Malwaretestlab 9 Killdisk Virus vs 25 Security Software

Test Result: http://malwaretestlab.com/more.aspx?entry=24

This test measures the defensive power of security/backup software against 9 killdisk malware samples.

The test covers 25 security/backup software products.

92 killdisk malware samples were collected for the test, and 9 of them were selected at random. Malware information and the scan results are shown in the list below.

Windows XP, updated on 14.04.2009, was used for the test (in a VMware virtual machine).

MD5                               Detection  Date        Malware name
29B6B5774341D49A8378E476F9985CF8  39/40      2007.03.11  Packed.Win32.Klone.d
36EFCF8ABFC31280CC7A8038F1E1967E  37/40      2008.01.02  Trojan.Win32.KillDisk.b
46B3BFAF48BB4BDD619D5F54A7726055  34/40      2008.08.14  Trojan.Win32.KillDisk.z
0686F031BB11BD0B5EDBF44BC2F9D4FE  35/40      2006.07.26  Packed.Win32.Klone.d
B5861BCDC1E7EDDD9D51881E080366B4  35/40      2006.08.08  Trojan.Win32.KillDisk.q
C917581C38C3A33C8239D2D819F32494  07/40      2007.07.28
D6D7DC25B2C1B1E63EB5C514380015C0  37/40      2006.07.10  Trojan.Win32.KillDisk.z
DBA2C00109ACEB7B34BF7563431CE7CB  34/40      2006.08.16  Trojan.Win32.KillDisk.aa
F2E27B4EACBDCD188C53E9CB809F68B6  37/40      2006.12.25  Trojan.Win32.KillDisk.x

25 security software products from different categories were selected for the test.

It was verified that the malware and the software products worked without problems in VMware.

[u]Tested Software[/u]

HDD Virtualization
· Disk Write Copy Professional Edition 1.0.0.2549
· Hdguard 7.2.0.3
· COMODO DiskShield 1.0.51539.35 BETA
· Returnil Virtual System Premium Edition 2.0.1.9002
· Shadow Defender 1.1.0.278
· Shadow User Pro 2.5
· Windows SteadyState 2.5

Backup
· RollBack Rx Professional 9.0.2694141964

Sandbox
· BufferZone Pro 3.10.88
· DefenseWall 2.55
· GeSWall 2.8.3 Professional Edition
· Sandboxie 3.36.04
· Virtual Sandbox™ 2.0 Build 209

Behavior Blocker
· AVG Identity Protection 8.5.649
· Mamutu 1.7.0.28
· ThreatFire 4.1.0.25
· NovaShield 2.5.33

Firewall/HIPS
· Online Armor 3.5.0.14
· Outpost Firewall Pro 6.5.4. (2525.381.0687)(Specify Security Level:Normal)
· Outpost Firewall Pro 6.5.4. (2525.381.0687)(Specify Security Level:Advanced)
· COMODO Internet Security 3.9.95478.509 (Default)
· COMODO Internet Security 3.9.95478.509 (Defense+ Settings Disk Checked)
· Malware Defender 2.2.0

Antivirus
· Gdata Behavior Blocker Module (AV disabled)

http://img5.imageshack.us/img5/8427/64293307.jpg

http://img5.imageshack.us/img5/1460/46120569.jpg

Maybe DiskShield will be acquired in the next version of CIS.

Another reason why CIS default configuration should be “Proactive Configuration”, which would pass all those tests.

If the direct disk access false positive bug was fixed then it could be added to the default configuration.

Those who install CIS without the AV can choose the Proactive Configuration even during install.

* COMODO Internet Security 3.9.95478.509 (Defense+ Settings Disk Checked): this run was included for information only. Default settings were used for the test results.
* Outpost Firewall Pro 6.5.4. (2525.381.0687)(Specify Security Level:Advanced): during setup the user is asked to choose between the Advanced and Normal security levels and is directed toward the Advanced option, so Advanced was accepted as the default setting.

This test was not a test of AV heuristic/detection but a test of Sandboxing/HIPS that apparently included a zoo sample (C917581C38C3A33C8239D2D819F32494) whose chances of failing detection are not mentioned.

!ot! Did you send a PM to egemen? He is a security expert, CIS lead developer and programmer as well.

Maybe there is a less evident explanation for this but I understand from many of your posts in these forums you wish to increase the specificity of Disk Monitoring for a not explicitly stated set of API.

I have not but I have reported the bug enough times.

If you write to a file using the normal Windows API you get a pop-up. If you block the pop-up the disk write is not blocked. It must be a bug and I would consider it a false positive.

!ot! Sorry, it did not occur to me that it was impractical for you to contact egemen himself. Anyway, it is not clear from the many posts you have produced so far what your definition of True Positive (and the related APIs) is, to increase the sensitivity of disk monitoring.

I gather that if you have correctly outlined a FP scenario you ought to be able to confirm likewise a True positive scenario as well to the point you can clearly state whenever different API are involved (or not).

This is the reason I hoped you would have already sent a thoroughly detailed PM to egemen himself, as he's a security expert, CIS lead developer and programmer, despite you feeling inclined to claim it is a bug.

I am a programmer and accustomed to using the Windows API for reading/writing files. I have never used what I would call direct disk access and would not want to experiment with it, as it would be very dangerous. I assume it would involve writing directly to sectors on the disk.

If what the developers call direct disk access is merely writing to a file using the normal file API, then Defence+ is not blocking it.

I asked you to confirm if the same API set were involved for all possible types of Direct Disk access. Besides I cannot imagine a more fruitful scenario if you PM egemen who is a programmer, security expert and CIS lead developer and send him a detailed and thorough feedback. It is not unlikely that egemen actually tested scenarios you did not.

I assume this is what you call direct access. As Direct keyboard access involves normal API too I’m somewhat unable to understand your point but I guess egemen would be plenty able to.

Actually you never confirmed what you would call direct disk access API-wise.
It is not that you confirmed that direct disk access is not indirectly involved in some types of file access, nor, AFAIK, did you explicitly confirm what APIs would theoretically be needed for direct disk access.

e.g.: your bug report basically states that blocking direct disk access does not appear to affect any visible operation (but it doesn't point out what API call/arguments trigger the direct disk access alert, nor whether the same API calls could not possibly be used for direct disk access).

You confirmed that you are a programmer, you confirmed you have written about that a few times already, but alas I wouldn't have been able to guess it was so impractical for you to write a single PM to egemen and address it programmer to programmer.

Besides you could be the only one able to correctly represent your viewpoint to CIS lead developer, wouldn’t you?

Nevermind then. Though I still hope you’ll PM egemen, I already gathered you are inclined to call it a bug even in this topic.

Please forgive me and forget I even asked about that.
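The disagreement above is about what "direct disk access" means API-wise: whether a HIPS rule labelled that way should fire on CreateFile writes to ordinary files, or only on handles that address the disk or a volume itself (`\\.\PhysicalDrive0`, `\\.\C:`, or their NT object names such as `\Device\Harddisk0\DR0`), which is what a sector-overwriting killdisk sample needs. The following illustration is added here and is not code from the test, from CIS, or from any of the posters; the classification rules, the policy verdicts, and the sample events are my own assumptions and do not describe how Defense+ actually decides. It shows the distinction a practitioner would expect such a rule to draw: a normal file write (even one addressed through the `\\.\C:\...` device namespace) is ordinary file I/O, a raw read of a whole disk is what backup/imaging tools do, and a raw write to a disk or volume is the dangerous case, since sector 0 of a physical drive holds the MBR.

```python
"""Classify CreateFile/NtCreateFile targets the way a HIPS "direct disk access"
rule would have to, to separate raw device writes from ordinary file I/O.
Added illustration; the rules below are an assumption, not CIS Defense+ logic."""
import re
from dataclasses import dataclass

# Access-mask bits from the Windows SDK (winnt.h).
GENERIC_READ     = 0x80000000
GENERIC_WRITE    = 0x40000000
GENERIC_ALL      = 0x10000000
FILE_WRITE_DATA  = 0x00000002
FILE_APPEND_DATA = 0x00000004
WRITE_BITS = GENERIC_WRITE | GENERIC_ALL | FILE_WRITE_DATA | FILE_APPEND_DATA

# Names that hand out a handle to the disk itself rather than to a file on it:
# the Win32 device namespace (\\.\...) and the NT object names it resolves to.
# Anchored with $ so that "\\.\C:\notes.txt" (a file) does not match "\\.\C:".
_WHOLE_DISK = re.compile(
    r"^(\\\\[.?]\\PhysicalDrive\d+"                 # \\.\PhysicalDrive0
    r"|\\Device\\Harddisk\d+\\(DR\d+|Partition0))$",  # NT name of the same device
    re.I)
_VOLUME = re.compile(
    r"^(\\\\[.?]\\[A-Z]:"                           # \\.\C:  (no trailing path)
    r"|\\\\[.?]\\Volume\{[0-9A-F-]+\}"               # \\.\Volume{guid}
    r"|\\\?\?\\[A-Z]:"                               # \??\C:  (NT name)
    r"|\\Device\\HarddiskVolume\d+"
    r"|\\Device\\Harddisk\d+\\Partition[1-9]\d*)$",
    re.I)


def classify_target(path: str) -> str:
    """'disk' = whole physical drive (sector 0 is the MBR), 'volume' = one
    partition/filesystem opened raw, 'file' = anything that is a file path."""
    if _WHOLE_DISK.match(path):
        return "disk"
    if _VOLUME.match(path):
        return "volume"
    return "file"


@dataclass(frozen=True)
class OpenRequest:
    image: str            # process issuing the open
    path: str             # lpFileName / ObjectName
    desired_access: int   # dwDesiredAccess


def decide(req: OpenRequest, block_raw_writes: bool = True) -> str:
    """Assumed policy: ordinary file I/O is never 'direct disk access'; raw reads
    are alerted (imaging/backup tools do them legitimately); raw writes are
    blocked when the rule is set to block, otherwise only alerted."""
    target = classify_target(req.path)
    if target == "file":
        return "allow"
    if req.desired_access & WRITE_BITS:
        return "block-raw-write" if block_raw_writes else "alert-raw-write"
    return "alert-raw-read"


# Constructed sample events (not captured from any real product or sample).
SAMPLE_EVENTS = [
    # A text editor saving a document: normal file API, must not trip the rule.
    OpenRequest("notepad.exe", r"C:\Documents and Settings\user\notes.txt",
                GENERIC_READ | GENERIC_WRITE),
    # Same file addressed through the device namespace: still a file.
    OpenRequest("notepad.exe", r"\\.\C:\notes.txt", GENERIC_WRITE),
    # Disk imaging tool reading the whole drive: raw, but read-only.
    OpenRequest("imager.exe", r"\\.\PhysicalDrive0", GENERIC_READ),
    # Wiper-style behaviour: write handle to the drive, enough to overwrite the MBR.
    OpenRequest("wiper.exe", r"\\.\PhysicalDrive0", GENERIC_READ | GENERIC_WRITE),
    # Raw write to a volume, bypassing the filesystem entirely.
    OpenRequest("wiper.exe", r"\\.\C:", GENERIC_WRITE),
    # NtCreateFile with the NT object name instead of the Win32 alias.
    OpenRequest("wiper.exe", r"\Device\Harddisk0\DR0", FILE_WRITE_DATA),
]


def run_policy(events=SAMPLE_EVENTS):
    """Return (image, path, verdict) for each event under the default policy."""
    return [(e.image, e.path, decide(e)) for e in events]


if __name__ == "__main__":
    for image, path, verdict in run_policy():
        print(f"{verdict:16} {image:12} {path}")
```

The point of the anchored regexes is the one raised in the thread: a rule that fires on every write made with the normal file API is a false positive by this definition, while a rule that only looks at `\\.\PhysicalDriveN` misses the same write issued against `\Device\Harddisk0\DR0` or against a raw volume, so both name forms have to be covered.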