The deplorable four. Testing free antiviruses: Huorong, Preventon, Zoner, and FS Protection

Today, I am going to battle-test four antivirus programs: a British one, a Chinese one (featuring an original engine), a Finnish one, and an exciting Czech project at the beta-version stage. All of them are free and offer extra protection features aside from the basic system scan. Let’s pit the new antiviruses against hordes of trojans and worms I prepared for them!

Test methodology

The antiviruses were tested under maximally similar conditions. A test virtual machine with a clean Windows 10 Pro (1909) was deployed in VirtualBox. I installed all updates (except for problematic ones), set up the automatic logon and network drive mount, and disabled Windows Defender and antivirus of the host OS.

Then I cloned the test VM: one clone for each AV program. The antiviruses were updated directly before the tests. Their default configurations were left unchanged – because most users run them exactly this way (the only exceptions were settings increasing the detection probability). The real-time protection was on; limitations for file sizes and extensions were disabled to make sure that all malicious objects are scanned.

INFO

The author is grateful to VX Heaven for the provided malware samples.

Below is a brief description of the test suites that included all types of malicious programs:

Main block:

  • 100 backdoors for Windows;
  • 100 NetWorms (IM, IRC, email, P2P, etc.);
  • 100 Trojans (bankers, clickers, downloaders, droppers, etc.); and
  • 100 Adware components.

Supplementary block:

  • 100 backdoors for Linux;
  • 37 RootKITs for Windows;
  • 87 malicious programs whose signatures weren’t identified at the time of the testing. Such programs could be detected only by heuristic analyzers; and
  • 49 malicious code samples for non-x86 processor architectures (MIPS, Motorola MC68K, SPARC, and PowerPC).

The main block was used to test reactions of the antiviruses to typical Windows threats; the supplementary block was used to assess the heuristic and cross-platform security levels.
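The detection percentages quoted throughout this article are derived from what is left in each test folder after the scan (for instance, "leaving 48 ones on the system partition"). The script below is an added illustration of that bookkeeping, written for this article rather than taken from it or from any of the tested products. It lays out a constructed corpus of harmless placeholder files (not the VX Heaven samples), records a SHA-256 manifest per category, lets a pretend scanner remove some files, and then computes the per-category rate from the hashes that survive. Comparing hashes instead of file names means that a sample the antivirus only renamed still counts as present, and that files the antivirus itself drops into the folder are not mistaken for survivors.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the test corpus: category -> {file name: bytes}.
# The bodies are harmless placeholder strings, NOT malware samples;
# only their hashes matter to the bookkeeping below.
SAMPLES = {
    "Backdoors": {f"bd{i:03}.bin": f"backdoor-placeholder-{i}".encode() for i in range(5)},
    "NetWorms": {f"nw{i:03}.bin": f"networm-placeholder-{i}".encode() for i in range(4)},
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_samples(root: str, samples: dict) -> dict:
    """Lay the corpus out as root/<Category>/<file> and return the manifest:
    category -> set of SHA-256 hashes that were on disk before the scan."""
    manifest = {}
    for category, files in samples.items():
        folder = os.path.join(root, category)
        os.makedirs(folder, exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(body)
        manifest[category] = {sha256_of(body) for body in files.values()}
    return manifest


def hashes_on_disk(folder: str) -> set:
    """Hash whatever is left in the folder after the scan. A sample the AV merely
    renamed (e.g. to .vir) keeps its hash and therefore still counts as present."""
    found = set()
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                found.add(sha256_of(fh.read()))
    return found


def detection_rates(root: str, manifest: dict) -> dict:
    """Per-category percentage of samples no longer on disk (quarantined or deleted).
    Only manifest hashes are compared, so log files or stubs the AV itself may
    have written into the folder do not distort the count."""
    rates = {}
    for category, expected in manifest.items():
        survivors = hashes_on_disk(os.path.join(root, category)) & expected
        detected = len(expected) - len(survivors)
        rates[category] = round(100.0 * detected / len(expected), 1)
    return rates


def simulate_quarantine(root: str, removed: dict) -> None:
    """Stand-in for the antivirus: delete the named files, leave the rest untouched."""
    for category, names in removed.items():
        for name in names:
            os.remove(os.path.join(root, category, name))


def run_demo() -> dict:
    """Build the corpus, let the pretend scanner act on it, and measure the outcome."""
    with tempfile.TemporaryDirectory() as root:
        manifest = write_samples(root, SAMPLES)
        # Pretend scanner: removes 3 of 5 backdoors and 2 of 4 worms, and only
        # renames a third worm, which must not be credited as a detection.
        simulate_quarantine(root, {"Backdoors": ["bd000.bin", "bd001.bin", "bd002.bin"],
                                   "NetWorms": ["nw000.bin", "nw001.bin"]})
        os.rename(os.path.join(root, "NetWorms", "nw002.bin"),
                  os.path.join(root, "NetWorms", "nw002.bin.vir"))
        return detection_rates(root, manifest)


if __name__ == "__main__":
    for category, rate in run_demo().items():
        print(f"{category} - {rate}%")
```

On a real test bench the manifest would be written before the scan and `detection_rates` run afterwards against the actual folders; the `simulate_quarantine` and `os.rename` calls only stand in for the antivirus here.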

WARNING

All tests were performed for research purposes only. The required files were downloaded from publicly available resources. The developers of the tested AV software have been automatically notified of the scan results. Neither the editorial board nor the author can be held liable for improper use of information provided in this article.

Huorong Internet Security

Huorong Security is not an ordinary made-in-China antivirus: its developer has been attested by Microsoft as a trusted AV software provider for Windows.

Version 5.0.37.6 dated November 16, 2019 (18.5 MB) was downloaded from the official website. According to the developers, it fully supports all 32- and 64-bit Windows versions from XP to 10.

Huorong Internet Security: main window and language selection

After the installation, Huorong Internet Security updated itself to version 5.0.39.2. The program occupies some 40 MB on the hard drive and does not consume much system resources even when all additional protection components are enabled.

These components include a proactive module, web traffic analyzer, host-based intrusion prevention system (HIPS), and firewall. The purpose of the last two components is to reduce the risk that your computer is added to a botnet and to restrict the spread of malware throughout the local network by blocking suspicious traffic regardless of its direction.

Huorong: configuring the antivirus and additional components

Another Huorong component protects your PC against common unauthorized remote access techniques (for instance, it detects and blocks attempts to brute-force the admin password).

Huorong allows you to control access levels for applications and enables you to set rules for all programs. It also offers a number of supplementary utilities, including a module blocking attempts to use known exploits. This function is especially important when it comes to countering advanced persistent threats (APT) and targeted attacks.

Huorong: built-in system analysis and clean-up utilities

Huorong Internet Security uses its own antivirus engine called Cobra. Not much information about it is available online. However, it is known that this engine runs the tested code in an isolated HVM (Huorong VM) environment. So, let’s try it in combat conditions!

Tests

Huorong failed to scan the test folders stored in the network directory. It simply froze for an indefinite period of time, displaying its animation: no progress indicator, no statistics – no information at all.

Then I created the V\ subfolder in the root directory on the C:\ drive and copied the backdoors there. Huorong allowed me to perform this operation, regained consciousness, and started displaying the detected malware in the pop-up window.

Huorong pop-up window

The program managed to detect only 52 malicious programs out of the 100 (thus, leaving 48 ones on the system partition).

Huorong failed to detect almost a half of the test programs

The antivirus identified only 39 trojan samples out of the 100 (accordingly, the remaining 61 were not detected).

With regards to NetWorms, the situation was equally pathetic: Huorong quarantined 48 of them (thus, leaving 52 worms on the loose).

Less than half of the adware elements have been quarantined: 48 out of the 100.

Main test round statistics:

  • Backdoors – 52%;
  • NetWorms – 48%;
  • Trojans – 39%;
  • Adware – 49%.

In other words, Huorong detects only about half of the threats of each type. Furthermore, its work is divided into several stages. For each 100-file selection, the antivirus displays the pop-up window thrice and counts the number of malicious programs in the same folder all over again. Huorong is unable to check the entire folder at once; as a result, while it scans one file, the others remain unblocked.

The antivirus failed to redeem itself in the supplementary test round. It ignored 22 RootKITs out of the 37 and failed to detect 79 little-known threats out of the 87. Huorong hasn’t identified a single threat for non-x86 processor architectures, and its heuristic and advanced security levels turned out to be not worth a damn.

I expected Huorong to ignore Linux malware for good, but the made-in-China antivirus managed to block 1 malicious program out of the 100. Frankly speaking, it would be better for the developers not to announce the support of Linux systems – in that case, their creation could pass as a mediocre Windows scanner.

Supplementary test round statistics:

  • RootKITs – 40%;
  • Heuristic – 9%;
  • Linux malware – 1%;
  • non-x86 threats – 0%.

Overall, the Huorong performance is very poor. Its other notable defects are:

  • impossibility to check HTTPS traffic (on the other hand, there is no risk of ‘Kaspersky in the middle’-like attacks performed by the antivirus that installs its own certificate); and
  • no cloud scanning mechanisms; as a result, Huorong reacts slowly to new threats (on the other hand, your files will remain yours and won’t be sent to the cloud ‘for scanning’ by the antivirus).

Preventon Antivirus Free

Preventon is a free antivirus supporting all Windows versions: from 32-bit XP to 64-bit Win 10. Its developer is UK-based C/O Security Software. Version 5.5.117 was tested.

The free version is not distributed separately from the commercial one. You install the program, and the 30-day trial period for Preventon Antivirus Premium begins. After a month, the antivirus will ask you to buy a license; if you refuse, you can continue using the free version of Preventon, which expectedly has some limitations in comparison with the commercial one.

Preventon: after a 30-day trial, you can activate the free version

The free version provides the basic security level: it automatically scans files that you open and allows you to check any specific object at any time. Files, folders, and entire partitions can be selected both from the program’s main window and from its context menu in Windows Explorer.

Preventon Antivirus settings

Updates are released on a daily basis; however, the database update procedure is poorly designed. Instead of using binary updates, Preventon completely overwrites all databases, and this takes a while: some 8 minutes (!) with a broadband connection.

Tests

Preventon Antivirus Free had no problems scanning the network directory and found 84 backdoors out of the 100. The scan for NetWorms brought a similar result: 86 worms out of the 100. Too bad, the program detected only 58 trojans and quarantined only 52 adware modules out of the 100.

Preventon finished scanning the network folder

Interestingly, Preventon counts not the scanned files, but all components it deals with. For instance, if you archive a packed .exe file, the AV will report that it has scanned two or three objects. As a result, its logs often resemble overfulfilled plans: 118 threats detected after scanning 100 files (especially given that the program failed to identify some of these malicious files).
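The discrepancy between "100 files" and "118 threats" comes from archive-aware scanning: a ZIP counts as one object, and every member it unpacks counts as another, recursively. The snippet below is an added illustration written for this article (not Preventon's code or the page's own) that counts objects the way such a scanner does over a constructed in-memory "folder" of three files; all archive contents are harmless placeholder bytes. The depth cap is the caveat a practitioner would add, since an unbounded descent into nested archives is itself a resource-exhaustion risk for a scanner.

```python
import io
import zipfile

MAX_DEPTH = 3  # stop descending so nested archives cannot drive unbounded recursion


def _is_zip(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def count_objects(data: bytes, depth: int = 0) -> int:
    """Count objects as an archive-aware scanner would: the blob itself plus every
    member of any ZIP it contains, recursively, up to MAX_DEPTH levels."""
    total = 1  # the blob itself is one scanned object
    if depth >= MAX_DEPTH or not _is_zip(data):
        return total
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += count_objects(zf.read(info), depth + 1)
    return total


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct the sample tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_folder() -> dict:
    """Constructed folder of 3 files: one plain file, one archive with two members,
    and one archive that wraps that archive (placeholder bytes, not malware)."""
    inner = make_zip({"tool.exe": b"placeholder-a", "readme.txt": b"placeholder-b"})
    return {
        "plain.exe": b"placeholder-plain",            # 1 object
        "pack.zip": inner,                            # 1 + 2 members = 3 objects
        "wrapped.zip": make_zip({"pack.zip": inner}),  # 1 + (1 + 2) = 4 objects
    }


def folder_stats(folder: dict) -> tuple:
    """Return (file count, object count): what a directory listing reports
    versus what an archive-aware scanner reports for the same folder."""
    files = len(folder)
    objects = sum(count_objects(body) for body in folder.values())
    return files, objects


if __name__ == "__main__":
    files, objects = folder_stats(build_sample_folder())
    print(f"{files} files on disk, {objects} objects scanned")
```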

Main test round statistics:

  • Backdoors – 84%;
  • NetWorms – 86%;
  • Trojans – 58%;
  • Adware – 52%.

The supplementary test round has partially redeemed the antivirus: Preventon quarantined 24 RootKITs out of the 37 (at least, more than half).

Normally, the program spends 10-15 seconds on each directory containing malware of a certain type; however, the \HEUR\ test folder containing rare threats collected using non-signature analysis was a tougher nut to crack. Preventon spent 78 seconds on it and flagged 52 files out of the 87 as suspicious.

The antivirus blocked 77 Linux threats out of the 100 and 27 malicious code samples for non-x86 processor architectures out of the 49.

Supplementary test round statistics:

  • RootKITs – 65%;
  • Heuristic – 60%;
  • Linux malware – 77%;
  • non-x86 threats – 55%.

Zoner AntiVirus for Windows

This antivirus has been developed by a Czech company called Zoner Software. You cannot use the program without registering a Zoner account. Fortunately, the registration procedure is simple and can be performed using a one-time e-mail address.

Zoner AntiVirus requires you to register an account

Public beta version 1.4.0 for Windows 10 has been tested. According to the developers, it performs the signature and heuristic analysis of files that you open and scans the Downloads folder and home directory of the current user. If the program finds an encrypted archive, it offers to check the folder content and asks you to provide the passwords to it.

The interface is far from perfection

The interface is so poorly designed that you cannot specify a folder for manual scanning. The Windows Explorer context menu lacks this option, too.

Tests

The antivirus kept silent while I was copying the malicious files from the network folder. It remained indifferent when I started opening folders containing the test malware (Backdoors\, Trojans\, etc.) on the system partition.

Zoner ignores the malware

The automatic scan hasn’t found anything, while the manual scan could not be run. In the main window, you can check only the Downloads folder and home folder of the current user – but the antivirus failed to detect a single tested file in these folders.

For the sake of experimental integrity, I renamed the malicious files: changed their extensions into .exe – with no effect. Zoner AntiVirus continued ignoring them.

Zoner AntiVirus is a total failure

Final result: 0% in all categories.

If I weren’t aware of the developer’s reputation, I would suggest that this is a fake antivirus. No possibility to select objects for scanning, no integration with the context menu, nothing…

FS Protection

This free antivirus has been developed by a Finnish company called F-Secure. After the registration, you get a 6-month license and a link to download the program. Testers receive some bonuses, including an automatic subscription for updates and the possibility to send their comments and wishes to the developers.

After the registration, you can download FS Protection for various platforms

Version 17.8 beta 6 for Windows was tested. To some extent, you can control it remotely: log in to your account and use the web interface on My FS Protection to access the settings of all protected devices.

FS Protection interface

Local settings require you to confirm your administrator rights. Overall, the initial impression is good; so, let’s battle-test the program!

Tests

Despite its beta-version status, FS Protection had no problems scanning the network folder. It immediately displayed the detected threats and asked what to do with them (by default, the malicious files are deleted).

FS Protection displays scan results and requests further instructions

Main test round statistics:

  • Backdoors – 84%;
  • NetWorms – 99%;
  • Trojans – 91%;
  • Adware – 88%.

Compared with other tested programs, the result is very good; still, the antivirus has some defects.

For instance, if the infected object is inside an archive or e-mail message, FS Protection can neither delete nor quarantine it. Instead, the program offers to remove the malicious file manually. In addition, the antivirus is unable to handle multilevel encapsulation and only displays warnings in its log.

FS Protection failed to remove some of the detected threats

Supplementary test round statistics:

  • RootKITs – 95%;
  • Heuristic – 64%;
  • Linux malware – 76%;
  • non-x86 threats – 71%.

Overall, FS Protection seems to be a promising project. Its detection level is high enough for most threat types; the program includes plenty of additional tools and is highly customizable. The developers just have to teach their creation to delete nested objects and parse long paths.

Conclusions

In recent years, HackMag authors have tested more than 30 freeware antiviruses, and the general conclusion is disappointing: the majority of such programs are inferior even to Windows Defender (which they disable to avoid conflicts)! In other words, free antiviruses do not supplement the OS protection mechanisms; instead, they often reduce the security level.

In addition, free antiviruses increasingly frequently disrupt the normal operation of the system. They install their own drivers and other low-level components containing various errors and severe vulnerabilities.

And finally, almost all free antiviruses collect information about the user’s preferences. Not only do they poorly detect adware modules, but contain adware themselves!
