wizard
March 21st, 2002, 09:18 PM
Exclusive for Wilders Security Forums. :)
Last week I visited the German CeBIT and of course I took a look at a lot of anti virus companies. One of them was DialogueScience, Inc. from Russia. As a ‘gift’ I got a special trial version that does not have any of the minor limitations of the official trial version which can be downloaded from their website. So I have tested it for a few days now and thought it would be a good idea to write a short review.
DrWeb32 is an anti virus software from Russia that is largely unknown on the internet. The development of DrWeb started in the early 90s and during the mid-90s DrWeb got some 'underground fame' for having one of the best heuristic detections for DOS viruses.
From 1998 things changed. With more and more Windows installations a lot of new viruses and malware were introduced: of course Windows viruses (Win32), macro viruses, backdoor trojans and worms. During that time DrWeb developed a new version for Windows called DrWeb32. Some of the earlier releases produced a lot of false positives. After another year of development the current version 4.27c has become a very strong anti virus solution.
DrWeb32 consists of only three parts: the on-demand scanner DrWeb32, the on-access scanner called Spider and a scheduler. DrWeb32 works on all Windows versions including WinXP. The software is easy to use for someone who already has experience with other anti virus software.
The main feature of DrWeb32 is the memory scanning technology, which seems to be quite unique: as most anti trojan programs do, the whole process memory is scanned for viruses. So DrWeb32 is one of those anti virus programs that can detect viruses or worms like Code Red in memory without problems. Viruses or trojans which are compressed with exe-packers can also be detected. This is a very strong feature, but according to the latest tests from the German test site Rokop-Security DrWeb32 is good but still not as good as an anti trojan software, and so I would recommend using extra anti trojan protection with DrWeb32.
The other main feature is the heuristic. Famous for good results in the old MS DOS times, the heuristic of DrWeb32 now detects macro viruses, scripting malware and of course all kinds of Windows viruses. Since version 4.27 two more heuristic modules have been introduced. One is for worms written in Visual Basic (the programming language, not Visual Basic Scripting which is used for worms like the love letter). The other module is for the heuristic detection of backdoor trojans written in Visual Basic.
One negative aspect and overall big minus for DrWeb32 is that the heuristic reported some harmless programs as infected. So the ‘tuning’ of the heuristic still has to be improved.
So how is the detection of DrWeb32? According to the latest tests from http://www.avtest.org DrWeb32 is not the best but comes close to the results of the top products. In the February issue DrWeb32 earned a Virus Bulletin award for 100% ITW detection. Also in that test DrWeb32 was the only program that achieved 100% detection of the polymorphic testset. The polymorphic testset that was used in the February tests was very difficult because it contains one of the most complex viruses, called Zmist. Zmist is a virus that uses so-called metamorphic technology instead of polymorphic technology. The difference between the two technologies is that the virus body of a polymorphic virus stays the same but gets newly encrypted every time it copies itself to another file. Metamorphic means that the whole virus code changes each time it copies itself!
DrWeb32 uses the same technology for email protection as Kaspersky Anti Virus: it scans the emails and email databases. So a special POP3-scanner is not needed. I could not find out which email programs are supported but it works perfectly with TheBat!.
Spider, the on-access component of DrWeb32, knows three different levels of on-access scanning. The default option is ‘smart’, which optimises the scan speed. But one can choose between ‘run and open’, ‘create and write’ or both. Spider also allows scanning of emails, archives and packed executables. Another point is the option ‘Virus activity control’. This means Spider checks the system and reports suspicious behaviour. So there is another chance to catch unknown viruses. Spider is resource friendly and does not need much memory to run.
DrWeb32 for whom? DrWeb32 is not an anti virus software for beginners. The reasons are that the support and also the information on their website show that they are not perfect in the English language. Also, the fact that the heuristic reports some harmless files as infected can be confusing. An advanced user should not have problems with that.
Overall I must say that DrWeb32 is becoming more and more of a ‘secret tip’ for anti virus software. A trial version can be downloaded from http://www.dials.ru
wizard
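The polymorphic versus metamorphic distinction described in the review above, as an added illustration that is not part of the original post and not DrWeb32's method: a fixed byte signature misses a re-encrypted copy until the scanner decrypts it, and misses a copy whose body itself has changed. All names and byte strings here are constructed, harmless stand-ins; single-byte XOR and filler insertion are toy assumptions.

```python
# Added illustration. BODY is a constructed, harmless marker standing in for a
# "virus body"; nothing here comes from a real sample or a real scanner.
BODY = b"HARMLESS-DEMO-BODY-0001"
SIGNATURE = BODY[4:16]  # fixed byte pattern a signature scanner looks for


def polymorphic_copy(key: int) -> bytes:
    """Body stays the same; each copy is re-encrypted (toy: single-byte XOR)."""
    return b"\x90" * 4 + bytes(b ^ key for b in BODY)


def metamorphic_copy(generation: int) -> bytes:
    """Body itself changes per copy (toy: a filler byte after every body byte)."""
    filler = 0xC0 + generation  # assumption: generation < 64 keeps this a byte
    out = bytearray()
    for b in BODY:
        out += bytes([b, filler])
    return bytes(out)


def static_scan(sample: bytes) -> bool:
    """Plain signature match on the bytes as stored."""
    return SIGNATURE in sample


def decrypt_then_scan(sample: bytes):
    """Try every single-byte XOR key, then match the same signature.

    Returns the key that exposes the signature, or None if no key does.
    """
    for key in range(256):
        if SIGNATURE in bytes(b ^ key for b in sample):
            return key
    return None


def report() -> dict:
    """Scan two polymorphic and two metamorphic copies with both methods."""
    samples = {
        "poly key=0x5a": polymorphic_copy(0x5A),
        "poly key=0x21": polymorphic_copy(0x21),
        "meta gen=1": metamorphic_copy(1),
        "meta gen=2": metamorphic_copy(2),
    }
    return {n: (static_scan(s), decrypt_then_scan(s)) for n, s in samples.items()}


if __name__ == "__main__":
    for name, (static_hit, key) in report().items():
        print(f"{name:14} static={static_hit!s:5} decrypt_then_scan={key}")
```

The polymorphic copies differ byte for byte yet fall to the same signature once decrypted, while the metamorphic copies leave no constant byte run to match.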