Interesting new AV review by Andreas Clementi

Main Site: http://www.av-comparatives.org
No direct link to the report!

 

Look like McAfee hv better heuristic than NOD in some criteria...

 

This comparative website could gives an idea to know how the AV protect us...

 

sure does:-they are all a bit of a worry!

 

Splendid test from Andreas(seen a very bad one lately....). Finally someone who knows his stuff. Thumb up!

Read, folks!

Blue

 

Good stuff!

Though I would like to see KAV 5.0 in the test as they supposedly have update the heuristics.

 

Any idea how much time and effort it takes to perform a test like this one? Months!

Besides, looking at the bugs needed fixing, it wouldn't be fair to test KAV 5 right now.

Blue

 

A lot of thanks Andreas C. !!!

backfolder.-

 

Nice thorough job. Awesome work. Now only to wait another three months.

 

@Technodrome

Please be informed that "links" and also "deep links" are legal. (By contrast "frame links" etc. may not be legal.)

By deleting my "deep link" you have unreasonably violated my freedom of speech. Moreover, you unreasonably force people to click and click and click until they have finally found the report.

But I am not angry about the deletion of my "deep link" since I know that moderators (in particular those of the Wilders forum) are very cautious/anxious.

 

You are incorrect. This forum is privately owned and therefore there is no freedom of speech here. The owner and his selected help can censor the content allowed on his forum in any way.

However, you will find that this is not often the case.

As to your link - it was removed because of a direct request of the AV tester himself.

 

Link was removed on request by IBK (test publisher).Direct linking violets their policy, therefore we MUST respect it.

Please read full explanation on their site.


tECHNODROME

 

I'm a bit skeptical of that. Once you have the tests and platform set up, you're ready to roll. I think you're overstating, not to minimize Andreas' efforts BTW.

Nothing wrong with KAV. Most issues center around usability. Engine itself works fine.

 

Thanks for confirming that there is no freedom of speech here ;-)

@Andreas

Your request not to use "deep links" is unreasonable. You should really think about it. It's like telling your neighbours: "No, no. You must not look at me, my car or my house. Close your eyes. Quickly."

If you do not want people to see your car ... put it into a garage. If you do not want people to see your test ... do not publish it. I already tried to help you by mentioning your real name (this is good for your reputation) and the web address of your website (this is good for the reputation of the site). But if people do not want to click through your entire web site (e.g., because they already know it) there is no good reason to force them.

@all

But let's get back to the test. I believe that it's at least interesting (and definitely more interesting than the ordinary AV tests where every product scores between 97% and 98%) since Andreas Clementi's test shows that there are important differences between the scanners.

I have not yet made up my mind whether these differences are of major importance. It is difficult to figure out whether the differences are important since I do not know the exact test set. For example, I do not know whether the heuristic/generic detection capabilities of McAfee and NOD32 relate to important/dangerous/new malware samples or to minor variations of well-known samples. In this context it is remarkable that the heuristic detection of unknown trojans seems to be pretty bad throughout the entire range of AV scanners (with the exception of McAfee). Maybe AT scanners would be better.

Moreover, I have a question: how do you distinguish backdoors from worms and trojans?

 

Anyone else surprised by the results of F-Prot?

I would have liked to have seen the latest version of DrWeb tested too

 

Actually, I know what a worm is ;-) But how do you distinguish backdoors from worms and trojans. Many worms include a trojan component. Most trojans have a backdoor component.

How do you define a backdoor? Is it a program which does not allow the attacker to remote-control the victimized computer (like a trojan does) but still allows the attacker to access the files on the victimized computer (e.g., a hidden ftp client) ?

 

What's the big difference between Dr. Web 4.3 (which was tested) and the current version of this scanner?

 

I guess I thought F-Prot's heuristics would've been able to help the score a bit more.

 

This is not suprising at all because to have a proper heuristic engine for detecting backdoor trojan a good unpacking engine is required. This is what most AV programs already miss. And when I look now for example at the program with one of the most advanced unpacking engines at all KAV I see that KAV does not have a heuristic for backdoor trojans.

In this context I think AT programs can only score if they have unpacking but at the moment no AT program has really an unpacking engine. For example TDS-3's heuristic scores best when the trojan is already running via memory scan.

So I think it will still take a while before we see a real good backdoor heuristic. I think most AV programs first will anyhow focus on heuristic worm detection because this is the more important threat.

wizard

 

@Wizard

The detection of ordinary trojans is super-simple (no unpacking engine required). Andreas "The Terrible" Haak has already provided a few guys/gals like JoJo and me with a component of the a2 v2 IDS.

You can detect a trojan with the help of a very simple check:

1.
Port is opened, program is listening
2.
program does not have a visible window

--> conclusion: very likely to be a standard trojan

3.
autostart entry relates to such program

--> conclusion: very very likely to be a trojan.

(A similar technique is also used by Port Explorer from DCS.)

Disadvantage: the trojan is already running in memory. But who cares? Trojans are not logical bombs which immediately format your HD.

There are also techniques to detect reverse trojans/DLL trojans. (I do go into the details since I do not want to disclose Seltsam's trade secrets.) But certain detection mechanisms are already well-known. For example, most DLL trojans can be stopped/detected because they use CreateRemoteThread function.

 

Better analysis of SFX CAB files, RAR, ZIP, and MIME objects.

Though not exactly a professional observation of the change from 4.30-4.31. On my system I have noted at least 8 more false positives (by heuristics) that were not detected in version 4.30. So there is most likely some other changes in DrWeb's heuristic engine.

 

McAfee is doing very well compared to the others, at least in these tests...
now if they can get their security center in operating order or dump that thing all together, they might have a product worth purchasing.