
NEW! Rootkit 'detection' test


C.S.J
January 4th, 2008, 09:27 PM
tested via anti-malware.ru, regarding detection of rootkits.

[attached image 196537: test results chart]

nod32 is once again shocking me, but for the wrong reasons.

especially as this is their NEW software version.

trjam
January 4th, 2008, 09:40 PM
doesn't shock me, at all. Wonder how Avira would do, their rootkit detection is good.

C.S.J
January 4th, 2008, 09:44 PM
{QUOTE-> doesn't shock me, at all. Wonder how Avira would do, their rootkit detection is good. <-QUOTE}
Avira's detection has been good for a while, we all know that jeff.

they did test the 1.0 rootkit detection from avira which is currently beta I THINK, it scored well as expected.

the_sly_dog
January 4th, 2008, 09:50 PM
Way to Goooooooooooo Kaspersky This product never seems to Amaze me It goes from strength to strength :-* :thumb: :thumb: :thumb:

Well done to the other products -drweb,f-secure, symantec

Eset isn't doing so well either lol ;D ;D ;D ;D ;D ;D ;D Think they might have forgotten to put the rootkit detector in it :P :P :P

trjam
January 4th, 2008, 09:54 PM
Eset has never had great detection, regardless of what others want you to think. It does excel in other areas though.

the_sly_dog
January 4th, 2008, 09:57 PM
{QUOTE-> Eset has never had great detection, regardless of what others want you to think. It does excel in other areas though. <-QUOTE}

SECOND That 1

huangker
January 4th, 2008, 09:59 PM
Has Eset put some time and effort into rootkit detection?

the_sly_dog
January 4th, 2008, 10:01 PM
Doesn't look like it

Maybe The rootkit scanner Was drunk from the christmas party or was Just Very tired And Sleepy lol

Thankful
January 4th, 2008, 10:10 PM
What's the difference between Avira Rootkit Detection and the rootkit detector within Avira AV? Does Avira plan to integrate Avira Rootkit Detection 1.0 within the AV?

trjam
January 4th, 2008, 10:12 PM
It already is there, when you do a system scan, the rootkit detection runs first then the AV. It is fairly seamless.

trjam
January 4th, 2008, 10:13 PM
when you click on configuration choose expert, over on the right will be a box to tick for rootkit scan first.

Thankful
January 4th, 2008, 10:14 PM
Does it have the same capabilities as the stand alone Rootkit Detection?
Thanks.

trjam
January 4th, 2008, 10:14 PM
yes;)

huangker
January 4th, 2008, 10:32 PM
{QUOTE-> Doesn't look like it

Maybe The rootkit scanner Was drunk from the christmas party or was Just Very tired And Sleepy lol <-QUOTE}

Well if they haven't put much effort into it then it won't be expected to be very good. Maybe Eset should have a look into developing an anti-rootkit module.

Thankful
January 4th, 2008, 10:47 PM
{QUOTE-> Well if they haven't put much effort into it then it won't be expected to be very good. Maybe Eset should have a look into developing an anti-rootkit module. <-QUOTE} They already have one. It's called 'anti-stealth technology'. According to the test, it can be improved.

huangker
January 4th, 2008, 11:22 PM
{QUOTE-> They already have one. It's called 'anti-stealth technology'. According to the test, it can be improved. <-QUOTE}

Yep thanks, I've found a brief article in their knowledge base describing it.

{QUOTE-> Eset has never had great detection, regardless of what others want you to think. It does excel in other areas though. <-QUOTE}

Do you mean Eset has had bad detection of rootkits specifically or just in general?

Diver
January 4th, 2008, 11:24 PM
What happened to rootkit revealer?

solcroft
January 4th, 2008, 11:39 PM
{QUOTE-> Eset has never had great detection, regardless of what others want you to think. It does excel in other areas though. <-QUOTE}
There's a very big difference between detecting a rootkit when it's just a file on a drive, and when it's active and loaded into memory, even when they're the exact same rootkit variant. Doing the former just requires you to have a signature to detect the rootkit, just like any other malware. Detecting the same rootkit when it's active means you need to have advanced technologies to query and obtain low-level uncorrupted information from the OS. Nothing to do with detection rate here.
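
The distinction drawn above (a signature matches the rootkit's file at rest, but finding it once it is active requires reading OS state the rootkit has not filtered) is what cross-view detection addresses, and it is also the idea behind the "Direct Disk Access bypasses the Windows API" claim quoted later in the thread for files. The block below is an added example, not code from the thread or from any product discussed in it: it builds a process inventory on Linux through two independent paths (the /proc directory listing, and probing every possible PID with signal 0) and reports whatever the low-level path sees that the high-level path does not. `PROC`, the function names and the constructed inputs in the comments are assumptions of this example.

```python
"""Cross-view detection of hidden processes (added example, Linux).

A kernel-mode rootkit usually hides by filtering the answers of the
high-level enumeration API (directory listings, process snapshots), so a
scanner that trusts that API reports a clean system. A cross-view detector
builds the same inventory through two independent paths and reports the
difference. The comparison logic is generic; the collectors are Linux-only.
"""
import os
import sys

PROC = "/proc"  # assumption: a standard procfs mount


def api_view_pids():
    """High-level view: the PIDs the /proc directory listing advertises.
    A rootkit that hooks readdir/getdents filters exactly this view."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def tgid_from_status(status_text):
    """Parse the Tgid field out of the text of /proc/<pid>/status.
    Returns None when the field is absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def is_process(pid):
    """kill(pid, 0) also succeeds for thread IDs, so keep only thread-group
    leaders (Tgid == pid). If the kernel confirmed the PID but its /proc
    entry cannot be opened at all, keep it: that is the hidden case."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            tgid = tgid_from_status(f.read())
    except OSError:
        return True
    return tgid is None or tgid == pid


def raw_view_pids(pid_max=None):
    """Low-level view: ask the kernel about every possible PID instead of
    trusting a listing. Signal 0 is never delivered; the call only reports
    whether the PID exists (EPERM still means it exists)."""
    if pid_max is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        if is_process(pid):
            found.add(pid)
    return found


def cross_view_diff(api_view, raw_view):
    """Core check: objects present in the low-level view but missing from
    the API view are hidden-object candidates. Works on any two sets, e.g.
    constructed input {1, 2, 3} vs {1, 2, 3, 4242} yields [4242]."""
    return sorted(raw_view - api_view)


def find_hidden_pids(passes=2):
    """Take the diff more than once and keep only candidates that persist,
    which filters processes that merely started between the two views."""
    persistent = None
    for _ in range(passes):
        candidates = set(cross_view_diff(api_view_pids(), raw_view_pids()))
        persistent = candidates if persistent is None else persistent & candidates
    return sorted(persistent)


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("the live collectors need Linux procfs")
    hidden = find_hidden_pids()
    print("hidden PIDs:", hidden or "none")
```

On a clean machine `find_hidden_pids()` returns an empty list; a non-empty result is a candidate for manual follow-up, not proof of infection. The second pass exists because a process spawned between the two enumerations looks exactly like a hidden one on a single pass. The check also has the limitation the thread's posters are arguing about: a rootkit that filters the `kill` path as well as the listing defeats this pair of views, which is why dedicated tools combine several independent views (and, for files, read the disk directly) rather than relying on one.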

solcroft
January 4th, 2008, 11:49 PM
Also, keep in mind that the score of anti-virus products for the PoC rootkits is essentially meaningless. A PoC is not malware, though some vendors may choose to detect it as riskware. There's no absolute standard that says that anti-virus vendors need to detect PoC code.

Anti-rootkit utilities, though, should ideally score as high as possible for it. Unlike anti-virus products, they're not designed to distinguish which hidden files/processes/reg entries are real malware, and should ideally be able to report all such hidden data to the user.

s4u
January 5th, 2008, 01:22 AM
Well done Dr Web.
They are getting better and better I see

C.S.J
January 5th, 2008, 03:10 AM
{QUOTE-> Well done Dr Web.
They are getting better and better I see <-QUOTE}
Drweb always seems to do well at anti-malware, it puzzles me.

The last 2 tests have all been positive as well

Removal: gold award
heuristics: silver award

pykko
January 5th, 2008, 01:54 PM
Nice... Avira and Kaspersky are the best antiviruses for this type of threat.
NOD32 is at the bottom of the list, as they used us in the last period.

C.S.J
January 5th, 2008, 02:12 PM
nod32 are very good at marketing, and charge a high price for that.

i do like nod32, but it's completely over-hyped, and it's purely because of av-comparatives and VB.

apart from fantastic heuristics, i don't see anything 'great'

so i would not label this antivirus as the best antivirus of 2007, or 2006.

i would have no problems using nod32 myself, but the hype is too much.

sorry nod fans :)

---------
nod used to be known as a very light, zero bugs kinda program.
this year, nod have lost all that.

Firecat
January 6th, 2008, 09:57 AM
I am wondering again why Kaspersky's rootkit detection is higher than F-Secure. AFAIK the detection abilities of all products using the Kaspersky engine was supposed to be the same with the exception of the newer, better heuristics on KAV 7.0 compared to the clone AVs. F-Secure isn't bad at all, but still I was not expecting this.

AVG Anti-Rootkit does a fairly good job as well. This bodes very well for the upcoming AVG 8 products :)

dawgg
January 6th, 2008, 04:23 PM
{QUOTE-> I am wondering again why Kaspersky's rootkit detection is higher than F-Secure. AFAIK the detection abilities of all products using the Kaspersky engine was supposed to be the same with the exception of the newer, better heuristics on KAV 7.0 compared to the clone AVs. F-Secure isn't bad at all, but still I was not expecting this. <-QUOTE}
That's got to do with the strength of the AV (drivers) when detecting live rootkits.
When the rootkit isn't live (hasn't infected the computer), then F-Secure should detect it.

Also, I think there's a bit of a time-lapse between when Kaspersky issues a signature and F-Secure does.

lucas1985
January 6th, 2008, 05:55 PM
{QUOTE-> There's a very big difference between detecting a rootkit when it's just a file on a drive, and when it's active and loaded into memory, even when they're the exact same rootkit variant. Doing the former just requires you to have a signature to detect the rootkit, just like any other malware. Detecting the same rootkit when it's active means you need to have advanced technologies to query and obtain low-level uncorrupted information from the OS. Nothing to do with detection rate here. <-QUOTE}
Some folks seem to forget this.
If you're going to depend on your AV to detect and clean "live" rootkits, you're playing a risky game. AFAIK, the only reliable signature scanner against rootkits is SUPERAntiSpyware.

C.S.J
January 6th, 2008, 06:11 PM
{QUOTE-> Some folks seem to forget this.
If you're going to depend on your AV to detect and clean "live" rootkits, you're playing a risky game. AFAIK, the only reliable signature scanner against rootkits is SUPERAntiSpyware. <-QUOTE}
i'll take my chance ;)

lucas1985
January 6th, 2008, 06:23 PM
Obviously, you don't need to panic Chris, I'm sure that your chances of encountering a rootkit trying to install itself in your system is very very low. But, don't buy the marketing speech (i.e. we detect and remove rootkits in a blink, don't be afraid).
Almost all malware cleaning forums don't use AVs to detect and remove rootkits. There must be a reason behind this behaviour, don't you think?

C.S.J
January 6th, 2008, 07:10 PM
{QUOTE-> Obviously, you don't need to panic Chris, I'm sure that your chances of encountering a rootkit trying to install itself in your system is very very low. But, don't buy the marketing speech (i.e. we detect and remove rootkits in a blink, don't be afraid).
Almost all malware cleaning forums don't use AVs to detect and remove rootkits. There must be a reason behind this behaviour, don't you think? <-QUOTE}
i'm extremely comfortable with what i have, for protection against rootkits.

{QUOTE-> Specific features of Dr.Web anti-virus for Windows 4.44 are Windows Vista support and efficient rootkit protection implemented as Dr. Web Shield™, a component of the anti-virus scanner. The component is a driver that provides access to virus objects that hide in the kernel of the operating system. <-QUOTE}
there are a lot of AVs who claim to do something, that actually don't.

this is not the case, with drweb.

lucas1985
January 6th, 2008, 07:47 PM
{QUOTE-> i'm extremely comfortable with what i have, for protection against rootkits.


there are a lot of AVs who claim to do something, that actually don't.

this is not the case, with drweb. <-QUOTE}
I wouldn't be sure of those claims. Informal tests show that few AVs are able to detect and remove completely installed rootkits and this varies from sample to sample.
But DrWeb may have a really good scanning engine to get unadulterated information from the OS. Time will show.

C.S.J
January 6th, 2008, 07:48 PM
{QUOTE-> I wouldn't be sure of those claims. Informal tests show that few AVs are able to detect and remove completely installed rootkits and this varies from sample to sample.
But DrWeb may have a really good scanning engine to get unadulterated information from the OS. Time will show. <-QUOTE}
informal tests?

lucas1985
January 6th, 2008, 07:55 PM
Tests realized by malware hunters/VXers. The methodology is pretty simple: scan the inactive sample to see if the AV has a signature for that sample, then install it and do a full system scan with that AV and specialized tools (as a control).

midway40
January 6th, 2008, 07:57 PM
I wasn't aware of SAS's rootkit detection. I guess I will have to run it more often.

C.S.J
January 6th, 2008, 07:59 PM
{QUOTE-> Tests realized by malware hunters/VXers. <-QUOTE}
can't be trusted. (on any level)

lucas1985
January 6th, 2008, 08:13 PM
{QUOTE-> I wasn't aware of SAS's rootkit detection. I guess I will have to run it more often. <-QUOTE}
SAS 4.0 improvements:
{QUOTE->
* Up to a 30% increase in scanning speed
* Direct Disk Access (DDA) technology bypasses all of the Windows API/Kernel to detect and remove difficult spyware
* Additional repairs for Windows Vista and Windows XP including Control Panel Access Restore
* Improved detection of packed/compressed threats
* Termination protection - you can allow Task Manager to terminate the application if something hangs - something other applications don't allow
* Enhanced detection and removal of in-memory threats
* Improved hardware detection and logging to reduce re-activation problems
<-QUOTE}
{QUOTE-> can't be trusted. (on any level) <-QUOTE}
These tests don't need huge zoos or statistical precision. You just need some random (working) samples and that's all. If AV xxx detects runtime2.sys archived in a malware folder but doesn't detect it when it's loaded in a real system, then AV xxx doesn't detect that rootkit sample when it's subverting the OS.

midway40
January 6th, 2008, 08:25 PM
I am using the free 3.9 version which I can assume doesn't have this capacity. It really doesn't mention it anywhere in this comparison (http://www.superantispyware.com/superantispywarefreevspro.html).

I used to run it more often but all it ever detected was cookies. Now I might run it once every two months or so.

lucas1985
January 6th, 2008, 08:30 PM
{QUOTE-> I am using the free 3.9 version which I can assume doesn't have this capacity. <-QUOTE}
The 3.9 version is already very good at detecting/removing RKs. SAS 4.0 will be even better (one step ahead of the bad guys)

Dieselman
January 6th, 2008, 08:33 PM
Well that test is the first one I have seen where NOD32 is on the bottom. Explain why AV Comparatives gave NOD32 the #1 spot for 2 years.

http://www.av-comparatives.org/

solcroft
January 7th, 2008, 12:30 AM
{QUOTE-> SAS 4.0 improvements: <-QUOTE}
Even that isn't a guarantee.

SUPERAntiSpy
January 7th, 2008, 02:20 AM
What (specific threats) were actually tested in these tests is unknown (to my knowledge), meaning what are the malware and rootkits tested against? Simulators or actual threats? What if the tests were run every week against the latest threats, would the numbers (results) fluctuate?

The bottom line in all of this is that no single product can, or ever will, be able to prevent, detect or remove everything on a given day. Every company has their own methods for dealing with threats, detection and of course rootkits. Some will catch certain theats and others will catch different threats.

You should NOT rely on a single application to protect yourself in today's Internet.

GmG
January 7th, 2008, 03:42 AM
{QUOTE-> What (specific threats) were actually tested in these tests is unknown (to my knowledge), meaning what are the malware and rootkits tested against? Simulators or actual threats? What if the tests were run every week against the latest threats, would the numbers (results) fluctuate?
Internet. <-QUOTE}

Malware
Trojan-Spy.Win32.Goldun.hn
Trojan-Proxy.Win32.Wopla.ag
SpamTool.Win32.Mailbot.bd
Monitor.Win32.EliteKeylogger.21
Rootkit.Win32.Agent.ea
Rootkit.Win32.Podnuha.a

POC
Unreal A 1.0.1
RkDemo v1.2
FuTo
HideToolz

http://www.anti-malware.ru/index.phtml?part=tests&test=antirootkits1

SUPERAntiSpy
January 7th, 2008, 03:45 AM
{QUOTE-> Malware
Trojan-Spy.Win32.Goldun.hn
Trojan-Proxy.Win32.Wopla.ag
SpamTool.Win32.Mailbot.bd
Monitor.Win32.EliteKeylogger.21
Rootkit.Win32.Agent.ea
Rootkit.Win32.Podnuha.a

POC
Unreal A 1.0.1
RkDemo v1.2
FuTo
HideToolz

http://www.anti-malware.ru/index.phtml?part=tests&test=antirootkits1 <-QUOTE}

Ok, so the rootkits used were demos/simulators, not the actual infections.

huangker
January 7th, 2008, 04:39 AM
Does it not make sense to boot up a live cd and scan from there instead if you suspect that you have a rootkit?

dawgg
January 7th, 2008, 05:15 AM
{QUOTE-> Well that test is the first one I have seen where NOD32 is on the bottom. Explain why AV Comparatives gave NOD32 the #1 spot for 2 years.
http://www.av-comparatives.org/ <-QUOTE}
AVComparatives rates AVs depending on on-demand detection rate and detection rate of 0-day malware. Also, the malware in AV-Comparatives has not been executed (which is easier to detect than rootkits which have been executed.)

This test is about detecting live (executed/embedded) rootkits which are harder to detect and remove

solcroft
January 7th, 2008, 05:25 AM
{QUOTE-> Ok, so the rootkits used were demos/simulators, not the actual infections. <-QUOTE}
As far as I can see, it's a mix of both.

dawgg
January 7th, 2008, 05:26 AM
{QUOTE-> But, don't buy the marketing speech (i.e. we detect and remove rootkits in a blink, don't be afraid). <-QUOTE}
Contradicted yourself in post 35
{QUOTE-> Almost all malware cleaning forums don't use AVs to detect and remove rootkits. There must be a reason behind this behaviour, don't you think? <-QUOTE}
Because no AV detects all malware. Scanning your computers for days using different AVs (which may or may not detect the rootkit) is a waste of time if you can do it in a few minutes using specialized removal tools and you're certain it'll be detected and removed if it's one no AVs detect.
Also installing lots of AVs will slow down the computer if they're not removed properly and lead to more computer troubles

dawgg
January 7th, 2008, 05:31 AM
{QUOTE-> The bottom line in all of this is that no single product can, or ever will, be able to prevent, detect or remove everything on a given day. Every company has their own methods for dealing with threats, detection and of course rootkits. Some will catch certain theats and others will catch different threats.
<-QUOTE}
I think this says it all... (although some are better overall than others). All these tests still give an indication to show this and aid users to see which protects/detects/removes better.
And one should not use a single test as an indication of which AV is stronger than another... should use many as an indication (as IBK always said) :)

SystemJunkie
January 7th, 2008, 06:06 AM
{QUOTE-> tested via anti-malware.ru, regarding detection of rootkits. <-QUOTE}
Lool, the test is biased, Russian test, Russian nr.1... I'd like to see a test more neutral.. In Germany Gmer is considered Nr.1.

C.S.J
January 7th, 2008, 06:12 AM
The tests are biased because they are Russian, cmon, surely you can't be serious?

SystemJunkie
January 7th, 2008, 06:14 AM
I dislike tests that don't include all possibilities, all kinds of publicly available rootkits and malware available today must be included, not secret pocs. So this test can be in no way objective and all-embracing.
Only a fool can take this seriously, still awaiting a neutral all-embracing official test.

Show me a test with at least 20-40 malware/rootkit samples then I will consider it more serious.

LUSHER
January 7th, 2008, 08:34 AM
{QUOTE->
Almost all malware cleaning forums don't use AVs to detect and remove rootkits. There must be a reason behind this behaviour, don't you think? <-QUOTE}

Selection effect. Those rootkits that CAN be removed by automated means have usually been removed that way already, so what is left are the ones that need manual removal....

It's like noticing that everyone alive has ancestors who managed to have offspring..... It's a miracle!!!

pykko
January 7th, 2008, 11:36 AM
{QUOTE-> SAS 4.0 improvements:


These tests don't need huge zoos or statistical precision. You just need some random (working) samples and that's all. If AV xxx detects runtime2.sys archived in a malware folder but doesn't detect it when it's loaded in a real system, then AV xxx doesn't detect that rootkit sample when it's subverting the OS. <-QUOTE}
Sorry for off-topic, but where can I download SAS 4 for tests? No clue on their website.

Thankful
January 7th, 2008, 11:44 AM
{QUOTE-> Sorry for off-topic, but where can I download SAS 4 for tests? No clue on their website. <-QUOTE}
Register and log into their support forum. Category is Superantispyware 4.0 Pre-Release. Download from sticky thread.

pykko
January 7th, 2008, 12:01 PM
{QUOTE-> Register and log into their support forum. Category is Superantispyware 4.0 Pre-Release. Download from sticky thread. <-QUOTE}
Thank you!

larryb52
January 7th, 2008, 12:12 PM
thanks for the SAS sticky & on rootkits if I get anymore paranoid from the hazards from the net I might as well shut it off. You just can't keep everything off your computer...

ProSecurity
January 8th, 2008, 07:53 AM
I fail to see how Kaspersky is that much better than NOD32 Antivirus because of these results with rootkits, especially when on real malware Kaspersky's score of 4.5/6 puts it in 5th place, and the best in this test, Rootkit Unhooker, is free.

C.S.J
January 8th, 2008, 08:21 AM
yes 4.5/6 for that, but what did nod32 get?

Drweb scored 5/6 ;) and is also free via cureit

solcroft
January 8th, 2008, 08:32 AM
{QUOTE-> and is also free via cureit <-QUOTE}
Does CureIt! include the same anti-rootkit drivers as the installed version?

ProSecurity
January 8th, 2008, 09:14 AM
{QUOTE-> yes 4.5/6 for that, but what did nod32 get?

Drweb scored 5/6 ;) and is also free via cureit <-QUOTE}

IMO it doesn't matter what ESET NOD32 Antivirus got because it is an Antivirus and I use Antivirus to look for viruses (surprise, surprise!), not rootkits.

Following your logic I could rely on Kaspersky solely and still have 1 rootkit on my system.

Following my logic I could use NOD32 Antivirus which is smaller and scans faster, while using Rootkit Unhooker (5.5/6) which is a FREE application from the OS developer and have one less rootkit. :thumb: 8)

solcroft
January 8th, 2008, 09:21 AM
{QUOTE-> IMO it doesn't matter what ESET NOD32 Antivirus got because it is an Antivirus and I use Antivirus to look for viruses (surprise, surprise!), not rootkits. <-QUOTE}
I suppose you also install anti-trojan, anti-worm, anti-adware, anti-spyware, and anti-script scanners on your computer. ::)

ProSecurity
January 8th, 2008, 09:50 AM
{QUOTE-> I suppose you also install anti-trojan, anti-worm, anti-adware, anti-spyware, and anti-script scanners on your computer. ::) <-QUOTE}


Forgive me if I do not properly acknowledge your attempt at being humorous, but Rootkit Unhooker is a single 94Kb file which is NOT installable.

For me, the inconvenience of running this tiny utility is preferable to the possibility of leaving the rootkit which Kaspersky cannot detect on my system.
;)

solcroft
January 8th, 2008, 09:53 AM
{QUOTE-> Forgive me if I do not properly acknowledge your attempt at being humorous, but Rootkit Unhooker is a single 94Kb file which is NOT installable.

For me, the inconvenience of running this tiny utility is preferable to the possibility of leaving the rootkit which Kaspersky cannot detect on my system.
;) <-QUOTE}
That's a very wise decision. So I suppose you also run all those other tools on your PC.

And oh, let's not forget to add an anti-keylogger to the list, btw.

ProSecurity
January 8th, 2008, 11:02 AM
{QUOTE-> That's a very wise decision. So I suppose you also run all those other tools on your PC.

And oh, let's not forget to add an anti-keylogger to the list, btw. <-QUOTE}

Sir, as I have no compelling desire to have a high post count, the only comment I will make regarding your statement is that this thread is about the results of a rootkit test; when another thread opens regarding "other tools" and anti-keyloggers I will be happy to comment further.

C.S.J
January 8th, 2008, 11:43 AM
Hmm, I do like nod but drweb say an antivirus that can't defend against rootkits is a useless expensive toy.

it is no excuse to say you can use something
else.

dawgg
January 8th, 2008, 12:18 PM
{QUOTE-> I use Antivirus to look for viruses (surprise, surprise!), not rootkits. <-QUOTE}
If "antivirus" software only detected viruses, it wouldn't get far these days seeing as most (if not all) "antivirus" software can be considered anti-malware software, detecting trojans, worms, dialers, keyloggers, spyware, adware etc.

Why would you be looking for a product which only detects viruses and not the others if all competitors will do far more?
Most people look for products which are "jack of all trades, master of all"... all-rounders rather than specialising in one thing... and other products can match that one thing it's specialising in

(I'm not saying NOD only detects viruses by the way!)

Of course, everyone has different opinions and have different POV (Points of views) as to what we expect/want from products :)

ProSecurity
January 8th, 2008, 12:20 PM
{QUOTE-> Hmm, I do like nod but drweb say an antivirus that can't defend against rootkits is a useless expensive toy.

it is no excuse to say you can use something
else. <-QUOTE}

drweb is of course free to try to position their product as best by highlighting its strengths and emphasizing the weaknesses of the competition.

However, it is undeniable that a virus and a rootkit are two fundamentally different things, and the name of ESET's product is NOD32 Antivirus.

Apparently I was deluded in thinking there was a logical reason why:
1. Bitdefender has Bitdefender Antivirus and Bitdefender Total Security.
2. Norton has Norton Antivirus and Norton 360.
3. F-Secure has F-Secure Antivirus and F-Secure Client Security, etc.

Case in Point:
Comodo released a firewall product called Comodo Firewall Pro.
In version 2.4, this product was what its name indicated it to be, a firewall.
In version 3.0, Comodo added HIPS features to their firewall product.
This version is still called Comodo Firewall Pro, however, it is no longer a firewall, but a HIPS product.

Now I would like to take the liberty to replace drweb with Comodo in your comment to highlight its inherent fallacy:
{QUOTE-> Hmm, I do like Kerio Personal Firewall but Comodo say a firewall that can't defend against process terminations is a useless expensive toy.

it is no excuse to say you can use something
else. <-QUOTE}
:)

trjam
January 8th, 2008, 12:25 PM
"Built on the award-winning ThreatSense® engine, ESET NOD32 Antivirus proactively detects and disables more viruses, trojans, worms, adware, phishing, rootkits and other Internet threats than any program available."

I dont know but that blue portion sounds mighty bold.::)

ProSecurity
January 8th, 2008, 12:29 PM
{QUOTE-> Why would you be looking for a product which only detects viruses and not the others if all competitors will do far more?
<-QUOTE}

My point is that I expect my AV product, first and foremost, to be excellent at viruses; whatever other abilities it may have to detect other forms of malware are bonuses; nice bonuses yes, but still bonuses.

It might sound appealing at first to have an omnipotent product, but generally things don't work out best that way, such as was the case with the battleship.

In any case, 4.5/6 is a 75% success rate, and when I was in school 75% was a C grade, and for myself and my peers, a C grade on a report card meant some form of future punishment.

Basically, I don't consider a C grade an indication of doing "far" more.

trjam
January 8th, 2008, 12:34 PM
{QUOTE->
In any case, 4.5/6 is a 75% success rate, and when I was in school 75% was a C grade, and for myself and my peers, a C grade on a report card meant some form of future punishment.
<-QUOTE}
Actually I was rewarded for that letter.;)

ProSecurity
January 8th, 2008, 12:39 PM
{QUOTE-> Built on the award-winning ThreatSense® engine, ESET NOD32 Antivirus proactively detects and disables more viruses, trojans, worms, adware, phishing, rootkits and other Internet threats than any program available.

I dont know but that blue portion sounds mighty bold.::) <-QUOTE}

You see rootkit and expect that means that they are saying they are better at detecting "more...rootkits and other Internet threats than any program available".

We refer to that as selective quoting.

I don't use selective quoting, so I see that they are saying when you take all malware as a whole, they are the best.
Of course, this is all marketing hype, so getting into semantics over this quote is quite silly.
;)

trjam
January 8th, 2008, 12:42 PM
{QUOTE->
We refer to that as selective quoting. <-QUOTE}
We refer to this as, "The Gospel" from where I come from and expect it to be reality.

bigc73542
January 8th, 2008, 12:42 PM
It looks like this whole thread has turned into a personal oneuppance

ProSecurity
January 8th, 2008, 12:43 PM
{QUOTE-> Actually I was rewarded for that letter.;) <-QUOTE}

Congratulations!

ProSecurity
January 8th, 2008, 12:51 PM
{QUOTE-> It looks like this whole thread has turned into a personal oneuppance <-QUOTE}

I thought my position was clear, in that just like how I expect my firewall to be good at firewalling and anything extra is a bonus, I expect my AV to be good at antivirus and anything else is a bonus.
I have no particular affection for NOD32; when my subscription runs out, I may very well switch to Kaspersky or Dr. Web.

Some like all-in-one products, some don't.

Some judge their AVs on rootkit detection, some don't.

C.S.J
January 8th, 2008, 01:23 PM
i don't understand the drivel you are saying,

an antivirus is supposed to only scan for viruses?

as Jeff said, it mentions it in the product description to scan for other threats including rootkits.

what would you say about eset security suite, same AV with firewall and spam, is this not supposed to scan for rootkits or other threats either, it's certainly not got 'antivirus' in the title.

{QUOTE-> Apparently I was deluded in thinking there was a logical reason why:
1. Bitdefender has Bitdefender Antivirus and Bitdefender Total Security.
2. Norton has Norton Antivirus and Norton 360.
3. F-Secure has F-Secure Antivirus and F-Secure Client Security, etc. <-QUOTE}

bitdefender total security is the antivirus + backup / tuneup utilities etc (hence a more TOTAL security package), same for norton 360.

F-secure client security is the same as the home version, but lighter and aimed at business users, so it has Cisco support, and central management, the antivirus is the same!

ProSecurity
January 8th, 2008, 01:30 PM
{QUOTE-> i don't understand the drivel you are saying,
<-QUOTE}

Then I guess it is pointless for me to continue.

Best Regards.

C.S.J
January 8th, 2008, 01:32 PM
{QUOTE-> Then I guess it is pointless for me to continue.

Best Regards. <-QUOTE}
im glad you caught on sooo quickly, thanks for your input :)

Diver
January 8th, 2008, 01:40 PM
It's amazing what a bunch of nonsense this thread has produced. Nearly no technical discussion and at the expense of a bunch of fan boy jubilation.

Anyone around notice that gmer did the best of those tools that are still being developed, and does anyone understand why?

dNor
January 8th, 2008, 01:41 PM
Interesting, thanks for the test post. :thumb:

C.S.J
January 8th, 2008, 01:50 PM
{QUOTE-> Interesting, thanks for the test post. :thumb: <-QUOTE}
you're welcome :)

{QUOTE-> It's amazing what a bunch of nonsense this thread has produced. Nearly no technical discussion and at the expense of a bunch of fan boy jubilation.

Anyone around notice that gmer did the best of those tools that are still being developed, and does anyone understand why? <-QUOTE}


i'm not sure why, didn't it score 5.5 on the malware, same as rootkit unhooker?

haven't tried GMER, but i have tried rootkit unhooker, and there is NO WAY an average user would be able to use that, so maybe it's the same as that, not really something that would be used on a large scale unless simplified.

Diver
January 8th, 2008, 07:04 PM
CSJ,

Clean your glasses, according to the chart at the start of this post, gmer did score 5.5 on malware, it missed the second test by .5 point, but beat everything but rootkit unhooker.

Just because the average guy can't use it is no reason to dismiss this kind of utility, although it may be reason to dismiss some of the resident HIPS and firewalls that are popular around here.

C.S.J
January 8th, 2008, 07:06 PM
{QUOTE-> CSJ,

Clean your glasses, according to the chart at the start of this post, gmer did score 5.5 on malware, it missed the second test by .5 point, but beat everything but rootkit unhooker.

Just because the average guy can't use it is no reason to dismiss this kind of utility, although it may be reason to dismiss some of the resident HIPS and firewalls that are popular around here. <-QUOTE}
clean yours,

i never dismissed it in the slightest.

Diver
January 8th, 2008, 07:08 PM
{QUOTE-> clean yours,

i never dismissed it in the slightest. <-QUOTE}


You need to see The Doctor.

Cooper_it
January 9th, 2008, 03:43 AM
Is the website where this test was originally published only available in Russian? I don't seem to find a button on it to get access to an English version or so.

I'd like to check if they also tested G DATA, which is a double engine scanner that usually performs very well in comparative tests (using Kaspersky and Avast technology).

ProSecurity
January 9th, 2008, 04:04 AM
{QUOTE-> You need to see The Doctor. <-QUOTE}

Just one?

SystemJunkie
January 9th, 2008, 06:12 AM
{QUOTE-> Hmm, I do like nod but drweb say an antivirus that can't defend against rootkits is a useless expensive toy.

Now I would like to take the liberty to replace drweb with Comodo in your comment to highlight its inherent fallacy: <-QUOTE}
Good idea.. drweb is an old-school tool that needs to be replaced or is only useful as a secondary scanner.

Most old-school scanners have the same problem as Windows and the universe itself: it is already built, and if you want to make fundamental changes you must start from 0.. but that is a hard thing if you are already established. Comodo was a fresh thing that "earth-quaked" the whole zombified security scene, especially because their products are free, of high quality and fast reaction. Loool. Fresh wind is always good. Besides, Gmer and RkU were fresh too and showed how non-commercial stuff won against all those bolden money-driven enterprises. In the end the whole story looks like a big comedy scenario.
{QUOTE-> Its amazing what a bunch of nonsense this thread has produced. Nearly no technical discussion and at the expense of a bunch of fan boy jubilation.

Anyone around notice that gmer did the best of those tools that are still being developed, and does anyone understand why? <-QUOTE}
Hehehe, totally true. Exactly my opinion... loool

ProSecurity
January 9th, 2008, 06:33 AM
{QUOTE-> In the end the whole story looks like a big comedy scenario. <-QUOTE}

The best line in the entire thread.

I salute you. :thumb:
:)

Real security on MS PC platforms won't appear until MS releases a new OS environment that says goodbye to backwards compatibility and the default administrator(root) access.

solcroft
January 9th, 2008, 06:38 AM
{QUOTE-> Comodo was fresh thing that "earth-quaked" the whole zombified security scene especially because their products are for free, of High-Q and fast reaction. <-QUOTE}
For what it's worth, the antivirus and HIPS are awful. Haven't tried the firewall, so I won't comment on it.

ProSecurity
January 9th, 2008, 06:48 AM
{QUOTE-> For what it's worth, the antivirus and HIPS are awful. Haven't tried the firewall, so I won't comment on it. <-QUOTE} ???
I realize my comment is OT, but if you haven't tried the firewall, it's hard to understand how you would have an opinion on the HIPS, since they don't make a standalone HIPS...

solcroft
January 9th, 2008, 06:51 AM
{QUOTE-> ???
I realize my comment is OT, but if you haven't tried the firewall, it's hard to understand how you would have an opinion on the HIPS, since they don't make a standalone HIPS... <-QUOTE}
Simple. I ignored the firewall and pretended it didn't exist.

ProSecurity
January 9th, 2008, 07:06 AM
{QUOTE-> Simple. I ignored the firewall and pretended it didn't exist. <-QUOTE}

I think that during installation there is an option to not "install" the HIPS component.
Since I didn't see an option to not install the firewall component, I don't think that by simply ignoring the firewall you will be able to arrive at a sufficiently objective conclusion regarding its HIPS capabilities.

Of course, since I have been wrong before, I may very well be wrong again. :)

solcroft
January 9th, 2008, 07:10 AM
{QUOTE-> I don't think that by simply ignoring the firewall you will be able to arrive at a sufficiently objective conclusion regarding its firewall capabilities. <-QUOTE}
An astute observation. You'll have also observed, of course, that I've already mentioned I have no knowledge of its capabilities and hence refrained from commenting on it.

ProSecurity
January 9th, 2008, 07:12 AM
{QUOTE-> An astute observation. You'll have also observed, of course, that I've already mentioned I have no knowledge of its capabilities and hence refrained from commenting on it. <-QUOTE}

Typo.

Post already edited.

solcroft
January 9th, 2008, 07:13 AM
So how does the firewall influence the HIPS?

ProSecurity
January 9th, 2008, 07:26 AM
{QUOTE-> So how does the firewall influence the HIPS? <-QUOTE}

I don't know if it does.

I remember reading at matousec that they tried to disable the anti-malware component of Zonealarm just to test the firewall and they couldn't.

Isn't there a possibility that the firewall component can't be fully disabled to test the HIPS?

IAC, some people like the HIPS, and even think it is better than standalone HIPS such as SSM.

Personally I think all currently available HIPS are immature.

solcroft
January 9th, 2008, 07:28 AM
{QUOTE-> I don't know if it does.

I remember reading at matousec that they tried to disable the anti-malware component of Zonealarm just to test the firewall and they couldn't.

Isn't there a possibility that the firewall component can't be fully disabled to test the HIPS? <-QUOTE}
:ouch: ... nevermind.

{QUOTE-> IAC, some people like the HIPS, and even think it is better than standalone HIPS such as SSM. <-QUOTE}
It makes more noise. A LOT more, a decent portion of them useless. For some people, that's what it takes to make them happy.

ProSecurity
January 9th, 2008, 07:42 AM
{QUOTE-> :ouch: ... nevermind. <-QUOTE}
I think most likely you came to the correct conclusion, but after seeing some quite inexplicable software designs, I just can't be sure anymore... :-\
{QUOTE-> It makes more noise. A LOT more, a decent portion of them useless. For some people, that's what it takes to make them happy. <-QUOTE}

IMO you can chalk that up to it still being very much work in progress...

ProSecurity
January 9th, 2008, 08:14 AM
Now I understand why the moderators go to such lengths to eliminate "versus" threads.

Since all of these security products do such a shoddy job, the comparison exercise is pointless.

SystemJunkie
January 9th, 2008, 10:08 AM
{QUOTE-> Quote:Originally Posted by SystemJunkie
In the end the whole story looks like a big comedy scenario.

The best line in the entire thread.

I salute you. <-QUOTE} :D :D :D
{QUOTE-> Personally I think all currently available HIPS are immature. <-QUOTE}
True too! At least Comodo brought up a fresh breeze.

Besides, something I found incredible was the fact that RkU was the first tool on this planet that showed us the Shadow SSDT.. such a shame.. why did that stay hidden for so long!! I nearly can't get over this. Two years ago I already talked about the win32k.sys thing but nobody was concerned about it.
{QUOTE-> Now I understand why the moderators go to such lengths to eliminate "versus" threads.

Since all of these security products do such a shoddy job, the comparison exercise is pointless. <-QUOTE}
True words, the whole security story is a shame, we need by far more pros.

cruelsister
January 9th, 2008, 11:11 AM
I wonder if anyone can answer a question about any or all of the anti-virus, anti-rootkit, anti-whatever tests that are being done?

It is without question that the malware selected is only a small subset of actual malware in circulation. In any scientific paper that I've read, when a subset is used there is always a section on statistical significance included (e.g. if there are a total of 100 rootkits in existence, and 4 are used for the test: Product A detects 3/4 or 75%, whereas Product B detects 2/4 or 50%. Although 75% is a lot more than 50%, given the small sample size this difference has no significance whatever).

So in the absence of statistical evaluation in this particular test, and the nastiness of some of the posts here, shouldn't this Thread be Closed?

C.S.J
January 9th, 2008, 11:49 AM
You could look at it that way, but if a product struggles to get the small sample set, what chance has it got against the World Wide Web amount?

That's why percentages are used.

solcroft
January 9th, 2008, 12:12 PM
Like how well DrWeb performs in AV-C?

The smaller the sample set, the more inaccurate the overall results. I'm sure you know perfectly what cruelsister is talking about, Chris. No need to play dumb.

C.S.J
January 9th, 2008, 12:28 PM
I'm not playing dumb solcroft and I do know what he is talking about....

but sample sets sooo large offer absolutely zero information to know if product A will protect a user or not; yes they are credible tests, I'm not disputing that,

why do tests on smaller sets offering real threats give different scores, not just for drweb but for the majority?

You think it's just luck, or pick of the draw?

Sorry for typos, not on my computer.

solcroft
January 9th, 2008, 12:36 PM
{QUOTE-> but sample sets sooo large offer absolutely zero information to know if product A will protect a user or not <-QUOTE}
And you think a test with 6 virii will?

{QUOTE-> why do tests on smaller sets offering real threats give different scores, not just for drweb but for the majority?

You think its just luck, or pick of the draw? <-QUOTE}
Since small tests are statistically meaningless, both, probably.

C.S.J
January 9th, 2008, 12:45 PM
you could say the same for both, this is why I never rely on tests.

But you and me both know, many ppl on here do.

ren
January 9th, 2008, 12:48 PM
Hello,
{QUOTE-> And you think a test with 6 virii will? <-QUOTE}
it depends on different things, for example the unhooking test of nicM with 7 samples was really good, even with just 7 samples...

solcroft
January 9th, 2008, 12:51 PM
{QUOTE-> Hello,

it depends on different things, for example the unhooking test of nicM with 7 samples was really good, even with just 7 samples... <-QUOTE}
An entirely different matter altogether. nicM was testing the ability of HIPS to defend against specific intrusion techniques.

The reason why this is not even remotely applicable to AV testing should be obvious.

ren
January 9th, 2008, 12:55 PM
re,
{QUOTE-> An entirely different matter altogether. nicM was testing the ability of HIPS to defend against specific intrusion techniques.

The reason why this is not even remotely applicable to AV testing should be obvious. <-QUOTE}
you miss the point; quantity does not make quality. You don't need 1xxx rootkits to know the ability of an AV to detect them.

solcroft
January 9th, 2008, 12:57 PM
{QUOTE-> re,

you miss the point; quantity does not make quality. You don't need 1xxx rootkits to know the ability of an AV to detect them. <-QUOTE}
Assuming those 1xxx rootkits behave exactly the same and have the exact same code, then no, I guess not.

JerryM
January 9th, 2008, 01:23 PM
But don't they come one at a time? If so, that one is what the AV has to combat. The other 100K are not of interest at that particular time.

I do realize that a large sample size is more reliable overall, but if the one it misses is the one that attacks me, what do I care if it would have blocked 50K others?>:(

As for the test, I'll just limp along and hope my applications keep me safe.;D

Regards,
Jerry

solcroft
January 9th, 2008, 01:31 PM
{QUOTE-> But don't they come one at a time? If so, that one is what the AV has to combat. The other 100K are not of interest at that particular time. <-QUOTE}
The problem is: how do you know which one.

{QUOTE-> I do realize that a large sample size is more reliable over all, but if the one it misses is the one that attacks me, what do I care if it would have blocked 50K others?>:( <-QUOTE}
Actually, that's exactly why you want a large sample set. The larger the set, the more accurately the test reflects how likely a product is going to block any one sample that attacks you.

JerryM
January 9th, 2008, 11:02 PM
{QUOTE-> The problem is: how do you know which one. <-QUOTE}

You don't, but the one that infects is the only one you care about at any time. If it hits you, your failure rate is 100%.

{QUOTE-> Actually, that's exactly why you want a large sample set. The larger the set, the more accurately the test reflects how likely a product is going to block any one sample that attacks you. <-QUOTE}

I agree with that, but would not ignore the one that it missed if that were the one that attacked me.

It is true that if an AV detects 99% I would rather have it than one that detects 89%. But if I have the 99% it can miss 1% of the malware. Have we not said that no AV can detect 100%?

My only point is that although the test samples were few, that does not disqualify the test. It just makes it less important due to that small sample size. But even then there were those that detected more than others.

There are those who say that the test is not any good due to the small number of samples, but there is still a ranking according to the detection rate.

Regards,
Jerry

ProSecurity
January 9th, 2008, 11:35 PM
{QUOTE-> you could say the same for both, this is why I never rely on tests. <-QUOTE}

That's why I believe that a good security policy should implement, in order of importance:

1. A sound backup strategy
2. Separate operating environments for different tasks.
3. Antivirus, antispyware, firewall and other "security" software.

solcroft
January 10th, 2008, 02:56 AM
{QUOTE-> It is true that if an AV detects 99% I would rather have it than one that detects 89%. But if I have the 99% it can miss 1% of the malware. Have we not said that no AV can detect 100%? <-QUOTE}
Just because you were attacked by that 1% of the malware that antivirus X does not detect doesn't mean its test results are inaccurate.

You need to distinguish between what a test is and is not telling you. It's telling you the percentage of malware it can detect. It is NOT telling you which malware you will get attacked by; this has absolutely nothing at all to do with tests, they were never designed to do this right from the very beginning, and I'm not sure why you're even bringing it up in a discussion about tests.

{QUOTE-> My only point is that although the test samples were few, that does not disqualify the test. <-QUOTE}
Actually, yes, it does.

Claiming anything about the performance of a solution due to its detection rate in a test of six samples is nothing short of ludicrous. For all we know, a solution that scored 100% might be able to detect only those six samples and nothing else, while a solution that scored 0% might be able to detect everything else save for those six. Such a test is not less important - it's entirely worthless, since nothing remotely useful can be inferred from its results one way or another.

ProSecurity
January 10th, 2008, 03:52 AM
{QUOTE-> Claiming anything about the performance of a solution due to its detection rate in a test of six samples is nothing short of ludicrous. For all we know, a solution that scored 100% might be able to detect only those six samples and nothing else, while a solution that scored 0% might be able to detect everything else save for those six. Such a test is not less important - it's entirely worthless, since nothing remotely useful can be inferred from its results one way or another. <-QUOTE}

LOL, I remember the first posts I read here: some members listed all the "security" software they were currently using in their signature, even distinguishing between realtime and on-demand apps.

It reminded me of those military dictators with all those medals on their uniforms.

Somehow, it seemed that the focus for some shifted from the quest for true security to how clever they are to be able to make all these different apps from different vendors work together seamlessly.

ProSecurity
January 10th, 2008, 04:27 AM
Thinking about all these security tests, a similarity came to me.
They remind me of IQ tests.
IQ tests indicate potential, but provide no guarantee of anything whatsoever!

EASTER
January 10th, 2008, 04:33 AM
{QUOTE-> Somehow, it seemed that the focus for some shifted from the quest for true security to how clever they are to be able to make all these different apps from different vendors work together seamlessly. <-QUOTE}

Reminds me of my old habits. ;D

Pile them all in one big heap and if there's no BSOD or performance bite, hey, must be good to go. Then let the malware try to navigate through all that, which of course without HIPS they probably could slip a sliver or two through. Did seem the logical approach at one time, but there is a point where so much is just simply too much; but today with so much better advancements in security technology in the form of Virtuals, Sandboxes, ISRs, HIPS, and so forth, it only takes a choice few to sit secure behind REAL SHIELDING anymore.

ProSecurity
January 10th, 2008, 04:37 AM
{QUOTE-> Reminds me of my old habits. ;D

Pile them all in one big heap and if there's no BSOD or performance bite, hey, must be good to go. Then let the malware try to navigate through all that, which of course without HIPS they probably could slip a sliver or two through. Did seem the logical approach at one time, but there is a point where so much is just simply too much; but today with so much better advancements in security technology in the form of Virtuals, Sandboxes, ISRs, HIPS, and so forth, it only takes a choice few to sit secure behind REAL SHIELDING anymore. <-QUOTE}

Yeah, wow.
Thanks for the insight.

EDIT: Yeah, but how necessary is "REAL SHIELDING" for the average user?

SystemJunkie
January 10th, 2008, 04:55 AM
{QUOTE-> Thinking about all these security tests, a similarity came to me.
They remind me of IQ tests.
IQ tests indicate potential, but provide no guarantee of anything whatsoever! <-QUOTE} Exactly 8) ;D

{QUOTE-> in security technology in the form of Virtuals, Sandboxes, ISR's, HIPS, and so forth, it only takes a choice few to sit secure behind REAL SHIELDING anymore. <-QUOTE} That sounds nice, but not if your whole system was already blue-pilled or vbootkit'ed before (remember you can never be sure, there are millions of possibilities). Then all shields are in vain. Naturally you can reset to zero after reboot, but the things you do on the net will be caught no matter if virtualized or not.

EASTER
January 10th, 2008, 05:33 AM
{QUOTE-> Yeah, wow.
Thanks for the insight.

EDIT: Yeah, but how necessary is "REAL SHIELDING" for the average user? <-QUOTE}

EXTREMELY IMPORTANT!!!


It's the so-called "average user" who is by nature very vulnerable to the state of mind that they have an AV + Windows Firewall and so everything will be just fine. Push and press then carry on mentality while the missed intrusive files begin their mischief on disrupting and/or disabling the normal components of the operating system.

But of course you already know that, right?

solcroft
January 10th, 2008, 05:56 AM
{QUOTE-> EXTREMELY IMPORTANT!!!


It's the so-called "average user" who is by nature very vulnerable to the state of mind that they have an AV + Windows Firewall and so everything will be just fine. Push and press then carry on mentality while the missed intrusive files begin their mischief on disrupting and/or disabling the normal components of the operating system.

But of course you already know that, right? <-QUOTE}
There are users who do perfectly fine with just an AV and Windows Firewall, and there are those who don't.

Doesn't this already give you a hint that user education is what really counts, not how many security apps one can squeeze into their forum sig?

EASTER
January 10th, 2008, 06:13 AM
What good is user education AFTER THE FACT?

I'm speaking of newer exploits, not to mention Windows own limitations. Surely not even you are so naive to believe that just those basic coverages are secure.

I will tip a nod in favor if they run LIMITED, (LUA), XP speaking of course.

solcroft
January 10th, 2008, 06:18 AM
{QUOTE-> What good is user education AFTER THE FACT? <-QUOTE}
The same good it is for everything else. To prevent it from happening again. Of course, educating the user before they get infected is also a desirable option.

Too many people confuse security programs for security. You can give fifty of the best guns in the world to a shitty marksman, and he'll be able to do jack squat with any and all, other than feel good with the fact that he's armed to the teeth.

{QUOTE-> I'm speaking of newer exploits, not to mention Windows own limitations. Surely not even you are so naive to believe that just those basic coverages are secure. <-QUOTE}
Actually, I do. So do plenty of other people, and they have no problems remaining clean.

LUSHER
January 10th, 2008, 09:32 AM
{QUOTE-> LOL, I remember the first posts I read here: some members listed all the "security" software they were currently using in their signature, even distinguishing between realtime and on-demand apps.

It reminded me of those military dictators with all those medals on their uniforms. <-QUOTE}

Indeed.

{QUOTE->
Somehow, it seemed that the focus for some shifted from the quest for true security to how clever they are to be able to make all these different apps from different vendors work together seamlessly. <-QUOTE}

Focus has shifted? As far as I know it has always been like that.

The only thing is that in the past, people differentiated between product classes less, so people only tried to get, say, firewall + AV working.

Then people discovered Antispyware, classic hips, sandbox, behavior blocker, virtualization etc....

So now most people try to juggle all this together.....

JerryM
January 10th, 2008, 09:50 AM
{QUOTE-> Claiming anything about the performance of a solution due to its detection rate in a test of six samples is nothing short of ludicrous. For all we know, a solution that scored 100% might be able to detect only those six samples and nothing else, while a solution that scored 0% might be able to detect everything else save for those six. Such a test is not less important - it's entirely worthless, since nothing remotely useful can be inferred from its results one way or another. <-QUOTE}

Statistically you are correct, but if you get infected by one of the six your AV is 0 protection to you. The odds of a meteorite falling on me are 1 in many millions, but if one does it is 100% for me.

I am happy to know what mine won't detect. However, I would not use a certain AV or change as a result of such a test. I would not rank AVs based on such a test, but if I get infected by the one it missed I don't care about the 100K it would have caught.
That is the reason I only depend upon IBK and AVC.

Anyway I'll leave it at that.

Regards,
Jerry

Dwarden
January 10th, 2008, 06:50 PM
As RKU and GMER are definitely the best in the AR area ...

Sadly the latest versions were not used (I bet both will be like 7.9 ;D

cruelsister
January 11th, 2008, 07:31 AM
I think some may have missed my point about the lack of statistical significance in malware tests.

The point I was trying to make was that the absolute data from these tests are pretty meaningless by themselves. As no test will have all the malware of one type, or all the types of malware in existence, the fact that Product A stops 99% and Product B stops 93% yields no usable information, since depending on the sample size the uncertainty may be upwards of 25-40%.

In my opinion the only generalization that we can draw would be by checking a number of different tests, checking which products consistently score high, then using any of the top 5 with the prettiest GUI.

Any further argument about which product is better is nothing but an exercise in futility (especially as few products are gonna catch zero-day anyway).

Go with the prettiest.
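The sample-size argument in this post and in cruelsister's earlier 3/4 vs 2/4 illustration, worked through as an added example that is not from the thread: it computes Wilson 95% confidence intervals and a two-sided Fisher exact test for those constructed numbers (and for a constructed 99/100 vs 93/100 score), plus how many samples a test would need to pin a 93% rate down to within 2 points.

```python
"""Added example, not from the thread: how much a small-sample detection
test can tell you, using cruelsister's constructed numbers above
(3/4 vs 2/4 detected, and a 99% vs 93% score). Pure standard library."""
from fractions import Fraction
from math import comb, sqrt

Z95 = 1.959964  # two-sided 95% normal quantile


def wilson_interval(detected, samples, z=Z95):
    """95% Wilson score interval for a detection rate of detected/samples.

    Unlike the naive p +/- z*sqrt(p(1-p)/n) it stays inside [0, 1] and
    behaves sensibly for tiny n or rates near 0% and 100%.
    """
    if samples <= 0 or not 0 <= detected <= samples:
        raise ValueError("need 0 <= detected <= samples and samples > 0")
    n, p = samples, detected / samples
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return centre - half, centre + half


def fisher_exact_two_sided(a_hit, a_n, b_hit, b_n):
    """Two-sided Fisher exact p-value for 'A's detection rate differs from B's'.

    2x2 table:          detected   missed
        product A        a_hit     a_n - a_hit
        product B        b_hit     b_n - b_hit
    Enumerates every table with the same margins (hypergeometric) and sums
    the probability of those no more likely than the observed one.
    Exact rational arithmetic avoids float-comparison slips on ties.
    """
    total, hits = a_n + b_n, a_hit + b_hit
    all_tables = comb(total, a_n)

    def prob(x):  # P(product A detects exactly x of its a_n samples)
        return Fraction(comb(hits, x) * comb(total - hits, a_n - x), all_tables)

    observed = prob(a_hit)
    lo, hi = max(0, hits - b_n), min(a_n, hits)
    p = sum(prob(x) for x in range(lo, hi + 1) if prob(x) <= observed)
    return float(p)


def samples_for_half_width(rate, target_half_width, z=Z95):
    """Smallest sample count at which the Wilson interval around an observed
    detection rate is no wider than +/- target_half_width (planning helper)."""
    if not 0 < target_half_width < 0.5:
        raise ValueError("target_half_width must be between 0 and 0.5")
    n = 1
    while True:
        lo, hi = wilson_interval(round(rate * n), n, z)
        if (hi - lo) / 2 <= target_half_width:
            return n
        n += 1


if __name__ == "__main__":
    for name, hit in (("Product A", 3), ("Product B", 2)):
        lo, hi = wilson_interval(hit, 4)
        print(f"{name}: {hit}/4 detected, 95% CI {lo:.0%} .. {hi:.0%}")
    print("Fisher p, 3/4 vs 2/4:       %.3f" % fisher_exact_two_sided(3, 4, 2, 4))
    print("Fisher p, 99/100 vs 93/100: %.3f" % fisher_exact_two_sided(99, 100, 93, 100))
    print("samples for +/-2% at 93%:   ", samples_for_half_width(0.93, 0.02))
```

With four samples the two intervals (roughly 30%..95% and 15%..85%) overlap almost entirely and the Fisher p-value is 1.0; even 99/100 against 93/100 does not reach p < 0.05, which is the point being made about the uncertainty of such scores.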

solcroft
January 11th, 2008, 07:35 AM
{QUOTE-> Go with the prettiest. <-QUOTE}
NOD32 v3 takes the cake in this regard.

Any further recommendations? I know Symantec looks rather pretty as well, but I'm unable to use it, for various reasons.

cruelsister
January 11th, 2008, 07:58 AM
Good point- I amend- Go with the prettiest without the blue screens.