
This page lists all the tested products.
For each manufacturer that has been tested you can see how its scanner does on the malware sample collection I have: how many of the live samples it detects (has a description for in its database), and the same for the small 'in the wild' subset.


ALWIL software avast! antivirus AVA
Number of descriptions in the database: 40986 out of 45159 live samples ( 90.8 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: avastcmd -a -c -i -t A -r ${LOGFILE} ${WORKDIR}
avastcmd v3.0.0
libavastengine v4.7

There seem to be some misunderstandings about this scanner. It is in fact the latest scanner for Linux, and one should not draw conclusions from the version number, which differs from the one you see with the Windows version.

While not the best product around, it does reasonably well in these tests. The latest update of the library took care of the segmentation faults I had with some samples. Their tech support is among the most responsive I have experienced among all of these scanners.

Arcavir ARC
Number of descriptions in the database: 36353 out of 45159 live samples ( 80.5 %)
Number of 'in the wild' descriptions in the database: 28 out of 30 live samples ( 93.3 %)

Commandline: find ${WORKDIR} -type f > ${FILELIST}
arcavir --scan -f ${ARCCONF} --heuristic=very-high --arcavir-dat-path=${ARCDIR} --list=${FILELIST} 2>&1 | tee ${LOGFILE}

arcavir: version 1.0.4 for Linux i386, 2006.01.26, build 2006.01.27

ARCAVIR is a freeware product.

It seems this is a duplicate of MKS_VIR. Which of the two is the clone is not entirely clear, but based on their announcement I would guess this one is the clone.

AVIRA Desktop for UNIX AVR
Number of descriptions in the database: 43477 out of 45159 live samples ( 96.3 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: avira --allfiles -z --heur-macro -ro -r1 -rf${LOGFILE} --alltypes ${WORKDIR}
AntiVir / Linux Version 2.1.7-18

This scanner has been found under other names in the past. The VGREP database still lists it as H+BEDV, but the name change happened quite some time ago.

Bitdefender/Linux-Console BDC
Number of descriptions in the database: 43496 out of 45159 live samples ( 96.3 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: bdc --all --files --arc ${WORKDIR} | tee ${LOGFILE}
BDC/Linux-Console v7.1 (build 2559) (i386) (Jul 6 2005 16:28:53)

BitDefender Linux Edition v7 is a freeware product.

The results in these tests keep it in the top 5 of the scanners tested. All in all a very nice product to have if you want to add a scanner to your Linux system.

CAT Quick Heal QH
Number of descriptions in the database: 17807 out of 45159 live samples ( 39.4 %)
Number of 'in the wild' descriptions in the database: 28 out of 30 live samples ( 93.3 %)

Commandline: qhscan ${WORKDIR} -DNAScan -WARE -MIME -ARCHIVE -PACKED -MAILBOX -LIST -REPORT=${LOGFILE}
Quick Heal Ver 8.00 (c) 1993-2005 by Cat Computer Services (P) Ltd.

Presently the worst results of all tested products. I have been unable to reach anyone in technical support about my findings. They might do better in these tests if they improve the product, as it seems to hit internal limits during the scan of a virus collection and fails to scan files as a result.

For now I would seriously consider dropping this product in favour of one with a more decent score.

Central Command / Vexira VEX
Number of descriptions in the database: 31841 out of 45159 live samples ( 70.5 %)
Number of 'in the wild' descriptions in the database: 29 out of 30 live samples ( 96.7 %)

Commandline: vascan -c vascan.ini --all-files --scanning=full --heuristics=high --sfx --action=skip --log=${LOGFILE} --vdb=vexira8.vdb --engine=libvbengine.so ${WORKDIR}
Vexira Scanner 1.2.4 for Linux (2006-01-09)
Vexira Engine: 4.2.18:8 (2006-01-10)

It seems this product is cloned by VirusBuster. (It could be the other way around.)

Unfortunately this product did not rate too well in these tests. It detects only about 3/4 of the samples, and it takes its time to find them: almost 2 hours to scan the lot.

Clam AntiVirus CLAM
Number of descriptions in the database: 31928 out of 45159 live samples ( 70.7 %)
Number of 'in the wild' descriptions in the database: 25 out of 30 live samples ( 83.3 %)

Commandline: clamscan --log=${LOGFILE} ${WORKDIR}
Clam AntiVirus Scanner 0.88.7

ClamAV is free software both in the sense of 'free beer' and of 'free speech'.

While ClamAV does not rate top of the bill, it is the only truly free scanner. If one considers that this team works on ClamAV besides a normal job or study, the results are not bad at all. They have improved their standing in these tests considerably over the past two years. But at present I would not trust ClamAV as the only malware scanner. On the other hand they have the highest rating on phishing attacks as far as I can tell.

At present, combining ClamAV and F-Prot under amavisd gives home users a cheap Linux solution with a great detection rate.

CyberSoft VFind Security Toolkit VSTK
Number of descriptions in the database: 26005 out of 45159 live samples ( 57.6 %)
Number of 'in the wild' descriptions in the database: 25 out of 30 live samples ( 83.3 %)

Commandline: find ${WORKDIR} -type f | sort |
${VSTKDIR}/uad -s -ssw |
${VSTKDIR}/vfind -ssr |
tee ${LOGFILE}

This product is cumbersome to install and run. The scan results are among the worst of the pack, with only about 2/5 of all samples detected.

Doctor Web Ltd, Dr.Web (R) for Linux DrW
Number of descriptions in the database: 38314 out of 45159 live samples ( 84.8 %)
Number of 'in the wild' descriptions in the database: 29 out of 30 live samples ( 96.7 %)

Commandline: drweb -al -ar -cn -up -fm -ha -log=${LOGFILE} -path=${WORKDIR}
Dr.Web (R) for Linux, version 4.32.2 (2004-11-01)

ESET NOD32 on demand scanner for Linux NOD
Number of descriptions in the database: 28904 out of 45159 live samples ( 64 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: nod32 --files --arch --mail --sfx --rtp --adware --unsafe --pattern --heur --adv-heur --all --log --log-file=${LOGFILE} ${COLLECTION}
NOD32 on demand scanner module, version 2.70.3

Despite the settings used, it seems NOD32 is not doing too well. In the past it was claimed that the sample names were the cause of the poor results, but --all is the option that should have taken care of that. With only about 2/3 of the samples detected I cannot recommend this product (at this time).

F-PROT ANTIVIRUS for Linux FP
Number of descriptions in the database: 39314 out of 45159 live samples ( 87.1 %)
Number of 'in the wild' descriptions in the database: 28 out of 30 live samples ( 93.3 %)

Commandline: f-prot -ai -archive=5 -collect -packed -server -report=${LOGFILE} -dumb ${WORKDIR}
F-PROT ANTIVIRUS Program version: 4.6.7 Engine version: 3.16.15

F-Prot Antivirus for Linux Workstations is free when used by personal users on personal workstations.

Both reasonably fast and with a very good score. It does not detect spyware/adware, but it is a very good virus detector.

As noted under ClamAV, combining F-Prot and ClamAV under amavisd gives home users a cheap Linux solution with a great detection rate.

F-Secure Anti-Virus for Linux FSAV
Number of descriptions in the database: 44563 out of 45159 live samples ( 98.7 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: fsav --dumb --archive=on --stoponfirst=off --list ${WORKDIR} | tee ${LOGFILE}
F-Secure Anti-Virus for Linux version 4.52 build 2461

You may know these people from their SSH product, but they also ship a malware scanner with superb results in these tests. They use multiple engines in their product: the AVP engine catches most of the files, but the other two turn a good scanner into a great one.

G Data AVK for Linux AVK
Number of descriptions in the database: 38882 out of 45159 live samples ( 86.1 %)
Number of 'in the wild' descriptions in the database: 27 out of 30 live samples ( 90 %)

Commandline: bdc ${WORKDIR} --arc --mail --log=${LOGFILE} --all --alev=3
AVK for Linux Console 7.0
Core: AVCORE v1.0 (build 2094) (i386) (Sep 24 2003 14:05:32)

This seems to be a clone of BitDefender Linux Edition v7.

Grisoft AVG for Linux AVG
Number of descriptions in the database: 24119 out of 45159 live samples ( 53.4 %)
Number of 'in the wild' descriptions in the database: 28 out of 30 live samples ( 93.3 %)

Commandline: avgscan -scan -heur -smart -macrow -arcw -arc -rt -report ${LOGFILE} ${WORKDIR}
AVG 7.1 Anti-Virus Program version 7.1.28

This scanner is not doing well in these tests. It detects only about half of the samples. I must doubt some of the awards Grisoft got for their product, as these results indicate a mediocre product at best. It is light on the system, but probably too light for real life.
[Screenshot: AVG on XP, taken on 2006-12-09.]

Hauri Virobot HAU

Commandline: virobot --archive -d ${WORKDIR}
ViRobot Linux Server Ver 2.0

Another scanner showing disappointing results. The test method is not ideal, but I do not think the poor rating has anything to do with it.

Ikarus IKA
Number of descriptions in the database: 33615 out of 45159 live samples ( 74.4 %)
Number of 'in the wild' descriptions in the database: 27 out of 30 live samples ( 90 %)

Commandline: pscan ${WORKDIR} -ALL -LA -PN -NOLOGO -LEARN- -L:${LOGFILE}

This is the only manufacturer that asked to be included in these tests. They do not offer a regular scanner under Linux (yet).

This scanner had trouble with some of the samples: 10 samples had to be removed to complete the scan. The results are average at best. The scanner took quite a while to scan the samples (too long to automate, in fact). With only about 3/4 of the samples detected (74.4 %), this is not a scanner I would recommend.

Kaspersky On-Demand Scanner for Linux KAV
Number of descriptions in the database: 40615 out of 45159 live samples ( 89.9 %)
Number of 'in the wild' descriptions in the database: 28 out of 30 live samples ( 93.3 %)

Commandline: kavscanner -o${LOGFILE} -i0 ${WORKDIR}
Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.0.4.0/RELEASE build #3, compiled Jul 5 2004, 16:07:57

Kaspersky is still able to keep up its reputation of delivering a fine scanner. Getting a working licence for evaluation might be a bit of a problem, but that might just be my bad luck. Even this older version of the scanner still ranks as top quality.

McAfee Virus Scan for Linux McA
Number of descriptions in the database: 43174 out of 45159 live samples ( 95.6 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: uvscan --analyze --mime --noboot --norename --program --unzip ${WORKDIR} | tee ${LOGFILE}
Virus Scan for Linux v4.40.0

While an old program, it is still updated well enough to rate among the top 3 in these tests. They have been in this business for quite some time and it shows.

Microworld Systems eScan MWTI

Commandline: escan --enable-pack --enable-archives --enable-ext-archives --enable-mail-db --enable-plain-mail --enable-heuristic --enable-unknown-vir --log-path ${LOGDIR} --log-only --donot-cross-fs ${WORKDIR}
mv ${LOGDIR}/${DATUM}-*.log ${LOGFILE}

Microworld Systems uses the scan engine from Kaspersky, so the results should be pretty similar.

MKS_VIR MKS
Number of descriptions in the database: 36331 out of 45159 live samples ( 80.5 %)
Number of 'in the wild' descriptions in the database: 27 out of 30 live samples ( 90 %)

Commandline: find ${WORKDIR} -type f > ${FILELIST}
mks32 --scan -f ${MKSCONF} --heuristic --mks-vir-dat-path=${MKSDIR} --list=${FILELIST} 2>&1 | tee ${LOGFILE}

mks_vir 1.9.6 for Linux i386

It seems this is a duplicate of ARCAVIR. Which of the two is the clone is not entirely clear, but based on the Arcabit announcement I would guess ARCAVIR is the clone.

NVCC for Linux 5.70.01 NOR

Commandline: nvcc -u -cl:0 -lf:${LOGFILE} -sb:0 ${WORKDIR}

Unfortunately this results in an error (Scanning aborted due to error. Error code 0x000f0002.), so this scanner is not tested. I asked Norman to look into this at the end of 2005 and it took them a month to acknowledge the problem. Until now there is still no known fix.

Panda PAN

Commandline: /pavcl ${WORKDIR} -heu:3 -cmp -aex -rpt:${LOGFILE}

Unfortunately this results in a segmentation fault, so this scanner is not tested. I asked Panda to look into this, as I have serious doubts about their RPM build environment.
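Several entries above end with a scanner that dies part way through the collection (Quick Heal hitting internal limits, the 10 samples that had to be pulled for Ikarus, the Norman error and the Panda segmentation fault). When that happens the practical question is which sample kills it, so the rest of the collection can still be scored. The script below is an added example, not from this page or from any of the vendors: it bisects a file list of the kind the arcavir/mks32 --list= invocations above consume, re-running the scanner on halves until the offenders are isolated. The scanner itself is a constructed stand-in that fails on any path containing "crash"; the paths are made up.

```shell
#!/bin/sh
# Added example (not from the page): find which sample(s) make a scanner abort
# by halving the file list, so the rest of the collection can still be scored.
WORK=$(mktemp -d)
SCANS=0                  # how many scanner invocations the search cost

# scan_list LISTFILE: exit 0 if the whole list scans, non-zero on an abort.
# Stand-in behaviour: "dies" with status 139 (what the shell reports for a
# SIGSEGV) on any path containing "crash". For a real product replace the
# body with its list-scanning call, e.g. "$SCANNER" --list="$1" >/dev/null 2>&1
scan_list() {
    SCANS=$(( SCANS + 1 ))
    while IFS= read -r f; do
        case "$f" in *crash*) return 139 ;; esac
    done < "$1"
    return 0
}

# find_bad LISTFILE: print every path on which scan_list fails. One scan of
# the full list is the common, cheap case; only a failing half is split again.
# Assumes a crash is caused by a single sample, not by resource exhaustion
# over the whole set (that case needs a lower cut-off, not a bisection).
find_bad() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -eq 0 ] && return 0
    if scan_list "$1"; then return 0; fi
    if [ "$n" -eq 1 ]; then cat "$1"; return 0; fi
    half=$(( n / 2 ))
    head -n "$half" "$1" > "$1.a"
    tail -n +"$(( half + 1 ))" "$1" > "$1.b"
    find_bad "$1.a"      # n and half are globals in POSIX sh; not used below
    find_bad "$1.b"
    rm -f "$1.a" "$1.b"
}

# clean_list LISTFILE BADFILE OUTFILE: the list minus the offenders, i.e. what
# actually gets scored; prints how many samples were dropped.
clean_list() {
    if [ -s "$2" ]; then grep -Fxv -f "$2" "$1" > "$3" || true; else cp "$1" "$3"; fi
    echo $(( $(wc -l < "$1") - $(wc -l < "$3") ))
}

# ---- constructed list: eight samples, two of which kill the stand-in ----
LIST=$WORK/list.lst
cat > "$LIST" <<'EOF'
/v/w32/one.exe
/v/w32/two.exe
/v/w32/crash1.exe
/v/macro/four.doc
/v/macro/five.doc
/v/script/six.vbs
/v/unix/crash2.elf
/v/unix/eight.elf
EOF

find_bad "$LIST" > "$WORK/bad.lst"
DROPPED=$(clean_list "$LIST" "$WORK/bad.lst" "$WORK/list.clean")
cat "$WORK/bad.lst"                                        # the two crash* paths
echo "dropped $DROPPED samples after $SCANS scanner runs"  # dropped 2 samples after 11 scanner runs
```

Eleven scanner runs for eight files looks expensive, but on a real collection the cost is roughly 2·log2(N) runs per offending sample, each over a shrinking subset, which is far cheaper than scanning file by file. Record the dropped paths with the results: a scanner that only completes after samples are removed is scored on a smaller collection than the others, and the percentages should say so.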

Sophos SWEEP virus detection utility SOP
Number of descriptions in the database: 35525 out of 45159 live samples ( 78.7 %)
Number of 'in the wild' descriptions in the database: 27 out of 30 live samples ( 90 %)

Commandline: /sweep -sc -f -all -nb -p=${LOGFILE} -archive ${WORKDIR}
SWEEP virus detection utility Version 4.05.0 [Linux/Intel]

Trend Micro IWSS commandline scanner TM
Number of descriptions in the database: 41785 out of 45159 live samples ( 92.5 %)
Number of 'in the wild' descriptions in the database: 30 out of 30 live samples ( 100 %)

Commandline: vscan -c1 -c2 -sd -y20 -a -za -u -l${LOGFILE} ${WORKDIR}
Virus Scanner v3.1, VSAPI v8.100-1002

Some notes: Trend Micro still seems to fail to understand how services should be installed on a Linux system. They support only a small set of distributions, which should allow them to do things right instead of editing files by hand in the RC tree. Unfortunately they mess around quite a bit.

My advice: do a test install and let it run for some weeks to find all the weak spots. Then build a new system that takes into account the odd things their installation does in violation of the LSB.
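One way to do what the advice above suggests, as an added example that is not from this page or from Trend Micro: take a manifest of the init/rc tree before the test install and again afterwards, and diff the two, so that hand-edited scripts and hand-made rc links show up by name. The directory tree, the "installer" steps and the file contents are constructed for the example under a temp dir; on a real box you would point ROOT at / and run the vendor install between the two manifests.

```shell
#!/bin/sh
# Added example (not from the page): record what an installer does to the
# init/rc tree by diffing a before and an after manifest.
export LC_ALL=C          # sort and comm must agree on collation
WORK=$(mktemp -d)

# manifest ROOT -> sorted lines: "L path -> target" for symlinks,
# "F path crc" for files (cksum is POSIX; use sha256sum where available),
# "D path" for directories. Paths containing spaces are not handled.
manifest() {
    root=$1
    for d in "$root"/etc/init.d "$root"/etc/rc[0-6S].d; do
        [ -e "$d" ] || continue
        find "$d" | while IFS= read -r p; do
            rel=${p#"$root"}
            if   [ -L "$p" ]; then printf 'L %s -> %s\n' "$rel" "$(readlink "$p")"
            elif [ -f "$p" ]; then printf 'F %s %s\n' "$rel" "$(cksum < "$p" | cut -d' ' -f1)"
            else                   printf 'D %s\n' "$rel"
            fi
        done
    done | sort
}

# delta BEFORE AFTER: "-" lines vanished, "+" lines appeared. A path that
# shows up once with "-" and once with "+" was edited in place (checksum or
# link target changed): that is the hand-editing to look for.
delta() {
    comm -23 "$1" "$2" | sed 's/^/- /'
    comm -13 "$1" "$2" | sed 's/^/+ /'
}

# modified BEFORE AFTER: only the paths that were edited in place
modified() {
    comm -23 "$1" "$2" | cut -d' ' -f2 | sort -u > "$WORK/m1"
    comm -13 "$1" "$2" | cut -d' ' -f2 | sort -u > "$WORK/m2"
    comm -12 "$WORK/m1" "$WORK/m2"
}

# ---- constructed tree standing in for /etc on the test box ----
ROOT=$WORK/root
mkdir -p "$ROOT/etc/init.d" "$ROOT/etc/rc3.d" "$ROOT/etc/rc5.d"
printf '#!/bin/sh\n# start the network\n' > "$ROOT/etc/init.d/network"
ln -s ../init.d/network "$ROOT/etc/rc3.d/S10network"
manifest "$ROOT" > "$WORK/before.lst"

# ---- the "installer": a new service, hand-made rc links, and an edit to a
#      script it does not own (constructed behaviour, not any real product) ----
printf '#!/bin/sh\n# start the scanner daemon\n' > "$ROOT/etc/init.d/vscan"
ln -s ../init.d/vscan "$ROOT/etc/rc3.d/S99vscan"
ln -s ../init.d/vscan "$ROOT/etc/rc5.d/S99vscan"
printf '/etc/init.d/vscan start\n' >> "$ROOT/etc/init.d/network"
manifest "$ROOT" > "$WORK/after.lst"

delta "$WORK/before.lst" "$WORK/after.lst"
modified "$WORK/before.lst" "$WORK/after.lst"   # /etc/init.d/network
```

The same two manifests also tell you what an uninstall leaves behind, and whether the package manager's own file list (rpm -ql, dpkg -L) accounts for every "+" line; anything the package does not own but the installer touched is what you have to reproduce by hand when you rebuild the system.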

VirusBlokAda Vba32 VBA
Number of descriptions in the database: 35779 out of 45159 live samples ( 79.2 %)
Number of 'in the wild' descriptions in the database: 27 out of 30 live samples ( 90 %)

Commandline: vbacl ${WORKDIR} -af+ -rw+ -ha=3 -r=${LOGFILE} -ar+ -ml+
VirusBlokAda (Console scanner) Vba32 Linux 3.11.2 / 2007.02.03 04:34 (Vba32.L) Program settings: -r=/home/virus/vba32.lst -sfx -ha=3 -pd+ -af+ -ha+ -ar+ -qu+ -ok+ -ml+ -rw+

VirusBuster Scanner 2005 VB
Number of descriptions in the database: 31841 out of 45159 live samples ( 70.5 %)
Number of 'in the wild' descriptions in the database: 29 out of 30 live samples ( 96.7 %)

Commandline: vbscan -c /vbscan.ini --all-files --scanning=full --heuristics=high --sfx --action=skip --log=${LOGFILE} --vdb=vbuster8.vdb --engine=libvbengine.so ${WORKDIR}
VirusBuster Scanner 2005 1.2.4 for Linux (2006-01-09)
VirusBuster Engine: 4.2.18:8 (2006-01-10)

It seems this product is a clone of the Central Command product Vexira. (It could be the other way around.) When it looks like a duck, talks like a duck, swims like a duck and walks like a duck ... it probably is a duck.

Unfortunately this product does not rate too well in these tests. It detects only about 3/4 of the samples, and it takes its time to find them: almost 2 hours to scan the lot.
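The percentages at the top of each entry and the clone remarks (Arcavir/MKS_VIR, Vexira/VirusBuster, AVK/BitDefender) both come down to set arithmetic over the scan logs: which of the live samples appear with a verdict, and whether two products flag exactly the same files. The script below is an added example of that bookkeeping, not the author's harness; the log line format, the sample paths and the 'in the wild' list are assumed or constructed, and a real product's log needs its own filter in the detections function.

```shell
#!/bin/sh
# Added example (not from the page): score a scanner log against the list of
# live samples and compare two scanners' detection sets.
export LC_ALL=C          # sort and comm must agree on collation
WORK=$(mktemp -d)

# A detection line is assumed to start with the sample path, a colon and a
# verdict containing one of these words, e.g. "/v/w32/a.exe: Infected: X" or
# clamscan-style "/v/w32/a.exe: Name FOUND". Paths with ':' are not handled.
detections() {           # $1 = logfile -> sorted unique detected paths
    grep -E '^/[^:]+: .*(Infected|FOUND|Virus)' "$1" | cut -d: -f1 | sort -u
}

# rate LIST LOG -> "hits total pct", pct rounded to one decimal as on this page
rate() {
    detections "$2" > "$WORK/det.$$"
    hits=$(sort -u "$1" | comm -12 - "$WORK/det.$$" | wc -l | tr -d ' ')
    total=$(sort -u "$1" | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || { echo "0 0 0.0"; return 0; }
    tenths=$(( (hits * 10000 / total + 5) / 10 ))
    printf '%s %s %d.%d\n' "$hits" "$total" $(( tenths / 10 )) $(( tenths % 10 ))
}

# overlap LOG1 LOG2 -> "only1 common only2". Identical sets ("0 N 0") on a
# large collection are what makes two products look like one engine.
overlap() {
    detections "$1" > "$WORK/o1.$$"
    detections "$2" > "$WORK/o2.$$"
    printf '%s %s %s\n' \
        "$(comm -23 "$WORK/o1.$$" "$WORK/o2.$$" | wc -l | tr -d ' ')" \
        "$(comm -12 "$WORK/o1.$$" "$WORK/o2.$$" | wc -l | tr -d ' ')" \
        "$(comm -13 "$WORK/o1.$$" "$WORK/o2.$$" | wc -l | tr -d ' ')"
}

# ---- constructed data: six live samples, two of them 'in the wild' ----
SAMPLES=$WORK/samples.lst
ITW=$WORK/itw.lst
cat > "$SAMPLES" <<'EOF'
/v/w32/alpha.exe
/v/w32/beta.exe
/v/macro/gamma.doc
/v/script/delta.vbs
/v/w32/epsilon.exe
/v/unix/zeta.elf
EOF
printf '%s\n' /v/w32/alpha.exe /v/macro/gamma.doc > "$ITW"

LOG1=$WORK/scanner1.log   # detects five of six, both ITW samples
cat > "$LOG1" <<'EOF'
/v/w32/alpha.exe: Infected: Alpha.A
/v/w32/beta.exe: Infected: Beta.B
/v/macro/gamma.doc: Infected: W97M/Gamma
/v/script/delta.vbs: OK
/v/w32/epsilon.exe: Infected: Eps.C
/v/unix/zeta.elf: Infected: Linux/Zeta
EOF
LOG2=$WORK/scanner2.log   # a rebadged build: same verdicts, different names
cat > "$LOG2" <<'EOF'
/v/w32/alpha.exe: Alpha-A FOUND
/v/w32/beta.exe: Beta-B FOUND
/v/macro/gamma.doc: W97M.Gamma FOUND
/v/script/delta.vbs: OK
/v/w32/epsilon.exe: Eps-C FOUND
/v/unix/zeta.elf: Linux.Zeta FOUND
EOF

rate "$SAMPLES" "$LOG1"   # 5 6 83.3
rate "$ITW" "$LOG1"       # 2 2 100.0
overlap "$LOG1" "$LOG2"   # 0 5 0
```

The overlap numbers are more telling than the two percentages alone: two products can land on the same score while missing different files, and only a symmetric difference of exactly zero on a collection of tens of thousands of samples supports the "same engine" conclusion. Malware names are deliberately ignored for that comparison, since rebadged engines usually rename their signatures.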