SAS not detecting Sub7??


ChrisP
May 30th, 2008, 02:13 PM
Just for a laugh, I downloaded sub7 to see how SAS responded - and to my horror, it does not detect it! I scanned server, editserver and subseven - and nothing!

cheater87
May 30th, 2008, 02:21 PM
What is sub7???

ChrisP
May 30th, 2008, 02:23 PM
-{ Quote: "What is sub7???" }-

Subseven - the world's best known trojan - old and easy to detect.

nosirrah
May 30th, 2008, 02:55 PM
Before you check, MBAM does not detect this either.

I removed this from a girlfriend's computer in 1999.

If this actually has a live source still, please post it or PM it to me.

If the only way to contract it is to download a malware archive and install it, then I am not interested.

If I remember correctly this also patched exe files; if that is the case here you should be testing it against antivirus software.

Page42
May 30th, 2008, 03:11 PM
If you fellows won't include out of circulation threats in your detection database (And why is that? Because they take up too much room?), would you consider creating an option in your program where users can download an auxiliary "antique detection database" wherein we are protected against threats from 1999?

I am hearing quite a lot from developers saying something got past a security program because it is old. Well, isn't that essentially a vulnerability in your software?

In other words, you once had the threat detection covered, then you said, let's drop it because it is hardly ever seen? What is the problem with keeping the threat detection in place?

HyperFlow
May 30th, 2008, 03:12 PM
-{ Quote: "Before you check, MBAM does not detect this either.

I removed this from a girlfriend's computer in 1999.

If this actually has a live source still, please post it or PM it to me.

If the only way to contract it is to download a malware archive and install it, then I am not interested.

If I remember correctly this also patched exe files; if that is the case here you should be testing it against antivirus software." }- Thanks for the info. I have learned over time not to jump the gun over things like this. I use both AS and kinda had the feeling it was AV related and not AS related.

nosirrah
May 30th, 2008, 03:26 PM
-{ Quote: "If you fellows won't include out of circulation threats in your detection database (And why is that? Because they take up too much room?), would you consider creating an option in your program where users can download an auxiliary "antique detection database" wherein we are protected against threats from 1999?

I am hearing quite a lot from developers saying something got past a security program because it is old. Well, isn't that essentially a vulnerability in your software?

In other words, you once had the threat detection covered, then you said, let's drop it because it is hardly ever seen? What is the problem with keeping the threat detection in place?" }-

Got past a scanner when you downloaded it from an old archive <> got by a scanner after an exploit dropped it yesterday, not even close.

It's about effective time management and not lying to our customers. Padding defs with millions of obsolete defs is not honest and does not protect the user.

Answer this honestly. I take a month off from real time research and instead research malware from 1998-2002. I, in that month, add detection for millions of variations of infections from that time period. Next I make a big deal about how MBAM detected millions of threats and even have screenshots of us detecting 99% of samples from that time period. At the end of that month would I be a dishonest bastard trying to exploit information to make a $? I think so. Would our users be protected from malware that came into existence in that month? Not a chance.

Don't worry though, I will not be doing that.


EDIT:

We do not delete old defs BTW.

hammerman
May 30th, 2008, 04:10 PM
-{ Quote: "Got past a scanner when you downloaded it from an old archive <> got by a scanner after an exploit dropped it yesterday, not even close.

It's about effective time management and not lying to our customers. Padding defs with millions of obsolete defs is not honest and does not protect the user.

Answer this honestly. I take a month off from real time research and instead research malware from 1998-2002. I, in that month, add detection for millions of variations of infections from that time period. Next I make a big deal about how MBAM detected millions of threats and even have screenshots of us detecting 99% of samples from that time period. At the end of that month would I be a dishonest bastard trying to exploit information to make a $? I think so. Would our users be protected from malware that came into existence in that month? Not a chance.

Don't worry though, I will not be doing that.


EDIT:

We do not delete old defs BTW." }-
Can't argue with that really. As a user, I would prefer you work on defs for malware which I have a higher probability of catching.

ChrisP
May 30th, 2008, 05:28 PM
It's unforgivable that something like SAS does not detect this. The argument that it's an old trojan does not stand up.

In my opinion, this goes to show that dedicated malware scanners are a waste of time and much less able to detect these nasties than mainstream AVs.

I have seen review after review where SAS gets poor reviews or where it is beaten by several other scanners. It seems that if anyone remarks on its poor performance they get attacked with some argument about the test having faults.

I'm sure SAS has some wonderful scanning technologies etc, but the fact it fails to spot this trojan has made me lose all faith in it. What else doesn't it detect?

My license expires in about 30 days. Why should I bother renewing it?

I would like to see a test where a normal AV like Kaspersky, F-Secure or Norton is pitched against dedicated AMs in detecting non viral nasties. Based on my experience of SAS, I know which ones I would put my money on.

HyperFlow
May 30th, 2008, 05:46 PM
If a person looks at post #4, it's not detected because it's the job of your AV, not the job of AS/AM. In that case would it not be the same? Why did the AV not detect it?
-{ Quote: "If I remember correctly this also patched exe files , if that is the case here you should be testing it against antivirus software" }-

ChrisP
May 30th, 2008, 05:50 PM
F-Secure detected it. Strictly speaking, it's NOT the job of an AV to detect this since it is a trojan and NOT a virus.

HyperFlow
May 30th, 2008, 05:59 PM
You were protected, no harm no foul. I feel no less secure if my AS does not detect something but my AV did; that's why I have them both. ;D

ChrisP
May 30th, 2008, 06:09 PM
-{ Quote: "You were protected, no harm no foul. I feel no less secure if my AS does not detect something but my AV did; that's why I have them both. ;D" }-

You are missing the point. The only function of AMs is to detect trojans and non viral malware. They are not doing this properly.

HyperFlow
May 30th, 2008, 06:15 PM
No, I'm not missing the point, I just fail to see the point you're trying to make. Can you name one AV, AS, AM, AT or any Anti-whatever that catches 100% of everything new or old? If SAS did not stop it but your AV did, what's the problem??? ;D
-{ Quote: "They are not doing this properly" }-

ChrisP
May 30th, 2008, 06:29 PM
Jesus, I'm sick of idiots. Look, SAS is an AM - it should detect TROJANS like one of the most famous in the world - SubSeven - but it does not. Its database is inadequate.

No, I can't name any AT that detects 100% of nasties. The fact is that SAS should detect SubSeven as every AV in the world does when it is not their job to do so.

You, my friend, are a prime example of the idiots who come up with the same pathetic arguments supporting badly performing AMs.


-{ Quote: "No, I'm not missing the point, I just fail to see the point you're trying to make. Can you name one AV, AS, AM, AT or any Anti-whatever that catches 100% of everything new or old? If SAS did not stop it but your AV did, what's the problem??? ;D" }-

nosirrah
May 30th, 2008, 06:39 PM
It is not that hard to make a scanner that catches 95% of legacy malware and takes 3 hours to do a scan while missing all the malware that came out within the last week.

Antimalware is about blocking what you have the ability to be infected by with normal computer use today.

Reading through this thread I get the feeling that some people might think SpyBot is better than SAS and MBAM because it has better defs for malware that existed years before SAS and MBAM existed.


A simple search on HJT forums will quickly show that SAS and MBAM are used to disinfect computers, not SpyBot, even though all three can scan and remove for free.

ChrisP
May 30th, 2008, 06:54 PM
"It is not that hard to make a scanner that catches 95% of legacy malware and takes 3 hours to do a scan while missing all the malware that came out within the last week "

Completely false and illogical argument.

1) AVs detect viruses AND malware (inc legacy) etc, yet don't take that long to scan.
2) AMs are made by small businesses that employ very few people and don't have the resources to add defs or analyse malware, whereas the AV cos employ hundreds of people and so have the resources to do this.

Explain to me how it is that the main AVs detect more non viral malware than AMs and also detect thousands of viruses that the AMs don't, and yet scan as fast.

I'm 99% sure a major AV like F-Secure will pick up new threats faster than any AM and be better at detecting them.

It's arguments like yours that help make my mind up - AM software is a waste of time.

ronjor
May 30th, 2008, 06:58 PM
Let's keep the discussion on an even keel without personal potshots and stay on the topic. "SAS not detecting Sub7??"

ChrisP
May 30th, 2008, 07:10 PM
Wilders is not the place it was. Quality of members has dropped.

nosirrah
May 30th, 2008, 07:20 PM
-{ Quote: "Wilders is not the place it was. Quality of members has dropped." }-

People like you are why I stay up till 4 AM working on defs for MBAM, thanks for the motivation. :thumb:

You may be upset that an old infection got by a new scanner, but I bet that both MBAM and SAS have detections for new malware that every scanner you do have faith in miss.

ChrisP
May 30th, 2008, 07:27 PM
-{ Quote: "People like you are why I stay up till 4 AM working on defs for MBAM, thanks for the motivation. :thumb:

You may be upset that an old infection got by a new scanner, but I bet that both MBAM and SAS have detections for new malware that every scanner you do have faith in miss." }-

From what I have seen, you add definitions based on what people think is nasty because they don't like the vendor (see thread on EE) and not on whether the app is actually malware.

You stay up till 4 to make money, the same as me. If I were you, I would give up as you and SAS don't seem to be doing too well.

nosirrah
May 30th, 2008, 07:36 PM
Hop on google and start telling everyone that they are wrong, you have a long list so you had better get started. :thumb:

Me, I'll get back to making MBAM great, sorry we can't see eye to eye.

ChrisP
May 30th, 2008, 07:38 PM
The bottom line is, I won't be giving SAS any more of my money and I won't purchase an alternative AM. I have F-Secure at the moment and will use this until the new version of KAV comes out - as I have a license for this, but the current version is too slow, but the new version is fine.

AM = waste of time. End of argument

ChrisP
May 30th, 2008, 07:44 PM
-{ Quote: "Hop on google and start telling everyone that they are wrong, you have a long list so you had better get started. :thumb:

Me, I'll get back to making MBAM great, sorry we can't see eye to eye." }-

What on earth are you talking about? Tell "everyone" they are wrong.

It's you who are wrong and the few who believe in your snake oil. Shouldn't take me more than 5 minutes.

kencat
May 30th, 2008, 07:49 PM
-{ Quote: "It's arguments like yours that help make my mind up - AM software is a waste of time." }- .....for you.

As for me, I understand the limitations of the smaller companies, and therefore accept their business model of providing protection for current malware within the scope of their model for the software. As long as it is understood, then users can plan their security software layout appropriately. I have learned from my brief time here at Wilders that one security app cannot "do it all".

This thread has brought to light interesting information as to how some software developers approach their business, which helps in understanding those software and how different approaches are taken.

I don't care that SAS or MBAM do not detect this old-timer trojan. I will use them for their strengths, and find other products that fill in the spaces. We should be thankful for the efforts put forth by all the private developers out there, past, present and future, otherwise......well, who knows.

Keep up the good work dudes (you know who you are) :thumb:

HyperFlow
May 30th, 2008, 07:53 PM
If one was to do some searching on Sub7 they would see that AV was and still is what's recommended to stop it, not AM. People have just jumped the gun and are laying blame on apps that are not even recommended to stop it. {An idiot I may be, but I'm an informed idiot} ;) :argh:

ChrisP
May 30th, 2008, 07:54 PM
-{ Quote: "Keep up the good work dudes (you know who you are) :thumb:" }-

Agreed, well done Kaspersky, F-Secure etc...

kencat
May 30th, 2008, 08:01 PM
-{ Quote: "Agreed, well done Kaspersky, F-Secure etc..." }-

Absolutely. I meant all those guys out there working to fight the bad guys. They all bring something to the arena, and each individual contributes something unique.

BlueZannetti
May 30th, 2008, 08:40 PM
A couple of OT and generally useless posts removed. Let's keep it civil folks.

Blue

HyperFlow
May 30th, 2008, 08:52 PM
OK, 1st you say it's AM's place to stop it and not AV, then you attack people with PMs :dry: and on the board when they tell you it's always been detected with AV/FW, and then give a hi5 to AV for detecting it??? When they always have. Sub7 is a (back door trojan), a 2 part trojan at that. The victim has to d/l something first, hence why AV stops it; then the controller [remote user] can do their thing, hence why a FW can stop it. And as to why AM do not include it: it's old for 1, and AV have always detected it and a FW will stop it. There is nothing to be lost about; the information is there on the net!! Just look for it.

ChrisP
May 30th, 2008, 09:01 PM
Again, you have lost me - explain to me, why SAS, a dedicated AM / AT scanner fails to find this? Forget everything else, explain why it does not detect it when all AVs do.
-{ Quote: "OK, 1st you say it's AM's place to stop it and not AV, then you attack people with PMs :dry: and on the board when they tell you it's always been detected with AV/FW, and then give a hi5 to AV for detecting it??? When they always have. Sub7 is a (back door trojan), a 2 part trojan at that. The victim has to d/l something first, hence why AV stops it; then the controller [remote user] can do their thing, hence why a FW can stop it. And as to why AM do not include it: it's old for 1, and AV have always detected it and a FW will stop it. There is nothing to be lost about; the information is there on the net!! Just look for it." }-

nosirrah
May 30th, 2008, 09:01 PM
http://www.castlecops.com/p1094317-pLEASE_HELP_ME.html

You can see MBAM here finding and correcting both the current clock hijack and ID hijack.

AV and FW have 0 ability to handle this sort of damage, that is why antimalware is needed.

If any other scanner has a fully automated fix for this I would love to hear about it.

LoneWolf
May 30th, 2008, 09:18 PM
-{ Quote: "Again, you have lost me - explain to me, why SAS, a dedicated AM / AT scanner fails to find this? Forget everything else, explain why it does not detect it when all AVs do." }-

Do you use an AV?

HyperFlow
May 30th, 2008, 09:47 PM
-{ Quote: "Again, you have lost me - explain to me, why SAS, a dedicated AM / AT scanner fails to find this? Forget everything else, explain why it does not detect it when all AVs do." }- lol, there is nothing to explain. AV are what detects it; they have the sig in their databank, and evidently it has some virus properties due to it being used mostly by script kiddies. And I'm not saying no AM/AT scanners detect it, just some do not include it in their databank, but that's not saying they do include all the variants of it. Sub7 is old; I would rather be protected from the new malware that AV do not detect than be protected from old trojans that AV do detect. And if my FW can stop the remote part of Sub7 I have nothing to worry about.

EASTER
May 31st, 2008, 12:12 AM
-{ Quote: "What on earth are you talking about? Tell "everyone" they are wrong.

Its you who are wrong and the few who believe in your snaik oil. Shouldnt take me more than 5 minutes." }-


Hi ChrisP

As a former specialist in helping global users in a security forum for a number of years track down innumerable types of malware, from the easy to the most notorious ever conceived, I truly sympathize with your utter frustration.

I would like to offer you an alternative you may or may not be interested in, but I can guarantee that it would go a long way in helping you stave off anything that either AS's or AV's miss, and that's a good quality dependable HIPS.

The only drawback is they require some personal attention to fine tune and set to monitor areas of potential intrusions; the good part is they STOP! ANYTHING DEAD IN THEIR TRACKS by aborting their intentions UNTIL YOU FIRST have had a chance to conduct a Google Search on what that file is, whether it be offending, possibly disrupting, or safe enough to allow you to let it then proceed as normal or not.

Another alternative is Faronics' Anti-Executable that stops executables in their tracks too. I use both as a security net along with Returnil, but I am on the same page as you, I want and expect a combination to intercept and dismiss anything that can prove disrupting to your good machine.

EASTER

denniz
May 31st, 2008, 09:02 AM
-{ Quote: "No i'm not missing the point i just fail to see the point your trying to make. can you name one AV,AS,AM,AT or any Anti what ever that catches 100% of every thing new or old.if SAS did not stop it but your AV did whats the problem??? ;D" }-

The problem is that anti-malware developers deliberately don't add old malware samples to their database because they don't feel this old malware is a security risk to the mainstream user.

So one might say that the longer an anti-malware vendor is on the market, the more definitions they have = the safer you will be from getting infected.

nosirrah
May 31st, 2008, 10:40 AM
-{ Quote: "So one might say that the longer an anti-malware vendor is on the market, the more definitions they have = the safer you will be from getting infected." }-

Malware does not have a time machine, so once where it comes from dies or has changed enough that old definitions can't detect it any more, those defs do nothing to protect you.

Why would detecting something that does not exist protect you?

denniz
May 31st, 2008, 12:23 PM
-{ Quote: "Malware does not have a time machine, so once where it comes from dies or has changed enough that old definitions can't detect it any more, those defs do nothing to protect you.

Why would detecting something that does not exist protect you?" }-

Although I agree with you to some degree, I'm also having a hard time figuring out who must have the final decision in determining if a certain piece of malware is obsolete or not.

Also you mentioned adding definitions based on the day to day surfing habits of current internet users.... but not all users browse and use the internet in the same way. And just because certain malware may be old, that doesn't mean there is a 100% chance that it will not cause any problems for current internet users.

But I do understand your statement that the smaller anti-malware companies have limited manpower, and that this manpower is better used to add protection for currently spreading malware.

HuHitsU
May 31st, 2008, 01:31 PM
I'm chiming in awfully late... But from my (brief) reading of this thread this is what I'm gathering (from the vendor's viewpoint)...

1) Old/Obsolete/Non-Widespread malware does not affect a majority of users.
2) New/Widespread malware does (or has the potential to) affect a majority of users.
3) Therefore, the focus will be in what can/will affect the majority of users.

It would seem to me that the vendor is not looking so much at completeness as much as it is looking for relevance to *today's* threats. And yes, yesterday's threats can become today's threats... But when/if that happens I'm sure it'll be taken care of.

nosirrah
May 31st, 2008, 02:04 PM
-{ Quote: "Although I agree with you to some degree, I'm also having a hard to figure out who must have the final decision in determining if a certain piece of malware is obsolete or not.

Also you mentioned adding definitions based on the day to day surfing habits of current internet users.... but not all users browse and use the internet in the same way. And just because certain malware may be old, that doesn't mean there is a 100% change that it will not cause any problems for current internet users.

But I do understand your statement that the smaller anti-malware companies have limited manpower, and that this manpower is better used to add protection for currently spreading malware." }-

If it has the ability to infect a computer today then it is current.

If there is nothing you can do to catch it other than download an old malware archive intentionally then it's old.



You are not understanding my definition of old; it has nothing to do with when the malware came into existence. Old only refers to when the malware STOPPED existing, as in no matter what you download, where you surf and what you share you won't come into contact with it.

nosirrah
May 31st, 2008, 02:10 PM
-{ Quote: "And yes, yesterday's threats can become today's threats... But when/if that happens I'm sure it'll be taken care of." }-

Correct.

There is a LOT of research involved with this, and if something long dead were to come back to life it would be current.


We maintain a dead list that is checked a few times a week, just in case.

denniz
May 31st, 2008, 02:16 PM
OK, if you look at it that way, then I guess you have a point.

The moment old malware becomes current again, you add it to the database.