#76
Bluepoint is back after withdrawing last year. I guess they ironed out the bugs.

#77
Quote:
You can choose the engine for the free version?
__________________
P4-2.8 with 2GB RAM & Windows XP Pro SP3 | Mamutu | Webroot's WSA | MBAM Pro | OpenDNS | Linux Mint 15 with XFCE desktop & Manjaro 0.8.6 XFCE

#78
Quote:
You can choose Clam-AV for off-line detection. If you don't, you just have cloud-based protection. To increase detection rate for the free product, they mention that you can install another AV alongside their product (the free version), from this list: http://support.immunet.com/tiki-read...on%20prodducts

#79
Quote:
I think you are wrong, look up Bitdefender in the list and you will see it has 13 misses, compared with SourceFire (Immunet) 3 misses. I guess the 10 in between is the Immunet Cloud doing its job. /E

#80
I don't get how Ikarus failed when it's also included in Emsisoft; surely the same fail would show up?

#81
Quote:
__________________
Desktop -Win 7 Home Premium 64 bit, NAT Router Firewall, Windows Firewall, Avira Antivirus Premium V13, MBAM PRO 1.75 , WOT, Win 7's System imaging. Netbook-Avira Antivirus Premium V13 , MBAM PRO 1.75, WOT.

#82
Quote:

#83
Emsisoft is strong with 2 engines.
__________________
✓The first principle is that you must not fool yourself, and you are the easiest person to fool. ✓Science is the belief in the ignorance of experts. ✓I don't know anything, but I do know that everything is interesting if you go into it deeply enough. -------Richard P. Feynman---------

#84
Does this Flash test take the behavior blocker into account as well? Then Emsisoft would have even more of an edge over Ikarus.

#85
|
Helpful hint for any newbies out there- for any that may change their current security solution to one rated highly by these tests please keep in mind your desire to be protected against true zero-day malware (malware just released for which no signature has been yet written). Products that solely rely on detection via signatures would lead to a time frame during which you would not be protected, and although a detection signature may be soon in coming the damage will already be done.
Although generic signatures do exist, any malware writer worth her salt will verify prior to release that the new baddie will not be detected in this way (not that I would know). So get to know the product and make sure that it has a method of protection over and above just straight signatures.
__________________
Whom the Gods would destroy, they first make Proud

#86
Perhaps a new thread could be started, "MRG Flash Tests 2012", given that we are more than half way through 2012.

#87
Quote:
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736 SRP - UAC - EMET Browser: Google Chrome v25.xx Windows 7 Ultimate x64

#88
Quote:
This is not completely accurate. You can (and we do) write adaptive signatures that can quite accurately predict what we will see in the future based on what we have seen in the past. The vast majority of the detections you see in these tests involve definitions written days or even weeks before the samples existed. You can split hairs on '0-day' and break it into 2 families. 1. new mutation of an existing threat and 2. a new threat not based on any existing malware project. Even in the case of malware that is 100% new you can still write a signature that can predict certain aspects of the trojan ahead of time.
__________________
Bruce Harrison Malwarebytes Lead Researcher

#89
Quote:
Thanks, I never knew this. Good to know.
__________________
Bitdefender internet security 2013 Emet

#90
Quote:
Sounds kind of like when your wife knows you did something wrong...she may not know what it is or if it's the same thing as last time but she can pretty much tell and thus you're gonna be quarantined in the doghouse regardless...
__________________
Blues Real-Time: ★ Emsisoft Internet Security ★ Sandboxie ★ On-Demand: ★ Drive Snapshot / Macrium Reflect ★ Shadow Defender ★

#91
NoSirrah- Although what you say is accurate, please note that I had already implied that (albeit in a backhanded way) by recognizing that generic signatures do exist.
However a good malware writer will conduct what amounts to a beta test to ensure that neither the original malware file nor whatever daughter programs it spews out will be caught by the "catch-all" generic sigs. If this was not the case there would be no zero-day malware at all! All would be D-day (meaning a valid definition is already in existence) and any good signature based AV would have a 100% detection rate all the time. I think you would agree that something like that will happen concurrent with hearing "Oink Oink" overhead.
__________________
Whom the Gods would destroy, they first make Proud

#92
Quote:
There are too many moving targets to spend a lot of time on this. Sure they pick a handful of high usage vendors to bypass but the name of the game is speed. They know that they are not going to get by everyone no matter how smart they are as countermeasures are not static. They have automated programs that spit out morphs trusting that a good number of them will get by a fair number of vendors. A good adaptive signature will get all of the morphs through creative prediction.
Quote:
I rarely see anything that gets by everyone, it almost never happens.
Quote:
All AV labs are run differently so this could not possibly be true. You could give every lab the same pile of samples all pulled from the web within a 48 hour period and then test those sources again after a day and you would see a broad spectrum from fully detected to hardly anything detected. How well they did on the future unknowns based on the recent knowns would be a very good measure of how predictive their technology/researcher creativity is. Generic is not really a good way to describe how adaptive signatures work BTW. Adaptive definitions often force a malware author to make major changes to bypass while generic definitions are easy to break with little effort. This manifests itself in our intake. We look at something called the "unknown to us yet still detected" ratio and over time this has grown as our technology has improved. Generic detections are often broken by the changes that put samples into this category while adaptive signatures hold firm, sometimes for months.
__________________
Bruce Harrison Malwarebytes Lead Researcher

#93
Great explanation, thx for the knowledge, Bruce
__________________
W7 - SandBoXie - Windows Firewall Notifier (WoKhan) - Hitman Pro W other - Panda Cloud Free

#94
Quote:
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams

#95
Bruce- Please note that my post was directed to those that may be new to computer security pointing out that no definition based product would be 100% effective and a layered approach is advisable. Although I've found that simplicity is advantageous to those desiring to learn, I do thank you for expanding the topic.
However from your follow-up it is easy to infer that a well written and maintained def based AM will provide total protection against all threats. The authors of my current favorite malware, FLAME, would beg to differ as it is estimated that it has been floating around for about 2 years before it was detected. (Note- In all probability none reading this post need to worry about FLAME (also known as sKyWIper) as this is a targeted attack. But it is very cool- in addition to stealing passwords, auditing almost any service, file, or application installed on the PC, logging account information/credentials for all Microsoft Outlook profiles, etc., there is also a DLL dropped that will scan the registry to see what security software is installed. Subsequent attacks can then be tailor made to bypass such protection. Sorry for the digression!).
__________________
Whom the Gods would destroy, they first make Proud

#96
Quote:
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams

#97
This current thread split from older thread. > http://www.wilderssecurity.com/showthread.php?t=291818

#98
Very nice results.
I'm running GFI, I'm happy.

#99
Quote:
Noob...I came back this week...EAM seems lighter than I remember it being say 6-7 months ago.
__________________
Windows 8 WSA Complete MBAM-Pro

#100
Quote:
But if the system has hardware from the last couple years then it can handle EAM easily. There will be some huge changes for v7 so stay tuned.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736 SRP - UAC - EMET Browser: Google Chrome v25.xx Windows 7 Ultimate x64