AV-Comparatives ~ Protection-Test Overview March-June 2012

[malexous]

http://www.av-comparatives.org/

[JoeBlack40]

Wow,Bifdefender placed first...and GData with 2 engines is right behind it.Well done and congratulations Bitdefender!

[trjam]

congrats to Bitdefender, or anything that has it inb it.

[treehouse786]

whats up with WSA? pretty sure the old PrevX 3.0 would have fared better even though it had a quarter of the bells and whistles WSA has.

[Amin]

Quote:

Originally Posted by JoeBlack40

Wow,Bifdefender placed first...and GData with 2 engines is right behind it.Well done and congratulations Bitdefender!

Bitdefender reached the place it deserves.

[malexous]

Quote:

Originally Posted by treehouse786

whats up with WSA? pretty sure the old PrevX 3.0 would have fared better even though it had a quarter of the bells and whistles WSA has.

Even Webroot Internet Security 7.0 performed better in protection in previous reports.

[The Seeker]

Quote:

Originally Posted by treehouse786

whats up with WSA? pretty sure the old PrevX 3.0 would have fared better even though it had a quarter of the bells and whistles WSA has.

A detailed explanation can be found here.

[treehouse786]

Quote:

Originally Posted by The Seeker

A detailed explanation can be found here.

wow what a load of tosh, so their defense from this result is that WSA is better at removing threats and that the samples were added soon after the test? unfortunately for them the other companies added the samples before the test.

that was a painful read.

seems like i was right to drop WSA as in testing it seemed to be highly buggy. maybe WSA bugged out in this test as that is a dreadful result, cant see the old prevx team missing so many samples so i put it down to a bug (hopefully).

[PrevxHelp]

Quote:

Originally Posted by treehouse786

wow what a load of tosh, so their defense from this result is that WSA is better at removing threats and that the samples were added soon after the test? unfortunately for them the other companies added the samples before the test.

that was a painful read.

No, it's that you're still protected even if you're the first user to see a threat across the user base.

[Thankful]

Quote:

Originally Posted by PrevxHelp

No, it's that you're still protected even if you're the first user to see a threat across the user base.

If your system has been compromised, how are you protected?
No vendor is able to completely undo system changes done by malware as evidenced by AV-Test.org removal scores.

[PrevxHelp]

Quote:

Originally Posted by Thankful

If your system has been compromised, how are you protected?
No vendor has been able to completely undo system changes done by malware as evidenced by AV-Test.org removal scores.

AV Test first infects the system, then installs the product. It doesn't handle the case where the threat entered while the product was installed or disabled. During that time within WSA, it's transparently sandboxing the process so that it can take it out as soon as it rechecks with the behavior data. If this was tested with WSA, we would score 100% every time (not to mention the generic identity security which also blocks threats from stealing information in the meantime - a surprising number of threats in these AV-C tests are Zeus Trojans which are generically blocked from doing any harm by WSA).

[King Grub]

Quote:

Originally Posted by PrevxHelp

If this was tested with WSA, we would score 100% every time

Of course you would.

[PrevxHelp]

Quote:

Originally Posted by King Grub

Of course you would.

We're working on getting a firm to specifically publicly test these aspects of the product. I know we've done demos for some of our Business clients but I don't think any of them have been recorded. The results are dramatically clear as soon as you see them.

[treehouse786]

Quote:

Originally Posted by PrevxHelp

If this was tested with WSA, we would score 100% every time (not to mention the generic identity security which also blocks threats from stealing information in the meantime - a surprising number of threats in these AV-C tests are Zeus Trojans which are generically blocked from doing any harm by WSA).

so your saying that WSA protects you from every Zues variant? bold statement.

what about file injectors like Sality? so if all my pictures got infected with an undetected Sality infection then WSA could return all the pictures to normal? and would it also decrypt my data folder should a rogue encrypt it? 100% my bum

i will test an undetected new varient of sality against the repair capabilities of WSA and if it cleans all data files then i will donate £10 to charity in WSA's name.

someone as knowledgeable as you should know better than to use phrase "100%" on a security forum

[PrevxHelp]

Quote:

Originally Posted by treehouse786

so your saying that WSA protects you from every Zues variant? bold statement.

what about file injectors like Sality? so if all my pictures got infected with an undetected Sality infection then WSA could return all the pictures to normal? and would it also decrypt my data folder should a rogue encrypt it? 100% my bum

Yes it would. Ransomware infections are fully reverted, as are file infectors. Zeus' attacks are blocked generically, as are those of Carberp, Silon, etc.

[PrevxHelp]

Quote:

Originally Posted by treehouse786

i will test an undetected new varient of sality against the repair capabilities of WSA and if it cleans all data files then i will donate £10 to charity in WSA's name.

Sounds good - if we don't detect it, you can use the Manual File Cleanup feature to add a local override for it.

[treehouse786]

@PrevxHelp

cheers for replying, although making a 100% statement is crazy in my eyes, it does mean you have massive marbles

[PrevxHelp]

Quote:

Originally Posted by treehouse786

@PrevxHelp

cheers for replying, although making a 100% statement is crazy in my eyes, it does mean you have massive marbles

Ive also tested it against Sality and Virut myself so I already know the results And yes, 100% over time is logically likely not possible, but we've seen what these tests have covered and have tested them ourselves.

[TonyW]

While some of us discuss the claims and validity of one vendor, let us not forget that many new samples remain undetected by other vendors, even after a few hours. This has been clearly shown by Nossirah on the Malwarebytes forums in two simple tests he conducted to demonstrate this point.

[kdcdq]

I am very pleased that the excellent Webroot support staff have already posted not only the AV-Comparatives testing methodology but why their WSA product did not do well in this test.

[Blackcat]

Quote:

Originally Posted by kdcdq

I am very pleased that the excellent Webroot support staff have already posted not only the AV-Comparatives testing methodology but why their WSA product did not do well in this test.

I wonder if Ahn Lab have similar unique detection techniques to explain their relatively poor score?

[SLE]

Quote:

Originally Posted by The Seeker

A detailed explanation can be found here.

Much marketing...

"Of the 68 misses, 34 of the files were seen for the very first time during the test".
So what? 34 were known but no protection at the moment of testing and other products detected more, over months, as the results show. Have other vendors better monitoring systems, better sources and/or even a "greater" cloud?

We have 2012 - many other vendors have large cloud systems, urgent detection and analyzing systems, cloud based behaviour detections etc. - so what makes WSA unique?

And a rollback hours later...nice but also nothing unique. And sometimes too late.

[PrevxHelp]

A great deal of this is down to geography - WSA is still not officially launched into European countries so we tend to see threats from those areas later than other vendors simply because they didn't affect our users. To us, it isn't as important to just block a random file if it hasn't been seen by our customers. Other vendors have very strong user bases in these areas and will therefore have customers affected by these threats far earlier than us, giving them more lead time to block the threats.

[Rompin Raider]

Quote:

Originally Posted by PrevxHelp

Sounds good - if we don't detect it, you can use the Manual File Cleanup feature to add a local override for it.

He speaks the truth...and you don't have to experience "hardening of the arteries" because the system is so slow as is the case with some of those "leaders".

[MeAgain]

So does this mean free products with BitDefender and Kaspersky engines would do well too? Particularly Roboscan for Bitdefender, and Zone Alarm Antivirus with Firewall Free 2013 for Kaspersky. I'm not sure they have some of the other protection offered by paid versions like behavior blocking and heuristics. Thanks.