At Part 5, F-Secure Stopped when dealing with an Adware, Popups weren't stopping, and F-Secure couldn't do a thing.

From Mrizos:

"This Thing is bloated, does nothing, doesn't block any process"

http://www.youtube.com/watch?v=OUTWqHIFzM8

203250

I read that as well. I really did not expect that

Me neither...acting like that with adware...:-\

Was so close to purchasing this software, but had a feeling something just wasn't right now I know.

When I said the same earlier on this forum, that "F-Secure can't detect/block Spyware and it allowed my PC to be infected". I got flamed.

Now its clearly proven, that F-Secure is flawed and its self-protection is easily susceptible. Its scan engine may be good, but its of no use when malware can get past and disable protection.

Now I will let my EGO, get boosted by 10x. Feel free to flame me again and bring me down.

-{ Quote: "Its scan engine may be good, but its of no use when malware can get past and disable protection." }-

Really, software like that seems to get nothing but praise on this forum.

Maybe this will alert people to the fact that all av's miss things, and that it is the correct process to at least work on removal, percentage rates may look good on paper, or be a good argument for the fan boys, but in the real world of surfing the net and downloading, these figures tend to mean sod all.

F-Secure's flaw, like many others .. is its removal.

but lets not go-over-the-top as people on this forum usually do, this is only one piece of adware. ::)

-{ Quote: "When I said the same earlier on this forum, that "F-Secure can't detect/block Spyware and it allowed my PC to be infected". I got flamed.

Now its clearly proven, that F-Secure is flawed and its self-protection is easily susceptible. Its scan engine may be good, but its of no use when malware can get past and disable protection.

Now I will let my EGO, get boosted by 10x. Feel free to flame me again and bring me down." }-

I never thought it was good and said that in this forum. It slowed my computers down a lot, and caused several crashes and freezes. Other things are wrong as well as more is revealed.

-{ Quote: "percentage rates may look good on paper, or be a good argument for the fan boys, but in the real world of surfing the net and downloading, these figures tend to mean sod all." }-
If these figures mean sod, then why do they (by your own admission) make for good arguments?

-{ Quote: "If these figures mean sod, then why do they (by your own admission) make for good arguments?" }-
thats my opinion, but its a good argument to say 'my antivirus detects 99+% of all malware'

So he gets a machine infected with 1000s of viruses (he says this in part 1 of the video series) and expects AVs to remove them? This is not a good test at all.

It's different(in a positive way)from the traditional tests because now we are able to see how these software act when installed on already infected computers. Errors? Problems installing? Other strange behaviour? Cleaning? .. etc.

Of course it's better to prevent in the first place but the average user is in most cases, not able to take backups everyday and is prepared to reformat the computer if something happens. These users trust the AV-software and believe it does what is advertised, the ability to detect and disinfect.

-{ Quote: "So he gets a machine infected with 1000s of viruses (he says this in part 1 of the video series) and expects AVs to remove them? This is not a good test at all." }-

Hmmm, I guess that you can say that, BUT bear in mind, that he has tested other AV's, who passes the test with bravour....so ;)


Cheers

-{ Quote: "So he gets a machine infected with 1000s of viruses (he says this in part 1 of the video series) and expects AVs to remove them? This is not a good test at all." }-

good test for me because it give you a full image about the AV s Ability on blocking and removing malware.

and most of the AV s that have been tested by him did a good job against these 1000 viruses!!!

-{ Quote: "It's different(in a positive way)from the traditional tests because now we are able to see how these software act when installed on already infected computers. Errors? Problems installing? Other strange behaviour? Cleaning? .. etc.
" }-

Already posted my rants wrt this methodology in PCMag reviews' related threads. This way, you can't even be sure the AV is properly installed.

For boxes infected with thousands of malware specimens, I'd say reformat is the only solution and everything else is just a waste of time... However, at minimum you should boot from a rescue CD and try to disinfect from there first before even attempting to install some AV.

-{ Quote: "It's different(in a positive way)from the traditional tests because now we are able to see how these software act when installed on already infected computers." }-

The problem with cleaning is that once malware is installed, it will have the same privileges as the AV. Theoretically, you can't expect the AV to remove malware at the same privilege level.

-{ Quote: "Hmmm, I guess that you can say that, BUT bear in mind, that he has tested other AV's, who passes the test with bravour....so ;)
" }-

-{ Quote: "and most of the AV s that have been tested by him did a good job against these 1000 viruses!!!" }-

I've cleaned computers where SAS and MBAM had problems removing the malware as well. The PC would just bluescreen when any other AV/AS program ran. It is all really anecdotal evidence though. Again the problem is that they have the same privileges. When a computer is badly infected, you have to scan from outside the infected OS.

I just don't think these kind of tests are really valid because you just cant clean heavily infected systems like that.

-{ Quote: "Really, software like that seems to get nothing but praise on this forum.

Maybe this will alert people to the fact that all av's miss things, and that it is the correct process to at least work on removal, percentage rates may look good on paper, or be a good argument for the fan boys, but in the real world of surfing the net and downloading, these figures tend to mean sod all." }-
Ok, I meant its on-demand scan may be good. But real-time protection has a lot to be desired.

Don't worry, even with this fatal flaw it got many praises here and my statements were rubbed off. Regardless, now there is some supportive evidence, to my argument. Really hope, F-Secure starts a cleanup like what Symantec did with Norton.

-{ Quote: "
I just don't think these kind of tests are really valid because you just cant clean heavily infected systems like that." }-
Buddy, there are a lot of idiots in this world who enticed by p0rn will allow their system to damaged to much higher levels. And yes, they all have been cleaned. If not by a single scanner, with multiple ones.

So in part I agree, any solution can't fully clean a heavily infested system. But then it should atleast block/remove/disinfect some files. 0 (or almost zero) is not a very proud figure.

This test has clearly shown, problems in F-Secure's Real-time protection module. I have witnessed this first hand. It does not block/clean what it attempts and once malware wriggles in. It seems to easily defeat F-Secure self protection.

-{ Quote: "This test has clearly shown, problems in F-Secure's Real-time protection module. I have witnessed this first hand. It does not block/clean what it attempts and once malware wriggles in. It seems to easily defeat F-Secure self protection." }-
So F-Secure failed to clean one piece of adware. Ergo, its cleaning abilities are not 100%. This also means that F-Secure is easily defeated by malware, and does not block what it detects.

I smell an opportunistic troll hounding on this one example to vindicate his unfounded biases.

Also, I guess this also shows how many people actually watched the video. F-Secure didn't seem to have detection for this particular adware, and it was the HIPS that failed to clean the malware off the system. Now if you load a HIPS onto an already infected system, and become flabbergasted because it doesn't remove the malware... I really don't know what to say.

be not had time to watch all the videos yet, but was f-secures rescue cd scanner used aswell?

-{ Quote: "So F-Secure failed to clean one piece of adware. Ergo, its cleaning abilities are not 100%. This also means that F-Secure is easily defeated by malware, and does not block what it detects.

I smell an opportunistic troll hounding on this one example to vindicate his unfounded biases.

Also, I guess this also shows how many people actually watched the video. F-Secure didn't seem to have detection for this particular adware, and it was the HIPS that failed to clean the malware off the system. Now if you load a HIPS onto an already infected system, and become flabbergasted because it doesn't remove the malware... I really don't know what to say." }-
opportunistic troll ;D
Thanks for the lovely complement.... :thumb:

I would just like to say, that I stated F-Secure's inability in this forum from my personal experience long before the test. Then I received similar cynicism, now there is more proof I feel vindicated of sorts.

F-Secure in my experience failed to stop an malware in real-time. When infected, the malware used to crash F-Secure whenever I started a scan. After I reported this to F-Secure Support, it came to view that I was infected. And the file in question had not been quarantined successfully.

Now in Matt's test there seems to be a similar anomaly. Real-time scanner isn't fully able to stop ad-ware and self-protection seems to be compromised.

Thats just my view....

-{ Quote: "F-Secure in my experience failed to stop an malware in real-time" }-

same with my friend when he was testing it ><

i realy dont know but some vendors just want to fill their pockets and it doesnt matter if their product realy work or not!!

i feel sorry for everyone who use this and it dosent know the fact ><

I had no problems with F-Secure but the video really opens the possibility that one more fail in the software.
Unfortunately what I see is that F-Secure has difficulties to improve its product. I sent many suggestions to F-Secure in the last year and they always say "thank you, we'll verify" but what I see is that they usually ignore everything. We, users, need to wait a lot to see changes. It's a lot different with Kaspersky Labs, that seems to work and improve its software every day and listen to user's opinion. I'm using F-Secure for more than 1 year with no problems about detection. I get and receive a lot of malwares daily to send to F-Secure labs and I never had an infection in my computer using F-Secure. The heuristic is improved now and I see that it's better than Kaspersky heuristic but F-Secure still has a lot of problems that are usually ignored. The support forum is very lazy and we need weeks to get an answer. The replies of malware samples are slow if the sender is in collectors list (I'm). A lot of things about F-Secure that turn me frustrated. Weeks ago I gave up but I received an e-mail of the team and decided to give one more chance. I'm still using FS but I really don't know for how many time. It's similar with my frustration when I used NOD32 an sent samples do ESET. I don't work with computer science and AV is a hobby for me. I have no commercial relationship with any company. I like to get samples and help improving a good AV software that I think can be better. But when I work a lot and receive no reply (it's not only about samples reply but about all feedback... of suggestions, of improvements...) its very frustrating.

well, I've never had any problems with f-secure, even during my own testing.

-{ Quote: "The problem with cleaning is that once malware is installed, it will have the same privileges as the AV. Theoretically, you can't expect the AV to remove malware at the same privilege level.
" }-

Not necessarily. Hooks can be replaced by another hook, or if the malware isn't capable of hooking at kernel level or injecting itself any deeper in the OS than the user mode. AV's have drivers to counter kernel level hooking(rootkits, etc.)and probably debugging rights and therefore can in some cases disinfect(override)the malware.

.. Please, someone wiser than me correct if I'm wrong here :)

The annoying fact is not that F-Secure couldn't remove the sample, but that it displayed tons of popups, it made anything unusable..:-\

IMHO any av may have a problem with a piece of malware. Example my daughter got vundo on her's it snuck past Nod3, I removed it with F-secure...is one better than the other? NO bottom line is in the case shown F-secure didn't do well on that one sample, that's all , all AVs have a weak point, nothing is perfect...

-{ Quote: "IMHO any av may have a problem with a piece of malware. Example my daughter got vundo on her's it snuck past Nod3, I removed it with F-secure...is one better than the other? NO bottom line is in the case shown F-secure didn't do well on that one sample, that's all , all AVs have a weak point, nothing is perfect..." }-

Yes its all anecdotal. Like I said before, some of the ones hes tested to remove malware, I've used on my friends computers and they didn't work.

-{ Quote: "Not necessarily. Hooks can be replaced by another hook, or if the malware isn't capable of hooking at kernel level or injecting itself any deeper in the OS than the user mode. AV's have drivers to counter kernel level hooking(rootkits, etc.)and probably debugging rights and therefore can in some cases disinfect(override)the malware.

.. Please, someone wiser than me correct if I'm wrong here :)" }-

I'm a little out of my depth here too cuz I don't know understand the windows lower level stuff. My logic is here that if malware is already installed, it has as deep access to windows as any av does and it is there first. So it can do lots of things to prevent an av from functioning properly. Does that make sense?

-{ Quote: "Really, software like that seems to get nothing but praise on this forum.

Maybe this will alert people to the fact that all av's miss things, and that it is the correct process to at least work on removal, percentage rates may look good on paper, or be a good argument for the fan boys, but in the real world of surfing the net and downloading, these figures tend to mean sod all." }-

Gee. maybe software should be design to never let it in the first place. after all if it cant detect it, It sure the hell cant remove it. plain and simple fact is you should stop the infection before it ever got to that stage. its like trying to put a band aid on something that needs stitches. if your AV misses it, Image and restore is the only way to go. to make sure your cut don't get infected once again. But then again some "Fan Boys" hold on to the Removal of a virus as top priority. Even if there favorite AV could not detect the infection in the first place. :dry:

-{ Quote: "The replies of malware samples are slow if the sender is in collectors list (I'm)" }-

Slow? How slow?

-{ Quote: "But then again some "Fan Boys" hold on to the Removal of a virus as top priority. Even if there favorite AV could not detect the infection in the first place. :dry:" }-

Not as a top priority, but it doesn't hurt to have that quality.

I am not saying F-Secure is good or bad, I just feel this test here is really stupid. Once your computer is heavily infected, you don't rely on the av's removal to save your ass. Why? because I can safely say that no one single av could remove all the viruses AND repair your system to a good state. Maybe some av could remove more viruses, some could remove less, but in that case, you'd better go and image your system back. The main function of an AV is real time prevention to keep the viruses away from your computer rather than remove the viruses afterwards, because once infected, your system may be already well destroyed----whether or not your AV can plant itself on that "damaged system" is a question already.
In one word, it's very stupid relying your av to remove 1000 viruses AND repair your totalled system. Gee!!!

-{ Quote: "Slow? How slow?" }-

Days or weeks. It's slow. When I was not a collector in F-Secure system I received reply in some hours. I really don't understand it. If I'm a collector I suppose that I find new malware and that the malware need to be added to detection. I get a lot of new malware directly from creators website sometimes... but I send the samples and need to wait for 1 week to see F-Secure detecting. In 1 week the malware is present worldwidely.
F-Secure has the sample that I sent but it's not detected yet.
It's not only about F-Secure. Most all AV companies are very frustrating about it. Probably Kaspersky and Avira are the two that don't go in that way.

-{ Quote: "I am not saying F-Secure is good or bad, I just feel this test here is really stupid. Once your computer is heavily infected, you don't rely on the av's removal to save your ass. Why? because I can safely say that no one single av could remove all the viruses AND repair your system to a good state. Maybe some av could remove more viruses, some could remove less, but in that case, you'd better go and image your system back. The main function of an AV is real time prevention to keep the viruses away from your computer rather than remove the viruses afterwards, because once infected, your system may be already well destroyed----whether or not your AV can plant itself on that "damaged system" is a question already.
In one word, it's very stupid relying your av to remove 1000 viruses AND repair your totalled system. Gee!!!" }-

I agree about it. The video is being super-estimated. If we search we find a lot of videos showing AVs failing... NOD32, kaspersky, Avira, F-Secure... All fail sometimes.

-{ Quote: "I agree about it. The video is being super-estimated. If we search we find a lot of videos showing AVs failing... NOD32, kaspersky, Avira, F-Secure... All fail sometimes." }-

That's true but instead of giving that amount of popups couldn't it just say that the threat couldn't be removed? Or perhaps the adware was specifically designed for F-Secure?

You are super-estimating the video.
You show something like it and say that F-Secure is a ******** that is no functional and do nothing about protection.
Firstly, we know that no AV detects 100% of malwares. Second, the malware in video is already in the system. It's more difficult to remove an installed malware.
I consider that F-Secure failed not by detection but about the difficulty to remove the installed malware and a lot of pop-ups that it showed.
Despite the failing I say that at least F-Secure tried. Probably many AVs haven't detected the malware.
I see difficulty of F-Secure to change the number of processes the AV uses (despite less resource usage 14 processes scare users) because they created an structure based in these processes. I criticizes other aspects of F-Secure and I think they can improve the AV faster. But get F-Secure and define it as garbage because it didn't remove a sample and put F-Secure in the same level of poor AVs because of one sample and/or one fail is so sensationalistic and nonsense that I have to think if have no other companies behind the "news".
This kind of proclamation coming from users of NOD32/Norton/Dr.Web and other AVs that I consider totally poor is trust-less.
We can see a lot of videos of fails of all AV software. If we want we can create a lot of videos of many AVs with the same purpose.

That's why you have Prevention as your first line of defense, Not detection. ;)

Josh

-{ Quote: "That's why you have Prevention as your first line of defense, Not detection. ;) " }-
The Comodo slogan again. Too bad it isn't of much use unless you know what it is you're preventing.

Actually detection is prevention by itself... If you detect something before you execute it, isn't that prevention? I think it is...

-{ Quote: "That's why you have Prevention as your first line of defense, Not detection. ;)

Josh" }-
No, you have to detect before you can protect. Protection is meaningless if it never detects anything. So you detect first, then protect, or clean.

I'm not sure I agree with that. You want to prevent the stuff from getting on your system in the first place instead of letting it get very close to your PC and stop it at the gates. The change something slips through is eminent.

-{ Quote: "I'm not sure I agree with that. You want to prevent the stuff from getting on your system in the first place instead of letting it get very close to your PC and stop it at the gates. The change something slips through is eminent." }-
I see your point, but how do you know you are protecting against malware if there is no detection. Hence my sig. Works well Avira detects and a reboot with SD protects.

Well I do think I know what you mean but I like to see it in a bit other context.
If you block everything, nothing (and nothing bad) can get executed. You don't need detection either.
If you are going to allow everything you have to rely on your detection system to filter the bad things out. Since those systems don't have a detection rate of 100% you always have the change of being exposed to some kind of danger.

I know a zero tolerance blocking policy isn't much of a usable environment but I think prevention is #1, then comes detection.

"If it doesn't come to your gate, the hole it the gate will be unused".

cant argue with that. As long as either approach works, is what counts.

-{ Quote: "No, you have to detect before you can protect. Protection is meaningless if it never detects anything. So you detect first, then protect, or clean." }-

Detection= Signatures.
Prevention= Behaviour, etc.

How can "detection" detect something if it's not in the baddie list? If an AV doesn't have a signature for example, you're pretty much gone, and NO AV detects everything under the sun. Even testing organizations don't have every malware in the world to test AV's, But this is for another day. :P

-{ Quote: "Detection= Signatures.
Prevention= Behaviour, etc.

How can "detection" detect something if it's not in the baddie list? If an AV doesn't have a signature for example, you're pretty much gone, and NO AV detects everything under the sun. Even testing organizations don't have every malware in the world to test AV's, But this is for another day. :P" }-
But how many times has Aigle shown where protection software lets something pass. In the end, their is no horse and cart as far as first, you just want to make sure you have a horse and cart.;)

All in all layered security is the way forward.

Prevention
Detection
Cure.

-{ Quote: "

I know a zero tolerance blocking policy isn't much of a usable environment but I think prevention is #1, then comes detection.

"If it doesn't come to your gate, the hole it the gate will be unused"." }-

I agree with you, but don't you think that the same result can be obtained using a multi-layered defense especially HIPS-based ?

I think using a good HIPS would be a pretty decent solution :).
Behavior blocking is almost unavoidable.

They can't get enough processes...I think I counted 16. :S

-{ Quote: "Detection= Signatures.
Prevention= Behaviour, etc.

How can "detection" detect something if it's not in the baddie list? If an AV doesn't have a signature for example, you're pretty much gone, and NO AV detects everything under the sun. Even testing organizations don't have every malware in the world to test AV's, But this is for another day. :P" }-

Well, you can have generic signature which doesn't require an exact match.
Then yet again, heuristics don't work if there is no rule for something specific.

-{ Quote: "So he gets a machine infected with 1000s of viruses (he says this in part 1 of the video series) and expects AVs to remove them? This is not a good test at all." }-

this is what I thought as I'm run F-Secure at times , I strongly doubt on a clean machine that F-secure wouldn't keep you clean. OK so it doesn't fully clean a machine trashed by malware I still don't see this as a solid test. Last year my wifes machine had vundo on it, I had to use 4 av's on it to clean it & F-secure was one that helped clean it & in fact found a buried entry that none of the others ( no av names to avoid comparisions) found. Sometimes one av will not find & clean a machine, I have had this a couple times. Once with my wife once with my daughter...

-{ Quote: "this is what I thought as I'm run F-Secure at times , I strongly doubt on a clean machine that F-secure wouldn't keep you clean. OK so it doesn't fully clean a machine trashed by malware I still don't see this as a solid test. Last year my wifes machine had vundo on it, I had to use 4 av's on it to clean it & F-secure was one that helped clean it & in fact found a buried entry that none of the others ( no av names to avoid comparisions) found. Sometimes one av will not find & clean a machine, I have had this a couple times. Once with my wife once with my daughter..." }-
plus your missing the fact that f-secure has already created an internal beta that is better at malware cleaning after the test. how many companies would do that and so fast?

How do you know?

-{ Quote: "How do you know?" }-
link 1 (http://remove-malware.com/announcements/f-secure-resonds/)
link 2 (http://remove-malware.com/announcements/f-secure-development-responds/)

Reading those email replies, F-Secure demonstrates how good customer service can be. :thumb:

Even with all their flaws, F-Secure has a VERY GOOD tech support. I remember, when F-Secure failed to quarantine and got my system infected.

Within 48 hours F-Secure, nailed the problem. Plus had the magnanimity to admit faults in their product. That is something you almost never see, with other companies. :thumb:

F-Secure 2009 may not be all that appealing product right now. But clearly they have the heart and mind in the right place. Its only a matter of time, that they will bring out a killer product.

Just and update guys (an thanks very much for the thread too!!!) F-Secure Dev sent me an email stating that they would have a new build for me to test this week. I'm supposing some of the fixes would address the torrent of popups from their HIPS engine.

Sounds like good news to me

Hi :)

Any news about the update and the improvements ?

Unfortunately it's taking a bit longer to make the build than we originally thought but we're definitely working on it.

--
Patrik
F-Secure Security Labs

-{ Quote: "Unfortunately it's taking a bit longer to make the build than we originally thought but we're definitely working on it.
" }-

Thanks for the Update! Take your time to make it reliable :)
Keep up the good work.