New Virus Test by GEGA IT-Solutions (av-test.org) [Archive]

Firefighter

April 6th, 2003, 09:55 AM

Before someone says this test a fake, I have to clarify that the test was very well statistically controlled, and when it is so, there is no room to say that test biased.

There were somewhat high skewness on the right side but the reason was clear. There were too many Kaspersky "clones", I mean programs that had the same engine as KAV. When I removed the others but KAV and Command also, because of the F-Prot engine, the histogram pattern was even better than at first.

The top 10 were very good against trojans too, only RAV detected 96.43 % and the others over 99 %.

Look at the rankings, statistics and the picture below!

av-test.org AV-test 3-2003

Total 71627 Viruses ZOO:

01. 71598 99,9595 % F-Secure Anti-Virus 5.41
02. 71584 99,9400 % AntiVirenKit (AVK) 12
03. 71551 99,8939 % Kaspersky AV 4.0.5.37
04. 71548 99,8897 % eScan 2003 10.1******
05. 71533 99,8688 % McAfee VirusScan Home 7.0.1.6000
06. 71530 99,8646 % Power AV XP 11.0
07. 71396 99,6775 % Norton AV 2003 9.05
08. 71274 99,5072 % Reliable AV (RAV) 8.6.104
09. 70946 99,0492 % F-Prot for Windows 3.12c
10. 70912 99,0018 % Command AV 4.74
------------------------------------------ 99% ^
11. 70907 98,9948 % ZK Freedom 4.1
12. 70056 97,8067 % Sophos Anti-Virus 3.65
13. 69921 97,6182 % PC-cillin 2002 9.03.1359
14. 69819 97,4758 % MKS Vir 2.0
15. 69802 97,4521 % BullGuard 3.1
16. 69750 97,3795 % BitDefender 6.5
17. 69495 97,0235 % eTrust (CA Engine) 6.0.1
------------------------------------------ 97% ^
18. 68895 96,1858 % Norman Virus Control 5.50
19. 68693 95,9038 % AntiVir Personal Edition 6.17
20. 68461 95,5799 % Panda AV Platinum 7.03
21. 68215 95,2364 % Avast 4 Home 148
------------------------------------------ 95% ^
22. 67651 94,4490 % Ikarus 5.09
23. 65956 92,0826 % Nod32 1.34.2
24. 65666 91,6777 % DrWeb 4.29b
25. 65387 91,2882 % eTrust (Vet Engine) 6.0.1
------------------------------------------ 90% ^
26. 60052 83,8399 % AVG 6.0.437
27. 58073 81,0770 % VirusBuster 4.0.13
28. 55525 77,5197 % Hauri ViRobot Expert 4.0
29. 53567 74,7860 % Ahnlab V3 Pro Deluxe 2002 5.0.2
30. 50450 70,4343 % Quick Heal 6.0.8
31. Failed*** Proland Protector 7.2

Histogram Mar-1-2003 av-test.org AV-test 3-2003

Total number of scanned objects 71 627

General Statistics: (Ungrouped sample data)
Pts Plotted = 30 Offscale Pts = 0
Mean = 94.01543 Std Dev (Sample) = 8.12537
Kurtosis = 4.67101 Skewness = -1.68375
3 Sigma Limits: 69.63934 TO 118.39153

Process Capability Indices: (based on +/- 3 sigma)
Process Capability = 48.7522
USL = 100.
CPU = 0.24551
Z (USL) = 0.73653
23.07% will be over the USL value of 100.
Based on standard normal distribution (derived from sample values).

Histogram Mar-1-2003 av-test.org AV-test 3-2003; "clones" removed

Total number of scanned objects 71 627

General Statistics: (Ungrouped sample data)
Pts Plotted = 25 Offscale Pts = 0
Mean = 92.8723 Std Dev (Sample) = 8.46055
Kurtosis = 3.86964 Skewness = -1.45844
3 Sigma Limits: 67.49065 TO 118.25394

Process Capability Indices: (based on +/- 3 sigma)
Process Capability = 50.76329
USL = 100.
CPU = 0.28082
Z (USL) = 0.84246
19.98% will be over the USL value of 100.
Based on standard normal distribution (derived from sample values).

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

edsod

April 6th, 2003, 10:59 AM

-{ Quote: " quoting: JacK link=board=24;threadid=8294;start=0#53869 date=1049632926]

In fact, what matters is on access and on demand ITW detection
What's the use scanning for virus which never lelft the laboratories ?

" }-

I agree with this and maybe my previous question was naive or for something that for you is self-evident but
someone of you guys with more experience can answer it
(blackcat's question is also relevant).
;D

Technodrome

April 6th, 2003, 11:58 AM

-{ Quote: " quoting: Smokey link=board=24;threadid=8294;start=0#53870 date=1049633398]
But the surprising winner of the test is: BitDefender... ;D
" }-

Not in detection contest.

Technodrome

Firefighter

April 6th, 2003, 01:24 PM

To Wilder's "antivirus" site administrators!

We have seen recently 4 different large av-tests from 3 independent testers (Saso Badovinac, 2 x VirusP and av-test.org 3-2003). When it is time to update your av-rankings on the Wilder's "antivirus" site?

I think if there were a clear top 5 or 6 to detecting what ever in those tests, there is something to count in the future! :o

"The truth is out there, but it hurts"

Best Regards
Firefighter!

JacK

April 6th, 2003, 01:40 PM

-{ Quote: " quoting: edsod link=board=24;threadid=8294;start=0#53875 date=1049641176]
-{ Quote: " quoting: JacK link=board=24;threadid=8294;start=0#53869 date=1049632926]

In fact, what matters is on access and on demand ITW detection
What's the use scanning for virus which never lelft the laboratories ?

" }-

I agree with this and maybe my previous question was naive or for something that for you is self-evident but
someone of you guys with more experience can answer it
(blackcat's question is also relevant).
;D
" }-

Hello,

As for Blackcat's question, you will find the answer in the result.

A lot of AV get 100 % détection for ITW virus on access and on demand.

Paul Wilders

April 7th, 2003, 10:45 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=15#53896 date=1049649886]
To Wilder's "antivirus" site administrators!" }-

One of them here ;)

-{ Quote: "We have seen recently 4 different large av-tests from 3 independent testers (Saso Badovinac, 2 x VirusP and av-test.org 3-2003)." }-

Yup - I've seen the tests.

-{ Quote: "When it is time to update your av-rankings on the Wilder's "antivirus" site?" }-

As always: we do rely on our own tests. As soon as those have been performed, and the results are reason to change our ratings, we'll do so.

-{ Quote: "I think if there were a clear top 5 or 6 to detecting what ever in those tests, there is something to count in the future! :o" }-

Thanks for your thoughts on the matter.

-{ Quote: ""The truth is out there, but it hurts"" }-

..only on rare ocassions ;D

regards.

paul

Firefighter

April 8th, 2003, 03:57 AM

To Everyone from Firefighter!

Here are the false positives results of that av-test.org 3-2003 test. If there are errors in the table, Please correct me!

False positives from 20 000 clean files:

1.*** 0 0,000 % eTrust AV (CA engine)
2.*** 2 0,010 % McAfee VirusScan Home
3. 3 0,015 % Ahnlab Expert V3 Pro Deluxe 2002
*** 3 0,015 % Norton AV 2003
5.*** 4 0,020 % Norman Virus Control
*** 4 0,020 % PC-cillin 2002
7.*** 5 0,025 % Reliable AntiVirus (RAV)
*** 5 0,025 % Sophos Anti-Virus
----------------------------------------------------------------------- 0,025 %
9.*** 7 0,035 % eScan 2003
*** 7 0,035 % F-Prot 3.12c
*** 7 0,035 % Kaspersky 4.0.5.37
*** 7 0,035 % Power AV XP
13.*** 8 0,040 % eTrust AV (VET engine)
14.*** 9 0,045 % Hauri ViRobot
9 0,045 % ZeroKnowledge Freedom
16.*** 10 0,050 % Command AV
--------------------------------------------------------------------- 0,050 %
17.*** 14 0,070 % AntiVirenKit 12
18.*** 16 0,080 % Avast 4 Home
*** 16 0,080 % AVG 6.0
*** 16 0,080 % F-Secure Anti-Virus 5.41
*** 16 0,080 % QuickHeal
22.*** 19 0,095 % Antivir PE
---------------------------------------------------------------------- 0,100 %
23.*** 24 0,120 % Panda AV Platinum
24.*** 44 0,220 % BitDefender
25.*** 53 0,265 % VirusBuster
26.*** 56 0,280 % DrWeb 4.29b
27.*** 57 0,285 % NOD32
28.*** 58 0,290 % BullGuard
--------------------------------------------------------------------- 0,300 %
29.*** 92 0,460 % Ikarus Virus Utilities
30.***216 1,080 % MKS Vir

On the Wilder's "free tools" site was a warning about Avast 4 Home's and AntiVir's many false positives. How about then with NOD32 or DrWeb 4.29b compared to these two? About DrWeb 4.29b the result was no surprice for me but I can't remember any warnings about NOD32's false positives there on the Wilder's site!

Can someone say how NOD32 could have so many full 100% results in VirusBulletin, when it is so sensitive to false positives? As I remember right, it was not the first time I have seen results like this! :o

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

spy1

April 8th, 2003, 09:15 AM

False positives are something I can live quite well with - what I can't live with is real malware being missed (something I've never had a problem with during my use of NOD32 for the last two years).

As long as you don't have your AV set up to automatically start "fixing" things upon an alert, a false positive is nothing more than an annoyance that needs to be cross-checked via an online scan or two of some sort to verify its' validity - followed by notification of the AV vendor if it does, indeed, turn out to be a false positive (in which case eSet also excels due to the rapidity in which they respond to such notification).

I appreciate all the work you've put into this, Firefighter. Pete

Firefighter

April 8th, 2003, 09:37 AM

To Spy1 from Firefighter!

I'm not sure what do you mean with "real" malwares. In that av-test.org 3-2003 test 70 % of those 30 av-programs were capable to detect totally over 95 % of all objects (viruses, trojans, backdoors etc.). Still there is something that irritates me. Programs like DrWeb 4.29b or NOD32 are not within that 70 % and they were quite poor against other malwares than viruses, which in my mind have better to keep outside of my PC. :o

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

spy1

April 8th, 2003, 10:04 AM

Firefighter - I'm really not sure how many times it is has to be stated that NOD32's primary purpose/reason for being is virus detection.

I don't expect it to excel at detecting anything else (I have an AT specific program on here - a specific anti-worm/script defense program, specific programs for spyware of various types - see sig).

With the current rage being "one program does it all", about all I see coming from that is

(a) a massive duplication of effort for all parties involved

(b) dilution of the primary purposes for which the programs were designed to start with (read: missing more things that they were designed to deal with to start with)

(c) increased system-wide vulnerability resulting from any exploit targetted at a specific brand of "do-it-all" software

(d) program bloat for all software involved in the current "do-it-all" rage.

I could go on, but I'm pretty sure it would be pointless. You either subscribe to the "specialization" theory - or you don't.

The only "truth" out there that can hurt is that there will likely never be one program out there that can "do it all" perfectly.

I'm outta here. Pete

Paul Wilders

April 8th, 2003, 10:46 AM

I second that, Pete.

A dedicated ITW antivirus is designed to do just that; coping with In The Wild viruses. "Zoo viruses" are of no importance; they aren't "out there", thus no threath. Layered defense is what it all comes down to. For that reason I always have been a firm believer in using separate top notch security apps for different purposes: a top notch ITW antivirus, a top notch antitrojan, etc. This way, at least one isn't totally defenseless when some sort of malware has targetted just one installed security app succesfully.

regards.

paul

RaLX

April 8th, 2003, 10:47 AM

Well, I second Firefighter opinion because Viruses, Trojans, Backdoors, etc... are all Malware that I think can be detected by a Top AV Software, and test like this reflects the true possibility of do that, i.e. KAV (and KAV based AV's), McAfee and even ZK Freedom AV (Command AV based) do it very well!.

Paul Wilders

April 8th, 2003, 10:51 AM

RaLX,

Since for example KAV/AVP is always top priority for malware designers to target, you surely are putting all eggs in one basket - something my mother always told me not to do ;).

regards.

paul

RaLX

April 8th, 2003, 11:11 AM

That example will apply for all kind of top software, if a virus designer wants to attack any top AV your AntiTrojan won't notice that attack because only detect trojans... :-\

xpert

April 8th, 2003, 11:49 AM

..but at least you haven't lost all your defenses - which in your case, you will have ;D

xpert

Douglas

April 8th, 2003, 12:33 PM

I was in the US Marines in the 70s. I was a "Field artillery fire controllman", which meant that I did the mathematical computations necessary to tell the artillerymen exactly how to fire their artillery. I didn't do the computations necessary and then run out to fire the guns. Nor did I do intelligence work. Nor was I a sniper. Almost everything in the military is based on specialization and layered defence. Do your one job and do it to the best of your ability.
Coming to Wilders, I learned that that is the approach of the admins and mods here, and it has served me very well. I have never been caught by a trojan, virus, or any other type of malware. So, I really appreciate their philosophy.

BTW, I don't know if my analogy is valid. It just seems like a good one. :)

Regards,
Douglas

octogen

April 8th, 2003, 01:09 PM

I also agree with the layered defense approach! I thought that was an excellent analogy, Douglas! It reflects my line of reasoning for using the layered approach!

spy1

April 8th, 2003, 01:26 PM

RaLX - Let's consider your scenario for a moment, shall we?

The keys here are time-frame, awareness, delivery mechanism, layered secondary defenses and properly set-up email programs.

Awareness - My AV program (among others) runs resident in the SYSTRAY. How long do you think it would take me (or anyone else) to notice that the icon was gone? Or (more importantly) that my AV wasn't firing up correctly at start-up? (This is the primary reason I do not let XP hide "inactive" icons!).

Delivery mechanism - If you're starting with a clean system prior to an attack which knocks out the AV, how is a virus going to get in - AV or no AV? ( we're talking about a totally "security"-patched OS, remember ). Barring "sudden-brain-death-syndrome" (SBDS) on the computer operator's part, the answer is - it's not. Because

your layered secondary defenses are still functioning! AT/Anti-Worm/Hostile Script programs are still up and running. Mailwasher is still there letting you preview your email, Benign is still wiping out anything that you let through in an email that isn't really what you thought it was,

your properly configured, updated - patch-wise/version-wise - non-"Preview" enabled, email program that's running in the "Restricted" Zone is still there doing its' thing.

If you d/l something off the Net, you'll know if something's wrong when it won't scan ( before it's opened and can do any harm).

The layers actually go even deeper - I haven't even touched on "file checking" programs, that'll let you know instantly if something's amiss (changed) - sandboxes, browser add-ons, firewall add-ons/features, host-file use (that'll all help keep you out of trouble should your AV fail).

But I think you get my drift. Pete

Firefighter

April 8th, 2003, 01:56 PM

To everyone from Firefighter!

Maybe it's pure waste to talk about layered defense because too many from here are in the different parties in this issue.

There is still one thing where I want to have our opinion. If you have a specialised av to in the Wild viruses (NOD32 or DrWeb 4.29b etc.), how do you handle those very rarely emerged viruses, which apparently are not in NOD32's or DrWeb's virusbase, but which are sure in Kaspersky engined av:s, McAfee, F-Prot engined av:s or RAV for instance and in this case maybe in Norton's? :o ???

PS. To Douglas, you had just the same duty area as I, when I was in the Finnish "Royal Heavy Field Artillery". Navy sucks! ;D

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

spy1

April 8th, 2003, 02:04 PM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=30#54146 date=1049824605]
There is still one thing where I want to have our opinion. If you have a specialised av to in the Wild viruses (NOD32 or DrWeb 4.29b etc.), how do you handle those very rarely emerged viruses, which apparently are not in NOD32's or DrWeb's virusbase, but which are sure in Kaspersky engined av:s, McAfee, F-Prot engined av:s or RAV for instance and in this case maybe in Norton's? :o ???
" }-

I don't have to handle them, Ff - I'll never see them.

If anyone did see them in the wild, they'd be added to NOD's database.

That's why I have the program set to check for updates every hour I'm online. Pete

Firefighter

April 8th, 2003, 02:10 PM

To Spy1 from Firefighter!

As I understood right, someone has infected with the in the Wild virus first, before it has been listed on.

Why then not me? ;D

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

spy1

April 8th, 2003, 02:40 PM

You're the statistician, Ff - Why don't you tell me the odds against either you or I being the one (out of millions) to get hit with a new piece of malware first, before it's deffed? Or even the odds against being one of the first thousand to be affected thusly?

It would probably be more likely that a passing comet would emit a lightning bolt that would hit you while at the top of your golf swing on your birthday. Pete

Firefighter

April 8th, 2003, 03:10 PM

To Spy1 from Firefighter!

Does it make any harm to add those 5000, or something like that, objects in NOD32's or DrWeb's database, then they may be as good as KAV, McAfee, F-Prot or RAV against in the Zoo viruses?

Both NOD32 and DrWeb are still capable to detect at least 66 000 objects just now?

Remember that some 70 % of av-producers are now capable to detect some 95 % of those nasties! :o

At least that may calm the majority of av-users a little bit! ;D

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Pieter_Arntz

April 8th, 2003, 03:15 PM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=30#54155 date=1049829017]
Does it make any harm to add those 5000, or something like that, objects in NOD32's or DrWeb's database

At least that may calm the majority of av-users a little bit! ;D

" }-

Yep. When they are downloading the definitions. ;)

Seriously Firefighter. Adding the ZOO viruses will not protect you against the new viruses.

The truth is ot there, running .... hiding.

Regards,

Pieter

RaLX

April 8th, 2003, 03:52 PM

To Spy1 from RaLX:

The scenario wasn't proposed by me, I just stated that the multilayered defense proposed have almost same weakness that a single top AV detecting 99%+ malware out there.

To Everyone from RaLX:

Here's a good question that I found on dslreports by "StraitShoot"

-{ Quote: "NOD32 is great with 100% ITW, according to Virus Bulletin and even the AV test from Hamburg we are all discussing. It is a bit of a mystery why it doesn't "heuristcally" find the all the zoo viruses... but I don't think any AV would...
I'm really not concerned with the zoo viruses anyway. If they get released from the zoo, they become ITW, anyways...
I'd have to be really lucky to get one those suckers while they are "zoo" viruses..." }-

The question is good because what makes difference in the behavior of a virus ZOO and ITW?

octogen

April 8th, 2003, 05:06 PM

Especially when you consider the track record NOD32 has at detecting heuristically a fair amount of the notorious, now "in-the-wild" viruses like "I Love You", Melissa (spelling?), Bugbear, etc.

Which brings to mind questions:

What exactly is a zoo virus? Do "in-the-wild" viruses in a sense start out as zoo viruses? If so, what makes them behave differently in the wild?-just like RaLX asks.

Optik

April 8th, 2003, 07:12 PM

To Firefighter from Optik:

If the world had more *virus experts* like you, viruses would rule the world.

sniff

April 8th, 2003, 09:20 PM

-{ Quote: "What exactly is a zoo virus?" }-

Simply put: a newly designed virus - known, but not "available" for third parties. Most of them are offered to antivirus companies - merely for the technique used.

-{ Quote: "Do "in-the-wild" viruses in a sense start out as zoo viruses?" }-

99.99% of the cases: not at all. Those nasty designers who really want to cause havoc, will release their new malware as sneaky as can be. "Zoo" is merely a marketing ploy in this context. Like talking about an existing new car model on shows - it's there alright, but it isn't available at all. Scare mongering. Seems like people fall for this ploy...

sniff

The Snowman

April 9th, 2003, 01:14 AM

The topic has been the subject of conversation for countless years......rarely does everyone agree on the proper approach.

Personally, I could not more strongly agree with Spy1 and the layered approach. Where did the notion come from that an anti virus program is suppose to also be an anti trojan program??? I certainly prefer leaving "each to their own"

The Snowman

Firefighter

April 9th, 2003, 03:53 AM

To everyone from Firefighter!

Very many in here are trying to say that program's like NOD32 or DrWeb are specialised against viruses.

For me a specialist, like a surgeon, is very accurate in his job. Now it seems to be so that those "specialists" are like cowboys shooting everything that moves and misses a lot. My specialist is a sniper which can recognize the target and is capable to eliminate it.

Because of NOD32's or DrWeb's 4-30 times larger false positives ratings than F-Secure's or McAfee's for instance, an average user of NOD32 (or DrWeb) is forced to check the possible infection from those "common quys", like Kaspersky, McAfee, RAV or F-Prot for example. So who is at last the real specialist in this case?

Among those "usual av-programs" are very good heuristics programs too like F-Secure or McAfee! You can check it from Heureka 2 test. So the heuristics is not the main reason in this case. ::)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

jan

April 9th, 2003, 04:36 AM

Hi all,

>New Virus Test by GEGA IT-Solutions (av-test.org)

The results are surprising and we are looking into the test methodology.

Thanks for the info.

rgds,

jan

Douglas

April 9th, 2003, 08:47 AM

To Firefighter from Douglas,

From my own experience with DrWeb (8 months),with heuristics enabled, I've only gotten about 4 or 5 false positives. That's after downloading an average of 4-6 programs a week. They have all been marked by DW as "possible" trojans. So I just use TH to doublecheck.
I know that's not a scientific result, but for me, the average user, it's been no big deal at all.

Thanks for the effort you put into those tables.

Regards,
Douglas

Technodrome

April 9th, 2003, 11:12 AM

More then 2 years of using NOD32 and I’ve never encounter any false positive. Trust me FF I am more then an average user.

Technodrome

Firefighter

April 9th, 2003, 11:29 AM

To Douglas from Firefighter!

You said that those false positives are still very exceptional. You may have right,
but so are finally the real infections too.

Let's assume that NOD32 and DrWeb are on somewhat the same line considering the false
positives. So the fact is that they are both far away that accurance to detect real
viruses that Kaspersky powered av:s, McAfee, F-Prot or RAV do. There are too many false
positivises in those detections the "specialists" are doing.

We have seen 3 recently published in the ZOO av-test now and here is one more to the list.

Virus Test Center (VTC); University of Hamburg

Computer Science Department: AntiVirus Scanner Tests December 2002; Win 2000 (+ Win 98)

Published January 29, 2003

Link:

http://agn-www.informatik.uni-hamburg.de/vtc/

AGN in the Zoo test (chapter 17.) is a summary of six categories:

File Viruses - 21 790 objects
File Malware - 8 001 objects
Macro Viruses - 7 306 objects
Macro Malware - 450 objects
Script Viruses - 823 objects
Script Malware - 117 objects

Detected Missed False + Name
(%/38 487) (% / 327)

99.5167********* 186****** 2 0,611 % F-Secure
99.3842********* 237****** 5 1,529 % Kaspersky 3.0
99.3556********* 248****** 1 0,306 % G-Data AntiVirenKit 10
98.0435********* 753****** 0 0,000 % McAfee VirusScan
96.9470********* 1 175****** 2 0,611 % F-Prot DOS
96.9418********* 1 177****** 2 0,611 % F-Prot Win
96.7158********* 1 264****** 2 0,611 % Command AntiVirus
95.1048********* 1 884****** 0 0,000 % Inoculate AV 6.0
93.9902********* 2 313****** 0 0,000 % Norton AV
93.6732********* 2 435****** 1 0,306 % RAV
93.5900********* 2 467****** 5 1,529 % Norman VirusControl
93.2627********* 2 593******29 8,869 % DrWeb 4.26
90.1447********* 3 793****** 0 0,000 % Avast v.3.0
85.5328********* 5 568******11 3,364 % Ikarus AV
80.4220********* 7 535****** 0 0,000 % Data Becker AV
76.9974********* 8 853****** 0 0,000 % AVG 6.0
63.2681*********14 137******0 0,000 % Protector AV
17.6163*********31 707******0 0,000 % VirScanPlus (R.Roth)
11.6273*********34 012******3 0,917 % MR2S

After these 4 tests I am quite convinced about that which AV:s are capable to detect
almost all in the ZOO viruses and are making so few false positives as possible. Only
RAV is an exception in this last test above, but it has got a new scanning engine
after that which you can see in those recently published VirusBulletin's tests
(personally VirusBulletin's tests are not the number ONE available in my opinion,
for pure statistical reasons and lack of NOD32's false positives, but you can make
your own conclusions). ::)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Technodrome

April 9th, 2003, 11:43 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=45#54268 date=1049902146]
Let's assume that NOD32 and DrWeb are on somewhat the same line considering the false positives." }-

No, you can't assume that. NOD32 and DrWeb are 2 totally different products.

Technodrome

Firefighter

April 9th, 2003, 11:55 AM

To Technodrome from Firefighter!

I understand that they are quite different, but now I mean only the false positive rates in this issue, when they were almost equal in the av-test.org test 3-2003.

An other similarity is that they both have not so large virusbase as many other does! DrWeb has
also enough large VB 100 % Awards in a row now, that it is possible to rank as stable process by statistical rules. ::)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Technodrome

April 9th, 2003, 12:34 PM

These files need to be analyzed by AV vendors. After that they should say if they were a false positives or not and why. SOPHOS that uses no heuristic at all had 5 false positives.

Technodrome

Firefighter

April 9th, 2003, 02:27 PM

To Techodrome from Firefighter!

Even I can make mistakes, but I admit that. My weakness is that I believe on figures too easy. But as a finn, I don't believe anything before I have seen those things with my own eyes.

At first I have to say that MKS Vir 2.0 and Ikarus have too large figures in the false positive test and that you can see without more detailed study.

When I made the Histogram analysis with the rest of the av:s, the statistics showed like this below.

Histogram Mar-1-2003; av-test.org AV-test 3-2003

Total number of inspected clean files 20 000

General Statistics: (Ungrouped sample data)
Pts Plotted = 28 Offscale Pts = 0
Mean = 17.10714 Std Dev (Sample) = 18.34109
Kurtosis = 3.45559 Skewness = 1.39535
3 Sigma Limits: -37.91612 TO 72.13041

Process Capability Indices: (based on +/- 3 sigma)
Process Capability = 110.04652
LSL = 0.
CPL = 0.31091
Z (LSL) = -0.93272
17.55% will be under the LSL value of 0.
Based on standard normal distribution (derived from sample values).

It seems to be so that the results of the statistics were almost ideal. But that's not the whole truth. We have to see the Histogram pattern also.

When we are now looking at the shape of the bars, it seems to be so that there are two different samples.

This kind of pattern, according to Histogram analysis, is quite common for two different processes. In this case that means there are two kind of products, albeit we call them all antiviruses, but the purpose is different.

That study does not mean that the results are wrong, but it is now possible! ???

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

adiel

April 9th, 2003, 09:27 PM

this nod32 thing remind me of something..
when i first posted something against nod32..all the members came pounding at me.."you traitor..how dare you say anything against nod32"

i still believe and say that nod32 is nothing but an over hyped(just here) product..its not so good.

Paul Wilders

April 9th, 2003, 09:57 PM

-{ Quote: " quoting: adiel link=board=24;threadid=8294;start=45#54319 date=1049938058]
this nod32 thing remind me of something..
when i first posted something against nod32..all the members came pounding at me.."you traitor..how dare you say anything against nod32"" }-

There is a slight difference between disagreeing and calling someone a "traitor" - you (no one actually) has ever been accused of that.

-{ Quote: "i still believe and say that nod32 is nothing but an over hyped(just here) product..its not so good.
" }-

Your opinion is noted - enjoy the antivirus you prefer better. That said: stating as of why exactly would be prefered above "believes" ;).

regards.

paul

Firefighter

April 10th, 2003, 03:19 AM

To Technodrome from Firefighter!

You said that you haven't had any false alarms with NOD32 during last 2 years. So what, be happy that you are so lucky.

Karl on 26:th February 2003 in his article "Help with NOD false positives" or Zouave on 4:th March 2003 in his/her article "Another false alarm" were not so lucky as you. Those two articles you can see on the front page in the Official NOD32 Forum here in the Wilder's Forum.

So it happened repeatedly even on the front page. I haven't been on the other AV's Official Forums very often, but for example on McAfee's official Forum, there were none happenings like this. I don't say that McAfee is a good model example, because everybody knows what kind of mammoth it is, but still in this case.

I believe it will help us all, despite of our favourites, to recognize honestly the weak points of all av-programs! ;)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Technodrome

April 10th, 2003, 08:48 AM

FF;

There are many reports of false positive from McAfee, Norton, Kaspersky etc. Do google thing and see for yourself. ;)

Technodrome

spy1

April 10th, 2003, 10:58 AM

Yo, Ff - What exactly are you trying to accomplish here?

All AV's suffer from false positives (and you're never going to be able to properly quantify the counts because the various AV manufacturers sure aren't going to provide you with the info!).

All AV's miss this, that or the other when you start throwing in variables like ITW/zoo, testing based on this or that OS only for a particular test-set, whether trojans/worms/spyware get detected or not, etc.

I'm rapidly reaching the conclusion (based specifically on what you've been posting) that all the tests (including your statistical analysis') are basically meaningless (given all the variables involved).

Not to mention the fact that some of the programs that (by looking at your charts) one would consider to be "superior" (McAfee in particular, Norton, too) are generally well-known resource hogs, huge in comparison to the others, don't un-install well and in some cases don't work right on people's systems regardless of what they do to try and make them work!

I suppose you'll be trying to factor those conditions into your next chart? (Hint: Give it up.)

You can play with the numbers all you want - but you'll never reach a meaningful, universally-applicable guideline for which AV product everyone should use because you'll never have all the information available you need to make that kind of a recommendation!.

Tell you what - I'll just let you know when NOD misses something, okay? THAT'S the only kind of thing that would make someone question whether or not they're running the "right' anti-virus for them - whichever anti-virus program it may be. Pete

Firefighter

April 10th, 2003, 02:42 PM

To Spy1 from Firefighter!

You wrote that I have given all the variables involved. It's only because I counted manually those figures from several different tests and it was so faster for me.

But again to the meaning of all variables within. That's the universal way to make statistical calculations and graphics, because in a real world everything affects to the final outcome. We can never count all the causes in that issue, why the outcome is that what it is.

When we are making statistical calculations and graphics, only then when the outcome isn't somewhat the same as normal distribution or a bit skewed normal distribution, we can say that there is a certain, main "cause" to this kind of behaviour! These rules are universal and av-programs are one part of this universe.

If you have studied all my posts, you know my opinion about Norton or McAfee. Still I never had said that those programs are very poor in detecting viruses. If you want to know my top 3 favourites, they are KAV, RAV, DrWeb. But they are still only av-programs, and that's hopefully not the whole life for me.

Sometimes there are situations when you can't use some programs. For example now my resident is McAfee VS 7.0 Pro. But so what, it's only one program among others. I'm here only for "learning english".

I don't dislike anybody here, but sometimes it feels so that although this is "Other AntiViruses Forum", here is still some kind of "NOD secret police" watching you (I'm joking). Hopefully we can stand opinions different from us. No hard feelings! ;)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Tinribs

April 10th, 2003, 02:55 PM

Many forums have a reputation for being biased towards one particular product or another, whislt here you will find many Nod32 users there are also users of many different products.
The implication that Wilders.org staff and regulars are blinkered is an unfounded accusation and frankly not true, if you head over to DSLR forums you'll believe they are the 'Norton av secret police' which obviously isnt true.

I'm happy using my particular product and whilst its good to read about various tests the data can always be misinterpreted to highlight any view you or anyone else wishes to see.

If another product suits me better then I shall consider using that but I and most others here are certainly not narrow minded when it comes to such matters.

:)
Kev

Firefighter

April 10th, 2003, 03:15 PM

To Tinribs from Firefighter!

I know that I am here often alone with my opinions, but that doesn't matter. I know also that here are many who are thinking somewhat like me. So what?

I really like to be at first opposite to everyone. It's sure more evolving than that you say always: "Yes, Yes, I like that, you are thinking just like me!" ;D

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

Tinribs

April 10th, 2003, 04:25 PM

Theres nothing wrong with having your own opinions FF, in fact your posts are quite refreshing (if often confusing) I fear you maybe are getting too involved, I would like to know the last time you recieved a real virus either via email or via download??

No program is going to be 100% perfect, all programs have good points and bad, that may be false positives,resource impact,less than stella detection etc, but if someone is happy using it then thats all that matters and its the individuals choice.

Its no secret I choose Nod32 as my main av, I'm more than happy with its speed,its very lite system impact and its detection ability. I have used many other programs in my time and each had ups and downs, but for me and my pc Nod32 suits me fine, others mileage may vary but whatever they choose its there decision and good luck to them, but no matter how many graphs you posts or tests you analyse for skewness and whatever it will not find you a perfect antivirus program.

:)
Kev

kdcdq

April 10th, 2003, 05:42 PM

I have tried to remain open-minded as I have watched this AV test thread grow & grow & grow, but now I feel it is time for me to speak my mind as well.

What started out as a simple reporting of AV test results by Technodrome has evolved in to various personal attacks, AV products likes & dislikes, and IMHO various graphs & statistics that, while interesting, do little to prove and/or disprove which AV product tested by GEGA is "best" & "worst" :(. Gentlemen, let's try to get back to the basics here.

The important thing about all of this is that one should choose reliable/tested AV products that you like & trust and that work and look like you want & need. One size does not fit all....

KDCDQ, Security Freak

Vampirefo

April 10th, 2003, 07:48 PM

Interesting thread indeed, I use McAfee 7.02.6000 I have used McAfee a long time, but Back when I first got XP, my version of McAfee wouldn't work right.

So I got McAfee 6, it was just horrible, to much bloat locked up my XP often, I exchanged e-mails with support for about 1 month, no satisfaction.

So I decided to test different AVP's KAV was my first choice, but I found it locked up my PC worse than McAfee. I tested many AVP's finally settled on NAV 2002, it work perfectly with my setup.

I was very happy with NAV for a while, until, I started testing packed viruses, and Trojans, my fondness soon faded, So my search began again.

Again I tried KAV, still locked up my XP, I tried other AVP's none sooted me, then I tried F-Secure, It seemed to work great, until I did an update, then all Hell broke out, My XP was running slower than a Snell, Mouse freezing, XP lock ups they would last between 10 to 20 seconds. Slow reboot, Slow Startup, The PC just dragged.

I got a e-mail from McAfee support, asking me to Demo Version 7, I declined, but they wrote me again and assured me, this version was completely XP compatible, So I reluctant tested it. Version 7 worked great, and still does.

So finally I am back with the AVP, I started with, and truly enjoy McAfee, For me it's the best AVP out there, and if you notice a lot of tests lately also have noticed the power of McAfee, it's right up there in the top 5 as it should be.

Gavin - DiamondCS

April 11th, 2003, 01:53 AM

No time to read the whole thread ! But one thing I know about KAV is that they have extremely good generic detection of some common trojan families. For the type of trojan in question you cant beat it, and considering ITW is what matters, the chances of KAV catching for example a new SDBot someone has set up with P2P spreading is better than most :)

I mean detections like

Backdoor.SDBot.gen
Backdoor.mIRC-Based
Backdoor.ServU-Based
Backdoor.VNC-Based

This is just one of the reasons I like their scanner :) SDBot is open source, as are mIRC based trojans (GT Bot). Anything that uses their engine I assume also gets these, so those are powerful scanners..

Firefighter

April 11th, 2003, 04:21 AM

To everyone from Firefighter!

Some of us are trying to say that those calculations and graphics don't prove anything about that which av-program is really the best one. I absolutely agree that, but have I said otherwise in my posts?

The whole thing in my calculations and graphics was that the other av-tests except VirusBulletin were far away from that they were biased to some certain product. That doesn't mean that Virus-Bulletin is then biased to one certain product and that's why I studied VB tests quite few times now.

It is extremely exceptional, that those test results were evaluated with Histogram analysis before they were published. But when those results were approved by Histogram analysis, it proves only that under those circumtances, the final result was just like the one published, nothing else and that's it. The rules were the same for all of those av-producers and we have to accept that.

Like Technodrome very often says, there is no av-program, which is best in all situations and that applies to NOD32 too! So what? I, for instance, have used (too) many av-programs lately and all of them were so good against viruses that over 90 % of the average users should be satisfied to that.

We all have our favourites and that's very good, otherwise the world should be extremely boring. I know that certain programs are very good in many fields of infections, but still it might be so that for me some program doesn't fit. So what? I can always choose an other one. ::)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Bertrand

April 13th, 2003, 04:39 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=45#54403 date=1050002102]
To Tinribs from Firefighter!

I know that I am here often alone with my opinions, but that doesn't matter.

I really like to be at first opposite to everyone.
" }-

My first visit here, and probably my last.

Most contributors are sensible, but you argue for the sake of arguing.

<No need for insults, thank you>

If you wish to contradict methods used providing the correct ones and/or reasons why the used methods don´t live up to your standards would be the way to go.Pieter

Technodrome

April 13th, 2003, 09:20 AM

-{ Quote: " quoting: Bertrand link=board=24;threadid=8294;start=60#54665 date=1050223156]
My first visit here, and probably my last.

Most contributors are sensible, but you argue for the sake of arguing.

<No need for insults, thank you>" }-

You could always ignore this kind of posts!

Technodrome

edsod

April 13th, 2003, 09:50 AM

Sometimes these kind of posts ARE USEFUL because
after all this arguing many sides of the truth are revealed... (I hope not as in the story
"The Blind men and the Elephant")
:)

Smokey

April 13th, 2003, 10:11 AM

-{ Quote: "-{ Quote: " quoting: Bertrand link=board=24;threadid=8294;start=60#54665 date=1050223156]
" }-

My first visit here, and probably my last.
" }-

You're welcome, your contribution is in any case not very significant.

Pieter_Arntz

April 13th, 2003, 10:29 AM

-{ Quote: " quoting: Smokey link=board=24;threadid=8294;start=60#54701 date=1050243078]
You're welcome, your contribution is in any case not very significant.
" }-

Something about a black kettle comes to mind here, Smokey. :P

Pilli

April 13th, 2003, 11:19 AM

Quote: My first visit here, and probably my last.

Funny I thought a forum was a place for open debate or as a place to increase our knowledge including problem solving.
As individuals we all have a point of view, sometimes this can be wrong or misguided but through valid arguments & discussion many issues are resolved or a kind of consensus is formed from which a judgement (by the reader) can be made.
Agreed personal comments do not add to objective argument but it takes all types, fortunately on this forum it rarely, if ever, gets out of hand. ;D

Firefighter

April 13th, 2003, 03:45 PM

To everyone from Firefighter!

Now I maybe understood why the BitDefender 6.5 was the "winner" in this av-test.org test!

BitDefender was the only program that was able to scan all archives (-1), compressed program files, Embedded MS Office OLE objects and password protected files plus it has quite good in the Wild detection too.

Correct me if I read the results wrong!

The only minus with the scanning capabilities was that, it couldn't warn on password-protected archives? ::)

"The truth is out there, but it hurts!

Best Regards,
Firefighter!

Technodrome

April 13th, 2003, 04:09 PM

From bitdefender.com :

In competition with Norton Antivirus, Kaspersky, Panda Antivirus Platinum, F-Protect, Norman Virus Control, RAV and eTrust Antivirus, BitDefender brought two home PC protection solutions: BitDefender Professional and BitDefender Home Edition, the first revealing as an extra an Application Firewall and a superior network fortification.

Both products have excelled in intuitive behavior and stunning effectiveness, but most of the votes were earned by BitDefender Home Edition, which had the gain of a lower price.

The evaluation criteria were:
- user-friendly interface
- detection of main virus categories
- operating systems supported
- price list
- virus definitions number (over 72 000)
- archives’ scanning
- detection of viruses associated with Office documents
- false alarm minimizing
- best behavior under Windows 9x and Windows XP

"

Technodrome

bellgamin

April 14th, 2003, 01:41 AM

Amen to what Pilli said.

IMHO, FF is a great benefit to these forums. Also Mr Blaze.

With no Tabasco, scrambled eggs are boring.

Regards......bellgamin
~~~~~~~~
Stop winking at me, you're making me nervous. ::)

Firefighter

April 14th, 2003, 08:42 AM

To everyone from Firefighter!

I am embarrassed to this flattering, I can only humbly thank you for the support. And for those who are not so intererested in my writings, I'll try only to keep the issues arguing, sometimes even quarrelling, never the human beings. ::)

No hard feelings to all of us! ;D

"The truth is out there, but it hurts"

Best Regards,
Firefighter!

Firefighter

April 15th, 2003, 03:49 PM

To everyone from Firefighter!

Here is a list (not all) of some of those programs that were tested by av-test.org 2003.

When the "winner" was BitDefender and it's capability was to scan almost what so ever, here are some other programs too ranked by the ability to scan those file extensions mentioned in the test.

This is also an answer to Notageek, when he asked why McAfee couldn't scan some files.

It seems to be so that all the best in this ranking are very good in small company's office -use?!!!

Archives*** Compressed***MS Office Embedded MS Office Password AV-Program***
Scan*** Program files*** OLE obj.* Protected OLE obj. Name
[24]*** [13]********* [51]********* [8]

23****** 13****** *** 51******** 8*** BitDefender 6.5

23****** 04********* 51 ********* 8*** Panda AV Platinum 7.03

24 13 39 8 AntiVirenKit (AVK) 12

18 05 51 8 PC-cillin 2002 9.03

11****** 09********* 51** ***** 8*** eTrust AV (ca) 6.0

24****** 13****** *** 33******** * 8*** Kaspersky AV 4.0

18 13 38 8 F-Secure 5.41

22****** 07****** *** 33******** 8*** McAfee VirusScan 7.0.1

18****** 04********* 38 ********* 8 *** Command AV 4.74

16****** 09****** *** 32******** 8*** DrWeb 4.29b

17****** 10****** *** 27********* 7 *** RAV 8.6

17****** 05********* 30 ***** **** 8*** Sophos AV 3.65

16****** 02****** *** 33********* 7 *** Norton AV 2003 9.05

09****** 01****** *** 07********* 8 * NOD32

14****** 03****** *** 00********* 7 *** Avast 4 Home

Now it's quite clear why BitDefender Pro 6.5, and not for example RAV 8.6, was the winner of those Awards below!

I

The European IT Oscar goes to BitDefender

Bucharest, Romania - September 23, 2002 - BitDefender, a European technological leader in antivirus security software and services, today announces its nomination as a Winner to the greatest European competition for IT excellence and innovation: The European Information Society Technologies Prize. The contest proved technical superiority of BitDefender Professional, a recently launched brand in the computer antivirus industry, placing it in the European privileged group of technological leaders.

II

BitDefender is the first winner from Eastern-Europe

4-6 November 2002, Copenhagen, Denmark: SOFTWIN's technologies proved to be the best antidote against new computer malware. BitDefender Professional was nominated as the first East-European Winner at The European IST Awards ceremony, among the best High-Tech products of Europe.

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Jonas

April 16th, 2003, 03:12 PM

FireFighter,

Like all scientific endevors, one study does not prove anything rather it presents its result which may or may not support a hypothisis. Perhaps you or someone else may choose to follow scientific doctrine and replicate a study exactly to test for both internal validity and external validity. When i say replicate i don't me do your own, or similar i mean exact product with exactly the same patches and virus defs on exactly the same files and computer rig. Many people try to use traditional scientific principles on such things, i view anti-virus as more of a social science where their are a sea of unidentified lurking variables effecting performances. thanks for the graphs.

P.S. I won't be happy til i see a regression model with a great PRE ;D

Peace all and thanks for an interesting and informative thread!
Jonas

kdcdq

April 16th, 2003, 05:25 PM

Hello Firefighter,

Thanks for your latest post (Reply #74 on: April 15, 2003, 02:49:00 PM) that actually presents really USEFUL test results statistics!! I mean that sincerely....

KDCDQ, Security Freak

"The truth is out there, but it is often difficult to find."

JimIT

April 16th, 2003, 07:49 PM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=60#54967 date=1050436140]It seems to be so that all the best in this ranking are very good in small company's office -use?!!!

Firefighter!
" }-

Interesting to me were the placings of eTrust and Sophos--eTrust for it's relatively strong showing in a "business use" environment as you mention, FF--and also Sophos' lackluster showing, relative to others, considering Sophos is *really* business oriented.

eTrust seems to be targeting the secondary and post-secondary school market, also, so their placement is noteworthy. I know a security guy who just rolled out eTrust in his high school SD, and is very happy with the product.

Wildman

April 21st, 2003, 12:29 PM

??? I am glad to see that perhaps McAfee has got it's act together. There are however some of us that will always have doubts about McAfee. The past performance of this company and it's products have been louzy. One test does not clear this doubt. It will take a long time before I will say McAfee is to be trusted with my virus protection.

Thanks (Danke)

Wildman

xor

April 21st, 2003, 06:28 PM

-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#56044 date=1050942561]It will take a long time before I will say McAfee is to be trusted with my virus protection.

Thanks (Danke)

Wildman
" }-

i think you mean your AVPE again ;D

Wildman

April 21st, 2003, 11:35 PM

:P

Isn't it surprising how many people use AVPE? Hey what a shock we don't pay for it either. Now how much did I pay for that no good McAfee?, and to think AVPE is said to be just as good as McAfee or Norton (Not my words alone either). Now why would anyone want free virus protection that is said to be just as good as McAfee or Norton?

Thanks (Danke)

Wildman

Smokey

April 26th, 2003, 04:01 AM

-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#56044 date=1050942561]
??? I am glad to see that perhaps McAfee has got it's act together. There are however some of us that will always have doubts about McAfee. The past performance of this company and it's products have been louzy. One test does not clear this doubt. It will take a long time before I will say McAfee is to be trusted with my virus protection.

" }-

You can now quiet faith on mcafee, what in the past have happened is
not important, the present count, and at this moment mcafee is an excellent
AV. :)

Wildman

April 27th, 2003, 01:59 PM

-{ Quote: " quoting: Smokey link=board=24;threadid=8294;start=75#56880 date=1051344106]
-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#56044 date=1050942561]
??? I am glad to see that perhaps McAfee has got it's act together. There are however some of us that will always have doubts about McAfee. The past performance of this company and it's products have been louzy. One test does not clear this doubt. It will take a long time before I will say McAfee is to be trusted with my virus protection.

" }-

You can now quiet :P what in the past have happened is
not important, the present count, and at this moment mcafee is an excellent
AV. :)
" }-

Buyer beware!!

Thanks (Danke)

Wildman

Straight Shooter

April 27th, 2003, 05:29 PM

-{ Quote: " quoting: Smokey link=board=24;threadid=8294;start=75#56880 date=1051344106]
-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#56044 date=1050942561]
??? I am glad to see that perhaps McAfee has got it's act together. There are however some of us that will always have doubts about McAfee. The past performance of this company and it's products have been louzy. One test does not clear this doubt. It will take a long time before I will say McAfee is to be trusted with my virus protection.

" }-

You can now quiet faith on mcafee, what in the past have happened is
not important, the present count, and at this moment mcafee is an excellent
AV. :)
" }-

Really? Have you tried uninstalling it?

Because of it's unpackers, I tried McAee Internet Security on a Win XP Pro Gateway (New)..
It ruined my regsitry when I tried to uninstall it , and I had to restore my computer from a clone I made just before I installed McAfee (Smart)

Good luck!

Wildman

April 28th, 2003, 01:04 PM

;) Apparently one more reason to flush McAfee! Told you it would be a long time before McAfee could be trusted. There are just to many horror stories about McAfee.

Thanks (Danke)

Wildman

??? ::) :P :o

wizard

May 1st, 2003, 06:11 PM

-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#57463 date=1051549486]There are just to many horror stories about McAfee." }-

And don't ask how many horror stories exists about AntiVirPE. ;) Overall I don't like McAfee either but their virus scan engine is one of the best that is currently available and far ahead of the free product you always mention here. 8)

wizard

Wildman

May 2nd, 2003, 07:58 PM

::) Why do I read on other BB sites that AVPE is as good as McAfee or Norton? I would hope that a product one pays money for would work well. In the past McAfee has not been one of thoes products.

Wizard tell us what your hang up with AVPE is.

Thanks (Danke)

Wildman 8) :P ;D :-*

wizard

May 3rd, 2003, 05:56 AM

-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#58232 date=1051919908]
::) Why do I read on other BB sites that AVPE is as good as McAfee or Norton? " }-

Because the people who are telling you this often don't have a clue what they are talking about. McAfee for example has one of the most powerfull unpacking engines besides the famous Kaspersky one. Also McAfee has quite a good heuristic. Both important features are missing in AntiVirPE. And don't even ask if AntiVirPE is capable to deal to deal with highly complex polymorphic malware: McAfee and NAV are way ahead of AntiVirPE. But you will find all this details/examples if you dig into the mentioned tests. :)

-{ Quote: "Wizard tell us what your hang up with AVPE is. " }-

Not intressted to repeat that discussion again with you. Just refer back to the last one and you will find plenty of examples why I think AntiVirPE is not a preferable av solution.

wizard

frank

May 3rd, 2003, 12:03 PM

Everyone is entitled to use whichever AV they like. But, Bitdefender won best overall. End of story.
This means best detection, get it? It doesn't necessarily mean it runs well on my system, it sure does looks pretty, etc.
So many AV people get defensive if their own AV has poor results in a test, that they have to fall back on other aspects of their AV, completely ignoring cold hard facts right in front of their face.
Fine, start a new thread, and do an independant test on AV system resources or UI's. I look forward to it. Pictures not a must, but are appreciated.

P.S. Thanks to Technodrome and Firefighter for actually posting figures.

Wildman

May 3rd, 2003, 12:11 PM

??? O.K. I'll admit I don't understand all the techinical stuff. Wizard why don't you tell us what you think a good virus protection program should do. Please tell us in simple terms, that all can understand. Also tell us what you think is the best pay protection program and what you think is the best free protection program. I am willing to listen, but please keep it simple.

Thanks (Danke)

Wildman :-\ 8)

Tinribs

May 3rd, 2003, 12:15 PM

Theres no point asking that question really, you'll get different opinions from different people, best to just read the threads, read some impartial reviews and try out a program to see if works well for you. :)

wizard

May 4th, 2003, 08:19 AM

-{ Quote: " quoting: Wildman link=board=24;threadid=8294;start=75#58329 date=1051978315]
??? O.K. I'll admit I don't understand all the techinical stuff. Wizard why don't you tell us what you think a good virus protection program should do. " }-

For me the key features of an av software are:

- extremly high detection rate
- heuristics (to find unknown viruses)
- the ability to deal with highly complex virus types
- easy update function with small updates (don't want to download the whole program all the time again ;))
- unpacking engine (if the av program should be used as AT program as well)

Therefore I use KAV 4 as my main antivirus programs (with NOD32 as backup scanner). But sometimes you also have to consider other aspects as well. Especially if you don't have that much knowledge about computers. For example:

I had to find an antivirus program for my mother a few weeks ago. The only thing my mother knows about PC is how to switch it on and work with one or two applications. So for that I needed a program that has a more than average detection rate, is easy to use and easy to update. Of course the program should detect (packed) backdoor trojans as well because my mother only wanted to pay for one program.

I looked around on the market and I found AntiVirenKit (AVK). In Germany it can be bought at http://www.gdata.de. But as other threats in this subforum show there are distributors in other countries as well.

-{ Quote: "Also tell us what you think is the best pay protection program and what you think is the best free protection program. I am willing to listen, but please keep it simple." }-

I said it often before at the moment I think none of the available free programs is really recommandable. But if somebody could not afford to buy a commercial products than the choice will be either F-Prot for DOS or AVAST.

Other good commercial products in my opinion are at the moment: KAV, F-Secure, RAV, DrWeb and NOD32.

Besides my views on av products you want to have also a look on http://www.wilders.org/anti_viruses.htm for some short reviews.

Hope that helps, if not let me exactly know what you don't understand. :)

wizard

controler

May 4th, 2003, 11:46 AM

Hello

Can someone tell me if where e-mail scanning falls in these tests?
IS it included in the results.
I would love to see the results of e-mail scanning included.
Again, a word about Mc afee. I have tried it many times over the years
and had system conflits everytime. Onced when I was trying it out
it took controler of all my EXE files. In other words, any EXE file
had to go through Mc Afee before being executed. I decided to see how the uninstall worked and after uninstalling Mc Afee, I lost all ability to use any EXE files at all. IF they have improved their program
a lot since then, I would give it a try again. To me , I don't care how many Viri a program finds if it also causes unacceptable system conflicts.
The last time I tried Mc Afee was less than a year ago and it was not a pretty site.
Maybe I will give it a try again just before I reformat.

Please post some E-MAIL only results

Thank You

rodzilla

May 9th, 2003, 04:38 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=0#53872 date=1049637354]" }-

> Before someone says this test a fake, I have to clarify that the test was very well statistically controlled, and when it is so, there is no room to say that test biased.

ROFL

Firefighter

May 9th, 2003, 07:25 PM

To Rodzilla from Firefighter!

Before you are dying to your laugh, I have to say that my kids have got an infection again. I have one infection in my floppy disk, that NOD32 couldn't find, but my F-Secure is too strong to be a fool.

It was a trojan JS.Deme. Yes a trojan, but TrojanHunter, PC DoorGuard and Trojan Remover couldn't find it. It is not very good when possibly only TDS 3 is the only AT that could find it. We all don't like that kind of uncomfortable programs!

Before that it was W32.SdDrop.3, what NOD32 couldn't detect, but now after 2 weeks of that infection, yes it could! F-secure detected that of course immediately!

There are somewhere a kind of things, that some may think that they are hype! ;)

"The truth is out there, but it hurts!

Best Regards,
Firefighter!

Primrose

May 9th, 2003, 09:49 PM

It would be nice to send that JS.Deme to NOD so they can put it in their data base..but for some reason I am thinking your detection of it by F-secure is wacky :) especially on a floppy disk. :D If TDS did find it...they can keep it. :-*

Straight Shooter

May 10th, 2003, 01:27 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=90#59480 date=1052522718]
To Rodzilla from Firefighter!

Before you are dying to your laugh, I have to say that my kids have got an infection again. I have one infection in my floppy disk, that NOD32 couldn't find, but my F-Secure is too strong to be a fool.

It was a trojan JS.Deme. Yes a trojan, but TrojanHunter, PC DoorGuard and Trojan Remover couldn't find it. It is not very good when possibly only TDS 3 is the only AT that could find it. We all don't like that kind of uncomfortable programs!

Before that it was W32.SdDrop.3, what NOD32 couldn't detect, but now after 2 weeks of that infection, yes it could! F-secure detected that of course immediately!

There are somewhere a kind of things, that some may think that they are hype! ;)

"The truth is out there, but it hurts!

Best Regards,
Firefighter!
" }-

Never mind NOD32, if it's a trojan, it doesn't bother me.. But TrojanHunter, that is a letdown....

Would you happen to know if McAfee can detect it, if you know..and also AVK Pro?

In the meantime, I would send the sample to ESET. C'mon now Firefighter, be nice! LOL...

wizard

May 10th, 2003, 03:55 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=90#59480 date=1052522718]It was a trojan JS.Deme. Yes a trojan, but TrojanHunter, PC DoorGuard and Trojan Remover couldn't find it." }-

JS = scripting malware. But as far I am aware non of the mentioned is searching for JS scripting malware. They are more focused on backdoor-trojans only.

-{ Quote: " It is not very good when possibly only TDS 3 is the only AT that could find it. We all don't like that kind of uncomfortable programs!" }-

TDS-3 should not detect this kind of malware either. But for most types of JS-malware (known and unknown) there is a quit easy way for protection: Use a different browser than IE or start learning to configure the IE correctly. An infection with a JS-type of malware is most likely to happen if you visit not trustable sites without proper security settings in your browser.

BTW it was just hard for me to find some detailed information about JS.Deme. Did you spelled it right?

wizard

Jooske

May 10th, 2003, 05:23 AM

Quote from Firefighter:
>It was a trojan JS.Deme. Yes a trojan, but TrojanHunter, PC DoorGuard and Trojan Remover couldn't find it. It is not very good when possibly only TDS 3 is the only AT that could find it. We all don't like that kind of uncomfortable programs!<

FF i hope for you with this remark you did not mean to say TDS would be an uncomfortable program, would you?
It needs some experience with it to know the more advanced tools then the one or two button clicks for a full system scan and daily updates, but once you get used to it you know to be more in the drivers seat on your system then any other known product will bring or allow you, let alone av/at scanners.

Please be so kind as to send your sample of the infection to submit@diamondcs.com.au and they will tell if it is in the references maybe with another name or the code is detected anyway --which is very likely as lots of nasties use the same kind of code patterns.
Thank yuou very much FF, i would suggest you do d/l and install TDS yourself and evaluate the product. For your questions and instructions, like FanJ's very nice basic configuration plan with screenshots for new users you must certainly be able to try it for yourself in your own circumstances on your own system and make yourself comfortable with it.
Come over at the DCS forums and we'll be glad to help you with your questions over there.
I'm not hijacking this thread, so it's not appropriate to go into any further discussions and help with DCS / TDS in this thread.
I might open a thread for you or this part to continue this part of the discussion over there.
I wish you good experiences with TDS and a very clean and secure system in whatever way you want to take care of that.

Primrose, i think you mean "they can keep the sample" and you did not mean their product, did you? As i thought you are quite familiar with TDS yourself..?
I never mind if it is found with TDS or WG which is more special for scripts among others, as most users have them both installed anyway :)

Oh, i just realized a very suitable thread is there already, please be invited to join and learn!
http://www.wilderssecurity.com/showthread.php?t=8490;start=0#lastPost
See you there!

ghj290

May 10th, 2003, 05:44 AM

It was NOD's poor performance with archives and e-mail scanning/cleaning that turned me off it I'm afraid. While I'm an experienced PC user the other people that use this PC aren't and I'm afraid NOD just wasn't "automatic" enough. Great for experienced users though.

Trev

wizard

May 10th, 2003, 06:45 AM

-{ Quote: " quoting: ghj290 link=board=24;threadid=8294;start=90#59517 date=1052559872]
It was NOD's poor performance with archives and e-mail scanning/cleaning that turned me off it I'm afraid." }-

But both features are more 'nice to have' instead of being really important for virus protection.

wizard

ghj290

May 10th, 2003, 08:01 AM

-{ Quote: " quoting: wizard link=board=24;threadid=8294;start=90#59522 date=1052563557]
-{ Quote: " quoting: ghj290 link=board=24;threadid=8294;start=90#59517 date=1052559872]
It was NOD's poor performance with archives and e-mail scanning/cleaning that turned me off it I'm afraid." }-

But both features are more 'nice to have' instead of being really important for virus protection.

wizard
" }-

They are "nice to have", and for the more advanced PC user, as you say, not really that important. But although I am, or like to think of myself as, an advanced PC user (Been doing network installations and system design since 1987) two other people that use this PC are of the "I just want to use the PC, not learn about it" variety.
As an example, my wife e-mails a long time friend several times a week, one day (while I was running NOD) she received an e-mail from said friend with an attachment, NOD Flagged the attachment as containing a virus and my wife selected to let NOD "clean" it. She then went ahead and opened the, supposedly, cleaned attachment (I can't remember what virus it was sorry) blissfully unaware that infact NOD hadn't "cleaned" it.
When I returned home luckily she told me what had happened and I ran Fprot and cleaned the system, and informed her friend, and everyone in my and her address books to do the same. Had she failed to mention the NOD warning I would possibly have be looking a re-install whereas had NOD's e-mail cleaning been as effective as many of it's competitors the attachment really would have been cleaned.
Don't get me wrong, if I was the only user of this PC I would still be running NOD quite happily, I just don't think it's "fire and forget" enough for the less PC literate out there.

Trev

Jooske

May 10th, 2003, 08:15 AM

Now i'm sure everybody wants to know which infection was in your attachment and NOD32 was unable to clean.
Can you tell us please?

Technodrome

May 10th, 2003, 08:38 AM

Many viruses are complex, unfortunately cleaning is impossible sometimes.

Have another antivirus product cleaned or deleted this virus?

Technodrome

Firefighter

May 10th, 2003, 09:57 AM

To everyone from Firefighter!

I'm sorry, if I was too hostile yesterday. Maybe I'm human too and yesterday wasn't my day?

About the floppy, you were right. Because english isn't my first language, I tried to mean a disket. It is a disket where I restore all our infections found in the internet, mostly infected by my kids and KaZaa!

They turn even the firewall off when they surf!!!

Unfortunately I have now only one PC, so the risk is in this PC too.

But now to the infection, I mean F-secure's Trojan.JS.Deme. It was found in my second PC, when I had that also. RAV resident scanner found it and named it JS.Noclose.gen*, but when I tryed to scan that with McAfee online scanner, I couldn't load the scanner at all.

By the way, RAV is now capable to find F-secure's Worm.P2P.SdDrop.c too, when it couldn't find that some weeks ago, although all my infection files in my restore disket were in exe extension. The name of the KaZaa worm is in the RAV database, Win32/HLLW.SdDrop.C.

In my mind it is too late, when a potential infection is free in the net some weeks. There is not such a phenomenon as "real in the Wild". All infections from internernet are more or less in the Wild! Can anyone imagine how often people really are giving feedback of their infections. I think it is less than 20% of all cases.

And finally about TDS3. If TDS is too complicated for me, so it is, and that's it. No hard feelings! Maybe the custromer is right? :o

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Jooske

May 10th, 2003, 10:28 AM

Can you be so kind to send your samples to submit@diamondcs.com.au anyway? why not zip the whole diskette content and attach all that so they can find out for themselves what TDS would have missed?
Thanks in advance!

Strange for me, if it's one or two button clicks with program A or program B to have a drive or partition scanned, i don't see the difference in complication only in possible scan results.
If i need an bread i don't go to the liquidstore and not to the carpenter for a knife to slice it, i mean i just look for the best places to find the tools to do the job to be done.
If i have a possible virus i probably start an av/at scanner or a special AV scanner, but how do i know what it is without a scanner at all?
Or an not daily updated scanner is about half as bad, as it's at least false sense of security.

If TDS is too complicated for the two buttonclicks the customer could read the thread to get educated what to do for the two buttonclicks and what more is possible, step by step.
But a customer needs to be teachable to get informed.

wizard

May 10th, 2003, 10:42 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=90#59552 date=1052575032]It is a disket where I restore all our infections found in the internet, mostly infected by my kids and KaZaa!" }-

Using KaZaa! is currently the best change to get infected.

-{ Quote: "They turn even the firewall off when they surf!!!" }-

With such initial position: Disabled firewalls and downloading software out of sources that are not trustfull your chance to stay infection free tends towards 0. No available av products (even if it is the best one) would protect you if you (and your kids) continue with such careless behaviour.

I suggest to start learning about user right management if you have a NT-based Windows OS to ensure that your kids are not voilating you security policies.

wizard

Primrose

May 10th, 2003, 10:44 AM

Hugs Firefighter,
Do not be concerned about Deme...I was waiting for everyone else to post and see what they knew about that bad rascal.. :D :D ..I do have a copy of what they do call it by that name...but it is neither a trojan..or a virus..it is just silly malware...that when you do clean your temp files and your cache it all goes away.

You see that is one of the problems now days with all of the vendors and developers...they all refuse to get together in a consortium and use a single naming convention for exploits.

Because of this, users are confused if the run multiple security products or the hang around security forums wondering how many different names a single exploit can have in this world or when it is modified and gets in the wild again..just what name it really will be in the new edition.

Be Well my friend...I do enjoy your posts and wish you and the family well,

Regards,
John

PS. If I were a developer I would not bother to put Deme on my hit list.

Firefighter

May 10th, 2003, 11:43 AM

To Jooske from Firefigter!

I'm not so good to convert infected exe files. I turned my F-secure resident scanner off and tried to make an archive of that JS.Deme infection, but my F-secure still immediately comes to the game to play with me. It even removed my only exe file of that infection. The same happened to all my infected exe files, when I used an unprotected disket. :(

I have only one russian PDG Archivarius (actually estonian, but the programers are russians) compressed file of it. That program is free to every PC DoorGuard 3 user, but I still haven't got a registration key of them. I have emailed about that, but no answer. I can't speak russian, but the net site was in english as the program too. Very strange and I can't even uninstall that f...ng program, which is now only a 30 days shareware! ???

"The truth is out there, but it hurts"

Best Regards,
Firefighter!

Firefighter

May 10th, 2003, 12:08 PM

To Wizard from Firefighter!

I have 3 kids, age between 14 -17 years. When I am going to say something about surfing, there are at least 6 middle fingers up and everyone says I need a quick update! Go to hug mammy instead of that you are going to say something about using the net. ;D

That is a thing I named the salt of life. We have downloaded the whole Windows XP three times this year to our PC again. ???

When I am using passwords in my Outpost, after one week they have found that somehow! Because the PC is only an entertainment machine, I'll give up! :P

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Technodrome

May 10th, 2003, 06:26 PM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=105#59572 date=1052581380]
I have only one russian PDG Archivarius (actually estonian, but the programers are russians) compressed file of it. That program is free to every PC DoorGuard 3 user, but I still haven't got a registration key of them. I have emailed about that, but no answer. I can't speak russian, but the net site was in english as the program too. Very strange and I can't even uninstall that f...ng program, which is now only a 30 days shareware! ???

" }-

Pick any you like...Its free! ;)

http://www.webattack.com/freeware/downloader/fwzip.shtml

Technodrome

Firefighter

May 11th, 2003, 03:58 AM

To Technodrome from Firefighter!

Thanks very much! It was the best site I've seen recently! I couldn't even imagine how many zip tools there are free nowadays. :D

There is only one problem left, how to get rid off that Archivarius program, because it is not so easy to remove. After uninstalling that program, all packed objects are still in Archivarius format! >:(

Archivarius is by the way quite good zipper, when it understands 23 different formats of zipping and uninzipping, but I don't want to pay those 10 $, because they said that it is free to all them who have purchased PC DoorGuard 3! :o

Best Regards,
Firefighter!

illukka

May 12th, 2003, 12:37 AM

get jv16power tools www.vtoy.fi/jv16/shtml/jv16powertools.shtml and use the uninstall feature there.. it will rid your pc of all its registry marks

Firefighter

May 12th, 2003, 04:53 AM

To illukka from Firefighter!

Thanks for you! ;)

I succeeded to remove that program yet and those Archivarius format files stayed in my PC, because my Ultimate Zip program couldn't manage that kind of formats. Now I have a better Zipper, thank's to Technodrome's excellent link! ;D

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

rodzilla

May 12th, 2003, 06:29 AM

-{ Quote: " quoting: Firefighter link=board=24;threadid=8294;start=90#59480 date=1052522718]" }-

> To Rodzilla from Firefighter!

> Before you are dying to your laugh,

I laugh at you because you try so hard to prove that you're not a lamer that you convince people that you are one!

> I have to say that my kids have got an infection again. I have one infection in my floppy disk, that NOD32 couldn't find, but my F-Secure is too strong to be a fool. It was a trojan JS.Deme.

So what ???

NOD32 is not an anti-Trojan program!

How many times do you have to be told this before you cease bringing your totally unrelated Trojan codswallop into antivirus threads ?

=====

Yesterday I had the disruptive troll "Vampirefo" banned from the Eset forums (his own big mouth got him banned from Wilders altogether only a few minutes later) and someone asked me if you will be next to be banned.

The short answer is "You won't" ... at least, not by me ... and not (as far as I know) by any other moderator. You're a horse of a different color from Vampirefo. He was an incurable lamer, whereas you have the potential to learn from your mistakes ... if you'll listen.

Your main "lameness" is down to the fact that you take far too much notice of know-nothing wannabes who tell you that Virus Bulletin tests are weak/inefficient/paid for/whatever, which leads you into placing great faith in the accuracy of the charts and graphs you create from "other" AV tests ... but the bottom line is that Virus Bulletin is the #1 antivirus product tester in the world, and no-one with half a clue about the AV/VX scene will disagree. (I'm on record as saying this for more than a dozen years, btw ... since long before I became involved with NOD32.)

Ask yourself "why", if Virus Bulletin tests are such "crap", the VB100% is the award every antivirus vendor strives to win!

I guess it would be an ego boost to have your "findings" widely accepted by the AV industry ... but they never will be unless you start off with good raw material. Your mathematical charts and graphs are (for the most part) meaningless drivel, because they're based on corrupted raw material. Most Wilders regulars know this ... and someone will always take you to task over them.

Take, for example, your latest series of little masterpieces in this thread. You wasted your time producing them because you were working with flawed raw material right from the start. The day is fast approaching when you will have to admit your mistakes publicly, and human nature being what it is, people will laugh at your embarrassment. I won't. I'll feel a little sorry for you, because you're not a "real" lamer ... you just seem to be trying your best to make yourself look like one.

(Just a few rambling words of advice ... no personal insults intended.)

Metallica

May 12th, 2003, 06:56 AM

Makes you wonder what miracle-machine keeps running with 47 viruses and Poopscan and NOD installed. ;D
Most of them slow down noticeably after installing two spywareprograms.

Firefighter

May 12th, 2003, 03:00 PM

To Rodzilla from Firefighter!

I thought that the time, "Ein Reich, Ein Volk, Ein Stimme aber mein Geld", is over now, but it seems to be rising again! If you really are the one who can say what to write here, why not write that by yourself and lay on the beach reading them?!!! Some might say that empty barrels are the noisiest ones.

Yes, I was really joking again, but it hurts a lot again!

When I was at school, we learned the definition of systematic failure. It is not so bad when in the test bed there are things that really are not all kind of malwares at all, because the rules are the same to everyone. It does not matter when the winner gets 99,95 % or only 90.00 %, the only thing that counts is the placing in that game.

The specialists are those who are capable to know everything about nothing. Does someone know where is an AV that is capable to detect only 100 % of viruses which all has the first letter Z (as Zero)? A joke again. No hard feelings!

When I wrote about my PC infection (for me, as an average PC user and maybe very careless one), there is no difference what kind of malwares (= the term that RAV is calling about all kind of bad things) there really are, all that kind of stuff are forbidden. I have said earlier that my F-secure named those malwares "Worm.P2P.SdDrop.c." and "Trojan.JS.Deme". Is there something wrong when my F-secure was capable to detect them and not NOD32?

I am still learning something here. I am using Trojan Remover 1.1.1. and PC DoorGuard 3.0.0.6. as my AT:s at the same time, because they are enough simple even for me. I have also to admit, that even with Kaspersky engine there might be some failure situations, so those two AT scanners don't make any harm to me, and two is better than one. Trojan Remover hasn't even monitor scanner, so they don't make any problems to me.

When you said that all AV-producers are willing to have VB 100 % Award, That's true! Because that Award is so heavily advertised. After you statement you may agree, that Norton is the best AV ever, because in almost every Magazine test, it is the only winner. I still believe more about Universities than other testers, whose financial background is unknown to me.

When we are looking at my professional issues as a Quality man, you may be the one who thinks that ISO 9001 certificate is the only that tells how good supplier you have. The truth in this case is more or less reverse. Once a supplier has got it's ISO 9 001 certificate, it is the best evidence of that, there are big problems ahead waiting for you.

I have to admit that also, that I was wrong in the beginning, when I said that there were less than 10 000 in the Wild checked objects in VB. But later I counted those objects manually from that link,

http://www.virusbtn.com/old/comparatives/WinXP/2002/test_sets.html

from the VB June 2002 acrobat online publication, and my manually counted result was in my histogram graphic bars too. But that have to add in those some 20 652 checked objects, that for me it seems to be so that there were even tens of variants of one certain virus, when there was certain last number of viruses in one sample after the virus name. I counted those all together. So this av-test.org 3-2003 test has much more malwares of any kind that there never had been in VB in one months test. If I quess some number, I'll be very surprised, if the virus names were over 5 000 in the VB test.

So if you managed to detect all 5000 virus names, it is totally different task to find some 71 000 malwares! So when NOD32 is not so good in av-test.org this year, it is quite understandable, that it has been so rarely seen in those av-test.org tests. Everyone of us can imagine that if some test has 71 627 scanned objects, there is plenty of room to different variants, before there are some 10 000 left.

About the false positives in av-test.org test, I can say only that, the rules are the same to everyone. F-secure, for instance, has some more false positives when we are looking at Kaspersky's results. But was it Technodrome, that said F-secure has Orion heuristics scanning engine? Maybe that's why it was much better than KAV in the Heureka 2 test about heuristics. BitDefender and especially DrWeb were very good in that Heureka 2 test too. Both those made also many false positives in av-test.org test. It seems to me, that it is quite inevitable, when you have a good heuristics engine, you'll make false positives too. McAfee was the only exception that has very good heuristics in Heureka 2, but didn't make many false positives in the av-test.org tests? That irritates me a bit, is the heuristics engine any good?

I'm writing this with my toes, because someone smashed my hands with a baseball bat, or how it was some months ago?!!!!!

Yes a joke again, but it is important to know who is the customer and who sells some product? No hard feelings to everyone!!!

I thought these are AV-products, about which we are talking about, and not someones personal characteristic's! I think it is better to purchase our own mirrors again! ;)

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

Trevor Marsh

May 13th, 2003, 11:08 AM

-{ Quote: " quoting: rodzilla link=board=24;threadid=8294;start=105#59991 date=1052736236]
-{ Quote: " quoting: Jooske link=board=24;threadid=8294;start=90#59533 date=1052568916]" }-

> Now i'm sure everybody wants to know which infection was in your attachment and NOD32 was unable to clean. Can you tell us please?

I notice that "Trev" didn't respond.

A suspicious man might think that was because his story was codswallop. :)

I always get a laugh out of these anonymous "NOD32 missed a virus on my (insert appropriate relative here)'s computer" posters ... they never give you the name of the allegedly missed virus. I recall one PoopScan shill on CNet claiming NOD32 missed 47 viruses on his PC. I doubt that anyone, no matter how foolish and gullible they were, would believe that an AV program which hasn't missed one ItW virus in more than five years of VB100 testing would mysteriously miss 47 viruses on one PC. :) :)

" }-

I didn't respond because I have been working away for the last few days and therefore not had access to these forums. So don't make assumptions. If you had also taken trouble to actually read my post you would have seen that I don't remember what it was, and also I never said that NOD missed it, just that it said it had cleaned it from the e-mail when it hadn't. There are serveral posts in the NOD forums concerning NOD's ability to clean infected e-mails, so that is nothing new. Please, if you are going to reply to a post then make sure that first you actually read the post you are replying to.
Lastly, I didn't in anyway "take a pop at NOD", I just said that for me, it didn't do what I wanted, I even stated that if I was the only user of this PC then I would still be runing NOD as, for an experienced PC user, it's one of the best AV's available. So don't be too quick to jump to NOD's defence, it might not be necessary, there might not be anything to defend.... >:(

rodzilla

May 13th, 2003, 12:57 PM

> To Rodzilla from Firefighter!

> I said also that my F-secure named those malwares "Worm.P2P.SdDrop.c." and "Trojan.JS.Deme". Is there something wrong when my F-secure was capable to detect them and not NOD32?

Read my lips .... "NOD32 IS NOT A TROJAN DETECTOR!"

What F-Secure (or any other program) does or doesn't do with Trojans will not change that.

Eat the apple, and try comparing oranges with oranges.

> When you said that all AV-producers are willing to have VB 100 % Award, That's true! Because that Award is so heavily advertised.

Wrong! Everyone wants to win the VB100 award because it is the #1 award in the antivirus industry.

> I still believe more about Universities than other testers, whose financial background is unknown to me.

You are very close to learning that at least one "University" test is not worth the bandwidth it consumes and the paper on which it's printed.

> So when NOD32 is not so good in av-test.org this year, it is quite understandable,

Yep ... I understand exactly why NOD32 was not so good in av-test.org this year. :)

> About the false positives in av-test.org test, I can say only that, the rules are the same to everyone.

Many of the so called "legitimate" detections in that test were false positives, because many of the files apparently detected as viruses by "some" antivirus programs were not viruses.

> "The truth is out there, but it hurts!"

I hope you find some of it soon! :)