new results from AV-Test.org (Q1/2008)


Valentin_Pletzer
January 22nd, 2008, 03:52 AM
Hi guys!

I just wanted to let you know that Andreas Marx was kind enough to provide me with his newest test results. He is currently in Bilbao, Spain at the Anti-Malware Task Force Meeting.

I published the results in my blog (in German): http://blog.chip.de/0-security-blog/security-suiten-2008-im-test-q12008-20080122/

If you have any questions, please feel free to leave a comment beneath the blog-entry.

Greetings from Munich
Valentin

huangker
January 22nd, 2008, 04:38 AM
Interesting. Not too many surprises there. A few things I noted though,

1) Why does command do worse than fprot when they are using the same engine?
2) Clam is improving, especially as it is only signature based
3) Microsoft is also improving (though other tests have already shown it has improved a fair bit since OneCare v1). It seems to have very strong signature detection but low heuristics.
4) Eset is strong on heuristics but not as good on signature scanning (does that surprise anyone? :P)
5) I just find the fact that VET is at the top of the false positive list and at the bottom of the detection rate sadistically funny.

Blackcat
January 22nd, 2008, 04:57 AM
{QUOTE-> Interesting. Not too many surprises there. A few things I noted though,

1) Why does command do worse than fprot when they are using the same engine?
<-QUOTE}
They are not. CSAV is still using the old 3 engine, so is equivalent to F-Prot 3. In contrast FPAV 6 is tested here and as shown has a much higher detection rate.

Sputnik
January 22nd, 2008, 06:04 AM
Nice, thanks a lot for posting. Personally I'm very pleased to see the performance of avast!, their huge signature additions are paying off. Also TrendMicro is in the detection elevator, best detection of the top 3 brands (Symantec, McAfee, TrendMicro)!

trjam
January 22nd, 2008, 06:08 AM
English translation:

That is really a beautiful surprise. Just now the very newest virus scanner test results arrived in my P.O. box. The results come directly from Andreas Marx and his test laboratory AV-Test, and of course I don't want to withhold them from you. Security suites as of 7 January 2008 were tested under Windows XP SP2 (English). For all products this concerns the best available version (not, however, the beta). The test categories read as follows:
- signature-based test with 1 million malware samples from the last 6 months (thus no outdated viruses)
- false positive test with 65,000 clean files
- proactive recognition with:
+ 3,500 samples in a retrospective test (the signatures were not updated for one week and it was checked which new samples were still recognized)
+ 20 active samples for the behaviour-based test
- response times (based on 55 samples in the year 2007)
- rootkit recognition (12 active samples)
First, the total rating:

dawgg
January 22nd, 2008, 06:17 AM
I'm a little lost... can someone please inform me; If there are 1 million malware samples used, why do some AVs detect more than a million?

I'm surprised Avast did so well and Antivir had so few FPs.
Not surprised Antivir and Kaspersky have amongst the fastest response times.
Surprised by WebWasher getting only 2 FPs.
Wouldn't have expected AntiVir to get + for proactive detection and F-Secure to get ++.

xandros
January 22nd, 2008, 08:05 AM
Good job Avira AntiVir & Avast

I've read many things about AntiVir on many sites and it's excellent

Stijnson
January 22nd, 2008, 08:12 AM
{QUOTE-> 4) Eset strong on heuristics but not as good on signature scanning (does that surprise anyone?) <-QUOTE}

I'm a bit technically challenged, so can someone explain what this means?

Steel
January 22nd, 2008, 08:14 AM
The results of NOD in all categories frighten me much. What happens here? :o

C.S.J
January 22nd, 2008, 08:16 AM
Only 2 fps from drweb?

Am I reading this right?:o

Xenophobe
January 22nd, 2008, 08:32 AM
{QUOTE-> I'm a bit technically challenged, so can someone explain what this means? <-QUOTE}
Eset did a poor job of detecting threats with signatures (which are issued in daily updates) and good in heuristics, which is a method to detect possible viruses.

Stijnson
January 22nd, 2008, 08:39 AM
{QUOTE-> Eset did a poor job of detecting threats with signatures (which are issued in daily updates) and good in heuristics, which is a method to detect possible viruses. <-QUOTE}

Hmmm, okay. Thanks Xenophobe.

I also see Symantec in the list. Does anyone know which version has been tested (where can I find this)? Is this the same as a Corporate version?

solcroft
January 22nd, 2008, 08:43 AM
{QUOTE-> Eset did a poor job of detecting threats with signatures (which are issued in daily updates) and good in heuristics, which is a method to detect possible viruses. <-QUOTE}
Not good enough to help its overall detection score, unfortunately. Do you mean to say that the testers turned off Eset's heuristics for this test?

Paul Wilders
January 22nd, 2008, 08:44 AM
Some vital information is missing as far as I'm concerned: no info concerning the testbed used for the signature test, for example. Is plain adware included, for example? Smart people can come up with more questions like that, I'm sure ;)

All in all, personally I'd like to see far more info about the test conditions before jumping to a conclusion.

That said: for the moment although lacking needed info: congrats to the ones who did score very well.

regards,

paul

Paul Wilders
January 22nd, 2008, 08:48 AM
{QUOTE-> ...Do you mean to say that the testers turned off Eset's heuristics for this test? <-QUOTE}

...and there's the first smart question ;) Has it been tested out of the box, or has it been tested after tweaking?

Keep them coming those questions, ladies and gents! ;)

Stijnson
January 22nd, 2008, 08:48 AM
What I find a bit strange is that NOD32 always scores lower in AV-Test.org tests compared to the AV Comparatives'...
I guess it's also a matter of how things are being tested. I do hope these AV-Test results will be expanded with version numbers of the specified products though. Those seem to be missing.

Dieselman
January 22nd, 2008, 08:50 AM
Doesn't make me feel good about spending $40 on NOD32. Should have kept Avast for free. :'(

Paul Wilders
January 22nd, 2008, 08:57 AM
{QUOTE-> What I find a bit strange is that NOD32 always scores lower in AV-Test.org tests compared to the AV Comparatives'...
I guess it's also a matter of how things are being tested. <-QUOTE}

Bolded part: Bingo! Plus: what sort of samples have been tested?

regards,

Paul

Paul Wilders
January 22nd, 2008, 08:59 AM
{QUOTE-> Doesn't make me feel good about spending $40 on NOD32. Should have kept Avast for free. :'( <-QUOTE}

One should not jump to conclusions without knowing all the needed facts. And this does not go for NOD32 in particular, but for all antiviruses tested ;) .

regards,

paul

aigle
January 22nd, 2008, 09:45 AM
Overall detection of NOD 32 is not good though it has very good heuristics.
They must add a lot of signatures like Avira and others.

HiTech_boy
January 22nd, 2008, 10:08 AM
{QUOTE-> ...and there's the first smart question ;) Has it been tested out of the box, or has it been tested after tweaking?

Keep them coming those questions, ladies and gents! ;) <-QUOTE}


But is there anyone here who can answer such questions, Paul? ;)

Valentin_Pletzer
January 22nd, 2008, 10:09 AM
{QUOTE-> One should not jump to conclusions without knowing all the needed facts. And this does not go for NOD32 in particular, but for all antiviruses tested ;) .

regards,

paul <-QUOTE}

Hi Paul,

To make things easier, here is the original e-mail from Andreas:

All products (in the "best" available Security Suite edition) were last updated on January 7, 2008 and tested on Windows XP SP2 (English).

First, we checked the signature-based on-demand detection of all products against more than 1 Mio. samples we've found spreading or which were distributed during the last six months (this means we have not used any "historic" samples). We included all malware categories in the test: Trojan horses, backdoors, bots, worms and viruses. Instead of just presenting the results, we have ranked the products this time, from "very good" (++) if the scanner detected more than 98% of the samples to "poor" (--) when less than 85% of the malware was detected.

Secondly, we checked the number of false positives the products generated during a scan of 65,000 known clean files. Only products with no false positives received a "very good" (++) rating.

In the case of the proactive detection category, we have not only focused on signature- and heuristic-based proactive detection (based on a retrospective test approach with a one-week-old scanner).
Instead, we also checked the quality of the included behaviour-based guard (e.g. DeepGuard in the case of F-Secure and TruPrevent in the case of Panda). We used 3,500 samples for the retrospective test as well as 20 active samples for the test of the "Dynamic Detection" (and blocking) of malware.

Furthermore, we checked how long AV companies usually need to react in case of new, widespread malware (read: outbreaks), based on 55 different samples from the entire year 2007. "Very good" (++) AV product developers should be able to react within less than two hours.

Another interesting test was the detection of active rootkit samples.
While it's trivial for a scanner to detect inactive rootkits using a signature, it can be really tricky to detect this nasty malware when they are active and hidden. We checked the scanner's detection against 12 active rootkits.


regards
Valentin

C.S.J
January 22nd, 2008, 10:10 AM
These massive tests are interesting at best.

Over 1 million new threats in the last 6 months I find extremely hard to believe.

Just how many of these are real threats that are circling around?

So I wouldn't worry, Paul, about your beloved NOD32 (especially not on these huge tests anyway).

;)

MalwareDie
January 22nd, 2008, 10:26 AM
{QUOTE-> Only 2 fps from drweb?

Am I reading this right?:o <-QUOTE}

65 000 is quite a small number compared to av-comparatives' number of at least 10 million.

Brian N
January 22nd, 2008, 10:49 AM
I've never seen 10mil in a test at av-comp but whatever, Antivir is kicking ass.

C.S.J
January 22nd, 2008, 10:51 AM
{QUOTE-> 65 000 is quite a small number compared to av-comparatives' number of at least 10 million. <-QUOTE}
65k is not small, far from it.

If IBK does use over 10 million, he should be slated for his method of lowering the ratings.

flyrfan111
January 22nd, 2008, 11:11 AM
{QUOTE-> 65 000 is quite a small number compared to av-comparatives' number of at least 10 million. <-QUOTE}


I am not sure where you fabricated this number from, but IBK's largest test set was the latest On Demand in August of 2007 and that test set was a total of 808,344. I am not sure a test set that large could even be tested, by the time you verified that each sample was valid and functional, the test would be irrelevant, it would take more than a few years to collect, sort and verify such a large test set.

Matern
January 22nd, 2008, 11:24 AM
Same test results as ever. The known "good" AVs miss a few samples, the others a little more.
Good to know that freebies like Avast do their job and you don't have to spend money on security software, because nobody needs such placebos to lull the mind.

C.S.J
January 22nd, 2008, 11:41 AM
{QUOTE-> I am not sure where you fabricated this number from, but IBK's largest test set was the latest On Demand in August of 2007 and that test set was a total of 808,344. I am not sure a test set that large could even be tested, by the time you verified that each sample was valid and functional, the test would be irrelevant, it would take more than a few years to collect, sort and verify such a large test set. <-QUOTE}
He means the FP test.

Paul Wilders
January 22nd, 2008, 11:46 AM
{QUOTE-> Hi Paul,

to make things easier. Here is the original e-mail from Andreas <-QUOTE}

Vielmals Dank (Many thanks) Valentin, your contributions are appreciated.

As for this test from Andreas Marx performed on request by the German Chip.de (your employer), there still is some explaining to do.

First: can you confirm no adware/spyware has been part of the testbed used? In case those have been part of the testbed, it will shed quite a different light on this test.

Second: in January 2008, Marx publicly proclaimed his organization received 5,490,960 new malwares - say five and a half million new ones in 2007. At the same time Marx stated that this number included a vast amount of one and the same ones, differently encrypted and/or repacked. The problem is obvious: no way to check how many real new samples have been received. Curious even more, since F-Secure came up with quite some different numbers over here (http://www.f-secure.com/weblog/archives/00001351.html) - 500,000 new samples in 2007. Combining these numbers, Marx indeed has been hyping - putting it mildly.

Third: as for this test, the issue mentioned right above is of real importance. Marx stated using over a million new malwares gathered in the last six months. Now, combining my second and this third comment does at the least raise questions - and even more than that. Logic demands that at the least the one million samples used by Marx are a) hyped and by no means "new malware" for the most part, b) consequently, the test is flawed.

For the record: personally I couldn't care less which Antiviruses do end on top. I use at least ten of them. I do care about solid testing though. As far as my information goes, this does not seem the case as for this particular test. Then again: I do invite you to prove me wrong ;) .

regards,

paul

C.S.J
January 22nd, 2008, 11:50 AM
Paul, these large tests are flawed for the reasons you have given; they give zero clarification whether an AV is good to the most important person, the customer.

trjam
January 22nd, 2008, 11:50 AM
Touché, Paul. :thumb:

TonyW
January 22nd, 2008, 11:56 AM
{QUOTE-> since F-Secure came up with quite some different numbers over here (http://www.f-secure.com/weblog/archives/00001351.html) - 500,000 new samples in 2007. <-QUOTE}
Seeing as F-Secure uses the Kaspersky engine amongst others, this figure tallies with the database record count of Kaspersky products at the time. That figure is somewhere over 527,000 now.

As we know, signature counts vary from vendor to vendor so this isn't a true reflection on how many computer viruses there are, especially when you consider the number of variants of one particular strain.

Matern
January 22nd, 2008, 12:12 PM
You can test in a thousand ways and the results are more or less always the same. It's really a hyped thing, but the user will be infected, because nobody shows him how to get
a "really" secure PC.

@ Paul
If you have to use 10 antiviruses - what's wrong?

TonyW
January 22nd, 2008, 12:15 PM
{QUOTE->
@ Paul
If you have to use 10 antiviruses - what's wrong? <-QUOTE}
Maybe nothing is wrong. Perhaps he likes to see how they work.

Threedog
January 22nd, 2008, 01:14 PM
{QUOTE->

@ Paul
If you have to use 10 antiviruses - what's wrong? <-QUOTE}

You can't be a true Wilders member unless you are running at least half a dozen antiviruses, hips, behavior blockers, firewalls...etc!!!! ;D

Valentin_Pletzer
January 22nd, 2008, 01:20 PM
{QUOTE->
For the record: personally I couldn't care less which Antiviruses do end on top. I use at least ten of them. I do care about solid testing though. As far as my information goes, this does not seem the case as for this particular test. Then again: I do invite you to prove me wrong ;) .
<-QUOTE}

Just to put things into perspective: neither my employer nor I requested those results. But I am glad that I got those results. All I know is that Andreas Marx is currently in Spain, attending some Anti-Malware Task Force conference. My guess: AV-Test.org did the test for the conference and didn't want those results to go to waste.

To answer your first question: I will ask Andreas whether ad/spyware was included or not.

Now my very personal opinion:
I care about solid testing as well. That's why I gather as much information as possible, try to review lots of results and talk to people in my blog, in forums and at conferences like BlackHat and DefCon.

I don't know if Andreas over-hypes the numbers. How could I? But I wouldn't trust F-Secure either (or any other anti-malware company for that matter).

The biggest problem I have is depending on external sources for testing anti-malware engines. That is because I have no way to gather a decent sample set (which should always be up to date).

Question: Why does it matter if those samples are repacked or not? Don't repacked samples simply reflect the current situation? Just to make myself clear: let's assume there were only 20 samples. 10 are the same malware but repacked, 10 are completely different. Scanner A detects all of the repacked samples, but only one of the others. Scanner B detects only one repacked, but all of the others. Is Scanner B really better than Scanner A?

Last but not least: the rankings in my reviews of security software are not based only on pure detection rates. There are a lot of different issues which are important to our readers, like: Does a security suite slow the system down? Are the alerts (firewall AND anti-virus) really understandable to non-tech humans?

Posting the results happened for only one reason: to engage discussions like this. My blog entry ends with the following words: "My interpretation of the data is going to follow in a separate blog entry. I am curious: What program do you use? What is your opinion of the results?"

Thanks
Valentin

Matern
January 22nd, 2008, 01:23 PM
I'm doing all the other things, like hardening, a very strongly configured PC, an alternative browser with strong settings too, controlling my clicking fingers.
I use only a sandbox and an on-demand scanner in combination with well-known download sites. But that is off topic here and my question was off topic, too.

Most of these things we debate in the chip.de forum too, and we debate Valentin's reviews too, and a lot of people do not stand behind these reviews and the virus scanner mindset, because it's only money making and leaves the user with a false feeling of security.

Bunkhouse Buck
January 22nd, 2008, 01:58 PM
{QUOTE-> You can't be a true Wilders member unless you are running at least half a dozen antiviruses, hips, behavior blockers, firewalls...etc!!!! ;D <-QUOTE}

That is precisely what is wrong here. The concept that more is better. It's more-that's all.

Bunkhouse Buck
January 22nd, 2008, 02:00 PM
{QUOTE-> I've never seen 10mil in a test at av-comp but whatever, Antivir is kicking ass. <-QUOTE}

It consistently does so and has done so for a good amount of time. There are many imitators- but Avira is the real deal.

pykko
January 22nd, 2008, 02:06 PM
congratulations to Avira. They rock again.

C.S.J
January 22nd, 2008, 02:06 PM
{QUOTE-> It consistently does so and has done so for a good amount of time. There are many imitators- but Avira is the real deal. <-QUOTE}
It's funny you should use the word imitators, Bunk,

there are 'very few' AVs that ain't an imitator.

Most either use someone else's technology, or simply copy it and call it their own.

Personally, I'd prefer a test of <1000 samples of real-world threats that were manually checked for validity, then tested against the selection of AVs available, rather than 1 million untested samples. Would this be easier and less time consuming? I don't know.

IBK
January 22nd, 2008, 02:16 PM
1) Marx is not overhyping the numbers. (see point 3, then you know why the number of signatures does not equal the number of variants or multiple instances of the same e.g. polymorphic malware)
2) IBK never said anything about 10 millions or any other number. Besides that, IBK is one of the few testers who submits all false alarms to the vendors after the test so that they can fix them.
3) When Marx says over 1 million new samples of the last 6 months, he means files with different MD5. At e.g. F-Secure they count the number of signatures; 1 signature may be able to cover 10000 variants. When it says last 6 months, it could also be some samples which appeared for the first time already many years ago, but which he got somehow during the last 6 months again. There is a lot of malware currently out there, keeping in mind that new variants etc. may be created automatically every second and be a potential risk for users (= it's not malware which exists only in labs and which does not pose any risk in the real world). You may just get one of those variants tomorrow, but you want to be protected against all variants, no matter if you get it in 10 minutes or in 12 minutes.
4) Marx probably did a very detailed report, but maybe Chip just summarized and published basic data without any details, so do not slap Marx for that. Ask Chip instead if they can give more details, so that Chip sees that users want and need the details (version, version number, signature dates, settings, size of various subsets, etc.).
5) Looking at how much new malware circulates and may be a risk for users, many vendors are or are going to include behaviour-based protection technologies, in order to try to block malicious actions at least very shortly before you could get infected, e.g. when the malware is executed. That's why behaviour-based tests need to be done, along with the current on-access/on-demand tests.
6) I am still in Spain too, be back tomorrow. Tired.
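Valentin's twenty-sample thought experiment earlier in the thread and IBK's point 3 (a tester counts files with distinct MD5s, a vendor counts signatures that each cover many variants), worked through as an added example; this is not code from either poster, from AV-Test.org or from AV-Comparatives. The one-byte XOR "packer", the payloads and the two scanners' verdict rules are all constructed for illustration.

```python
"""Constructed model of the 'repacked samples' debate in this thread.

Ten files are the same payload wrapped by a toy packer with ten different
keys, ten files are unrelated payloads. Every file has a distinct MD5 (the
way a tester counts "1 million samples"), but there are only eleven payloads
(the way a vendor counting signatures sees the set). Nothing here is malware.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

Sample = Tuple[str, bytes]  # (family label, file bytes)


def pack(payload: bytes, key: int) -> bytes:
    """Hypothetical one-byte XOR 'packer': same payload, different file bytes."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """Inverse of pack(): strip the key byte and undo the XOR."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_testset() -> List[Sample]:
    """20 distinct files: 10 repacks of family 'A' plus 10 unrelated payloads."""
    family_a = b"FAMILY-A payload (constructed)"
    samples: List[Sample] = [("A", pack(family_a, key)) for key in range(1, 11)]
    for i in range(10):
        payload = b"unique payload %d (constructed)" % i
        samples.append((f"U{i}", pack(payload, 0x5A)))
    return samples


def count_distinct_md5(samples: List[Sample]) -> int:
    """The tester's view: one sample per distinct file hash."""
    return len({md5(blob) for _, blob in samples})


def count_families(samples: List[Sample]) -> int:
    """The vendor's view: one signature per distinct unpacked payload."""
    return len({md5(unpack(blob)) for _, blob in samples})


def detection_rates(samples: List[Sample],
                    detects: Callable[[bytes], bool]) -> Tuple[float, float]:
    """Return (per-file rate, per-family rate) for one scanner.

    Per-file: detected files / all files (raw-count scoring).
    Per-family: families with at least one detected member / all families.
    """
    seen: Dict[str, bool] = {}
    detected_files = 0
    for family, blob in samples:
        hit = detects(blob)
        detected_files += hit
        seen[family] = seen.get(family, False) or hit
    return detected_files / len(samples), sum(seen.values()) / len(seen)


def make_scanner_a(samples: List[Sample]) -> Callable[[bytes], bool]:
    """Scanner A: a generic signature on the unpacked family-A payload (catches
    all ten repacks) plus an exact-hash signature for one unrelated file."""
    one_unique = md5(samples[10][1])
    return lambda blob: (unpack(blob).startswith(b"FAMILY-A")
                         or md5(blob) == one_unique)


def make_scanner_b(samples: List[Sample]) -> Callable[[bytes], bool]:
    """Scanner B: exact-hash signatures for one family-A repack and for all
    ten unrelated files (eleven signatures, no generic detection)."""
    sigs = {md5(samples[0][1])} | {md5(blob) for fam, blob in samples if fam != "A"}
    return lambda blob: md5(blob) in sigs


if __name__ == "__main__":
    ts = build_testset()
    print(f"distinct files (MD5): {count_distinct_md5(ts)}, families: {count_families(ts)}")
    for name, scanner in (("A", make_scanner_a(ts)), ("B", make_scanner_b(ts))):
        per_file, per_family = detection_rates(ts, scanner)
        print(f"scanner {name}: per-file {per_file:.0%}, per-family {per_family:.0%}")
```

Both scanners score 11/20 on the raw file count, exactly Valentin's tie; de-duplicated by payload, A covers 2 of 11 families and B covers all 11, so the counting rule alone decides which scanner "wins".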

C.S.J
January 22nd, 2008, 02:20 PM
{QUOTE->
2) IBK never said anything about 10 millions or any other number. <-QUOTE}
This I knew, or at least thought so.

So 2 FPs in a 65,000 FP test is pretty darn good.

Well, I think so.

And I would not label it as 'many FPs'.

Same goes for practically all of them, with the exception of Fortinet maybe ;)

MalwareDie
January 22nd, 2008, 02:24 PM
Within the antivirus testing tips report of May 2007 released by av-comparatives, it states that the set of clean files should number at least 10 million. That is where I am basing it off from.

C.S.J
January 22nd, 2008, 02:31 PM
{QUOTE-> Within the antivirus testing tips report of May 2007 released by av-comparatives, it states that the set of clean files should number at least 10 million. That is where I am basing it off from. <-QUOTE}
Yep, right you are.

It does say that, but I wonder if IBK uses 10 million+ for his tests.

No matter how many thousand, or million or whatever.... the amounts that are getting detected are practically NOTHING and no ratings should be lowered.

IBK
January 22nd, 2008, 02:40 PM
Ratings SHOULD be lowered. But this year I will change some things a bit, and it will be easier to get higher scores (or in other words, FPs will not have much influence, as I do not think that there will be many FPs anymore).

C.S.J
January 22nd, 2008, 02:46 PM
OK, I will rephrase.

Ratings SHOULD be lowered, but if 30, or 40 or whatever is the amount for a 10 million test set (or even less than 1 million), they shouldn't.

AV-Test have simply said they used 65,000 in their FP test; is there any particular reason why you, IBK, don't disclose the info?

Valentin_Pletzer
January 22nd, 2008, 03:08 PM
{QUOTE->
4) Marx probably did a very detailed report, but maybe Chip just summarized and published basic data without any details, so do not slap Marx for that. ask chip instead if they can give more details, in order that chip sees that users want and need the details (version, version number, signature dates, settings, size of various subsets, etc.).

5) I am still in Spain too, be back tomorrow. tired. <-QUOTE}

Hi and thanks for your insight. I am sorry but CHIP (or better I) did not get more details. But I already sent an email to Andreas Marx.

And most important: Have fun in Spain :-)

virtumonde
January 22nd, 2008, 03:11 PM
So according to the overall results an average, non-techy user who sees the results thinks that AVG and Avast offer more complete protection than Kaspersky and NOD32. I am quite surprised to see that even people on this site don't question this, since in my opinion this is not true. I hope that most people don't believe those tests (not the methodology, or doubt the results, I'm sure they are 100% accurate, but their reflection of the real world (the internet in this case :-)), not the virus lab).

s4u
January 22nd, 2008, 03:13 PM
don't worry we all know these are just tests

IBK
January 22nd, 2008, 03:16 PM
{QUOTE-> OK, I will rephrase.

Ratings SHOULD be lowered, but if 30, or 40 or whatever is the amount for a 10 million test set (or even less than 1 million), they shouldn't.

AV-Test have simply said they used 65,000 in their FP test; is there any particular reason why you, IBK, don't disclose the info? <-QUOTE}

Because the number of files does not contain as much info as you may think; it depends on the kind of files. It makes a difference if 10 million files are used consisting of various kinds of files (like txt files, pictures, videos, as on a normal PC) or if only 10000 files are used but they are all programs likely to trigger a false alarm and were somehow "preselected".

computer geek
January 22nd, 2008, 03:20 PM
I've never seen a recent test where McAfee gets over 95%. :(

C.S.J
January 22nd, 2008, 03:34 PM
{QUOTE-> Because the number of files does not contain as much info as you may think; it depends on the kind of files. It makes a difference if 10 million files are used consisting of various kinds of files (like txt files, pictures, videos, as on a normal PC) or if only 10000 files are used but they are all programs likely to trigger a false alarm and were somehow "preselected". <-QUOTE}
Sorry IBK, but I'm still confused about why the ratings are dropped. ???

The figures of FPs are not a lot, and if rumors are true... that you use a lot more than 65k in your set of clean files, it just seems very... erm... petty.

yeah / no, maybe? ;)

Macstorm
January 22nd, 2008, 07:44 PM
Thanks for the heads up, Valentin.

I like the results ;D

SystemJunkie
January 22nd, 2008, 08:31 PM
{QUOTE-> I'm surprised Avast did so well and Antivir had so few FPs. <-QUOTE}
No surprise; for at least one year avast has belonged to the leading AVs, straight behind AntiVir ;-)

bellgamin
January 22nd, 2008, 09:50 PM
BitDefender & Avira -- verrrry impressive!

DrWeb & VBA32 - sob

NOD - hmmmm

@IBK - my sincere thanks for your very illuminating & commendably impartial comments in this thread. You brought light to the dimness.:thumb:

s4u
January 23rd, 2008, 12:39 AM
{QUOTE-> BitDefender & Avira -- verrrry impressive! <-QUOTE}

It sure looks like BitDefender is getting better and better

apm
January 23rd, 2008, 02:38 AM
{QUOTE-> 5) I just find the fact that VET is at the top of the false positive list and at the bottom of the detection rate sadistically funny. <-QUOTE}
eTrust-VET ++
++ = very good (0 false positives)

apm
January 23rd, 2008, 02:41 AM
There are quite some differences between the AV-Test & AV-Comparatives results for NOD32 & Avast??? :dry:

dawgg
January 23rd, 2008, 05:12 AM
{QUOTE-> There are quite some differences between the AV-Test & AV-Comparatives results for NOD32 & Avast??? :dry: <-QUOTE}
Methodology and malware samples used make a difference :)

Sjoeii
January 23rd, 2008, 05:45 AM
{QUOTE-> eTrust-VET ++
++ = very good (0 false positives) <-QUOTE}
That's immediately the only positive thing about the program

Kees1958
January 23rd, 2008, 06:31 AM
What does not surprise me is that different test sets will generate different test results.

What does surprise me is when Wilders members claim that Antivir (FREE) is a better AV than Avast FREE, based on for instance AV-comparatives test.

In these claims they do not take into account that the free version of Antivir misses the anti-spyware fingerprints (same applies to AVG). So if Antivir Free were compared against Avast Free using a test set containing a lot of spyware/malware, then Antivir probably would score considerably lower, because Avast Free includes the AS/malware fingerprints.

The discussion on Wilders Forum would not focus on the added value of buying Antivir Paid, but on the validity of the test. Help :isay:

huangker
January 23rd, 2008, 06:40 AM
{QUOTE-> eTrust-VET ++
++ = very good (0 false positives) <-QUOTE}

Yeah, as in no FPs but low detection too hehe

Xenophobe
January 23rd, 2008, 06:41 AM
{QUOTE-> What does not surprise me is that different test sets will generate different test results.

What does surprise me is when Wilders members claim that Antivir (FREE) is a better AV than Avast FREE, based on for instance AV-comparatives test.

In these claims they do not take into account that the free version of Antivir misses the anti-spyware fingerprints (same applies to AVG). So if Antivir Free were compared against Avast Free using a test set containing a lot of spyware/malware, then Antivir probably would score considerably lower, because Avast Free includes the AS/malware fingerprints.

The discussion on Wilders Forum would not focus on the added value of buying Antivir Paid, but on the validity of the test. Help :isay: <-QUOTE}
AV-Comparatives tests AntiVir Premium.

Kees1958
January 23rd, 2008, 06:49 AM
{QUOTE-> AV-Comparatives tests AntiVir Premium. <-QUOTE}

Thanks, that is my point: from Avira's site (free = Classic, paid = Premium):

http://www.free-av.com/

Xenophobe
January 23rd, 2008, 06:52 AM
{QUOTE-> Thanks, but that is my point: from Avira's site (free = Classic, paid = Premium):

http://www.free-av.com/ <-QUOTE}
Sorry, I'd misread your post and thought you meant only basing it on AV-Comparative's results.
But yes, Avira Free doesn't have spyware/adware protection. Their nagscreen really likes to remind you. :P

Stijnson
January 23rd, 2008, 07:01 AM
What does it exactly mean if NOD scores lower on 'signature detection'? That too few signatures are added or that the signatures in their updates aren't good enough (not detecting the viruses properly)?

Kees1958
January 23rd, 2008, 07:18 AM
{QUOTE-> Sorry, I'd misread your post and thought you meant only basing it on AV-Comparative's results.
But yes, Avira Free doesn't have spyware/adware protection. Their nagscreen really likes to remind you. :P <-QUOTE}

Yes, but with Vista (file) security options or XPFSE (Fajo XP File Security Extension) it is easy to bypass. Another great tool to compensate in XP Home for the policy editor is ACLView of Native Computer Systems.

dawgg
January 23rd, 2008, 07:35 AM
{QUOTE-> What does it exactly mean if NOD scores lower on 'signature detection'? That too few signatures are added or that the signatures in their updates aren't good enough (not detecting the viruses properly)? <-QUOTE}
{QUOTE-> Signature - The small piece of data used by an antivirus program to recognise a virus is called its signature. Antivirus program datafiles may therefore sometimes be known as signature files. <-QUOTE}
Source: http://www.itservices.manchester.ac.uk/antivirus/whatis/glossary/

Having a low signature detection isn't necessarily bad. Antiviruses may emphasise heuristics more than signatures, which can also aid in detecting malware.

That's why it's better to look at overall detection rather than just signatures.

saffron
January 23rd, 2008, 08:51 AM
{QUOTE-> Second: in January 2008, Marx publicly proclaimed his organization received 5,490,960 new malwares - say five and a half million new ones in 2007. At the same time Marx stated that this number included a vast amount of one and the same ones, differently encrypted and/or repacked. The problem is obvious: no way to check how many real new samples have been received. <-QUOTE}

These are the wild fantasy figures of Antony "At Least 1 Scanner Identifies Every File In My Collection As A Virus" Petrakis.

Not even a team of 500 full time virus researchers can confirm five and a half million samples as malware in 1 year.

It is impossible unless VirusP is working with AV-Test.org and he gave Marx the 5,490,960 real new samples. :)

{QUOTE-> Curious even more, since F-Secure came up with quite some different numbers over here (http://www.f-secure.com/weblog/archives/00001351.html) - 500,000 new samples in 2007. Combining these numbers, Marx indeed has been hyping - putting it mildly. <-QUOTE}

I will much rather believe F-Secure than Andreas "Hype Is My Middle Name" Marx.

{QUOTE-> Third: as for this test, the issue mentioned right above is of real importance. Marx stated using over a million new malwares gathered in the last six months. Now, combining my second and this third comment does at the least raise questions - and even more than that. Logic demands, at the least the one million samples used by Marx are a) hyped and by no means "new malware" for most of the part b) consequently, the test is flawed. <-QUOTE}

Please direct me to a "not flawed" test by Andreas Marx.

Such a test exists only in his own megalomanic mind. 8)

xandros
January 23rd, 2008, 09:16 AM
I changed my antivirus today
I removed Dr.Web antivirus
and I put in Avira AntiVir Antivirus Premium
I love the good detection

trjam
January 23rd, 2008, 09:24 AM
{QUOTE-> I changed my antivirus today
I removed Dr.Web antivirus
and I put in Avira AntiVir Antivirus Premium
I love the good detection <-QUOTE}
Smart choice.;)

IBK
January 23rd, 2008, 10:02 AM
{QUOTE-> Curious even more, since F-Secure came up with quite some different numbers over here - 500,000 new samples in 2007.
I will much rather believe F-Secure <-QUOTE}
Marx is not hyping at all when he says 1 million samples in 6 months. Marx wrote somewhere he gets ~2300 new samples per hour, so 1 million in 6 months looks very low (would be 1.6 million in 1 month).
You also misunderstood what F-Secure wrote. F-Secure did not write that they found 500000 new samples in 2007, they said that they reached 500000 signatures in the period of 1986-2007. In 2007 they added ~250000 signatures. As said, the number of signatures or virus records has not much to do with how many malware (variants) are out there.

TonyW
January 23rd, 2008, 10:11 AM
{QUOTE->
I will much rather believe F-Secure than Andreas "Hype Is My Middle Name" Marx. <-QUOTE}As I said previously, those figures relate to the signature count, which when broken down will be much higher than that. It's the methodology of the count that determines how much they, Kaspersky or indeed any other AV vendor say are in their records. As far as F-Secure/Kaspersky is concerned, the actual malware count is much, much higher than 500,000 if one computes the variants separately.

Paul Wilders
January 23rd, 2008, 10:13 AM
{QUOTE-> @ Paul
If you have to use 10 Antiviruses - What's wrong? <-QUOTE}

I don't have to and I don't have all of them running on various systems. I do have licensed copies, merely for testing on different systems. Comes with the territory ;)

regards,

Paul

Firecat
January 23rd, 2008, 10:25 AM
{QUOTE->
It is impossible unless VirusP is working with AV-Test.org and he gave Marx the 5,490,960 real new samples. <-QUOTE}

Antony Petrakis has ZERO affiliation with AV-test.org and Andreas Marx. Guaranteed :)

Secondly, the numbers of malware that are being described by Marx do not seem erroneous to me if we consider the fact that the F-Secure blog article was referring to a different thing (plus 1 signature may cover thousands of infected samples) and that there are many "variants" (repacked versions) of the same malware.

The test is at least moderately valid IMO. This time they covered more aspects than just the detection rate on-demand which is a good thing. The only real standout for me this time was AVG (which was better than KAV and I was not expecting this); others remained pretty much as they should :)

Paul Wilders
January 23rd, 2008, 10:57 AM
{QUOTE-> Just to put things into perspective: Neither my employee nor I did request those results. But I am glad that I got those results. All I know is that Andreas Marx is currently in Spain, attending some Anti-Malware Task Force conference. My guess: AV-Test.org did test for the conference and didn't want those results to go to waste. <-QUOTE}

Thanks for the explanation Valentin. That said: guessing is just fine. I for one would like to see the Excel sheets coming with all the specs - the common and usual way. There's simply no other way to examine and come to a final conclusion.

{QUOTE-> To answer your first question: I will ask Andreas whether ad/spyware was included or not. <-QUOTE}

Thanks. Andreas Marx has been a contributing member from this board; I do invite him to sign up as a member once more and provide the necessary info and comments.

{QUOTE-> Now my very personal opinion:
I care about solid testing as well. That's why I gather as much information as possible, try to review lots of results and talk to people in my blog, in forums and at conferences like BlackHat and DefCon. <-QUOTE}

I do applaud you for that.

{QUOTE-> I don't know if Andreas over-hypes the numbers. How could I? But I wouldn't trust F-Secure either. (or any other Anti-Malware-Company for that matter.) <-QUOTE}

Now, here's the essence concerning all this: all of us simply don't have access to essential information from the testing organization. Consequently, in the end we all are in the dark here. Here's my point: testing organizations should never merely provide results. In case they do want to go public, needed info has to be provided as well so interested ones can make a judgement based on all the facts. On top of that, revealing test results should come from the horse's mouth directly. In my humble opinion Marx would have done a far better job going public after the meeting in Spain.

{QUOTE-> The biggest problem I have, is depending on external sources for testing anti-malware engines. That is because I have no way to gather a decent sample set. (Which should be always up to date.) <-QUOTE}

External sources in effect are - at the least in an ideal world - independent, very skilled organizations specialized in testing software in combo with malware in this context. I do agree that can be an issue indeed. av-test.org/Marx unfortunately does have a history here. Without going into specifics, I do remember at least one controversy between test(s) performed and made public and at least one security software company questioning the way of testing and consequently the result coming from that. And - they were right. Now, this is not intended as an "av-test.org/Marx bashing". At the most, question marks can and have been all over the web.

{QUOTE-> Question: Why does it matter if those samples are repacked or not? Don't repacked samples simply reflect the current situation? Just to make myself clear: Let's assume there were only 20 samples. 10 are the same malware but repacked, 10 are completely different. Scanner A detects all of the repacked samples, but only one of the others. Scanner B detects only one repacked, but all of the others. Is Scanner B really better than Scanner A? <-QUOTE}

It does matter in a testing environment. It does matter to know whether or not testing has been performed out-of-the-box or software being tweaked to the maximum. It does matter whether samples are or are not detected while executed, instead of being dormant.

{QUOTE-> Last but not least: The ranking in my reviews of security software do not base only on pure detection rates. There are a lot of different issues which are important to our readers like: Does a security suite slow the system down? Are the alerts (firewall AND anti-virus) really understandable to non-tech humans? <-QUOTE}

That's a personal choice I'll have to respect. Focused on security, those issues are of far minor importance - at least in my book.

{QUOTE-> Posting the results happened only for one reason: To engage discussions like this. My blog-entry ends with the following words: "My interpretation of the data is going to follow in a separate blog-entry. I am curious: What program do you use? What is your opinion of the results?" <-QUOTE}

I do understand. Nothing wrong with a solid discussion ;) . Then again: as stated above, without all the needed info coming from the horse's mouth, it does end up in a crippled discussion.

All the best,

Paul

IBK
January 23rd, 2008, 11:21 AM
http://sunbeltblog.blogspot.com/2008/01/latest-antivirus-test-results-from.html

Paul Wilders
January 23rd, 2008, 11:26 AM
{QUOTE-> 1) Marx is not overhyping the numbers. (see point 3, then you know why the number of signatures does not equal variants or multiple instances of the same e.g. polymorphic malware) <-QUOTE}

We may and do have a different opinion here, IBK ;)

{QUOTE-> 2) IBK never said anything about 10 millions or any other number. beside that, ibk is one of the few testers which submits all false alarms to the vendors after the test in order that they can fix them. <-QUOTE}

That's good to know, but outside the scope from this specific thread.

{QUOTE-> 3) when Marx says over 1 million of new samples of last 6 months, he means files with different md5. <-QUOTE}

My point exactly. Different md5's in essence do not say that much. Hexing a sample in a very minor way results in a different/new md5. Fact remains, it still is one and the same sample.

{QUOTE-> at e.g. f-secure they count the number of signatures; 1 signature may be able to cover 10000 of variants. <-QUOTE}

Again: my point exactly. In my humble view, that's a fine way in determining real new malware, vs. bloating about variants being brand new discovered samples. Fact remains: they are variants, no more, no less. Hyping numbers with this in mind is as far as I'm concerned just that: creating a hype.

{QUOTE-> when it said last 6 months, it could also be some samples which appeared for the first time already many years ago, but which he got somehow during the last 6 months again. there is lot of malware currently out there, keeping in mind that new variants etc. may be created automatically every second and be a potential risk for users (= its not malware which exists only in labs and which does not pose any risk in real world). you may just get one of those variants tomorrow, but you want to be protected against all variants, no matter if you get it in 10 minutes or in 12 minutes. <-QUOTE}

It could well be indeed. ITW-revived and hexed samples can be a threat indeed. Heuristics do come into play here.

{QUOTE-> 4) Marx probably did a very detailed report, but maybe Chip just summarized and published basic data without any details, so do not slap Marx for that. ask chip instead if they can give more details, in order that chip sees that users want and need the details (version, version number, signature dates, settings, size of various subsets, etc.). <-QUOTE}

Wrong approach. Marx performed the test - Marx should provide all needed ins and outs needed for all interested ones to come to a fair conclusion - before just dropping the results to any third party. In case Chip is to blame, that's merely because they have been eager to go public without having anything to back up the test results.

{QUOTE-> 5) Looking at how much new malware circulates and may be a risk for users, many vendors are or are going to include behavior-based protection technologies, in order to try to block malicious actions at least very shortly before you could get infected, e.g. when the malware is executed. That's why behavior-based tests need to be done, along with the current on-access/on-demand tests. <-QUOTE}

In essence, that's a good and needed decision - if only marketing-wise.

{QUOTE-> 5) I am still in Spain too, be back tomorrow. tired. <-QUOTE}

I do hope you have recovered in the meanwhile, and have had a safe and sound trip back home ;)

regards,

paul
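
Paul's point that hexing a sample yields a new md5 while it stays the same sample, and IBK's point that one signature may cover thousands of variants, can be put side by side in code. This is an added example, not code from the thread, from AV-Test.org or from any vendor; the "families", their marker bytes and the signature table are constructed placeholders, not real malware or real signatures.

```python
import hashlib
from collections import Counter

# Constructed toy corpus: two "families" whose body carries a fixed marker
# standing in for the byte pattern a vendor signature would match on.
# Placeholder bytes only; nothing here is a real sample.
FAMILY_BODIES = {
    "Family-A": b"\x4d\x5a" + b"\x00" * 16 + b"MARKER-A" + b"\x90" * 32,
    "Family-B": b"\x4d\x5a" + b"\x00" * 16 + b"MARKER-B" + b"\xcc" * 32,
}

# Hypothetical signature table: one pattern per family (bytes 18..26 of the
# body), mirroring the "1 signature may cover 10000 variants" point.
SIGNATURES = {name: body[18:26] for name, body in FAMILY_BODIES.items()}


def hex_variant(body: bytes, seed: int) -> bytes:
    """Simulate trivial 'hexing'/repacking: overwrite two bytes in the
    padding region and append a counter. The signature region is untouched."""
    mutated = bytearray(body)
    mutated[-1] = seed & 0xFF
    mutated[-2] = (seed >> 8) & 0xFF
    return bytes(mutated) + seed.to_bytes(4, "big")


def build_corpus(counts: dict) -> list:
    """Produce counts[family] distinct variants for each family."""
    corpus = []
    for family, n in counts.items():
        body = FAMILY_BODIES[family]
        corpus.extend(hex_variant(body, i) for i in range(n))
    return corpus


def count_unique_md5(samples) -> int:
    """What a 'files with different md5' count measures: distinct hashes."""
    return len({hashlib.md5(s).hexdigest() for s in samples})


def classify(sample: bytes):
    """Return the family whose signature pattern occurs in the sample, else None."""
    for family, pattern in SIGNATURES.items():
        if pattern in sample:
            return family
    return None


def signature_coverage(samples) -> Counter:
    """How many samples each single signature accounts for."""
    return Counter(classify(s) for s in samples)


def count_new_families(samples) -> int:
    """What a signature count measures: families that need their own record."""
    return len({f for f in (classify(s) for s in samples) if f is not None})


if __name__ == "__main__":
    corpus = build_corpus({"Family-A": 1000, "Family-B": 500})
    print("unique MD5 hashes    :", count_unique_md5(corpus))      # 1500
    print("signatures needed    :", count_new_families(corpus))    # 2
    print("samples per signature:", dict(signature_coverage(corpus)))
```

The same corpus counts as 1500 "new samples" by md5 and as 2 by signatures, which is the gap the thread is arguing about.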

Paul Wilders
January 23rd, 2008, 11:37 AM
{QUOTE-> Marx is not hyping at all when he says 1 million samples in 6 months. Marx wrote somewhere he gets ~2300 new samples per hour, so 1 million in 6 months looks very low (would be 1.6 million in 1 month). <-QUOTE}

IBK, no offense intended! - but please define "samples". Please provide a link as for where Marx did make that statement. Apart from that: I for one would like to have some real proof from that statement. It's an easy one to state - it's quite a different story to back it up. Then again: Andreas Marx is very welcome (once more) to revive his membership over here and provide info first hand ;)

regards,

paul

Paul Wilders
January 23rd, 2008, 11:40 AM
{QUOTE-> http://sunbeltblog.blogspot.com/2008/01/latest-antivirus-test-results-from.html <-QUOTE}

Alex is providing kind of "old news" here - even the PDF files don't provide anything new. It has been and still is up to Andreas Marx to provide the needed goods ;) .

regards,

paul

Firecat
January 23rd, 2008, 11:58 AM
{QUOTE-> IBK, no offense intended! - but please define "samples". Please provide a link as for where Marx did make that statement. Apart from that: I for one would like to have some real proof from that statement. It's an easy one to state - it's quite a different story to back it up. Then again: Andreas Marx is very welcome (once more) to revive his membership over here and provide info first hand ;)

regards,

paul <-QUOTE}
*Maybe* this post and the thread in which it was posted (which contains a few more quotes from Marx) might put some insight into this:

http://www.wilderssecurity.com/showpost.php?p=1011379&postcount=102

IBK
January 23rd, 2008, 12:17 PM
@Paul: source -> powerpoint presentation about dynamic testing from Marx, page 4 ("Our AV lab is receiving about 2,000 to 2,500 new unique malware samples per hour!"). That paper is not yet on Marx's website (but he usually puts the papers on his website after some time), but I read this also on some German magazine website at the beginning of January (but don't remember the url yet). I only state what I read and hear; for details or interpretations of what someone means I am not the right person to ask, as I am not related in any way with Marx.

Kees1958
January 23rd, 2008, 12:35 PM
{QUOTE-> Here;s my point: testing organizations should never merely provide results. In case they do want to go public, needed info has to be provided as well so interested ones can make a judgement based on all the facts. <-QUOTE}

Yep, but

In a scientific world your test method is as important as your test result. So scientifically Paul is right. But this is a very aesthetic and old school thinking.

In daily practice popular TV programs do not even bother to mention their test method anymore. They do not provide observations and evaluation criteria in depth, only their interpretation/personal opinion. The problem with interpretation is, you either believe the source or not (who says so). This is common practice and one of the reasons why PCMag tests/reviews for instance are bashed by enthusiasts at Wilders, but noob readers will take their opinion as true, because they trust the source.

Now in the latest years the consumer feedback reports are very popular. When you are looking for a new digital camera, you can find sites which rate them based on results in tests and personal experiences of individual customers. They just reflect the consumer opinion.

Now Paul, instead of behaving old school with a (scientifically) correct argumentation, face the way the internet changes consumption and information handling: go new age.

Provide some stickies/polls with Antivirus and HIPS (all sorts of security apps) where posters are allowed to enter an opinion. When you look at www.twekers.net people can only post evaluations when they have earned good vibes (for instance posts at Wilders). Tweakers has found a nice mechanism to keep negative trolls out (not able to evaluate a supplier).

Paul you are right, but it is not going to change the way test organisations are publishing test results of security apps. They need air time, scoops and headline references. They will become less scientific. So let's innovate the Wilders FORUM (with consumer evaluations: for instance you got an infection using an AV of the brand 'nuts' or brand 'monkey').

Lusher already proposed a poll, http://www.wilderssecurity.com/showpost.php?p=1164955&postcount=62

Inspector Clouseau
January 23rd, 2008, 12:53 PM
{QUOTE-> When you are looking for a new digital camera, you can find sites which rate them based on results in tests and personal experiences of individual customers. They just reflect the consumer opinion. <-QUOTE}

Correct. Let's continue with your example. Just assume that someone who was using a Canon Powershot A<number here> gets his hands on a Canon Rebel Xti (400D). I can guarantee you that he will write that this is the best camera on earth. (Because he compared it directly to his previous one.) Does his opinion make that the best camera for a professional photographer? For sure not, because if he goes the Canon line then he'll pick an EOS 1 with some proper L-Lenses (the red ones). The difference is here: *THIS* guy knows already exactly what *HE* needs, because he's working in that field. HOWEVER, all the readers with no "clue" will start telling their neighbors there's nothing better than a 400D with standard lenses until they see some "better" results. Got the message? ;D

Kees1958
January 23rd, 2008, 01:02 PM
{QUOTE-> Correct. Let's continue with your example. Just assume that someone who was using a Canon Powershot A<number here> gets his hands on a Canon Rebel Xti (400D). I can guarantee you that he will write that this is the best camera on earth. (Because he compared it directly to his previous one.) Does his opinion make that the best camera for a professional photographer? For sure not, because if he goes the Canon line then he'll pick an EOS 1 with some proper L-Lenses (the red ones). The difference is here: *THIS* guy knows already exactly what *HE* needs, because he's working in that field. HOWEVER, all the readers with no "clue" will start telling their neighbors there's nothing better than a 400D with standard lenses until they see some "better" results. Got the message? ;D <-QUOTE}

Yes, but therefore you should make it like who saved your (censored), what package did not protect you from infection.

Dear Inspector Clouseau, this is correct. Psychologists have proven that before you are buying something you might rate A versus B as 49% to 51%. Shortly after the purchase this will shift to 43% to 57% and three months later it will be 30% versus 70%. So even taking this distortion into account, people are seriously looking at those user experience sites.

So although I just gave an argument against my statement (meaning user experiences are unreliable and only related to their own previous experience), daily practice adds proof to my statement: let's innovate Wilders Security with experience polls (like Lusher suggested).

Inspector Clouseau
January 23rd, 2008, 01:10 PM
It goes even more beyond this... Let's ask a very straight forward question. Would you admit to other people that you bought crap? (Besides Family Members...) Ofc you try to avoid that because it makes you look "stupid" 'coz they assume u were not evaluating/researching it before you bought it. Thus, you try to "promote" your PERSONAL selection even with the fact that you know it is NOT perfect as you would like to have it. I'll tell you something...

*IF* i would ever believe in PUBLIC made (by different, unknown people) tests i'd be driving around with a "LEXUS OWNERS CLUB" sticker on my car, even if it's not a lexus.

Miyagi
January 23rd, 2008, 01:14 PM
{QUOTE-> "LEXUS OWNERS CLUB" sticker on my car, even if it's not a lexus. <-QUOTE}

BTW - Looks like a Subaru. :P

C.S.J
January 23rd, 2008, 01:15 PM
good to see you back posting IC,

so are you in agreement of Paul or not? :blink:

and whats your general idea about such huge tests?

Inspector Clouseau
January 23rd, 2008, 01:17 PM
{QUOTE-> BTW - Looks like a Subaru. :P <-QUOTE}

Could be, I found that picture in some discussion where they wrote that this sticker attracts women. As long as the windows are black and no door opens there is for most of the drivers quite a good chance that this actually might work for a few sec.

Miyagi
January 23rd, 2008, 01:21 PM
How about viagra? ;D

Back on topic, even though my F-PROT was not on the ++ side, it sure is improving. Keep up the good work!

Kees1958
January 23rd, 2008, 01:24 PM
{QUOTE-> It goes even more beyond this... Let's ask a very straight forward question. Would you admit to other people that you bought crap? . <-QUOTE}

YES, I once bought new oversized pistons for my racer. It just did not work out. Because I shared this info, my dealer found a few cheap race exhausts, which might be a solution but were of a different model. I bought them and I am very very very very very very very very happy now.

{QUOTE-> Thus, you try to "promote" your PERSONAL selection even with the fact that you know it is NOT perfect as you would like to have it. <-QUOTE}

NOOP, and it does not work that way in general. There is a satisfaction threshold which turns dissatisfied consumers into real trolls and determined product bashers.

There is an applicable formula which skips the average bandwidth and only takes the very very satisfied users and the disappointed users into account, where a 10 was great and below a 6 is unsatisfactory. The 5 to 8 ratings should be skipped on average.

But let's switch to a consumer behavioral forum where marketeers and psychologist take part in the discussion, not on Wilders Security.

Inspector Clouseau
January 23rd, 2008, 01:33 PM
{QUOTE-> so are you in agreement of Paul or not? :blink:
<-QUOTE}

As you prolly noticed paul is still alive and posting that means i didn't have my argument with him *yet*. ;D

But I can confirm (or let's better call it back up) that you can easily reach such a number of samples within 6 months. Sure, you will have huge amounts of the SAME or at least VERY SIMILAR virus group (example: Tibs) *BUT* (and that is the important point (!)) they are from a binary point of view DIFFERENT from each other (poly layer etc). There are hundreds of thousands of new backdoors (technical note... we shouldn't call them *NEW*, but "Variant") of all "RMPITB" Trojans/Backdoors such as Hupigon's. To give you some idea... Last month alone 1820 DIFFERENT Password Stealers for the Online Game LINEAGE. Go figure. One Game - 1820 malwares in ONE month. All Chinese binaries.

djohn
January 23rd, 2008, 01:36 PM
Ok, if these tests are totally honest and accurate, how does avast score a higher percentage than nod or drweb with no heuristics in place other than their email scanning? And if these tests were all repeated again with all the exact same settings and procedure, would the test reveal the exact same results? Please don't get me wrong, I have always liked avast and thought of it as a quality, well rounded program that always seems to be getting better. I am just curious how such strong heuristic scanners as nod and drweb can fall behind avast percentage-wise.

C.S.J
January 23rd, 2008, 01:39 PM
i really do question the 99% or whatever AV's, about what they are really adding to their database. ::)

lucas1985
January 23rd, 2008, 01:39 PM
{QUOTE-> "RMPITB" Trojans/Backdoors <-QUOTE}
And "RMPITB" means what? Thanks and I'm glad to see you posting again :)

Paul Wilders
January 23rd, 2008, 02:49 PM
{QUOTE-> @Paul: source -> powerpoint presentation about dynamic testing from Marx, page 4 ("Our AV lab is receiving about 2,000 to 2,500 new unique malware samples per hour!"). That paper is not yet on Marx's website (but he usually puts the papers on his website after some time), but I read this also on some German magazine website at the beginning of January (but don't remember the url yet). I only state what I read and hear; for details or interpretations of what someone means I am not the right person to ask, as I am not related in any way with Marx. <-QUOTE}

Fair enough, Andreas ;)

regards,

paul

Paul Wilders
January 23rd, 2008, 03:01 PM
{QUOTE-> As you prolly noticed paul is still alive and posting that means i didn't have my argument with him *yet*. ;D <-QUOTE}

Grin ;D

{QUOTE-> But i can confirm (or lets better call it backup) that you can easily reach such number of samples within 6 months. Sure, you will have huge amounts of the SAME or at least VERY SIMILAR virus group (example: Tibs) <-QUOTE}

No argument here.

{QUOTE-> *BUT* (and that is the important point (!)) they are from a binary point of view DIFFERENT from each other (poly layer etc). <-QUOTE}

In essence: this is true in various cases.

{QUOTE-> There are hundred thousands of new backdoors (technical note... we shouldn't call them *NEW*, but "Variant") <-QUOTE}

Variants indeed ;)

{QUOTE-> ...of all "RMPITB" Trojans/Backdoors such as Hupigon's. To give you some idea... Last month alone 1820 DIFFERENT Password Stealers for the Online Game LINEAGE. Go figure. One Game - 1820 malwares in ONE month. All Chinese binaries. <-QUOTE}

I for one won't argue that. The overall issue concerning testing as well as revealing all needed info coming with it still holds.

Paul Wilders
January 23rd, 2008, 03:11 PM
{QUOTE-> Yep, but

In a scientific world your test method is as important as your test result. So scientifically Paul is right. But this is a very aesthetic and old school thinking.
<-QUOTE}

...and as far as I'm concerned, we'll stick to the approach mentioned above. Just call me old fashioned ;) . We're not in the "consumer business" and the tactics coming with that. In case people do look for the easy way out: "most votes do count, whatever the reason", they are on the wrong spot over here anyway.

regards,

paul

Coolio10
January 23rd, 2008, 03:47 PM
Sorry for the offtopicness but i just noticed the experts are back.

Welcome back Paul and Inspector Clouseau :D

computer geek
January 23rd, 2008, 04:33 PM
{QUOTE-> i really do question the 99% or whatever AV's, about what they are really adding to their database. ::) <-QUOTE}
Just because they got 99% in one test does not mean it protects you 99%; there are other tests and plus, how likely is it that these are indeed the samples you get infected with in the wild? Oh and coolio, if you're saying you salute m:D c:D a:D f:D e:D e:D , I am honoured.;D

Diver
January 23rd, 2008, 04:35 PM
Does this thread have something to do with Nod32 having a relatively poor showing, because if it was McAfee or something like that nobody would care.

Coolio10
January 23rd, 2008, 04:41 PM
{QUOTE-> Does this thread have something to do with Nod32 having a relatively poor showing, because if it was McAfee or something like that nobody would care. <-QUOTE}
It's been like that for a while, get used to it :) .
If kaspersky or nod32 get a bad score then all hell breaks loose.
If they did good then everyone would be saying congrats to eset instead of accusing the results of being bad.

Exactly, who cares about norton or mcafee when there's nod32 or kaspersky........;)

It's the food chain of antiviruses.

computer geek
January 23rd, 2008, 04:45 PM
{QUOTE-> Does this thread have something to do with Nod32 having a relatively poor showing, because if it was McAfee or something like that nobody would care. <-QUOTE}
actually yes, nod did do quite bad in (beaten by m:D c:D a:D f:D e:D e:D :P :P :P ) this thread but still, mcafee is a big company and some people do care about what they get. ;)

C.S.J
January 23rd, 2008, 04:51 PM
what I find funny is how they always refer to the 1%, as if they were unlucky.

regardless of how good IBK and Marx think they are, I'm not buying it, that there are good high numbers of junk files, non-executable files, corrupted files, memory dumps etc.

however, IBK is kind enough to send off the files to the vendors which is great, and yes I ain't saying drweb is perfect.... a few thousand are always added from the DVDs, but also... much is also discredited for not being useful by drweb's own AV LAB.

these high tests which are sorted using automatic tools, and 'what ifs' are just not reliable for the real threats that are circling the internet, regardless of whether Marx wants to state the million 'variants' are all from the last 6 months.

when I constantly see drweb fail these tests, it makes me wonder what actual junk many of the AVs are adding, especially the files drweb have checked and verified for themselves to be useless; many detect them. This is why I wonder about what junk the 99% AVs are adding, crapware to their database. (let me guess, it's these AVs that have lots of signatures per day arriving, a large MB database with slower downloading updates, go figure, but the customer, you and I, will always think these are genuine threats.)

Cartoonboy's latest thread is a perfect example of a real world threat that most AVs can't handle properly. Deleting the archive is not good enough for prevention/cleanup or whatever you want to call it.

There are many imitators in the AV market, companies that either use someone else's technology or simply copy it and call it their own, and there are companies which always develop their own technology.

of course, I could go on for days and days with this matter; the same topic seems to pop up every time one of these large tests arrives. I too also understand why Paul has entered into the argument, because of Nod32's poor showing as well, & I also understand why a lot of people don't enter the argument, because if their AV shows 'good', they live a happy existence on this board, and besmirch anyone who challenges the results, even if reasons are given.

end of rant for now, I shall let Paul have a go ;)

but I'm sure something else will come to mind, in due course.

peace ;D

computer geek
January 23rd, 2008, 05:09 PM
{QUOTE-> ...
these high tests which are sorted using automatic tools, and 'what if's' are just not reliable for the real threats that are circling the internet, regardless of whether Marx wants to state the million 'varients' are all from the last 6 months.

when i constantly see drweb fail these tests, it makes me wonder what actual junk many of the AV's are adding, especially the files drweb have checked and verified for themselfs to be useless, many detect them. This is why i wonder about what junk the 99% av's are adding, crapware to their database. (let me guess, its these AV's that have lots of signatures per day arriving, a large MB database with slower downloading updates, go figures, but the customer, you and I will always think these are genuine threats. <-QUOTE}
I don't know if you were trying to say this but in my opinion, these people should be concentrating on adding proper detections, not adding old and gone and no-threat viruses into their databases, but that's marketing. They need this to get money for old protection...

Joliet Jake
January 23rd, 2008, 06:14 PM
{QUOTE-> Marx is not hyping at all when he says 1 million samples in 6 months. Marx wrote somewhere he gets ~2300 new samples per hour, so 1 million in 6 months looks very low (would be 1.6 million in 1 month).
You also misunderstood what F-Secure wrote. F-Secure did not write that they found 500000 new samples in 2007, they said that they reached 500000 signatures in the period of 1986-2007. In 2007 they added ~250000 signatures. As said, the number of signatures or virus records has not much to do with how many malware (variants) are out there. <-QUOTE}


How on earth can someone or a group get through that many submissions?

OK, you get 2,300 samples in an hour, how do you check them to see if they are malware or not? By 'hand'? By this I mean actually investigate the code or is it run through some kind of scanner?

My point is, unless each one is looked at individually by someone expert in detecting whether a sample is actually malware what are you relying on to tell you if it's malware or not?

To me, who has no knowledge of how this is done, it looks humanly impossible for people to go through that amount of samples verifying each one, which leads me to the following question-

IN a sample size of tens of thousands to a million, are all of these verifiably malware? Could a percentage be false positives, corrupted or otherwise inert?

Thanks in advance.

JJ

trjam
January 23rd, 2008, 06:22 PM
In the end what does it matter. None were 100 percent. It just goes to show, no matter which you use, you still need to add to each some backup.;)

Joliet Jake
January 23rd, 2008, 06:35 PM
{QUOTE-> In the end what does it matter. None were 100 percent. It just goes to show, no matter which you use, you still need to add to each some backup.;) <-QUOTE}

It matters to the companies and people who buy their products. If samples in a test, any test, are not all verifiable malware then what can you say about the results of that test?

If anti virus company (A) adds any old tat and calls it a definition but anti virus company (B) only adds verified malware, then any test that includes a load of tat samples is going to skew the results in favour of anti virus company (A) (not purposely).

Which brings me back to my question of who verifies all these samples and how do they do it!

IBK
January 23rd, 2008, 06:38 PM
@Joliet Jake: I do not get 2000+ samples per hour.

trjam
January 23rd, 2008, 06:41 PM
Yes and no. Look at Computer Associates, ranks always near the bottom, but focuses on the corporate environment and is one of the largest around. I don't think they sit by twiddling their thumbs waiting on tests to be published. Same for Panda, in the middle but still focuses on selling their products to companies. I think sales to the lone individual are small in the scope of profits. But I can't disagree with you either. My statement was more in line with us, the individual.

Don't focus on the percent achieved, but the large number missed. And that is what is scary, even for GData and the others. It just says don't think that by buying number one your ass is covered.

C.S.J
January 23rd, 2008, 06:48 PM
{QUOTE->

Which brings me back to my question of who verifies all these samples and how do they do it! <-QUOTE}
automated tools, but i ain't sure how they do it, and i doubt you will find that info.

Joliet Jake
January 23rd, 2008, 07:06 PM
{QUOTE-> @Joliet Jake: I do not get 2000+ samples per hour. <-QUOTE}

Yeah I know, it was Marx. Sorry I quoted your post and should have made it clear in my post.

My post was a more general one asking how all this is done rather than being directed at any individual. ;)

Joliet Jake
January 23rd, 2008, 07:08 PM
{QUOTE-> automated tools, but i ain't sure how they do it, and i doubt you will find that info. <-QUOTE}

Who 'writes/configures' the automated tools? Can an automated tool tell you if a new sample is malware or not with accuracy?

For me, until I know how these things are done how can I trust the conclusions of any test?

trjam
January 23rd, 2008, 07:13 PM
{QUOTE-> Who 'writes/configures' the automated tools? Can an automated tool tell you if a new sample is malware or not with accuracy?

For me, until I know how these things are done how can I trust the conclusions of any test? <-QUOTE}
I am sure there isn't a text book written on the proper procedures for testing. Therefore you are left with that old guiding principle of "trust". You and only you can decide who you trust and whatever their measurement and procedures are for testing. I trust IBK, others may disagree. It is a crap shoot and your question is very valid, but unfortunately one that will never get answered to the satisfaction of all.;)

Joliet Jake
January 23rd, 2008, 07:15 PM
{QUOTE-> I am sure there isn't a text book written on the proper procedures for testing. Therefore you are left with that old guiding principle of "trust". You and only you can decide who you trust and whatever their measurement and procedures are for testing. I trust IBK, others may disagree. It is a crap shoot and your question is very valid, but unfortunately one that will never get answered to the satisfaction of all.;) <-QUOTE}

Damn!

Nah, I just wonder how so many samples can be verified accurately. Surely to goodness someone on here knows how it's done.;D

My original post was not about IBK (although I did quote his post it was the huge sample number a month that got me thinking), but about how that many samples could possibly be checked.

C.S.J
January 23rd, 2008, 07:22 PM
{QUOTE->
For me, until I know how these things are done how can I trust the conclusions of any test? <-QUOTE}
simple, you can't.

i've always said they should be a guide only.

i do like IBK's tests though, mainly for his presentation/reports, and shall look forward to the next one :thumb:

but, relying on these as a detection test? i've never done that, as i realllllly don't like these massive tests, but hey, that's just my personal opinion.

i do find them interesting, but quite useless for the people who purchase licences for AVs, because....

fact is, people look at these results and decide their fate when trying/buying their antivirus, we know everyone does this right?

and on these massive tests & the way they are performed etc, i find this extremely misleading.

edit: --- none of this is a personal jibe at IBK or Marx, just what i think about these big tests ;)

Diver
January 24th, 2008, 12:41 AM
{QUOTE-> Its been like that for a while, get used to it :) .
If kaspersky or nod32 get a bad score then all hell breaks loose.
If they did good then everyone would be saying congrats to eset instead of accusing the results of being bad.

Exactly, who cares about norton or mcafee when there's nod32 or kaspersky........;)

Its the food chain of antiviruses. <-QUOTE}

I am used to it, I thought that I would say something about it. There are a lot of fan boys with the AVs. It's amazing, as it is very hard to really know what is better protection. No wonder the mods had to ban A vs B threads.

Firecat
January 24th, 2008, 03:50 AM
{QUOTE->
Who 'writes/configures' the automated tools? <-QUOTE}

Some of the tools are written by people working at AV companies and other tools are written/coded by the testers themselves.

{QUOTE-> Can an automated tool tell you if a new sample is malware or not with accuracy? <-QUOTE}

Yes and no. They do identify and remove lots and lots of corrupted files, but thousands still remain after the tools are done with their checking. At that point, I know that testers at least make some effort to check samples themselves, but obviously that is a tedious and difficult job so every sample cannot be checked. In any case; I know that at least for AV-comparatives; the resultant number of corrupted files in the final test set are not very significant with regards to the detection rate of various AV products (and there will be a paper next month on AV-comparatives which will show you just how significant the differences would be).

{QUOTE-> much is also discredited for not being useful by drwebs own AV LAB. <-QUOTE}

I would not place too much trust in what Dr.Web says. After all, one needs to realize that they need to keep their customers having trust in their product......But dunno. To be honest, until AV-comparatives' paper is released in February; one cannot take Dr.Web's ramblings about the AV-comparatives test set as truth.

{QUOTE->
when i constantly see drweb fail these tests, it makes me wonder what actual junk many of the AV's are adding, especially the files drweb have checked and verified for themselfs to be useless, many detect them. This is why i wonder about what junk the 99% av's are adding, crapware to their database <-QUOTE}

Granted some AVs do add crap; but from my submission experiences I know very well that many, many vendors other than Dr.Web also do not add "crap". Just because Dr.Web suddenly is scoring somewhat low does not mean other AVs are adding crap and this crap is what is making them score well. Like I said; any inferences or conclusions made from Dr.Web's comments on test sets can only be verified after the paper from AV-C has been released, which will show the impact on the statistics due to the corrupted files.

AV-test is a different story; I do not know much about how they are handling their test set. :-\

{QUOTE->
There are many imitators in the AV market, companys that either use someone elses technology or simply copies it, and calls it their own, and there are companys which always develop their own technology. <-QUOTE}

Ahh, famous Daniloff quote ;D

But we never did know who those five were who developed their own technology (apart from Dr.Web of course)....:)

Fuzzfas
January 24th, 2008, 04:12 AM
{QUOTE-> I am used to it, I thought that I would say something about it. There are a lot of fan boys with the AVs. It's amazing, as it is very hard to really know what is better protection. No wonder the mods had to ban A vs B threads. <-QUOTE}

Well, maybe we don't know what better protection is, but some avs , according to tests, make even HIPS pale. ;D

Anyway, always interesting watching so many people getting interested in these tests. I guess this is why such tests occur.

P.S.: I believe in Jotti's. Makes tests pale. ;D

IBK
January 24th, 2008, 04:18 AM
the corrected result for e.g. Dr.Web in the August test is 89.94%. ranking and awards remained unchanged for all products.
will try to compose and release the document during the next weeks.

Inspector Clouseau
January 24th, 2008, 04:18 AM
{QUOTE-> And "RMPITB" means what? Thanks and I'm glad to see you posting again :) <-QUOTE}

Means (from a vendors view) "Royal Major Pain In The Butt" Trojans.

Inspector Clouseau
January 24th, 2008, 04:58 AM
Folks, keep in mind that those AV Tests (no matter from whom!) only give you a brief OVERVIEW. An OVERVIEW is supposed to include *ALL DIFFERENT USERTYPES*. To get your own "perfect" AV Test the approach would be as follows:

You write down in a paper:

1. Your Operating System (That the tester knows what platform he has to test)

2. All your installed Software (That the tester knows what types of additional application data you can use) Example: If you DON'T have Excel/Word or something similar installed, the chance is much lower that you get infected by a XLS (Excel) file that contains a virus, since you have no application to "activate" this virus. You'd have this virus on your system but it would be "harmless" on your system. Not nice, especially if you intend to share that file, but still *YOU* won't be affected by it.

3. Most of the Malware comes via Internet Surfing / Emails / Exploits
That said, the tester needs to know *YOUR* Internet behavior. For someone who does daily P2P downloads the "optimal" test looks COMPLETELY different from the test the tester had to perform for a normal office workstation. Another example: If you play World of Warcraft you'd be pissed to the maximum when you find out that your AV missed a WoW trojan and your gaming account got hacked and your character is naked and nearly 2 years of raiding time in instances are "gone". That wouldn't be such a big drama on another machine where no WoW is running. THAT BOILS DOWN TO THE (ONLY VALID ONE!) CONCLUSION: The IMPORTANT virus is *ALWAYS* the virus that affects your own system in a negative way.

AND NO ANTIVIRUS TESTER IN THE WHOLE WORLD CAN DETERMINE THAT IN AN OVERALL TEST FOR *YOUR* SYSTEM. Period. Those tests are made to cover "as much as possible" users, but they DON'T reflect the best av program for *YOUR* personal use!

You have of course a higher chance that a program that covers more viruses in overall detection also detects this specific virus you have to deal with. BUT (and that is no joke!) sometimes an AV program that scores medium results in such tests would be the better choice for *YOUR* personal requirements.

If you play MMOG (Online Games such as WoW etc) your best choices would be Microsoft / F-Prot and 2 other AV programs. As for Microsoft and F-Prot i can confirm that. I do know MS guys from the lab which are playing WoW (They play alliance ;D) and i know who from our viruslab plays it ;) And yes, i play myself a Blood Elf Rogue in Gladiator Set ;D So it's most likely that we encounter such malware (and pay attention to it!) as soon as we hear/see something. We do not put highest priority on it, but it gets included since several employees have a "personal" interest in it :D RISING Antivirus from China otoh has a terribly good detection with LINEAGE trojans. No wonder, that is in China more popular than WoW and most of the trojans are written in China/Korea for it.

FIND A WAY TO SUM UP YOUR BEHAVIOR/SYSTEM and find the suitable AV for it! That's YOUR job and not the antivirus testers!

IBK
January 24th, 2008, 05:06 AM
:thumb:

Diver
January 24th, 2008, 09:07 AM
@ Inspector Clouseau

The corollary to what you say is, if you really don't need it, don't put it on your system, because it's just another avenue of attack. This is particularly true for media players like Quicktime and Real Media.

It's also pretty hard to identify which AVs protect online games (or whatever) particularly well. Not everyone has your sources of information. My guess would be the big names do real well on MS Office related stuff, as they are aimed at the mainstream customer.

lucas1985
January 24th, 2008, 12:42 PM
{QUOTE-> Means (from a vendors view) "Royal Major Pain In The Butt" Trojans. <-QUOTE}
LMAO ;D

TonyW
January 24th, 2008, 02:58 PM
Alex of Sunbelt has written a blog post about the growth of malware, which might be interesting to those who made comments earlier in this thread disputing the figures:

http://sunbeltblog.blogspot.com/2008/01/growth-of-malware.html

He puts over the point well thus:{QUOTE-> It's worth noting that these numbers are also increasing because of variants -- i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it's not like there's over 5 million unique pieces of malware. There are many that are variants of the same piece of malware. <-QUOTE}One or two of you have asked how such samples can be gathered and checked:{QUOTE-> Like most companies, we’re processing gigabytes of malware daily. Our automated systems like our Sandbox help; but in the end, manpower plays a key role in being ahead of the game. There’s the HUMINT aspect, like hunting down new malware and tracking IPs and locations of the bad guys; but also reverse engineering and specialized code and signatures created for difficult malware. And, there's difficult coding needed to deal with rootkits and the like. <-QUOTE}

ChicknDip
January 24th, 2008, 07:45 PM
It's all part of the security hype and commerce. If they were really interested in the consumer an-sigh, they would send the whole bunch of viruses and samples to the "security vendors", where some months later we all would be safe against the full 100% of them.

Their ultimate goal is not getting you secure, it is selling "security".

C.S.J
January 24th, 2008, 07:58 PM
{QUOTE-> It's all part of the security hype and commerce. If they were really interested in the consumer an-sigh, they would send the whole bunch of viruses and samples to the "security vendors", where some months later we all would be safe against the full 100% of them.

Their ultimate goal is not getting you secure, it is selling "security". <-QUOTE}
av-comparatives do send the samples to the vendors.

031
January 24th, 2008, 09:34 PM
avast detected more than 99 % ! what a pleasant surprise :D :D :D

RejZoR
January 24th, 2008, 09:49 PM
Considering it's a pure signature engine, its results are certainly outstanding.

EliteKiller
January 25th, 2008, 01:55 AM
Is anyone surprised by Trend Micro's performance? I've always found it to be inferior to other quality AV's.

Sputnik
January 25th, 2008, 05:03 AM
{QUOTE-> Is anyone surprised by Trend Micro's performance? I've always found it to be inferior to other quality AV's. <-QUOTE}
Work is finally paying off, TrendMicro made quite some improvements to its engine and released quite big signature updates (steady around 500 a day).

Bunkhouse Buck
January 25th, 2008, 05:33 AM
{QUOTE-> Work is finally paying off, TrendMicro made quite some improvements to its engine and released quite big signature updates (steady around 500 a day). <-QUOTE}

Yes, but it still slows down your machine much more than other AVs with higher detection ratings.

Sputnik
January 25th, 2008, 09:22 AM
{QUOTE-> Yes, but it still slows down your machine much more than other AVs with higher detection ratings. <-QUOTE}
Actually the scan engine is quite speedy. Also since version 2007 they included a whitelisting system, containing many Windows system files for example.

eBBox
January 25th, 2008, 10:16 AM
{QUOTE-> Yes, but it still slows down your machine much more than other AVs with higher detection ratings. <-QUOTE}

It didn't slow down at all on either my comp or my parents' (3 GHz P4, 1 GB RAM). Actually it runs very well :thumb:

Bunkhouse Buck
January 25th, 2008, 03:36 PM
{QUOTE-> Actually the scan engine is quite speedy. Also since version 2007 they included a whitelisting system, containing many Windows system files for example. <-QUOTE}

I did not say the scan engine slowed you down. The entire program takes up a lot of memory compared to other top AVs such as Avira and Kaspersky. I have used and tested Trend Micro since it was developed, and it is bloated like Norton was a few years ago. There are better choices.

computer geek
January 25th, 2008, 04:13 PM
{QUOTE-> I did not say the scan engine slowed you down. The entire program takes up a lot of memory compared to other top AVs such as Avira and Kaspersky. I have used and tested Trend Micro since it was developed, and it is bloated like Norton was a few years ago. There are better choices. <-QUOTE}
agreed.

Firefighter
January 25th, 2008, 06:09 PM
{QUOTE-> For sure not, because if he goes Canon Line then he'll pick a EOS 1 with some proper L-Lenses (The red ones). The difference is here... <-QUOTE}

If he takes Canon, he isn't a PROFESSIONAL photographer. Today it is Nikon that rocks among Full Frame dSLR cameras, tomorrow after a couple of months it will be Sony (Minolta based) dSLR FF cameras that rock. Because of body based image stabilization, Sony takes sharp pictures without a tripod with any lens available. ;D

Best regards,
Firefighter!

C.S.J
January 25th, 2008, 07:44 PM
{QUOTE-> Is anyone surprised by Trend Micro's performance? I've always found it to be inferior to other quality AV's. <-QUOTE}
i keep my eyes on the prevx daily chart on their homepage, and trend does terrible.

http://www.prevx.com/

Threedog
January 25th, 2008, 09:23 PM
{QUOTE-> i keep my eyes on the prevx daily chart on their homepage, and trend does terrible.

http://www.prevx.com/ <-QUOTE}

Pretty bad when CA outperforms them.

Sjoeii
January 26th, 2008, 01:47 AM
this chart tells me that Microsoft is not doing badly in comparison to the others

huangker
January 26th, 2008, 04:49 AM
{QUOTE-> this chart tells me that Microsoft is not doing badly in comparison to the others <-QUOTE}

I'm guessing that this is because there is a corporate application for MS in security software (forefront). MS has never been hugely successful in consumer electronics (zune, xbox) but anything that has a corporate use is developed well (office, windows etc).

Joliet Jake
January 26th, 2008, 08:10 PM
Thanks to Firecat, CSJ and of course The Inspector for illuminating posts. :thumb:

C.S.J
January 26th, 2008, 08:40 PM
you're welcome jake,

my posts are usually the entertaining ones :D

Graystoke
January 26th, 2008, 09:23 PM
{QUOTE-> Yes, but it still slows down your machine much more than other AVs with higher detection ratings. <-QUOTE}


I didn't experience any slow downs when TM 2008 was running. It's just that it took a lonnnnng time to load. I got tired of watching the little spinning icon do its thing every time I started up. That was my experience with it anyway.

Valentin_Pletzer
January 27th, 2008, 08:36 AM
Hi Paul and everyone else here,

Andreas Marx sent me some answers on friday.

1. One million samples were used for the on-demand detection test. The samples had unique MD5 checksums but were not unique programs.

2. There was no ad/spyware used.

And here are some links Andreas sent me which probably back up his big sample numbers.

http://news.zdnet.co.uk/security/0,1000000189,39292422,00.htm?r=1
"The numbers are going through the roof," said Hypponen on Friday.
"We're getting 17,000 samples [of malware] a day, and our database uses 30TB of hard-drive space. The job is getting harder and harder.
Small companies will be overwhelmed unless they get really clever."

And here is an interesting link from McAfee:
http://www.avertlabs.com/research/blog/index.php/2008/01/25/many-facets-of-av-testing/

Greetings,
Valentin

Bunkhouse Buck
January 27th, 2008, 09:00 AM
{QUOTE-> I didn't experience any slow downs when TM 2008 was running. It's just that it took a lonnnnng time to load. I got tired of watching the little spinning icon do its thing every time I started up. That was my experience with it anyway. <-QUOTE}

That was part of my point. A lonnnnnnnnng time to load is too long. Again, better choices exist. NOD32, and Avira load fast as hell and do not slow down your computer. Try em'-you'll like em'.

BlueZannetti
January 27th, 2008, 10:31 AM
{QUOTE-> 1. One million samples were used for the on-demand detection test. The samples had unique MD5 checksums but were not unique programs. <-QUOTE}If I superimpose sample counts provided by AV-Test.org but appearing (http://sunbeltblog.blogspot.com/2008/01/growth-of-malware.html) at Alex Eckelberry's Sunbelt blog (http://sunbeltblog.blogspot.com/) with unique signatures in the Kaspersky database,

[attached chart 197258: AV-Test.org sample counts vs. Kaspersky signature counts]

they basically convey the same message. Scaling factors and apparent growth rates differ somewhat, but both are quite high and accelerating. Determining whether AV companies are losing ground is fraught with difficulty. However, if you examine detection trending behavior using the results of www.av-comparatives.org (http://www.av-comparatives.org/) for both the on-demand and retrospective tests:

[attached chart 197241: on-demand detection trend]
[attached chart 197242: retrospective detection trend]

it doesn't appear that the battle is being lost as yet. Note - values shown are the average of two successive test results starting in 2004 and ending with the latest values published in 2007. The simple paired moving average scheme was used to emphasize longer term directional trends.

From a user's perspective, I tend to focus on two points: I download content from the Internet and am not about to rely exclusively on my own opinion as to whether a specific file is malware or not. I prefer to rely on the expert analysis system provided by a classical blacklist AV. I really don't see this changing in the near term even if smaller vendors start to find themselves overwhelmed by volume.
As a guard against the potential issue of being overwhelmed by volume, there's clearly a number of directions that a vendor and a user can go. On the vendor side, for example, Kaspersky has incorporated a proactive detection HIPS-like module while others have focused on a middle ground of heuristic detection. On the user side there are a number of competing strategies, but it's important to appreciate that if a truly overwhelming onslaught of malware appears on the horizon, it will swamp any signature based approach. Therefore, cascading this style of solution (e.g. AV + AS + AT, etc), which still remains a popular approach, is unlikely to directly address the real problem if/when malware volume overload occurs. Users do need to actively look beyond signature based schemes, and there are a number of options currently available (HIPS, virtualization/sandboxing, restriction policies, etc.). I tend to not recommend these alternate approaches as the sole option used because of the previous point.
Blue

Lucy
January 28th, 2008, 04:00 PM
{QUOTE-> Determining whether AV companies are losing ground is fraught with difficulty <-QUOTE}

IMHO, not at all. The figures you gathered are in %. Given a constant value of the percentage of found virii through time basically means that the absolute value of missed malware samples increases with time. With the acceleration of the creation of new malicious code, the expansion of this gap also accelerates...

We can see on your graph that for some antivirus the detection percentage increases over time... But does it increase as fast as the creation of new malware code? I personally don't think so...

trjam
January 28th, 2008, 05:25 PM
{QUOTE->
We can see on your graph that for some antivirus the detection percentage increases over time... But does it increase as fast as the creation of new malware code? I personally don't think so... <-QUOTE}

Maybe you should read his comments again: From a user's perspective, I tend to focus on two points:

He sums up pretty well what a user needs to do.

BlueZannetti
January 28th, 2008, 05:54 PM
{QUOTE-> IMHO, not at all. The figures you gathered are in %. Given a constant value of the percentage of found virii through time basically means that the absolute value of missed malware samples increases with time. With the acceleration of the creation of new malicious code, the expansion of this gap also accelerates...

We can see on your graph that for some antivirus the detection percentage increases over time... But does it increase as fast as the creation of new malware code? I personally don't think so... <-QUOTE}It's actually a lot more complicated than that.

You're correct that as the absolute number of circulating malware samples increases, at a fixed percent detected, the absolute size of the pool of "undetected" samples increases. To put some numbers around that, with 99% detection and a total pool of 1 million malware samples, that would be 10,000 "undetected" samples, with linear scaling for larger or smaller pools. If it were 5 million samples, that's 50,000 "undetected" samples. Yes, those are large numbers of files.

However, how do you get infected? You either decide to execute some malware or you have your system configured so that some series of steps that you execute allow the malware to be executed.

That increasing pool of malware is embedded in an enlarging pool of valid content, and both are very rapidly increasing in size, so it's not clear that the actual probability that you'll sample the malware has increased. If valid content were growing faster than malware content, it would actually have a dilutive effect. Let's take the cases mentioned above. If the 1 million sample/10,000 undetected case existed in a content world populated with 100 million items, you have a 0.01% chance of picking a piece of malware at random. If the 5 million/50,000 case existed in a content world populated with 5 billion items, the probability of randomly sampling one of those 50,000 "undetected" samples has actually dropped by an order of magnitude to 0.001%. That's with random sampling. In the real world these numbers are biased according to your personal usage profile/style. I really don't know how it balances out overall, but my point is that you really can't casually look at absolute numbers.

Now, it's clear that some distribution channels are currently preferred for malware (P2P, free offering (legitimate as well as illegal cracked sources), etc.), and probabilities for exposure could be rather high in those domains and they could be genuinely increasing (as could the "typical" domain). Operationally, this is a self-correcting situation.

However, that really doesn't change my two primary points.

Blue
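The dilution argument in the post above, carried through as a small model. This is an added example, not code from the thread or from any of the posters; the numbers are the ones BlueZannetti used (99% detection, 1 million vs 5 million samples, 100 million vs 5 billion items of content). The function `channel_risk` and its `malware_fraction` parameter are an assumption added here to express the "biased according to your personal usage profile" caveat, and `miss_given_contact` expresses Lucy's later objection that once a sample actually reaches you, only the miss rate matters.

```python
"""Added example (not from the thread): absolute undetected count vs. the
probability of actually meeting an undetected sample.

Assumptions, labelled as such: every malware sample is detected with the same
probability `detection_rate`, and "content" is sampled uniformly at random
unless a channel-specific malware fraction is given.
"""


def undetected_samples(total_malware: int, detection_rate: float) -> float:
    """Absolute number of samples a scanner misses at a fixed detection rate.
    This is the quantity that grows linearly with the malware pool."""
    return total_malware * (1.0 - detection_rate)


def random_pick_risk(total_malware: int, detection_rate: float,
                     total_content: int) -> float:
    """Probability that one item picked uniformly at random from all content
    (clean plus malicious) is a malware sample the scanner does NOT detect.
    If clean content grows faster than malware, this falls even as the
    absolute undetected count rises (the 'dilutive effect')."""
    return undetected_samples(total_malware, detection_rate) / total_content


def miss_given_contact(detection_rate: float) -> float:
    """Conditional view: given that a malware sample has reached the machine,
    the chance the scanner lets it through is just the miss rate. Dilution by
    clean content plays no role here."""
    return 1.0 - detection_rate


def channel_risk(malware_fraction: float, detection_rate: float) -> float:
    """Hypothetical per-download risk on a biased channel (e.g. P2P or crack
    sites) where a fraction `malware_fraction` of items is malicious: the
    scanner must miss one of those. Parameter name is an assumption here."""
    return malware_fraction * miss_given_contact(detection_rate)


def compare_scenarios(detection_rate: float = 0.99) -> dict:
    """The two worlds from the post: (1M malware, 100M content) and
    (5M malware, 5B content). Returns the undetected counts, the random-pick
    risks, and how many times smaller the second risk is than the first."""
    small = (1_000_000, 100_000_000)
    large = (5_000_000, 5_000_000_000)
    risk_small = random_pick_risk(small[0], detection_rate, small[1])
    risk_large = random_pick_risk(large[0], detection_rate, large[1])
    return {
        "undetected_small": undetected_samples(small[0], detection_rate),
        "undetected_large": undetected_samples(large[0], detection_rate),
        "risk_small": risk_small,
        "risk_large": risk_large,
        "risk_ratio": risk_small / risk_large,
    }


if __name__ == "__main__":
    result = compare_scenarios()
    for key, value in result.items():
        print(f"{key}: {value:.6g}")
    # The undetected pool grows 5x while the random-pick risk drops 10x.
    print("miss rate given contact:", miss_given_contact(0.99))
    print("per-download risk on a 20% malware channel:", channel_risk(0.20, 0.99))
```

The point the model makes visible is that `undetected_small` and `undetected_large` grow together with the malware pool, while `risk_small` and `risk_large` move the other way once clean content outgrows malware; `miss_given_contact` is the number that still applies the moment a sample does land on the disk, which is why the thread keeps coming back to user behaviour and to layering something non-signature-based on top.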

trjam
January 28th, 2008, 06:29 PM
Isn't that what I just said.:blink: ;)

BlueZannetti
January 28th, 2008, 06:34 PM
{QUOTE-> Isn't that what I just said.:blink: ;) <-QUOTE}I believe so. I just put some numbers around it. :)

Blue

Graystoke
January 28th, 2008, 07:16 PM
{QUOTE-> That was part of my point. A lonnnnnnnnng time to load is too long. Again, better choices exist. NOD32, and Avira load fast as hell and do not slow down your computer. Try em'-you'll like em'. <-QUOTE}



I've used both Avira and NOD32. I liked one, but had some problems with it. I didn't like the other. I'm using KIS 7 now with no slow downs.

Bunkhouse Buck
January 29th, 2008, 07:33 AM
{QUOTE-> I've used both Avira and NOD32. I liked one, but had some problems with it. I didn't like the other. I'm using KIS 7 now with no slow downs. <-QUOTE}

KIS works well if you don't mind it placing object identifiers that permeate your hard drive from their iSwift technology. I mind it a lot- so I would never use Kaspersky.

Sjoeii
January 29th, 2008, 09:40 AM
This technology will be gone with the new v8 so maybe time for some new perspectives?

Bunkhouse Buck
January 29th, 2008, 10:04 AM
{QUOTE-> This technology will be gone with the new v8 so maybe time for some new perspectives? <-QUOTE}

Perspectives change when the reason for them changes and that has not happened yet. When Version8 fixes the issue, we may have a new rationale.

King Grub
January 29th, 2008, 10:47 AM
Isn't Kaspersky v8 still supposed to have the object identifiers, only reprogrammed so that they do not interfere with chkdsk?

Zombini
January 29th, 2008, 11:08 AM
{QUOTE-> Isn't Kaspersky v8 still supposed to have the object identifiers, only reprogrammed so that they do not interfere with chkdsk? <-QUOTE}

I wouldn't put that past Eugene.

Zombini
January 29th, 2008, 11:09 AM
{QUOTE-> I did not say the scan engine slowed you down. The entire program takes up a lot of memory compared to other top AVs such as Avira and Kaspersky. I have used and tested Trend Micro since it was developed, and it is bloated like Norton was a few years ago. There are better choices. <-QUOTE}

Definitely agreed. Trend is one of the slowest of the lot after McAfee.

danny9
January 29th, 2008, 12:23 PM
{QUOTE-> This technology will be gone with the new v8 so maybe time for some new perspectives? <-QUOTE}
Definitely not. At least for me.
Used v. 6 + 7 for a yr. and a half.
After the chkdsk problems then a reformat, even if they make the best product in the world, kis will never see the likes of any computer I own..ever! >:(

Bunkhouse Buck
January 29th, 2008, 12:31 PM
{QUOTE-> Isn't Kaspersky v8 still supposed to have the object identifiers, only reprogrammed so that they do not interfere with chkdsk? <-QUOTE}

I don't know, but if that's the case, my "perspective" will stay the same (I won't use the friggin' program).

Kees1958
January 29th, 2008, 12:44 PM
{QUOTE-> It's actually a lot more complicated than that.

In the real world these numbers are biased according to your personal usage profile/style. I really don't know how it balances out overall, but my point is that you really can't casually look at absolute numbers.
Blue <-QUOTE}

This is so true (blue)

Let me illustrate my evolution of securing my son's PC

a) AV
b) AS
c) Threw in an outbound FW
d) Skipped the AS and replaced it by HIPS


Now the best security measure I took was
e) Stop backing up his data drive, so he loses his homework when he willingly allows a cracked program to install
f) Replaced HIPS by behavior blocker (PRSC auto quarantine)


Result: no PC crashes in a year, most dominating factor = THE USER!

danny9
January 29th, 2008, 12:48 PM
Terrific idea, LOL :)

denniz
January 29th, 2008, 12:57 PM
If I'm correct then AVK 2008 uses both the Kaspersky and Avast engine, if this is correct then why does AVK have a "poor" rating on rootkit detection, while both Kaspersky and Avast have a "good" rating on detecting rootkits??

Firecat
January 29th, 2008, 02:48 PM
{QUOTE-> If I'm correct then AVK 2008 uses both the Kaspersky and Avast engine, if this is correct then why does AVK have a "poor" rating on rootkit detection, while both Kaspersky and Avast have a "good" rating on detecting rootkits?? <-QUOTE}
Active rootkit detection and removal depends on the effectiveness and strength of the AV drivers of the individual program as well as the engine and database used. So the most likely answer here would be that AVK's drivers aren't quite as good as KAV's.

Lucy
January 29th, 2008, 04:32 PM
Hi again,

{QUOTE-> it would actually have a dilutive effect. <-QUOTE}

Very interesting! And very true. I didn't finish my reasoning and ended up wrong.
We might then be in a paradoxical world where safe users are safer and not-so-safe users less safe...

so this clever remark:
{QUOTE-> most dominating factor = THE USER! <-QUOTE}

Nevertheless, to come back to numbers and figures, all you said, Blue, is acceptable as long as you don't receive any malware: the overall probability of getting hit may decrease over time, due to this diluting factor. As soon as you get hit, i.e., any given malware has a chance to challenge your antivirus... well, that's a totally different story.

BTW, when I finished my previous post and re-read your post, I realized how close our conclusions might be. And I was too lazy to edit and soften my post.

Thanks for sharing your thoughts

halcyon
January 30th, 2008, 02:02 AM
{QUOTE-> Active rootkit detection and removal depends on the effectiveness and strength of the AV drivers of the individual program as well as the engine and database used. So the most likely answer here would be that AVK's drivers aren't quite as good as KAV's. <-QUOTE}

This is a very good point and should be almost stickied somewhere.

People tend to compare AVs purely on an engine basis most of the time, thinking "so, it uses the engine from X, so it must be 100% equal". Apparently not so.

RejZoR
January 30th, 2008, 09:44 AM
{QUOTE-> Active rootkit detection and removal depends on the effectiveness and strength of the AV drivers of the individual program as well as the engine and database used. So the most likely answer here would be that AVK's drivers aren't quite as good as KAV's. <-QUOTE}

Active rootkits are not gonna be a problem anymore when avast! 4.8 is released mwahahaha ;)8)

solcroft
January 30th, 2008, 10:04 AM
{QUOTE-> Active rootkits are not gonna be a problem anymore when avast! 4.8 is released mwahahaha ;)8) <-QUOTE}
Famous last words.

Firecat
January 30th, 2008, 11:12 AM
{QUOTE-> Active rootkits are not gonna be a problem anymore when avast! 4.8 is released mwahahaha ;)8) <-QUOTE}
Time will tell.....:)

Paul Wilders
January 30th, 2008, 11:27 AM
Gents, please keep on topic. Feel free to open different threads discussing issues not directly related to this test.

On a side note: Firecat, I'll take it you'll leave it up to Alwil first to announce officially the ins and outs coming with the new Avast version, rootkit handling included. Thanks.

regards,

paul

JimIT
January 30th, 2008, 11:55 AM
Man, I take a break from this site, and like clockwork--another AV-Test.org t