Jeroen1000
April 16th, 2010, 02:53 AM
I have always liked the ability to select multiple categories so that you can, for instance, detect 'potentially unwanted applications' like cracktools, network sniffers, remote administration tools, ...
I find it useful that Remote Administrator gets detected if a specific category is enabled. Will PrevX implement category based detection in the not so distant future or is this unlikely to ever happen?
But then Joe got me thinking on something he said:
-{ Quote: "Not necessarily, although that is a valid point as well, but assuming that AVC's collection is perfectly free of false positives, we still do not agree with the testing methodology. Upwards of 2/3rds of samples today live for less than 24 hours, the rest dying quickly thereafter - detection of samples that are 6+ months old to 15 years old is almost entirely useless. We can add detection for 100% of old samples if we really wanted to, but the only added value will be to scoring better in AV tests and we have enough to do working with staying ahead of malware authors creating new threats :)" }-
I'm not good at thinking up scenarios, but here goes:
Alice gets infected by a nasty piece of malware M. She doesn't know this, but it isn't detected yet by any vendor. She takes an image of her computer after cleaning it up or something. PrevX cleans this nasty a few hours later and no harm done (hopefully). 1.5 years later she restores her image because the PC crashed, but detection for that piece of malware may have been removed from PrevX? Is that what you are saying, Joe? The reason for its removal was simple: it died off in the wild . . .
This would kind of explain why there are no categories. You'd never know what was in them at any given time.