How Good Are Malware Detectors at Remediating Infected Systems?

  • Emanuele Passerini
  • Roberto Paleari
  • Lorenzo Martignoni
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5587)


Malware detectors are applications that attempt to identify and block malicious programs. Unfortunately, malware detectors might not always be able to preemptively block a malicious program from infecting the system (e.g., when the signature database is not promptly updated). In these situations, the only way to eradicate the infection without having to reinstall the entire system is to rely on the remediation capabilities of the detectors. Therefore, it is essential to evaluate the efficacy and accuracy of anti-malware software in such situations. This paper presents a testing methodology to assess the quality (completeness) of the remediation procedures used by malware detectors to revert the effects of an infection on a compromised system. To evaluate the efficacy of our testing methodology, we developed a prototype and used it to test six of the top-rated commercial malware detectors currently available on the market. The results of our evaluation show that in many situations the tested malware detectors fail to completely remove the effects of an infection.


Keywords: malware, malware detection, software testing





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Emanuele Passerini (1)
  • Roberto Paleari (1)
  • Lorenzo Martignoni (1)

  1. Università degli Studi di Milano, Italy
