View Full Version : F-Secure's engines


Firecat
November 12th, 2007, 05:50 PM
I know this is an old topic but I felt it to be worth discussion anyway. After using F-Secure IS 2008 for a few days and running it through a few samples I made the following observations:

1) There are a small number (insignificant) of samples detected by KAV but not by F-Secure
2) There are also a small number of samples detected by Kaspersky but F-Secure detects these under a name that matches the F-Prot naming scheme for the malware. I wonder why this is....
3) Heuristic detections are slightly difficult to make head or tail of; besides I have had only 2-3 detections based on Heuristics from F-Secure, the name only said "possibly infected with unknown virus"; so the responsible engine cannot be directly pinpointed :)
4) Ad-Aware technology in F-Secure hardly seems to detect anything at least on my PC :)
5) The scan report only mentions four engines: KAV/AVP, Libra, Orion and Draco (Ad-Aware). Gemini and Pegasus (Norman Sandbox) are not mentioned for whatever reason. Do these 2 engines only work real-time?

While any direct conclusion cannot be obtained from arbitrary observations such as the ones above, I think they do provide interesting food for thought. :)

The most interesting is the F-Prot named detections; F-Secure detects quite a lot of malware under F-Prot's name. I do know that F-Secure has F-Prot's macro virus detections but the names I saw were of more than just macro viruses. So what I am wondering is whether F-Secure's Libra engine still is based on F-Prot and is a "branch" of the F-Prot engine rather than a completely designed home grown engine?

If anyone knows anything about F-Secure's engines; then the info would be appreciated!

NAMOR
November 12th, 2007, 06:25 PM
{QUOTE-> 5) The scan report only mentions four engines: KAV/AVP, Libra, Orion and Draco (Ad-Aware). Gemini and Pegasus (Norman Sandbox) are not mentioned for whatever reason. Do these 2 engines only work real-time? <-QUOTE}

I THINK the 2 engines are a part of DeepGuard. So they would be real-time only.
{QUOTE->
When a program alerts the attention of F-Secure DeepGuard, advanced artificial intelligence checks whether the offending program is malicious and acts accordingly. Any decisions the user makes about applications are remembered.

This minimizes the number of analyses that F-Secure DeepGuard needs to perform and results in a transparent computer experience for the user.

If there are no previous user decisions for the program and F-Secure DeepGuard does not recognize the program, the artificial intelligence first runs a scan using the Gemini heuristic scanning engine and the Pegasus sandbox and then interprets the results. The Gemini heuristic scanning engine performs an in-depth analysis of the target program, looking for anomalies and signs of dangerous intent of the scanned program. The Pegasus engine, on the other side, is a sandbox-based heuristic antivirus engine.
<-QUOTE}

http://www.f-secure.com/f-secure/pressroom/protected/prot-3-2006/17-459-3669.shtml

Macstorm
November 12th, 2007, 07:07 PM
{QUOTE-> Gemini and Pegasus (Norman Sandbox) are not mentioned for whatever reason. Do these 2 engines only work real-time? <-QUOTE}
Hello Firecat,

After trying FSAV with its 14 processes :o running simultaneously, I would say that... yes.

flyrfan111
November 12th, 2007, 09:27 PM
F-Secure also uses the F-Prot engine which accounts for the similar names on some detections. I forget which engine it is, but it is either the Libra or Orion engine.

Firecat
November 13th, 2007, 02:57 AM
I noticed even more peculiarity with F-Secure today. I noticed that several detections based on the Ad-Aware engine showed up real time but never showed up in the on-demand scan. I wonder why the Ad-Aware engine is only working real-time; it is so strange....:-\

BTW I think Libra is the engine based on F-Prot :)

tiagozt
November 13th, 2007, 12:13 PM
I tested some samples... When I send them to VirusTotal and FS detects the sample, I scan it on my computer... If FS doesn't detect it, I execute it... I did it many times and the samples were detected on execution...
(It's about heuristics and not about Ad-Aware detections)

Firecat
November 13th, 2007, 04:16 PM
{QUOTE-> I tested some samples... When I send them to VirusTotal and FS detects the sample, I scan it on my computer... If FS doesn't detect it, I execute it... I did it many times and the samples were detected on execution...
(It's about heuristics and not about Ad-Aware detections) <-QUOTE}
Gemini and Pegasus work on-execution....I was talking about on-*access* protection. I saw some alerts from F-Secure for "Trojan.Win32.MatrixHasYou" and "Trojan.Win32.Crypt", both of which are Ad-Aware names. And I didn't have to execute any file to get this detection; F-Secure reported it just as I accessed the folder.

However, using a right click context menu scan (i.e. On-demand scan) results in F-Secure not detecting the samples. :-\

s4u
November 15th, 2007, 09:49 AM
Isn't it the separate spyware scan that uses Ad-Aware?

s4u
November 15th, 2007, 09:52 AM
Testing the latest technical preview at the moment and it contains the latest and new DeepGuard 2.0

- DeepGuard 2.0
DeepGuard can now make a query over the network as part of the proactive protection, which helps to reduce the amount of user prompting. This also brings improvements in the speed we can respond to new outbreaks of suspicious items, and improved accuracy.

Firecat
November 15th, 2007, 12:00 PM
{QUOTE-> Isn't it the separate spyware scan that uses Ad-Aware? <-QUOTE}
In my FSIS 2008 there is only an option for "quick spyware scan" and "quick rootkit scan". The other scans seem to report both spyware and malware but they do not seem to use the Ad-Aware engine.

So does this "quick spyware scan" option use the Draco engine?

s4u
November 16th, 2007, 07:05 AM
I think so. I will ask.