Technical Report RHUL–ISG–2021–3 10 March 2021

Testing Antivirus in Linux: An Investigation on the Effectiveness of Solutions Available for Desktop Computers

Giuseppe Raffa

Technical Report RHUL–ISG–2021–3
10 March 2021

Information Security Group
Royal Holloway University of London
Egham, Surrey, TW20 0EX
United Kingdom

Student Number: 100907703
Supervisor: Daniele Sgandurra

Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London.

I declare that this assignment is all my own work and that I have acknowledged all quotations from published or unpublished work of other people. I also declare that I have read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences, and in accordance with these regulations I submit this project report as my own work.

Signature: Giuseppe Raffa
Date: 24th August 2020

Table of Contents

1 Introduction ..... 7
  1.1 Motivation ..... 7
  1.2 Objectives ..... 8
  1.3 Methodology ..... 8
  1.4 Outline ..... 9
2 Background ..... 10
  2.1 The Linux Operating System ..... 10
    2.1.1 Brief History ..... 10
    2.1.2 Linux Desktop Environments ..... 10
    2.1.3 The Linux Security Model ..... 11
  2.2 What Is an Anti-virus Software? ..... 14
  2.3 Anti-virus Software Evasion Techniques ..... 16
  2.4 Virtualization Fundamentals ..... 17
  2.5 Related Work ..... 19
3 Anti-virus Testing within a Virtualized Environment ..... 24
  3.1 Test Environment Configuration ..... 24
    3.1.1 Virtualization Software ..... 24
    3.1.2 Guest Systems ..... 25
  3.2 Tested Anti-virus Programs ..... 26
    3.2.1 ClamAV ..... 26
    3.2.2 Comodo ..... 26
    3.2.3 Dr Web ..... 27
    3.2.4 ESET NOD32 ..... 27
  3.3 Excluded Anti-virus Programs ..... 27
    3.3.1 AVG for Linux ..... 27
    3.3.2 Avast AV for Linux ..... 28
    3.3.3 Bitdefender Anti-virus Scanner for Unices ..... 28
    3.3.4 Chkrootkit ..... 28
    3.3.5 ClamTK ..... 28
    3.3.6 F-Prot AV for Linux ..... 29
    3.3.7 Rootkit Hunter ..... 29
    3.3.8 Sophos Anti-virus for Linux ..... 29
    3.3.9 Zoner ..... 29
  3.4 Test Methodology ..... 29
    3.4.1 theZoo ..... 30
    3.4.2 VirusShare ..... 30
  3.5 Test Conditions ..... 30
  3.6 Test Results ..... 32
    3.6.1 Detection Rate ..... 32
    3.6.2 Regression Effects ..... 35
4 Anti-virus Testing with VirusTotal ..... 36
  4.1 On-line Malware Scanning Services ..... 36
    4.1.1 Jotti ..... 36
    4.1.2 VirusTotal ..... 36
  4.2 Bulk Scanning Methodology ..... 37
    4.2.1 Preliminary Experiment ..... 37
    4.2.2 VirusTotal API-based Python Scanner ..... 37
    4.2.3 VirusTotal API Limitations ..... 40
  4.3 Test Results ..... 41
    4.3.1 VirusTotal AVs Performances ..... 41
    4.3.2 File-level Analysis ..... 43
    4.3.3 Comparison with Locally-installed AVs ..... 44
5 Anti-virus Testing with Metasploit ..... 47
  5.1 What Is Metasploit? ..... 47
    5.1.1 Payloads ..... 47
    5.1.2 Encoders ..... 48
  5.2 Test Environment Configuration ..... 49
    5.2.1 Kali Linux Virtual Machine ..... 50
    5.2.2 VirtualBox Internal Network ..... 50
  5.3 Test Methodology ..... 51
    5.3.1 Malware Samples Generation ..... 51
    5.3.2 Malware Samples Validation ..... 52
