Interesting AV stats in PCMag on latest Sober outbreak
Peter2150
May 11th, 2005, 11:47 AM
See the article.
http://www.pcmag.com/article2/0,1759,1813927,00.asp
Notes the detection times based on AV updates.
#1 Clam AV
#2 Kaspersky
#3 F-Prot
Pete
SDS909
May 11th, 2005, 12:23 PM
Why post the top3?
I'm more interested in this:
Part I: Proactive detections:
AntiVir Worm/Sober.gen
Dr. Web BACKDOOR.Trojan (probably)
eSafe Trojan/Worm (suspicious)
McAfee W32/Sober.gen@MM
McAfee (BETA) W32/Sober.gen@MM
QuickHeal Suspicious (warning)
Peter2150
May 11th, 2005, 12:30 PM
-{ Quote: "Why post the top3?" }-
Simple. I didn't want to just post the link, and I didn't feel like typing anymore at the time. ;D
Stan999
May 11th, 2005, 01:48 PM
-{ Quote: "Why post the top3?
I'm more interested in this:
Part I: Proactive detections:
AntiVir Worm/Sober.gen
Dr. Web BACKDOOR.Trojan (probably)
eSafe Trojan/Worm (suspicious)
McAfee W32/Sober.gen@MM
McAfee (BETA) W32/Sober.gen@MM
QuickHeal Suspicious (warning)" }-
It is good to see that some of the AVs detect this stuff at the zero-hour.
Having to wait for a definition will always be a little too late and some folks will be infected during that time.
Sputnik
May 11th, 2005, 02:15 PM
Once again Kaspersky and F-Prot are fast with updating... BitDefender had quick updates too... McAfee detected it proactively (surprising to me)... Too bad there are no NOD32 results, because I'm curious if their AH would detect this nasty...
In the end I'm again fairly impressed by the Frisk team with their fast response times... Does anyone have information about avast! on this one?
jlo
May 11th, 2005, 02:32 PM
I am sure Nod32 was detecting with Advanced Heuristics.
Don't think they use Nod in their tests. Shame!
Please note though that Norman did NOT detect this e-mail worm with its sandbox, which surprised me!!
Kind Regards
Jlo
Grumble
May 11th, 2005, 02:37 PM
Interesting to note also, besides straight 1,2,3.. rankings, that the first two were only 3 minutes apart, and next two only 2 minutes apart. The spread from #1 to #4 is only 20 minutes, and so on down the line... overall it looks like AVs are keeping up in adding defs pretty quickly, at least in this instance.
1) ClamAV 2005-05-02 16:36 Worm.Sober.P
2) Kaspersky 2005-05-02 16:39 Email-Worm.Win32.Sober.p
3) F-Prot 2005-05-02 16:54 W32/Sober.O@mm (exact)
4) AVK 2005-05-02 16:56 Email-Worm.Win32.Sober.p (KAV-Engine)
Stephanos G.
May 11th, 2005, 02:41 PM
From eset website
Virus information
Info: Win32/Sober.O worm
Risk: Very High
Date first captured: 2005-05-02 20:31
Date last captured: 2005-05-11 19:41
Total stopped to date: 755 792
Most active month: 2005-05
Most active date: 2005-05-05
Infection ratio (2005-05-05): 2.039 %
Stephanos G.
May 11th, 2005, 02:43 PM
Note: All times and dates are in local time (CET)
Stefan Kurtzhals
May 11th, 2005, 02:57 PM
NOD32 did detect this Sober variant with the AH heuristics, the test was performed by Andreas Marx (AV-Test) and I think ESET did choose not to participate in his tests.
BTW, Quickheal does detect *everything* as suspicious that is runtime compressed. Take notepad.exe, compress it with UPX and voila... :)
I wish I could write a similar .gen detection for Mytob and Kelvir. :-|
Diver
May 11th, 2005, 04:13 PM
These results are very interesting. However, they represent only a snapshot regarding a single widespread outbreak. What would really be interesting would be to have similar statistics compiled over a period of time for many outbreaks.
Sputnik
May 11th, 2005, 04:23 PM
-{ Quote: "These results are very interesting. However, they represent only a snapshot regarding a single widespread outbreak. What would really be interesting would be to have similar statistics compiled over a period of time for many outbreaks." }-
Here you go...
http://www.wilderssecurity.com/showpost.php?p=411954&postcount=17
http://www.wilderssecurity.com/showpost.php?p=411955&postcount=18
meneer
May 11th, 2005, 05:32 PM
No one seems impressed by the open source effort of ClamAV. Well, I am. As a matter of fact, I could point to the signature update of our corporate ClamAV mail scanner within a few minutes, had our updates not been scheduled for once every hour. Very good results for ClamAV, and not for the first time!
Firecat
May 11th, 2005, 07:30 PM
-{ Quote: "NOD32 did detect this Sober variant with the AH heuristics, the test was performed by Andreas Marx (AV-Test) and I think ESET did choose not to participate in his tests." }-
NOD32 regularly appears at AV-Comparatives...
QuickHeal practically has no real heuristics.
McAfee was saved by generic detections - that's good :)
Good job, Dr.Web :)
I care more about heuristic detections ;)
P.S. I think NOD32 did detect this worm heuristically.
bigc73542
May 11th, 2005, 07:35 PM
definitely better safe than sorry. ;)
SDS909
May 11th, 2005, 07:59 PM
Quickheal has NO heuristics. The "Heuristics" checkbox in the product is just that, a checkbox.
My internal tests showed no heuristics, and when I emailed them about it, I was told I was correct. I was also threatened with legal action if I published any test results from Quickheal. (which were in the 20-30% detection range)
Quite the company there eh?
Firecat
May 11th, 2005, 08:10 PM
-{ Quote: "Quickheal has NO heuristics. The "Heuristics" checkbox in the product is just that, a checkbox.
My internal tests showed no heuristics, and when I emailed them about it, I was told I was correct. I was also threatened with legal action if I published any test results from Quickheal. (which were in the 20-30% detection range)
Quite the company there eh?" }-
Quickheal's company is based in exactly the city where my cousin lives. If I wanted I could go and enquire a bit about their product, but I chose not to. Quickheal really does not have good detection, this much I know. I'm also not quite sure if QH even has an unpack engine.
MicroWorld is a far, far better company than Quickheal.
Stefan Kurtzhals
May 12th, 2005, 01:11 AM
-{ Quote: "Quickheal has NO heuristics. The "Heuristics" checkbox in the product is just that, a checkbox." }-
I tested a few collections with the command line version; it has the following switch:
/DNAScan Do a "heuristic" scan of all files.
This is no heuristics at all, as mentioned before. They simply report all runtime compressed programs as suspicious.
Happy Bytes
May 12th, 2005, 01:36 AM
-{ Quote: "BTW, Quickheal does detect *everything* as suspicious that is runtime compressed. Take notepad.exe, compress it with UPX and voila... :)" }-
Have to say I'll keep praying... ::)
Hopefully they do understand by the time WTF they are doing there :o
Optik
May 12th, 2005, 06:30 AM
-{ Quote: "NOD32 did detect this Sober variant with the AH heuristics, the test was performed by Andreas Marx (AV-Test) and I think ESET did choose not to participate in his tests." }-
Andreas Marx childishly avoids praising NOD32, for reasons that are well known to long-time Wilders readers. He loses more credibility with every test.
Firecat
May 12th, 2005, 09:39 PM
-{ Quote: "Andreas Marx childishly avoids praising NOD32, for reasons that are well known to long-time Wilders readers. He loses more credibility with every test." }-
Can you provide me a link? I'm relatively new to Wilders'; and VERY new to NOD32
I love NOD32 and it has protected me well, but I would like to see these reasons, for expanding my knowledge of course. I've been trusting his tests for so long, I need to get my eyes opened :)
Stefan Kurtzhals
May 13th, 2005, 02:16 AM
-{ Quote: "Andreas Marx childishly avoids praising NOD32, for reasons that are well known to long-time Wilders readers. He loses more credibility with every test." }-
Total nonsense. AV-Test and ESET disagree a little bit on the testing methods, that's all. 99% of the antivirus companies have no problems with the tests from Andreas Marx. There are tests around with much more severe flaws, such as VB - and no one complains about them...
Stephanos G.
May 13th, 2005, 02:30 AM
You talk about these (http://www.av-test.org/) tests?
Firefighter
May 13th, 2005, 03:56 AM
-{ Quote: "There are tests around with much severe flaws, such as VB - and no one complains about them..." }-
Obviously you have forgotten me. Look at my posts 3, 6, 8 and 10 in here about VB ItW tests.
http://www.wilderssecurity.com/showthread.php?p=419788#post419788
They are clearly testing AVs in VB against an ItW list that never exists, and the newest ItW samples are about 3 months old.
Best regards,
Firefighter!
Zender
May 13th, 2005, 06:09 AM
-{ Quote: "99% of the anti virus companies have no problems with the tests from Andreas Marx." }-
McAfee and Symantec think the tests from Andreas Marx are CRAP! (Ask them!)
-{ Quote: "There are tests around with much severe flaws, such as VB - and no one complains about them..." }-
Would you mind explaining those flaws in detail?
Chuck57
May 13th, 2005, 09:10 AM
-{ Quote: "No one seems impressed by the open source effort of ClamAV. Well, I am. As a matter of fact, I could point to the signature update of our corporate ClamAV mail scanner within a few minutes, had our updates not been scheduled for once every hour. Very good results for ClamAV, and not for the first time!" }-
I've been very impressed with Clamwin. I use it as a backup to my regular antivirus. My regular changes every couple of months, but Clamwin is always there as backup. I'm waiting for the day they become a full program with realtime scan. Clamwin is already being noticed, and when they finally get realtime protection, they're going to be noticed even more. I like it and I trust it.
Anon
May 21st, 2005, 11:43 AM
You can find some more response time tests here (PC Mag & PC Welt):
http://www.av-test.org/sites/references_tests.php3?lang=en&year1=2004&year2=2004
And here:
http://www.av-test.org/sites/references_tests.php3?lang=en&year1=2005&year2=2005
richrf
May 21st, 2005, 11:56 AM
Hi,
Does anyone know whether the script alert products such as WormGuard would have caught this worm? How about RegDefend and ProcessGuard? Would either of these also have detected anything? It would be nice to know whether a layered defense is helpful in this case, especially if the AV does not detect the virus proactively.
Rich
Hyperion
May 21st, 2005, 12:32 PM
sorry wrong thread