Type detecting test
Figure 2. Each product receives a score for finding an infecting file.The conditions for participation in our tests are listed in the Section II. The products were updated and frozen on March 28, 2012. The following 24 up-to-date products were included in these tests:
- Bitdefender Total Security 2012
- AVG Internet Security 2012
- Symantec Endpoint Protection 12.1
- ESET NOD32 Smart Security 184.108.40.206
- Microsoft Essential Security 2.1.1116.0
- McAfee Virus Scan Enterprise 8.8
- Avira Antivirus Professional 10.2
- G Data Total Core 2012
- Trust Port Total Protection 2012
- Avast Internet Security v7.0
- Outpost Security Suite Pro 7.5
- Kaspersky Internet Security 2012
- Trend Micro Titanium Maximum Security 2012
- Panda Global Protection 2012
- K7 Ultimate Security 2012
- eScan Internet Security 11.0
- Adware Total Security 2011
- Norman Security Suite 220.127.116.110
- Bullgaurd 12.0.217
- Comodo Internet Security Pro 2012
- Dr. Web 18.104.22.16840
- Sophos Endpoint Security 10.0
- ZoneAlarm Extreme Security 2012
- Webroot Secure Anywhere 22.214.171.124
Nowadays, almost all products run with the highest protection settings by default; some, however, may automatically switch to the highest settings once infections begin to occur. Due to this, and in order to ensure comparable results, all products were tested with their default settings. Also, several products make use of cloud technologies, which require an active Internet connection, but as mentioned in previous section, in this test there was no Internet connection.
Here, seven infected projects named Prj-1 to Prj-7 are shown. For each project, the tests results tables containing the detection malware details of various products are listed in Table I to Table VII.
According to results, each product gives a different name to the malware. Despite some existing organizations such as CVE that provide a dictionary of common names for publicly known information security vulnerabilities , there is no unique name for each malware.
Based on the results, which are listed in Table I to Table VII, the infected/infecting files are
Although there are more infecting files, like MRXCLS.sys and MRXNET.sys ( and ), those are not listed here because they exist on the infected system, and here we checked only the infected projects on a clean isolated system (see Section III). Also, based on descriptions and reports published on some web pages such as Symantec (, ), ESET, McAfee ( to ), Kaspersky ( to ), Trend Micro (, ) and Avira ( to ) we can say those six files certainly have Stuxnet or are created by it.
CLICK IMAGE TO ENLARGE
On the other hand, four isolated projects were tested and none of them had the six infected/infecting files which are listed before. All infected/infecting files which are found by security products can be found on the roots below, respectively:
For comparison, three kinds of tests were performed—type-detecting test, malware counting test and name-detecting test. For the type detecting test, each product will get a score if it detects an infecting file (Fig. 2). For malware-counting test, the number of detected malware was used (Fig. 3). And in the last test, a name comparison is done because the users must know if their files are infected by Stuxnet (Fig. 4).