VB100 April 2010...


King Grub
April 12th, 2010, 08:05 AM
...is out.

http://www.virusbtn.com/vb100/latest_comparative/index

No real shockers, I think. MSE fail, perhaps.

Technic
April 12th, 2010, 08:10 AM
Emsisoft: epic fail. Failure reason: 974 wildlist misses, 1 false positive
:blink:

trjam
April 12th, 2010, 08:10 AM
Vipre failed

ALiasEX
April 12th, 2010, 08:19 AM
Prevention and Digital Defender passed!

tesk
April 12th, 2010, 08:19 AM
-{ Quote: "Vipre failed" }-

But with 2 false positives ;) So no big worries. :)

3GUSER
April 12th, 2010, 08:32 AM
-{ Quote: "

No real shockers, I think." }-


I was shocked to see so many unknown to me vendors and programs like SGA , SpamFighter VirusFighter , Qihoo , Bkav , Central Command , Prevention , Nifty , etc

OMG , who uses the programs ?

I just emailed John Hawes and hope to receive a reply because I suspect a problem with the testing methodology (they are doing tests completely offline with installers and updaters ready to be installed offline?) . Will post again if he answers me.

3GUSER
April 12th, 2010, 08:54 AM
-{ Quote: "Will post again if he answers me." }-

They are very fast . As I suspected all is done offline .

I can now understand why Panda decided not to participate and I fully support them in this decision!

With updating only signatures (once) , with no update on other proactive modules and behavioural analysis modules , with no internet connection , programs like Norton and Panda are unable to excel.

That is why Norton's results on trojans are so low (97%) . I expected something like 99.99% :) but with no SONAR , with no Insight and other modern stuff , it is plain signature scanning test .

Very disappointed by VB .

Cyrano2
April 12th, 2010, 09:12 AM
What about Avast 5? :)

King Grub
April 12th, 2010, 09:16 AM
It passed.

cruelsister
April 12th, 2010, 09:26 AM
A2/Ikarus result was rather shocking to me. I assumed failure would be due to false positives and not due to an outrageous amount of sample misses.

linuxforall
April 12th, 2010, 09:26 AM
Avira, Avast and AVG passed :)

abels
April 12th, 2010, 09:30 AM
-{ Quote: "I was shocked to see so many unknown to me vendors and programs like SGA , SpamFighter VirusFighter , Qihoo , Bkav , Central Command , Prevention , Nifty , etc

" }-

BKAV is the most popular antivirus program in Vietnam. :)

AvinashR
April 12th, 2010, 09:50 AM
-{ Quote: "I was shocked to see so many unknown to me vendors and programs like SGA , SpamFighter VirusFighter , Qihoo , Bkav , Central Command , Prevention , Nifty , etc

OMG , who uses the programs ?

I just emailed John Hawes and hope to receive a reply because I suspect a problem with the testing methodology (they are doing tests completely offline with installers and updaters ready to be installed offline?) . Will post again if he answers me." }-

Qihoo 360 is the same AV Company where Xiaolin (Malware Defender's Author) got his new job...It uses Bitdefender's engine and it is based on cloud technology. It already passed last VB100 test too.

abels
April 12th, 2010, 10:59 AM
Surprisingly, a well-known antivirus with high detection rate like a-squared missed a lot of samples.

Brocke
April 12th, 2010, 11:07 AM
-{ Quote: "Prevention and Digital Defender passed!" }-


does that include the free versions?

trjam
April 12th, 2010, 11:08 AM
It shows Kaspersky 6 as failing. Who still uses that version of Kaspersky?

iravgupta
April 12th, 2010, 11:14 AM
-{ Quote: "It shows Kaspersky 6 as failing. Who still uses that version of Kaspersky?" }-
This version is used in the corporate scene.

trjam
April 12th, 2010, 11:15 AM
-{ Quote: "This version is used in the corporate scene." }-
thank you

Edwin024
April 12th, 2010, 12:04 PM
Was Comodo in the test? Guess not, but I don't want to register :)

abels
April 12th, 2010, 12:06 PM
Comodo not in the test.:D

linuxforall
April 12th, 2010, 12:08 PM
-{ Quote: "What about Avast 5? :)" }-


Passed :)

vijayind
April 12th, 2010, 12:28 PM
Good to see also the RAP results
http://www.virusbtn.com/vb100/rap-index.xml

Where on avg. Ikarus has done quite well. So this result was probably a one off.

Brummelchen
April 12th, 2010, 12:57 PM
ain't a-squared using Ikarus engine?
-{ Quote: "Ikarus

Status: FAIL
Failure reason: 973 wildlist misses
Result history: Ikarus
Product name: Ikarus virus.utilities" }-
:blink:

but anyway I'm surprised that "1 miss" will lead to "fail" like Kaspersky, MSE and some others...
(some explanation from inside might help, i'm no paid subscriber)

kjdemuth
April 12th, 2010, 01:05 PM
Yikes 973 misses. Thankfully I have a lot of layers under Ikarus. I might have to rethink my AV choice.

Matthijs5nl
April 12th, 2010, 01:44 PM
As always Norton is nowhere in VB RAP.
As always ESET and Kaspersky are great and close to each other.

MSE also not really good. Seems like AVG is really getting a serious consideration again and if you pick a free one you still should choose one of the 3 A's.

Webroot, Ikarus, Sophos and Check Point (must be a great package together with the ZoneAlarm firewall) quite surprise me.

Triple Helix
April 12th, 2010, 02:15 PM
Ikarus has never had a pass on VB test! And again ESET passed 61 Success / 3 Failure / 5 No Entry! And VIPRE is 1 and 1 with 2 false positives as I use that on all of my VM's!

TH

NoIos
April 12th, 2010, 02:16 PM
I guess buying a Trustport license is coming closer for me. At least the usb version. Ikarus great as always, good promotion for Check Point considering the offer tomorrow.

JasSolo
April 12th, 2010, 03:17 PM
ESET haven't missed a VB test in 8 years...pretty amazing :)


Cheers

lordraiden
April 12th, 2010, 06:17 PM
Norton the big loser in the RAP
http://www.virusbtn.com/vb100/rap-index.xml

NobleT
April 12th, 2010, 09:59 PM
Filelab has splendid detection for Asia-Pacific antivirus, but in terms of the whole world virus sample, it is not good.
Norman continues to become depraved ....

Technic
April 13th, 2010, 02:25 AM
Interesting theory/explanation from Emsisoft dev:

"All 974 wildlist misses were misses of the same family: Virut. Since Virut is polymorphic samples are generated to get a better view at the overall detection. We didn't detect the original sample, therefore not the infected files that were infected by that Virut sample and that's pretty much it. "
???

abels
April 13th, 2010, 02:53 AM
Anyone tell me what's the difference between normal test (Fail or Pass) and RAP test?

andylau
April 13th, 2010, 02:58 AM
The Vietnam AV "Bkav" is not bad at all.:argh:

CiX
April 13th, 2010, 03:11 AM
Why Avira Free result is worse than Avira Pro ??? :thumbd: >:(

Brocke
April 13th, 2010, 04:09 AM
-{ Quote: "Why Avira Free result is worse than Avira Pro ??? :thumbd: >:(" }-

how bad?

how about avast 5 free vs pro

doktornotor
April 13th, 2010, 04:13 AM
-{ Quote: "Why Avira Free result is worse than Avira Pro ???" }-

Be glad that they didn't test the v10 which never manages to finish a scan plus would make the testers pull all their remaining hair out with the new ingenious "quick" system scan on every single piece of malware detection. ;D ::)

trjam
April 13th, 2010, 04:15 AM
full scan worked overnight for me with no issues and I like quick scan. Maybe you should reimage your computer and start with a clean image.:dry:

FrenzyLion
April 13th, 2010, 04:17 AM
This test was carried out on the Windows XP SP3 platform.
Most popular antivirus software supports this OS. 8)

doktornotor
April 13th, 2010, 04:23 AM
-{ Quote: "full scan worked overnight for me with no issues and I like quick scan. Maybe you should reimage your computer and start with a clean image.:dry:" }-

Thanks, but no thanks. The scheduled system scan triggered a DCOM failure followed by a forced reboot on every XP box I tried due to the brand new completely broken VSS strategy (why is that VSS service plus bunch of others even started when there's no malware to clean and so nothing to remove and so nothing to shadow-copy in the first place remains another unsolved mystery that no one's answered so far on the Avira forums). My guess would be the infamous hidden object bug that has hit me on every box as well.

trjam
April 13th, 2010, 04:26 AM
oh well, XP huh. Mine are Vista and 7. Well anyway hope it all works out for you at some point.

trjam
April 13th, 2010, 04:28 AM
You know, now that I think about it, I still like Vista better than 7. Anyway, kudos to all that passed this test.

doktornotor
April 13th, 2010, 04:34 AM
-{ Quote: "oh well, XP huh. Mine are Vista and 7. " }-

Well, Vista never touched any of my boxes and I preferred not to risk a damage to the perfectly working W7 box after the XP experience w/ the upgrade. ::) Whatever, XP SP3 is where they carry out the testing anyway.

CiX
April 13th, 2010, 04:49 AM
-{ Quote: "how bad?
" }-
This :what:
-{ Quote: "how about avast 5 free vs pro
" }-
Avast free result is the same as avast pro

Matthijs5nl
April 13th, 2010, 05:23 AM
A shame Panda is not in, especially would like to see the difference between Panda Cloud and avast, AVG, Avira.

pbust
April 13th, 2010, 05:42 AM
-{ Quote: "A shame Panda is not in, especially would like to see the difference between Panda Cloud and avast, AVG, Avira." }-
We would like to be in these tests, but unfortunately they are performed in an isolated environment without Internet connectivity. We have expressed our interest to VB about being included in these tests as soon as the methodology is upgraded to reflect more real-life scenario. I am confident that VB is working hard to improve this aspect of the test. In their defense this is no easy task either.

Noob
April 13th, 2010, 05:56 AM
Nice results for some, sadly i can't see the other part since i have no subscription ;D

Technic
April 13th, 2010, 06:50 AM
It's a bit confusing to talk about RAP and VB100 Award in the same thread. :what: Or are they the same thing?

AvinashR
April 13th, 2010, 06:59 AM
-{ Quote: "We would like to be in these tests, but unfortunately they are performed in an isolated environment without Internet connectivity. We have expressed our interest to VB about being included in these tests as soon as the methodology is upgraded to reflect more real-life scenario. I am confident that VB is working hard to improve this aspect of the test. In their defense this is no easy task either." }-

But why does Panda not seem to be confident in such scenarios?

Fly
April 13th, 2010, 07:11 AM
I'm surprised Webroot is doing that well. Does anyone have any details ?

Sunbelt's score (VIPRE ?) is third rate.

Too bad we can't access the details without a subscription.

dw426
April 13th, 2010, 07:20 AM
-{ Quote: "But why does Panda not seem to be confident in such scenarios?" }-

Panda is a cloud app, cloud apps depend on the internet, mystery solved. Panda keeps the vast majority of its signatures on its servers, allowing you to not have to update them all the time and have your disk filled with them. Confidence isn't the issue, it's the way the app works that is the issue.

pbust
April 13th, 2010, 07:22 AM
I was just going to answer something very similar. Thanks dw426 :)

EDIT: I would add to dw426's comment that malware today (and also the malware being tested here) *also* depends on the Internet. So there's not much point in testing Internet-driven malware in non-connectivity, isolated labs. Products today are very complex. They look at and evaluate entry vectors, communication with the outside, different heuristic levels per vector, behavioural analysis also depending on traits including Internet communication, on-access drivers include more dynamic checks than the on-demand, etc. Testing in an offline environment only looks at a small portion of what a product really is capable of.

I am sure that, as more AV products add cloud-scanning to their mix of detection & protection technologies, these types of methodologies will evolve as well.

Technic
April 13th, 2010, 07:23 AM
-{ Quote: "Anyone tell me what's the difference between normal test (Fail or Pass) and RAP test?" }-


VB's RAP (Reactive and Proactive) testing provides deeper insight into products' ability to keep up with the flood of new malware emerging around the world, as well as their proactive detection capabilities - putting heuristic and generic technology to the test.

I know, this won't help much.

Virus Bulletin is RIPPING 150 dollars for subscription (one year)! :thumbd:

AvinashR
April 13th, 2010, 07:43 AM
-{ Quote: "Panda is a cloud app, cloud apps depend on the internet, mystery solved. Panda keeps the vast majority of its signatures on its servers, allowing you to not have to update them all the time and have your disk filled with them. Confidence isn't the issue, it's the way the app works that is the issue." }-

I agree. But I don't think database definitions are so big... that they will fill up your HDD enormously. What if somebody loses Internet connection after getting hit? Then surely the offline signatures will come into effect, but if you don't have a proper signature database then you will surely be affected.

dawgg
April 13th, 2010, 07:45 AM
-{ Quote: "With updating only signatures (once) , with no update on other proactive modules and behavioural analysis modules , with no internet connection , programs like Norton and Panda are unable to excel.

That is why Norton's results on trojans are so low (97%) . I expected something like 99.99% :) but with no SONAR , with no Insight and other modern stuff , it is plain signature scanning test .

Very disappointed by VB ." }-
It's always been like this. Guess people only really scrutinise the tests when their AVs do bad. Actually, didn't Norton Pass this one?

I think the real concern with these results is that they should be detected on-demand regardless of other proactive measures as they are ITW (so removal may also be important).
Of course, Panda is a different case.

Overall, I'm still not a fan of this test and never care about the results.

-{ Quote: "Anyone tell me what's the difference between normal test (Fail or Pass) and RAP test?" }-
Old/Normal VB100 test - On-Demand/Access tests against the Wildlist sample - sample of apparently the most prevalent malware on the internet. 100% detection and 0 FPs required to get the pass and sticker.

RAP - On-Demand/Access (might be done on different operating systems throughout the year, not sure) and checks proactive/reactive detection. Very different to VB100. See here (http://www.virusbtn.com/vb100/vb200902-RAP-tests) for explanation. I'm not 100% sure about all the details of it either, but is a better test than VB100 IMO.

pbust
April 13th, 2010, 07:51 AM
-{ Quote: "What if somebody loses Internet connection after getting hit? " }-
In the vast majority of the cases you would be connected when getting hit (except for network/usb type of infections, for which we have offline cache and other measures). But if you look at Internet-driven malware, as most of this test does, you would need to be connected to be infected in the first place.

-{ Quote: "Then surely the offline signatures will come into effect, but if you don't have a proper signature database then you will surely be affected." }-
Here you're talking about a different thing. This is more related to disinfection. These types of routines are included within the local cache, so it shouldn't be much affected.

3GUSER
April 13th, 2010, 11:51 AM
Hi dawgg!

-{ Quote: "It's always been like this. Guess people only really scrutinise the tests when their AVs do bad. Actually, didn't Norton Pass this one?
" }-

Yes , Norton and Symantec Endpoint protection did pass the test . But in order to pass their test , it is only necessary to detect on-access all in-the-wild samples and get no FP on the clean sample . For the big vendors , this is an easy task.

For the first time in the history Symantec includes Norton Antivirus , too . They have always included just Endpoint Protection (the business product) because VB magazine is generally read by technical people.

I was talking about the trojan and worm test (an extra part which results are not counted and is different from the in-the-wild detection) . I was saying that in offline environment where there is just on-demand and on-access scan - with no on-execution , no in-the-cloud , no HIPS or behaviour analysis , products like Norton Antivirus 2010 and Panda 2010 can't shine . No internet with old updates is no real-world . The current strategy actually works fine for Avast , for ESET and for Symantec EP , but not for Norton , Kaspersky , Panda . As you see Norton's and Symantec's results are pretty much the same but Symantec EP has no in-the-cloud , for example.

Matthijs5nl
April 13th, 2010, 12:09 PM
Norton Insight and so on don't detect threats, that is just reputation based. So I quite understand the way of testing. The fact a system is not infected doesn't mean (in this context) that Norton detected a threat.

Zekeblue
April 13th, 2010, 12:18 PM
It looks like Checkpoint got the highest overall scores on the RAP test according to the chart. So what product is that? Is it ZoneAlarm Antivirus, or is it a business product? If the latter, how did ZAAV do? I believe it uses the Kaspersky AV engine (or used to).

SweX
April 13th, 2010, 12:22 PM
-{ Quote: "It's a bit confusing to talk about RAP and VB100 Award in the same thread. :what: Or are they the same thing?" }-

NO they are not the same test, which is why I started this thread but it got closed by JR unfortunately ??? .
http://www.wilderssecurity.com/showthread.php?t=270022

3GUSER
April 13th, 2010, 01:19 PM
-{ Quote: "Norton Insight and so on don't detect threats, that is just reputation based." }-

Not quite right .

When I was writing Norton Insight , I meant Norton Insight Network .

No , it is not true that it is just a reputation system . Insight Network gathers reputation and just like Panda's Collective Intelligence can make definition automatically based on some factors. If you are active malware hunter or tester and you actively test Norton , you'll see that some threats are detected by Norton only when the Insight Network scan is performed (a.k.a cloud-scanning) . When file with known Bad reputation is detected , it is called Reser.Reputation.1 and this is only Insight Network detection not present in the definitions. When Norton detects threat as Suspicious.Cloud , it tries to connect to Norton servers for further cleaning information. The conclusion is that products with modern innovative technologies based on cloud computing can protect the computer when offline but their protection/detection capability is dramatically improved when the computer is online

abels
April 13th, 2010, 01:29 PM
-{ Quote: "It looks like Checkpoint got the highest overall scores on the RAP test according to the chart. So what product is that? Is it ZoneAlarm Antivirus, or is it a business product? If the latter, how did ZAAV do? I believe it uses the Kaspersky AV engine (or used to)." }-

It's ZoneAlarm Antivirus exactly. ZoneAlarm used Kaspersky AV engine in ver 7.0. I'm not sure about newest version of ZA because I stopped using ZA a long time ago. :)

vojta
April 13th, 2010, 01:41 PM
-{ Quote: "Norton Insight and so on don't detect threats, that is just reputation based. So I quite understand the way of testing. The fact a system is not infected doesn't mean (in this context) that Norton detected a threat." }-

Well, in my case, I don't quite understand this way of testing:

"The fact a system is not infected doesn't mean (in this context) that Norton detected a threat."

Isn't it what is this all about?. Isn't it the real point of antivirus protection: not being infected?.

When you run a full scan of your computer and your antivirus tells you "four trojans", is it a victory?. No, a detection on a full scan is only the testimony of a security system's failure. Why is it still the most important part in most of the antivirus test?. It should be the less important one.

Having top detection at full scan is good and all the antivirus that make it high at the ranks deserve recognition. But the testing companies deserve a good spank for insisting on this.

What's the point in testing stripped down versions of security software in artificial environments. Not updating for weeks?. Come on......who cares. Who cares if detections are reactive, proactive, reputation based........I pay for a CLEAN system and that's all that I want.

IBK
April 13th, 2010, 02:35 PM
Testing AV: Why VB Tests are still relevant (http://avien.net/blog/?p=479)

Brummelchen
April 13th, 2010, 03:49 PM
-{ Quote: "NO they are not the same test, which is why I started this thread but it got closed by JR unfortunately ??? .
http://www.wilderssecurity.com/showthread.php?t=270022" }-
The award is similar to av-comparatives a snapshot of current builds.
RAP seems to me an average of the last 6 months - so it has more meaning for
me than the award.
RAP was mentioned here earlier so why not discuss it here?

vojta
April 13th, 2010, 03:58 PM
-{ Quote: "Testing AV: Why VB Tests are still relevant (http://avien.net/blog/?p=479)" }-

So, basically, because some AVs fail and those are the ones to avoid. That's why those tests are useful. But, why are (or have been) they the most important?. Maybe because they are the less difficult to perform.

IBK
April 13th, 2010, 04:04 PM
-{ Quote: "But, why are (or have been) they the most important?" }-
i do not see anywhere the words "the most important".

vojta
April 13th, 2010, 04:22 PM
-{ Quote: "i do not see anywhere the words "the most important"." }-

I was speaking in general, not criticizing the article.

Saraceno
April 14th, 2010, 12:35 AM
As Brummelchen pointed out, RAP results have more importance and should be discussed.

To Emsisoft's defence, IDS was obviously switched off (which would have blocked the threats). Just checking their forum, a moderator posted that the text of the results also state:

-{ Quote: "With some data finally in, some truly superb results were observed, with all sets completely demolished, the RAPs especially looking set for a top-of-the-table score. Sadly, in the WildList set a batch of Virut samples were not detected – which would have been enough to deny Emsisoft a VB100 award even had its on-access component been fully operational – and a single false alert in the clean sets also denies it the chance to take up a prime position on our aggregate RAP charts. Despite these teething problems, we expect to see a-squared becoming a force to be reckoned with in the near future." }-

qpok
April 14th, 2010, 03:48 AM
It seems the April 2010 RAP results look good for Vipre: http://sunbeltblog.blogspot.com/2010/04/vbs-rap-on-vipre.html

http://www.sunbeltsoftware.com/alex/gblog/rap_detections_2_thumb1.jpg

cruchot
April 14th, 2010, 04:12 AM
What I don't understand, Ikarus is a top rated product in RAP report Oct-Apr but scored with 0 Success / 8 Failure in VB100 ???

Technic
April 14th, 2010, 05:07 AM
-{ Quote: "What I don't understand, Ikarus is a top rated product in RAP report Oct-Apr but scored with 0 Success / 8 Failure in VB100 ???" }-


FP's my son. FP's. :P

fax
April 14th, 2010, 01:18 PM
-{ Quote: "It looks like Checkpoint got the highest overall scores on the RAP test according to the chart. So what product is that? Is it ZoneAlarm Antivirus, or is it a business product? If the latter, how did ZAAV do? I believe it uses the Kaspersky AV engine (or used to)." }-

It is Zone Alarm Security Suite. Yes it uses the Kaspersky engine. Same as Kaspersky enterprise editions that is currently the same engine as 2010. Impressed by ZA indeed... Both ZA and Kaspersky fails the April VB100 on XP due to 1 wildlist miss.

Wonder what makes ZA better... probably the HIPS (called ZA OS firewall)?

Fax

dawgg
April 14th, 2010, 01:56 PM
-{ Quote: "It is Zone Alarm Security Suite. Yes it uses the Kaspersky engine. Same as Kaspersky enterprise editions that is currently the same engine as 2010. Impressed by ZA indeed... Both ZA and Kaspersky fails the April VB100 on XP due to 1 wildlist miss.

Wonder what makes ZA better... probably the HIPS (called ZA OS firewall)?

Fax" }-
The old Kaspersky engine failed.
Kaspersky's new engine which Kaspersky v2010, corporate workstations (possibly also other corporate products) and ZA uses (may depend on version) passed.

Also, VB's does not look at other antivirus abilities such as HIPS.

Reason why ZA failed and Kaspersky 2010 passed could be because of ZA version used or default settings. Other than that, I do not think there is a time-lag between when Kaspersky releases updates and ZA does, thought they were pretty much the same.

Fly
April 14th, 2010, 02:06 PM
-{ Quote: "It seems the April 2010 RAP results look good for Vipre: http://sunbeltblog.blogspot.com/2010/04/vbs-rap-on-vipre.html

http://www.sunbeltsoftware.com/alex/gblog/rap_detections_2_thumb1.jpg" }-

Indeed.

In my earlier post I referred to the average RAP, but they seem to have made much progress.

Perhaps, just perhaps, they will be tested in av-comparatives ...

NickHSunbelt
April 14th, 2010, 02:42 PM
-{ Quote: "Indeed.

In my earlier post I referred to the average RAP, but they seem to have made much progress.

Perhaps, just perhaps, they will be tested in av-comparatives ..." }-


As far as I know, that is currently the plan. We had been waiting for the VIPRE 4.0 release before entering and we should be in one of the next tests.

fax
April 14th, 2010, 03:20 PM
-{ Quote: "The old Kaspersky engine failed.
Kaspersky's new engine which Kaspersky v2010, corporate workstations (possibly also other corporate products) and ZA uses (may depend on version) passed.

Also, VB's does not look at other antivirus abilities such as HIPS.

Reason why ZA failed and Kaspersky 2010 passed could be because of ZA version used or default settings. Other than that, I do not think there is a time-lag between when Kaspersky releases updates and ZA does, thought they were pretty much the same." }-

I think you are missing the point.
ZA and Kaspersky (Version 6 revision 4) failed for the same reasons

Status: FAIL
Failure reason: 1 wildlist miss
Product name: Kaspersky Anti-Virus 6 for Windows Workstations
More: April 2010 in full (http://www.wilderssecurity.com/vb100/archive/2010/04)
Review: Kaspersky Anti-Virus 6 for Windows Workstations on Windows XP (http://www.wilderssecurity.com/virusbulletin/archive/2010/04/vb201004-comparative)

Both use the same engine that is the same as KAV 2010 (= same signature). Probably a different set of AV-DAT was used or the heuristic settings of the enterprise version is different than the retail version (note that KAV 6 MP4 was released after KAV2010)

-{ Quote: " Also, VB's does not look at other antivirus abilities such as HIPS." }-

I am referring to the RAP test where ZA is better than Kaspersky. Something else than the AV engine is tested otherwise it would not explain the better performance of ZA.

Fax

skokospa
April 14th, 2010, 06:53 PM
Take quotes from Emsisoft Forum and I completely agree with that thinking.

Eugene Kaspersky said:
..the tests conducted by VirusBulletin (an industry publication) - I am sure that if I didn't include this, readers would ask why the tests and the resulting VB100% award hadn't been mentioned. Sadly, these tests are far from perfect. The test standards were developed in the mid-1990s and have barely changed since then. Antivirus products are tested using a collection of files infected by ITW viruses. The award is given on the basis of the test results. However, the ITW collection only contains between two to three thousand files - fewer malicious programs than appear in the wild in the space of a single month. Therefore, a VB100% award doesn't necessarily mean that a product really provides protection against all types of malware. It simply means that the product copes well with VirusBulletin's ITW collection, nothing more.

Doctor Web sees the issues of the comparative testing as follows:
1. Testing of an anti-virus for VB100% is based on In-the-Wild set of viruses which includes only malware capable of replicating itself which surely narrows the list of malicious programs used for the testing. As estimated by Doctor Web the In-the-Wild collection includes only 10 per cent of the total number of malware modern anti-viruses protect against.
2. The above-mentioned criterion applied to In-the-Wild collection leaves out the large segment of the present-day malware – Trojans. The same applies to one of the gravest IT security issues of last 4-5 years, so called rootkits. No matter how good an anti-virus is at detecting Trojans which outnumber viruses manifold, no matter what are its rootkit counteraction capabilities it will only get the VB100% upon a successful detection of several thousands of samples from the In-the-Wild collection. Alas, VB100% used as an ultimate benchmark by some marketing specialists and industry experts won’t show a user if an anti-virus is really efficient against Trojans.
3. In order to address new challenges Dr.Web is developing as all other AV products. AV vendors have to deal with new technologies of virus-writers on daily basis which makes constant bringing of innovations into an anti-virus a must. And here regular updates of a virus database are not enough. The testing for VB100% doesn’t compare technical innovations of anti-viruses developed to counteract malicious programs that are never included in the In-the-Wild collection.
4. It’s not a routine scan of a collection of files that shows how good an anti-virus is. It is a malicious attack when malware is attempting to get to a computer or a computer has already been infected. Recent years saw numerous proposals to create tougher conditions for testing anti-viruses and assess them by their ability to cope with an active infection. An anti-virus can show astounding results detecting samples from In-the-Wild collection but users will never know if it is the same perfect when malware is running in the RAM and controls the system rather than stored on a hard drive. Neither the test compares curing capabilities of anti-virus products.

The public only sees the raw results. Vendor so-and-so failed the test and missed so many infected files. One has to register with VB and pay for a subscription to obtain the full testing report. Will the average PC user, spend $175 USD yearly for VB's testing results? I think not. Instead they will rely solely on the very misleading publicly available raw data.

VB should not be using the term failed, when it comes to the VB100 award. Vendor so-and-so did not receive the VB100 award, because they did not detect 100% of the virus samples with 0 False Positive detections. You detect 100% of virus samples with 1 FP, you fail. You detect 99.99% of virus samples with 0 FP, you fail. Making only raw results publicly available without further explanation is doing everybody a huge disservice, vendors and end-users alike.