NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malware
solcroft
March 27th, 2007, 11:40 AM
Below is an antivirus test performed by... well, someone on the Internet, since I don't know him/her personally. The original text is in Chinese, and I've done my best to translate it into English. It makes for quite an interesting read, actually - in summary, the author of the test claims that his/her test results show that AntiVir flags malware only via the type of packer used to encrypt them, and not by actually identifying the malware itself.
I'm actually interested in what the more venerable members of the forum think of this article. The samples used will be provided upon request to the more established members of this community, should they wish to verify the test results themselves. Anyway, without further ado:
---
NOD32 users will be aware of the program's powerful heuristics, low false positive rate and low resource usage, but many have complained that NOD32 is ineffective against Internet-borne trojans. Many of you will wonder why NOD32 has the greatest heuristics in the world when AntiVir consistently displays better detection rates on various virus-exchange forums: I will tell you why.
First of all, NOD32 employs a combination of static + dynamic heuristics. Many of you are clear on what static heuristics is, so I will focus on explaining dynamic heuristics. Dynamic heuristics actually uses a virtual environment to execute the file and then determines whether the file displays malicious behavior, which makes it a technologically superior technique compared to static heuristics, with higher detection rates and lower false positives. By using a combination of both heuristics methods, NOD32 drastically increases detection rates while maintaining FP (false positive) rates at very manageable levels, a readily apparent result for NOD32 users.
Secondly, while AntiVir displays a very admirable performance on various virus-exchange forums, a closer look reveals that most of its detections are HEUR/Crypted and TR/Crypt.XX.Gen. This calls for suspicion: with almost 700,000 virus signatures in its database, why does AntiVir identify malware with such generic names while NOD32 can give an accurate malware name? I have hereby conducted a test, which will reveal the secret of AntiVir's detection rate and why it reports malware by such names.
First of all, a normal, non-malware file which has been encrypted by UPX
http://www.nod32club.com/forum/UploadFile/2007-3/200732412303421430.png
The same file, packed with UPX + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412403489797.png
The same file, packed with NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412452285821.png
The same file, packed with NSPACK + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412475050863.png
The same file, packed solely with UPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412525088032.png
The same file, packed with EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732412573850010.png
The same file, packed with EXESTEALTH + NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241303187193.png
The same file, packed with EXESTEALTH + NSPACK + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241333697379.png
The same file, packed solely with NSANTI
http://www.nod32club.com/forum/UploadFile/2007-3/20073241383751111.png
The same file, packed with UPX + EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732413162569187.png
This is the end of the test with the normal file. The next test proceeds with a malware file, and the scan results are displayed in this screenshot
http://www.nod32club.com/forum/UploadFile/2007-3/200732413371241656.png
The malware file, packed with NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732413401768717.png
The same malware file, packed twice with NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732413462576370.png
The same malware file, packed with ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241353646397.png
The same malware file, packed with ASPACK + EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732413573286141.png
The same malware file, packed with ASPACK + EXESTEALTH + NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241404998771.png
The same malware file, packed solely with UPX
http://www.nod32club.com/forum/UploadFile/2007-3/200732414342411561.bmp
The same malware file, packed with UPX + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241485442995.png
The same malware file, packed with UPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241412712196.png
The same malware file, packed with NSANTI
http://www.nod32club.com/forum/UploadFile/2007-3/200732414145016680.png
The same malware file, packed with ASPACK + NSPACK + EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732414173618456.png
In conclusion, it is obvious that as long as you add the same types of packers, either to the clean file or the malware file, AntiVir will flag them using the same names, and those who understand what "crypt" means will know that AntiVir is simply reporting the type of packer used to pack the file. In the test, AntiVir continued to flag the sample even though it was often rendered corrupt by adding the packers, indicating that AntiVir flags the type of packer used without taking into account whether the file can be executed. I will make the bold conclusion here that, behind AntiVir's vast signature count, is simply a lot of hot air. At the same time, we see AntiVir and other antivirus software using heuristics to flag a file, which misleads people to think that AntiVir is flagging the file via heuristics when it is actually only detecting the packer. This is a very unfair act, and should not be compared to NOD32.
Depth
March 27th, 2007, 12:05 PM
Yes, I agree.
The heuristic detection built into NOD32 is far smarter than that of AntiVir.
proll
March 27th, 2007, 12:07 PM
{QUOTE->
behind AntiVir's vast signature count, is simply a lot of hot air
<-QUOTE}
I agree with you *lol*
~~await Avira's response
trjam
March 27th, 2007, 12:19 PM
Yeah, lets wait.;) Wonder how say, Micropoint (http://www.micropoint.com.cn/download/) would stack up.::)
EQ2
March 27th, 2007, 12:23 PM
I don't think Micropoint is a heuristics antivirus software
trjam
March 27th, 2007, 12:37 PM
I dont know solcroft, me thinks your Chinese (http://bbs.kpfans.com/redirect.php?fid=28&tid=42108&goto=nextoldset) is pretty good.:)
solcroft
March 27th, 2007, 12:56 PM
{QUOTE-> I dont know solcroft, me thinks your Chinese (http://bbs.kpfans.com/redirect.php?fid=28&tid=42108&goto=nextoldset) is pretty good.:) <-QUOTE}
Hrm. I dunno. I just happen to be bi... tri... quad... penta... erm... something-lingual. ;D
bigc73542
March 27th, 2007, 01:07 PM
{QUOTE-> Hrm. I dunno. I just happen to be bi... tri... quad... penta... erm... something-lingual. ;D <-QUOTE}
Right>:(
trjam
March 27th, 2007, 01:18 PM
touché bigc ;)
C.S.J
March 27th, 2007, 01:24 PM
Completely flawed test,
since it was tested through Jotti. In my own experience these are not accurate to what the software can actually detect; same goes for VT, although that is better than Jotti.
HiTech_boy
March 27th, 2007, 01:43 PM
Solcroft , really good review . ;)
Londonbeat
March 27th, 2007, 01:49 PM
I look forward to Stefan's comment on this, at first glance it appears to be nothing more than agenda-driven BS.
Firecat
March 27th, 2007, 02:06 PM
I knew about AntiVir's "crypt" detections for quite a while now, but some of the results for other AVs are really surprising. Hmm...Even BitDefender, which supposedly has a brilliant static unpack engine, is not detecting the repacked files?
Would it be possible that the files got corrupted during the process of repacking?
C.S.J
March 27th, 2007, 02:12 PM
I doubt BitDefender would only detect ONE of the real malware compared to NOD's SIX (Dr.Web was FOUR btw).
Either way, Jotti is poor... so this is not accurate at all.
solcroft
March 27th, 2007, 02:13 PM
{QUOTE-> Would it be possible that the files got corrupted during the process of repacking? <-QUOTE}
Yes. As stated in the article. And to HiTech, I'm only taking credit for translating it. ;D
EQ2
March 27th, 2007, 02:19 PM
In China, nobody can install them to test, so they use VT and Jotti to test.
solcroft
March 27th, 2007, 02:29 PM
Actually, AntiVir offers a free version of its product. Why can't you install it?
EQ2
March 27th, 2007, 02:32 PM
Because I want to test not only NOD32 and Avira, but also other AVs.
EQ2
March 27th, 2007, 02:33 PM
{QUOTE-> i doubt bitdefender would only detect ONE of the real-malware compared to nods SIX (drweb was FOUR btw)
either way, jotti is poor.... so this is not accurate at all. <-QUOTE}
Yes, I think Dr.Web is better than NOD32.
HiTech_boy
March 27th, 2007, 02:33 PM
{QUOTE-> And to HiTech, I'm only taking credit for translating it. ;D <-QUOTE}
Oh , not necessary . I already finished my Chinese and English lessons and I got A+ on my exams . :P
C.S.J
March 27th, 2007, 02:34 PM
Erm, I didn't say that,
just stating I don't like Jotti for testing, or VT either... although VT is more accurate than Jotti, it's still not 100%, far from it.
HiTech_boy
March 27th, 2007, 02:36 PM
{QUOTE-> although vt is more accurate than jotti, its still not 100%, far from it. <-QUOTE}
Why do you think so? VT always uses the latest signatures as well as the best protection settings for each program. I find its results reputable.
Well, Jotti is a little bit debatable ;)
EQ2
March 27th, 2007, 02:38 PM
{QUOTE-> erm, i didnt say that
just stating i dont like jotti for testing, or VT either... although vt is more accurate than jotti, its still not 100%, far from it. <-QUOTE}
Yes, I think so. Because they can't detect accurately. For example, Kaspersky has Proactive Defense, but Jotti and VT can't detect with it.
C.S.J
March 27th, 2007, 02:39 PM
Why?
Countless viruses detected by my Dr.Web are 'not found' on VirusTotal for the same AV, so not reliable at all.
It's good only as a guide, or as an idea to check for FPs, that's it.
Edit: and Jotti is even worse in this matter.
Seer
March 27th, 2007, 02:40 PM
{QUOTE-> NOD32 = best heuristics on Earth <-QUOTE}
...and as we know in the entire Solar system. :D
EQ2
March 27th, 2007, 02:42 PM
Some antivirus engines on VT are old.
HiTech_boy
March 27th, 2007, 02:51 PM
{QUOTE-> Some Antivirus softwares' engines are old in the VT <-QUOTE}
Just because their vendors have chosen so. Kaspersky, for example, uses v4 because they believe nothing has changed in detection. If KAV chose, they could force VT to use engine 6, but they think v4 will detect the same as v6 (with the same defs). The same applies for all vendors. And VirusTotal is off-topic for this thread, I believe :thumb:
C.S.J
March 27th, 2007, 02:54 PM
I don't think it is. Jotti / VT... same thing, both unreliable, makes it right on topic.
Always good for a 2nd opinion to check FPs, nothing more. Flawed test.
NOD probably does have the best heuristics out there, as their software is sooooo dependent on heuristics for its detection.
HiTech_boy
March 27th, 2007, 02:56 PM
Ok, as you like it. VirusTotal has always been reliable, at least for me.
EQ2
March 27th, 2007, 02:57 PM
{QUOTE-> Just because their vendors have chosen so. Kaspersky, for example, uses v4 because they believe nothing has changed in detection. If KAV chose, they could force VT to use engine 6, but they think v4 will detect the same as v6 (with the same defs). The same applies for all vendors. And VirusTotal is off-topic for this thread, I believe :thumb: <-QUOTE}
I think KAV6 can detect more than KAV5
EQ2
March 27th, 2007, 02:59 PM
{QUOTE-> NOD probably does have the best heuristics out there, as their software is sooooo dependent on heuristics for its detection. <-QUOTE}
Good,I think so.
RejZoR
March 27th, 2007, 03:34 PM
1. Why the hell is it AntiVir vs NOD32 when NOD32 sucks ballz here in all areas regardless!?
2. Jotti is using Linux versions, which are very different from the Windows versions of scanners.
3. What's wrong with detection of crypters if you generate a very low rate of false positives while gaining an enormous detection rate? It's not like we have another QuickHeal here... Sure it misdetects some, but so does NOD32 and all the others...
4. I really wonder how "innocent" the file in the first part of the test was...
5. Waiting for Stefan and IC (and IBK)...
pykko
March 27th, 2007, 03:43 PM
I agree with RejZoR. Of course Avira flags packers sometimes instead of malware itself but its detection rates are very high and they really don't have so many FPs like before. This test has little relevance IMO.
rothko
March 27th, 2007, 03:45 PM
{QUOTE-> NOD32 sucks ballz here in all areas regardless!? <-QUOTE}
"sucks ballz" in a good way or a bad way?
Seer
March 27th, 2007, 03:52 PM
rothko, is there something good in "sucking ballz"? ;D
rothko
March 27th, 2007, 04:02 PM
{QUOTE-> rothko, is there something good in "sucking ballz"? ;D <-QUOTE}
Well, that's why I asked. It's not my cup of tea, I prefer coffee, but others may well see it as a good thing. All fine, but here it doesn't really express whether NOD32 is good or bad.
Firecat
March 27th, 2007, 04:07 PM
{QUOTE-> Well, that's why I asked. It's not my cup of tea, I prefer coffee, but others may well see it as a good thing. All fine, but here it doesn't really express whether NOD32 is good or bad. <-QUOTE}
"suck balls" = bad in this sense
i.e. RejZoR was saying that NOD32 performed just as badly anyway (if not worse), so why the hell is there even an AVIRA vs. NOD32 discussion....
Seer
March 27th, 2007, 04:15 PM
Yes, rothko, I know what you mean. I also find it curious to see NOD labeled in this fashion. So I am joining you in questioning RejZoR: c'mon RejZoR, you can't be thinking that NOD is that bad... :(
EDIT: oh, maybe he meant in signatures aspect...
Londonbeat
March 27th, 2007, 04:16 PM
In the last proactive test on av-comparatives Antivir scored slightly higher than nod32, with very low false positives.
Nod32 uses dynamic heuristics/emulation, Antivir doesn't... Antivir has done well to fine-tune the heuristic to the level it's at now - high(est?) proactive detection with low false positives. This seems to grate on some people leading to the creation of threads like this.
Still waiting for one of the experts to comment but I don't think Antivir specifically detects any packer, unless maybe if you went into the configuration and selected to detect "unusual runtime compression tools"...
Stefan Kurtzhals
March 27th, 2007, 04:16 PM
What makes me suspicious is that no source is given and that the writer (of the "translated" text) sounds like an ESET marketing person and seems to know a lot about how the ESET scan engine works internally.
I have my doubts about the used samples as well.
Some points:
The number of signatures in AntiVir has nothing to do with the heuristic or generic detection. Actually we plan to dramatically increase the number of gens and kick out all signatures that are covered by the gens.
There is "Crypt" or "Crypted" in the detection name for obvious reason. There are a "few" other heuristic and generic rules without "Crypted", if the tester would bother to look.
Who defined that detection by dynamic code analysis is the only allowed way to detect malicious files? Of course it is an advanced and reliable method, but it has its limitations as well. And why bother with unpacking several layers of packers/cryptors (which can be VERY time consuming) when those packers are used 99% by malware authors only, and for cracks or keygens otherwise?
What advantage has the user if the 25,000th variant of Zlob is identified by its "correct" name?
Does the user really care how the malware is technically detected?
Someone noticed Mal/Packer, Packer/*, Bloodhound.Morphine, New Malware.n and similar detections? I guess someone missed a trend.
The heuristics of NOD32 is not really that good. What really ***rocks*** is their variant detection. Which is faaaaaaaar more efficient! Great job! The "tester" seems not to be able to notice or understand this.
Now back with me to produce more "hot air"...
pykko
March 27th, 2007, 04:22 PM
good answer Stefan. Now a little question... is Avira planning to add variant detection also ?
Stefan Kurtzhals
March 27th, 2007, 04:33 PM
First we will add emulation/generic unpacking.
ErikAlbert
March 27th, 2007, 04:36 PM
"NOD32 = best heuristics on Earth"
Does that mean it has no false/positives ?
Firecat
March 27th, 2007, 04:46 PM
{QUOTE-> What makes me suspicious is that no source is given and that the writer (of the "translated" text) sounds like an ESET marketing person and seems to know a lot about how the ESET scan engine works internally. <-QUOTE}
You may be on to something there, Mr. Kurtzhals. :)
The website http://www.nod32club.com is affiliated with Version-2 software, which is the official distributor for Eset in China and Hong Kong. Considering this affiliation, it is very well possible that the guy who posted this was an Eset marketing person, as this type of marketing, I believe, is slightly common in China.
Frankly, I wouldn't be surprised if it was proven to be an Eset marketing person, but I'd rather give Eset the benefit of the doubt. Waiting for the "damage control".
I'm also seeing some other similarities. For example, there is one borderline-FUD on Eset's global/EU website in the "compare Antivirus products" page.
See here: http://www.eset.com/products/compare-NOD32-vs-competition.php
"Unified Anti-Threat Engine - protects against viruses, spyware, adware, rootkits, identity theft"
Eset - Yes, while Symantec, McAfee, Kaspersky etc. = NO ("multiple components required in a large suite"). This is just plain lying. Kaspersky has only one engine, as does Symantec. McAfee may be dividing into two engines, but the fact is that Symantec and Kaspersky have their unified Anti-threat engine in place. The other tests shown are fine, except maybe for the VirusTotal one (because I cannot see the test results anywhere, if anyone knows do show me :)). But I won't bash Eset for the VirusTotal thing.
The other parts of Eset's AV comparison tables are fine, but this one para was plain snake oil. As such, NOD32 is a great product, and I do like it (I hold a license), but this comes across to me as "sleazy" marketing.
{QUOTE-> Who defined that detection by dynamic code analysis is the only allowed way to detect malicious files? Of course it is an advanced and reliable method, but it has its limitations as well. And why bother with unpacking several layers of packers/cryptors (which can be VERY time consuming) when those packers are used 99% by malware authors only, and for cracks or keygens otherwise?
What advantage has the user if the 25,000th variant of Zlob is identified by its "correct" name?
Does the user really care how the malware is technically detected?
Someone noticed Mal/Packer, Packer/*, Bloodhound.Morphine, New Malware.n and similar detections? I guess someone missed a trend. <-QUOTE}
I do not understand this. Are you saying that it is perfectly OK to detect malware based on their packers? There is the risk of false positives in such a method, and also it is a sort of "easy way out"...:-\
{QUOTE->
The heuristics of NOD32 is not really that good. What really ***rocks*** is their variant detection. Which is faaaaaaaar more efficient! Great job! The "tester" seems not to be able to notice or understand this.
Now back with me to produce more "hot air"... <-QUOTE}
I agree, it seems the tester's main intention was to downplay AVIRA.
Londonbeat
March 27th, 2007, 04:52 PM
{QUOTE-> "NOD32 = best heuristics on Earth"
Does that mean it has no false/positives ? <-QUOTE}
No it means the OP probably has an agenda. ;)
RejZoR
March 27th, 2007, 04:58 PM
Actually, lots of variant detections aren't exactly advanced variant detection anyway. I've noticed that quite often, though they do detect lots of new variants. BitDefender is usually a good indicator.
For example you scan some malware, BitDefender detects it as Worm.Bagle.BQ, NOD32 detects it as Win32/Bagle.BQ (both detections are made up).
Now you repack the sample with some packer and detections will follow like this...
"GenPack:Worm.Bagle.BQ" for BitDefender and "a variant of Win32/Bagle.BQ" for NOD32. This is a nice indicator that NOD32 also flags just repacked versions as new variant. Well technically it is a new variant but it would be better to indicate the name like this "Win32/Bagle.BQ (repacked)" or something like this.
However, like Stefan said, users don't really care how it's named as long as it works. And I can say that as a long-term avast! user, which is probably quite known for its Win32:Trojan-Gen detections. Ok, for me it maybe does matter if I know the malware type, but for most users it's not important at all.
Stefan Kurtzhals
March 27th, 2007, 05:09 PM
Firecat, if you never ever saw a legal user application encrypted with packer x, why not report it? Who cares if there is a Zlob, Hupigon, Banker, ... below?
As long as the malware doesn't execute on the customer's computer, (s)he doesn't care if it's the 25,000th or the 25,001st variant of Zlob.
BTW, AntiVir just doesn't report the plain packer, except for the optional PCK/. There are always additional checks to prevent reports on legal applications. Actually, corporate customers are interested in even "more paranoid" detection!
Sounds to me like someone is desperately grasping for marketing stuff. Sorry, I don't have time for that. I need to add more "hot air" to protect our customers.
Firecat
March 27th, 2007, 05:16 PM
{QUOTE-> Firecat, if you never ever saw a legal user application encrypted with packer x, why not report it? Who cares if there is a Zlob, Hupigon, Banker, ... below?
As long as the malware doesn't execute on the customer's computer, (s)he doesn't care if it's the 25,000th or the 25,001st variant of Zlob.
BTW, AntiVir just doesn't report the plain packer, except for the optional PCK/. There are always additional checks to prevent reports on legal applications. Actually, corporate customers are interested in even "more paranoid" detection!
Sounds to me like someone is desperately grasping for marketing stuff. Sorry, I don't have time for that. I need to add more "hot air" to protect our customers. <-QUOTE}
Thanks for explaining that more clearly to me. I'll agree with you: as long as FPs are not made, it's just fine to detect malware in this way. :)
lucas1985
March 27th, 2007, 05:18 PM
{QUOTE-> Actually, corporate customers are interested in even "more paranoid" detection! <-QUOTE}
:o :o
BTW, ESET is going to release a gateway AV (alongside the suite and mobile AV), so more paranoid engines are to come.
doctor IT
March 27th, 2007, 05:27 PM
Hello! :) I think there is a problem with Avira's engine on jotti.com. For about an hour AntiVir hasn't reported anything. Not even a variant of Parite(.B), which in the past it used to identify. I sent an email to the administrator of the site advising him to solve this problem as fast as he can, since a usual user can get a very bad impression of this product after this incident.
Inspector Clouseau
March 27th, 2007, 05:29 PM
1. Regarding a variant of
There's nothing wrong with naming something "a variant of". It all boils down to how the original sample was distributed. If it was UPX packed and it gets repacked, for example by ASPACK, then it's indeed a variant. The reason being that the file looks completely different from a binary point of view, even if it performs exactly the same actions. So nothing wrong with calling repacked versions "a variant of".
2. Packer Detections
There are 3 types of packers: Whitelist Packers, Greylist Packers and Blacklist Packers.
Whitelist Packers are mainly used by non-malicious applications. (However, that doesn't mean that malware isn't using them) Example: UPX
Greylist Packers are packers which are not really common for "industrial use"; they are mostly used for cracks and maybe "strange" freeware/shareware and malware. Example: Exeprotector
Blacklist Packers are packers which are mainly used only for malware. Of course you can pack a clean program with a blacklisted packer, but you shouldn't be surprised if a lot of antivirus apps flag it. Example: Several patched Morphine versions, NSANTI combinations and so on.
Flagging white-listed packers is ridiculous. Even if you only report it as suspicious. A whitelisted packer should never ever be flagged, regardless of the heuristic level.
Flagging greylisted packers is very risky and leads to a lot of false positives.
Flagging blacklisted packers is basically "ok", however it's always better to take some other heuristic flags into the conclusion before flagging such files.
2.1 Combinations of Runtime Packers
Similar to point 2 there are so called blacklisted combinations of runtime packers. UPX + Yoda for example.
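The three tiers above, plus the repacking experiment translated in the opening post, as an added example in Python. This is not code from any vendor or from anyone in the thread: it reads the PE section table, recognises packers by the section names they leave behind (UPX0/UPX1, .aspack/.adata, .nsp0/.nsp1, .yP), and applies white/grey/black rules. Which packer sits in which tier is an assumption for illustration; only UPX as whitelisted and UPX + yoda as a blacklisted combination come from the post. The inputs are constructed header-only PE files, not real samples, and `other_flags` stands in for heuristics not modelled here. Two things the thread argued about fall out of running it: identical packer layers give an identical verdict whatever the file body contains, and a repack that truncates the file comes back as unscannable rather than as a detection.

```python
import struct

# Section names the packers leave in the PE section table. The packer list is
# an illustration; the section names are the commonly observed ones.
PACKER_SECTIONS = {
    "UPX": {b"UPX0", b"UPX1", b"UPX2"},
    "ASPack": {b".aspack", b".adata"},
    "NsPack": {b".nsp0", b".nsp1", b".nsp2"},
    "yoda": {b".yP", b".y0da"},
}

# Tiers after the post above. Only UPX (white) and UPX + yoda (black
# combination) are from the thread; the rest is an assumption for illustration.
WHITELIST = {"UPX"}
GREYLIST = {"ASPack", "NsPack", "yoda"}
BLACKLIST = set()                                  # single packers seen on malware only
BLACK_COMBINATIONS = [frozenset({"UPX", "yoda"})]


def section_names(pe):
    """Section names of a PE image; ValueError if the headers cannot be parsed
    (a repack that corrupted the file must not turn into a detection)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                            # 20-byte COFF file header
    if coff + 20 > len(pe):
        raise ValueError("COFF header truncated")
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                   # section headers follow the optional header
    if table + 40 * num_sections > len(pe):
        raise ValueError("section table truncated")
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]


def identify_packers(names):
    """Every packer whose fingerprint sections are present. Layered packers that
    keep the inner names show up together, e.g. UPX0/UPX1 next to .aspack."""
    present = set(names)
    return {packer for packer, sigs in PACKER_SECTIONS.items() if present & sigs}


def verdict(pe, other_flags=frozenset()):
    """(label, detection name). other_flags stands in for heuristics not
    modelled here, e.g. 'entry point in last section'; a packer alone never
    yields the strongest label, and a whitelisted packer is never flagged."""
    try:
        packers = identify_packers(section_names(pe))
    except ValueError as err:
        return ("unscannable", str(err))
    if not packers:
        return ("clean", "no known packer")
    name = "Packed/" + "+".join(sorted(packers))   # packer-based name, like HEUR/Crypted
    if packers & BLACKLIST or any(combo <= packers for combo in BLACK_COMBINATIONS):
        return ("malware" if other_flags else "suspicious", name)
    if packers & GREYLIST:
        return ("suspicious", name) if len(other_flags) >= 2 else ("clean", name)
    return ("clean", name)


def build_pe(names, payload=b""):
    """Constructed header-only PE32 with the given section table (test input,
    not executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # 224-byte PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + sections + payload


CLEAN_PAYLOAD = b"constructed clean file body"
EVIL_PAYLOAD = b"constructed malware file body"
UPX_ASPACK = [b"UPX0", b"UPX1", b".rsrc", b".aspack", b".adata"]   # UPX, then ASPack on top


def demo():
    """The thread's experiment: same packer layers, different file contents."""
    yoda = [b"UPX0", b"UPX1", b".yP"]
    return {
        "clean UPX+ASPack": verdict(build_pe(UPX_ASPACK, CLEAN_PAYLOAD)),
        "malware UPX+ASPack": verdict(build_pe(UPX_ASPACK, EVIL_PAYLOAD)),
        "clean UPX only": verdict(build_pe([b"UPX0", b"UPX1", b".rsrc"], CLEAN_PAYLOAD)),
        "UPX+yoda, no other flags": verdict(build_pe(yoda, EVIL_PAYLOAD)),
        "UPX+yoda + one flag": verdict(build_pe(yoda, EVIL_PAYLOAD), {"entry point in last section"}),
        "truncated repack": verdict(build_pe(UPX_ASPACK, EVIL_PAYLOAD)[:100]),
    }


if __name__ == "__main__":
    for case, (label, name) in demo().items():
        print(f"{case:26} -> {label:12} {name}")
```

The clean and the "malware" UPX+ASPack files receive the same verdict and the same packer-based name, which is exactly what the opening post observed; the scheme only distinguishes them once other heuristics contribute flags, and the whitelisted UPX-only file is never reported at any level.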
RejZoR
March 27th, 2007, 05:32 PM
I know, IC. I just pointed out that not all "a variant of" are an actual modified sample, but also just a repacked one (which is, as we both said, performing the exact same actions, just different from a binary standpoint).
sasa843
March 27th, 2007, 05:50 PM
{QUOTE-> ...and as we know in the entire Solar system. :D <-QUOTE}
Yes, and even Voyager 1 is carrying one install file, copied somehow from the Earth, for aliens to test it!
StevieO
March 27th, 2007, 06:33 PM
@ solcroft
Good topic for a thread !
I've seen quite a few HEUR/Crypted detections when scanning hundreds of real nasties with AntiVir for nearly a year. But most of the detections it's achieved are 100% positively accurate, and it correctly identified them as genuine malware. I have only had a very small number of FPs in all this time with all that malware, and that's with heuristics set on high.
I would rather see an Anti flag a file as suspicious, even if it turned out to be a FP. Because not flagging it, if it turned out to be malware, could be disastrous for people.
These days more and more malware is getting packed, and some with generally lesser well known, or previously used, or new types. So flagging anything that appears as if it might be malware due to its being packed makes perfect sense, just in case it's a nasty.
The facts though speak for themselves regardless of any packing detection/heuristics talk.
AntiVir consistently outperforms Nod, and most if not all the others, in all the recent tests, and has done for some time now. Also if you check sites such as http://www.castlecops.com/f269-Malware_Listserv.html which receives numerous daily uploads of new malware, you will be able to see that AntiVir is far ahead in already having definitions for most of these, when a lot of the others detect absolutely nothing.
So I'm afraid Nod does not have the best heuristics either; if it did it would be detecting many more than it does.
When you consider that such a fine all-round product as AntiVir can be had for free, or a very reasonable price for the pay version, it's outstanding!
StevieO
MalwareDie
March 27th, 2007, 06:42 PM
I really do not trust this test at all. Utilizing Jotti is not an accurate way of testing since it uses the linux version of products and even if you use virustotal, it's still not perfect.
btman
March 27th, 2007, 08:16 PM
{QUOTE->
What advantage has the user if the 25.000th variant of Zlob is identified by it's "correct" name?
. <-QUOTE}
If AntiVir couldn't remove it, the "correct" name would be a bit handy in finding a removal tool.
Miyagi
March 27th, 2007, 08:53 PM
Reputable products don't need sleazy marketing. They perform very well without a slice of sushi. You just identified yourself. :P
Pedro
March 27th, 2007, 09:05 PM
{QUOTE-> If AntiVir couldn't remove it, the "correct" name would be a bit handy in finding a removal tool. <-QUOTE}
True, but if you had Antivir from start, it would never infect unless you ran it anyway.
If what Stefan Kurtzhals says is exact (99% etc), that kind of packer would never be used by me or you, or anyone really. Flag it malware. It's better that way for everyone.
Metal425
March 27th, 2007, 09:39 PM
{QUOTE-> Below is an antivirus test performed by... well, someone on the Internet, since I don't know him/her personally. The original text is in Chinese, and I've done my best to translate it into English. It makes for quite an interesting read, actually - in summary, the author of the test claims that his/her test results show that AntiVir flags malware only via the type of packer used to encrypt them, and not by actually identifying the malware itself.
I'm actually interested in what the more venerable members of the forum think of this article. The samples used will be provided upon request to the more established members of this community, should they wish to verify the test results themselves. Anyway, without further ado: <-QUOTE}
pffffffffft,NOD32 fan boy :(
Durad
March 27th, 2007, 11:34 PM
{QUOTE->
Does the user really care how the malware is technically detected? <-QUOTE}
I think this is the answer for this thread.
We also had somebody here who made software that detects files by their name and nothing else. Everybody was against him, but in the end, does the user really care how the malware is technically detected :)
Durad
March 27th, 2007, 11:45 PM
{QUOTE->
AntiVir consistently outperforms Nod, and most if not all the others, in all the recent tests, and has done for some time now. Also if you check sites such as http://www.castlecops.com/f269-Malware_Listserv.html which receives numerous daily uploads of new malware, you will be able to see that AntiVir is far ahead in already having definitions for most of these, when a lot of the others detect absolutely nothing.
So I'm afraid Nod does not have the best heuristics either; if it did it would be detecting many more than it does.
StevieO <-QUOTE}
Well, I do not think you are right here, or you did not read this post completely.
If we unpack and retest these files from CastleCops we could see totally different results, just because AntiVir is, by this test, flagging many packers as suspicious.
On the other side, I like their point of view and what Inspector explained. This is the right way, because their main task is to protect users that do not even know what packers are :)
I totally agree with that, but on the other side I do not like it when somebody talks trash about software that detects malware by analysing its name, because these people are also using a very similar trick to detect malware :)
Metal425
March 28th, 2007, 12:10 AM
{QUOTE-> Well, I do not think you are right here, or you did not read this post completely.
If we unpack and retest these files from CastleCops we could see totally different results, just because AntiVir is, by this test, flagging many packers as suspicious.
On the other side, I like their point of view and what Inspector explained. This is the right way, because their main task is to protect users that do not even know what packers are :)
I totally agree with that, but on the other side I do not like it when somebody talks trash about software that detects malware by analysing its name, because these people are also using a very similar trick to detect malware :) <-QUOTE}
Agreed
dah145
March 28th, 2007, 12:19 AM
I think more than heuristics this is about a good unpacker system like the one from KAV; in those tests KAV could detect all the real malware packed except the last one. And we all know that KAV heuristics are not the best... mmm
but this will change for version 7. ;D
FRug
March 28th, 2007, 02:55 AM
Is it only me who finds this creation of new variants as a "test" morally questionable? Thanks to performing the evaluation using jotti he has created additional work for vlabs, as if they didn't have enough to do without "testers" creating even more crap variants.
If he did it in his own home, ran the scanners himself, and afterwards got rid of his newly created variants without ever releasing them to the public (which an upload to online scanners certainly counts as) I might have overlooked the "new variant creation" fact in this specific case. But like this... do we really need testers to contribute to the already heavy workload vlabs have to deal with nowadays?
trjam
March 28th, 2007, 02:57 AM
{QUOTE-> Is it only me who finds this creation of new variants as a "test" morally questionable? Thanks to performing the evaluation using jotti he has created additional work for vlabs, as if they didn't have enough to do without "testers" creating even more crap variants. <-QUOTE}
Thinking the same thing.
Inspector Clouseau
March 28th, 2007, 04:39 AM
{QUOTE-> Is it only me who finds this creation of new variants as a "test" morally questionable? Thanks to performing the evaluation using jotti he has created additional work for vlabs, as if they didn't have enough to do without "testers" creating even more crap variants.
<-QUOTE}
Yub. That's by the way one sub-topic of the av tester workshop.
Usually the words of such "testers" are: if the malware authors can create new malware in this way, we can do that too. That is (as you see here) a common thought among hobby testers. But let's speak frankly: there are several 100k files which are indeed malicious and nobody detects them. Nope, not even YOUR favorite AV application. Doesn't matter if it's KAV, NOD32 or BitDefender. Everyone has a huge backlog (and now please read this carefully!) compared to undetected files and NOT compared to other competition!
And nobody in the AV industry has the time or resources to waste on unnecessary things which are not posing any real threat since they are so-called "test samples".
Does this mean the AV industry isn't good enough? They only need to set the right priorities! And that's why it is also important that the testers understand what is important and what is not. If you detect a single malware which is available only one time in the whole world and OTOH let an important virus pass which infects or is running on several thousand other machines, then you have failed your mission. You have then set your priorities wrong! Of course this single user will walk around telling other people "only AV xyz detected my malware", and maybe 15% of the people who read this will switch AV based on this, but that doesn't mean it has better real-world protection.
trjam
March 28th, 2007, 05:49 AM
thanks IC, now that I can understand.:)
pykko
March 28th, 2007, 01:44 PM
{QUOTE-> First we will add emulation/generic unpacking. <-QUOTE}
thanks for the answer. I can't wait. ;D
ink
March 28th, 2007, 09:59 PM
I understand that there is a combined way to find malware: one is by technical rules, the other is common sense. You can say priority; the white, grey and black packer lists are common sense, not very exact. The rules in heuristics are also based on common sense and statistics. So don't argue about which combined way is better; it all depends on you.
Symantec uses technical rules more than common sense, so with less heuristics, much of its detection is reliable.
AntiVir combines more common sense, so it gives you more chances to find malware.
But I have to remind every antivirus company: work hard to find more reliable technical rules to fight against malware. Don't let the users make the decision when they see something suspicious. This is only useful to our experienced users. For most of the common users it is a nightmare; all they think is that the malware writer is taking the initiative.