Saturday, June 16, 2012

Sophos Virus Removal Tool 2.0
A recent post on Sophos's Naked Security blog celebrated the updated Sophos Virus Removal Tool 2.0 (free), noting that for 27 percent of users it found threats other antivirus products missed. That may well be, but in my own testing Sophos alone did a really terrible cleanup job.

Off to a Bad Start
Typically you'll grab a free cleanup-only tool when malware on the PC prevents installation of a full-scale desktop antivirus. It's perhaps telling that the use-case described in the Naked Security post involves running Sophos after another antivirus. With another product doing the heavy lifting, Sophos might well find leftover malware scraps.

Unlike Emsisoft Emergency Kit 2.0 (free, 3.5 stars), another free, cleanup-only antivirus, Sophos needs to be installed before you can use it. Installation is quick and easy, when it works. However, one of my test systems can only run in Safe Mode because a ransomware threat totally takes over if it boots into normal Windows. Sophos can't install in Safe Mode and hence didn't clean this system at all.

The product's main window is just a welcome screen with a button to start scanning. Automatic updates will come this fall; in the meantime, users should download a fresh copy before each use so they scan with current signatures.

Sophos scans memory for active malware first. If it finds any threats it pauses and reports what it found. When you click to continue, it cleans up the threat in memory and proceeds with the scan. In some cases a reboot is needed to clean the in-memory threat, and the scan restarts automatically after reboot.

At least, that's what is supposed to happen. On four test systems, Sophos could not remove the in-memory malware. When that happens, the scan is over. There's no option to proceed with cleanup. Product Manager Shai Gelbaum explained "we had a few incidents with fast file infectors where scanning memory while malware was resident infected all the files we touched." That may be the case, but I haven't seen any other antivirus that totally abandons scanning if it can't remove in-memory malware.

Another test system displayed a different kind of problem with in-memory malware. Sophos detected it, offered to clean it, and requested a reboot. After rebooting, Sophos detected the malware, offered to clean it, and requested another reboot. I let it go through this cycle six times before concluding that it really, truly was not ever going to finish a scan.

So, for one reason or another, Sophos couldn't do anything at all to clean up half of my twelve malware-infested test systems. That's certainly a bad start.

On the systems where it managed to finish a scan, Sophos detected 81 percent of the threats and would have scored 4.7 points for cleanup. The highest score achieved using my current malware collection was 5.6 points by Emsisoft.

Under my previous malware collection, Norton AntiVirus 2012 ($39.99 direct, 4.5 stars) managed 7.1 points, Webroot SecureAnywhere Antivirus ($39.95 direct, 4.5 stars) took 6.9, and the free, cleanup-only Comodo Cleaning Essentials (free, 4.5 stars) managed 6.8 points.

4.7 points would be an okay score for Sophos, but that doesn't factor in the systems where Sophos couldn't complete a full scan. Including all twelve systems, Sophos detected 53 percent of threats, the lowest detection rate among products tested with my current malware collection. Its score of 3.0 points barely escapes being the lowest ever. That dubious honor goes to Anvi Smart Defender (free, 1 star), with 2.9 points.

For a full explanation of my malware removal testing techniques, see How We Test Malware Removal.
