT Softw. 8. 61-74. 78-97 4. p. Lecture Notes In Computer Science. the AVs with behavior-based detection can provide protection against certain system activities. Christodorescu.120. 13. Longstaff. Heidelberg. Jha. users must take precautions before downloading or opening any unknown files. E. MA. April 01 . Hence. Berlin. 34-44. The results show that the AVs with behavior-based detection can prevent a subset of the malware from modifying certain system and network registry values. McAfee. H. 2008. Out of these malware files.03. Pointless tainting?: evaluating the practicality of pointer tainting. J. Thomas A. 2. There is no record of blocking malicious download in Avast’s. such as ICMP flood and TCP SYN flood.17. S. such as not opening emails from strangers or opening unknown web sites. 1996.187 0018-9162/$26. They sometimes prevent malware from performing code injections and malicious downloads (non-executable files (JPG/CSS) with executable content).18% of the malware is undetected and exhibit malicious-web downloads. Slowinska. 2009). It is also likely that undetected malware’s execution will result in additional malware in the system. Kaspersky. Steven A. M. R.. References 1. 74. Additionally. Germany.38% from downloading additional malware. Stinson. New York. vol.1109/MC. A. 2009. Kirda.15% of the malware within the first day the malware files are collected. L. May 06-08. and 71. M. Lippmann.This article has been accepted for publication in Computer but has not yet been fully edited. A Sense of Self for Unix Processes. ACM.88% of the malware are detected after 30 days. Malware is considered to exhibit malicious-web download if at least one AV blocks one or more web sites visited by the malware.00 ) 2010 IEEE . Proceedings of the 1996 IEEE Symposium on Security and Privacy. NY. Testing malware detectors. they can stop 0%-74. Martignoni.51%.49% of the undetected malware with malicious child files generate one or more child files detected immediately by the AVs. the AVs with behavior-based detection raise the bar for system protection. Stephanie Forrest .. 2008). A Layered Architecture for Detecting Malicious Behaviors.52%-21. Eds. They quarantine at most 62. Springer-Verlag. 4 (Jul. the AVs with behavior-based detection can stop undetected malware from downloading malicious files. and an additional 64. 2004). and Bos. To minimize the risk of receiving malware. Norton and Trend Micro prevent 30. and Jha. 3. Kaspersky. In Proceedings of the 11th international Symposium on Recent Advances in intrusion Detection (Cambridge. Hofmeyr . Norton and Trend Micro detect denial-of-service attacks. and always keeping the system (both Windows and applications) up-to-date. E. S. In Proceedings of the 4th ACM European Conference on Computer Systems (Nuremberg.54% of the undetected malware with malicious-web download from downloading one or more malicious files respectively.36% produce child files that are not detected by the AVs. but Kaspersky and Norton block web sites that actually deliver suspicious files. Eng. The amount of the undetected malware with malicious-web download is 147 (13. USA.

Moser. and Sekar. Yin. 2006. M. 6. Chaturvedi. SP. H. Dataflow Anomaly Detection. C.. SP. Christodorescu. 7. 48-62 8. Washington. IEEE Computer Society. DC. CA).1109/MC. Jang. 2009.. In Proceedings of the 2006 IEEE Symposium on Security and Privacy (May 21 .00 ) 2010 IEEE .. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (May 20 ... 11. and Kruegel. Reiter. and Kirda. 2004. C.. VManager: Service-aware virtual machine management. 2008. DC.. In Proceedings of the 1st Conference on india Software Engineering Conference (Hyderabad. C. Kruegel. In Proceedings of Recent Advances in Intrusion Detection (RAID). Kruegel. Cha. In Proc. (San Jose. S. I.This article has been accepted for publication in Computer but has not yet been fully edited. Kruegel. E. ACM. NY. Kirda. Apr. In Proceedings of the 11th ACM Conference on Computer and Communications Security (Washington DC. Bhatkar. I. D. C.23.. Truelove. J. CCS '04.. J. 318-329. S. W. 2004). February 19 . E.: Panorama: Capturing system-wide information flow for malware detection and analysis. 2006). Moraru. 5. 231-245 10..187 0018-9162/$26. Sangpetch. Brumley. Mutz. Exploring Multiple Execution Paths for Malware Analysis. 9. Distributed Malware Detection. 2007.. Kim. Gray-box extraction of execution graphs for anomaly detection. D. D. D. S..22. SplitScreen: Enabling Efficient. Jha.. 2007). Mining specifications of malicious behavior. ACM. Digital Object Indentifier 10. New York..29. R. Kirda. 2010. 2005.. H. 2008).. "Polymorphic worm detection using structural information of executables". October 25 . A. Vigna. Washington..24.. Manuel. E. India. In: Proceedings of the 14th ACM Conferences on Computer and Communication Security (CCS 2007) (2007) 12.2010. and Andersen. New York. CMU-ECE-2009-09. A. D. Turner. 7th USENIX NSDI. USA. 5-14. Song. E... K. M. NY. Robertson. D. and Song. A. Gao. and G. A. IEEE Computer Society. Some content may change prior to final publication. ISEC '08.