Interesting Antivirus Results..

[Atomic_Ed]

I came across a thread on another message board where someone got some interesting results.... http://www.planetamd64.com/index.php?showtopic=10788

Check it out and I was really surprised to see that he reports that nod32 didn't detect any of them.

[ronjor]

Quote:

he

I wonder who "he" is?

[Kye-U]

F-Prot, BitDefender, McAfee VirusScan Enterprise v8.0i, Trend Micro PC-Cillin 2005 detected all nine "trojans/viruses".

Very weird...Kaspersky missed 3 and NOD32 missed all...

Surprised that F-Prot would detect all of them.

[Brian N]

Quote:

Originally Posted by He

There seems to be a religious cult around NOD32

LOL, yet another home test.. sigh

[feverfive]

I dunno, but I think that poster states a valid concern. Granted, the "test bed" is comprised of "non-threats", but that's not the point. Shouldn't a highly touted AV such as Nod still be able to find anachronistic malware since its advanced heuristics is supposedly so stellar? Just wondering b/c I am trialing Nod right now and this is at least giving me food for thought.

[Durad]

By topic title its easy to understand that positive result could make him feel bad

[Kye-U]

Turbinehead posted this reply in that topic:

Quote:

LOL, MFM is a REAL hotshot:

-> Brain.A and HLLP.Basic.5120 are MS-DOS-Viri back from the early 90s
-> Butterfly.302 first detected back 03/2001, in the wild infected up to 50 computers
-> Antra 8411 dated back to March, 1994
-> Trojan QScreen3 first found at 09/12/1998

Sorry, but posting such "tests" IMHO just disqualifies the poster.

No hard feelings,
Turbinehead

BitDefender's results and names of viruses/trojans:

Quote:

D:\virtest\ANTRA.EXE Infected Antra.8411
D:\virtest\APRIL.EXE Infected Trojan.Qscreen3.A
D:\virtest\BASICVIR.EXE Infected HLLP.Basic.5120
D:\virtest\BRAINDRP.EXE Infected Brain.A
D:\virtest\COOKIE.EXE Infected Cookie.1852
D:\virtest\DOCUMENT.EXE Infected Butterfly.302.A
D:\virtest\README.EXE Infected Butterfly.302.A
D:\virtest\SPORTS.EXE Infected Butterfly.302.A
D:\virtest\VOICE2.EXE Infected Trojan.Voice2

[Kye-U]

Something I just noticed:

Quote:

Scanning Log
NOD32 version 1.1196 (20050817) NT
Checking CRC of NOD32.EXE: Status OK
Operating memory is OK.
Date: 18.8.2005 Time: 12:18:16
Scanned disks, folders and files: D:\virtest\
Number of scanned files: 9
Number of threats found: 0
Time of completion: 12:18:16 Total scanning time: 0 sec (00:00:00)

0 second scanning time? That's not right...

Notice that it started and completed at the same time.

[Brian N]

Quote:

Originally Posted by Kye-U

0 second scanning time? That's not right...

Notice that it started and completed at the same time.

Well actually it is. It's quite fast

Edit: Added a screenshot

[Kye-U]

Well, then I gotta get me one of those

I currently have F-Prot as my AV, thinking of switching to NOD32 or Kaspersky. But a bit hesitant now, seeing that F-Prot actually detected all 9 files in MFM's test...

[dan_maran]

IMO you should not be swayed by one test of older samples. In my experience with NOD32 it has always averaged above 93% with variable of 2%. I am not stating my simple tests are enough to justify buying it, but by doing more research you will see that NOD32 always seems to have detection rates in the mid to upper 90th percentile. HTH

[BlueZannetti]

Let's think about this for half a second folks. A reasonable testbed, not a complete one mind you, a reasonable one such as used at www.av-comparatives.org contains upwards of 350,000 - 400,000 samples and people are using electrons to discuss results reflective of a testbed of 9(!)

Do any of you see the statistical problem here? Anyone? To tell you the truth, watching this is absolutely depressing. This type of stuff is completely and utterly unsound, heck, I don't know if it even rises to the level of unsound, it's probably something less than unsound, whatever that is.

Cheers,

Blue

[Brian N]

Quote:

Originally Posted by BlueZannetti

Let's think about this for half a second folks. A reasonable testbed, not a complete one mind you, a reasonable one such as used at www.av-comparatives.org contains upwards of 350,000 - 400,000 samples and people are using electrons to discuss results reflective of a testbed of 9(!)

Do any of you see the statistical problem here? Anyone? To tell you the truth, watching this is absolutely depressing. This type of stuff is completely and utterly unsound, heck, I don't know if it even rises to the level of unsound, it's probably something less than unsound, whatever that is.

Cheers,

Blue

I agree, see my first post But currently this is the only active thread that I can join in on

[JimIT]

Quote:

Originally Posted by BlueZannetti

Let's think about this for half a second folks. People are using electrons to discuss results reflective of a testbed of 9(!)

Do any of you see the statistical problem here? Anyone? This type of stuff is probably something less than unsound, whatever that is.

Cheers,

Blue

"Ridiculous"? "Embarrassingly Nonsensical"? "Statistically Worthless"? "Not Representative Of Sanity"? "Pathetic Flummery"?

Quote:

Originally Posted by likuidkewl

IMO you should not be swayed by one test of older samples. In my experience with NOD32 it has always averaged above 93% with variable of 2%. I am not stating my simple tests are enough to justify buying it, but by doing more research you will see that NOD32 always seems to have detection rates in the mid to upper 90th percentile. HTH

older samples or not, shouldn't heuristics pick up at least something?

[dan_maran]

Quote:

Originally Posted by bbb

older samples or not, shouldn't heuristics pick up at least something?

If it was trained to do so then yes.
I think someone wrote a good article on what Heuristics were actually supposed to do, I will try to find it to help clear up this misconception.

[BlueZannetti]

Quote:

Originally Posted by bbb

older samples or not, shouldn't heuristics pick up at least something?

OK, here we go with some math. The last www.av-comparatives.org on-demand test used a testbed of 386,104 samples. NOD32 detected 368,746. Let's subtract: 386,104-368,746 = 17,358 undetected. Let's make it harder. Let's take the top of the heap KAV, it detected 384,743, yielding an undetected population of 1,361. There's plenty of room for a handful of samples.

Given these numbers why would any result under the sun be unexpected? The answer is that it's not. You'll get results with any AV spanning none detected to flagging all and both extremes and the middle are all equally meaningless. Let me repeat - meaningless!

Blue

From what I understand heuristics brings some intelligence into detection rather than relying on signatures - perhaps recognizing behavior or signs of. BlueZannetti, how many of those detections can be detected purely by heuristics?

[BlueZannetti]

Quote:

Originally Posted by bbb

BlueZannetti, how many of those detections can be detected purely by heuristics?

bbb,

I have no idea for the on-demand test. Look at the proactive test to get a sense of that. Same site.

My question to you - why would you maintain that programatic behavioral characteristics of the DOS world are necessarily relevent today?

Blue

[Stan999]

This is not an unbiased test. He specifically targeted NOD.

He posted at the beginning "There seems to be a religious cult around NOD32, so I decided to do a little test with nine viruses and Trojans, of which NOD32 finds _NONE_".

If your purpose is to discredit a specific AV, out of all the samples out there, going back to the 90's, one could pick and choose 9 samples that any specific AV would miss all.

However, what I found interesting, in his endeavor to discredit an AV, is that he could only come up 9 old "non-threat" samples out of all the hundreds of thousands of samples available.

It is sad that a few folks will place some type of value on this type of test.

[Randy_Bell]

Quote:

Originally Posted by Stan999

It is sad that a few folks will place some type of value on this type of test.

No one with a modicum of understanding of AVs and malware will give such a "test" the time of day, Stan.

[Brian N]

- Not to mention the FREE updates you get. You don't have to buy a 2004,2005,2006 version - As long as your license is valid & running you get it all for free

This was to Kye-U

[NGRhodes]

Quote:

Originally Posted by Randy_Bell

No one with a modicum of understanding of AVs and malware will give such a "test" the time of day, Stan.

But he put the time of day on the tests







Hehe

Nick

Quote:

Originally Posted by bbb

From what I understand heuristics brings some intelligence into detection rather than relying on signatures - perhaps recognizing behavior or signs of. BlueZannetti, how many of those detections can be detected purely by heuristics?

Why should a heuristic be designed to target old viruses? Instead of wasting time with detection of old dos viruses via heuristics we concentrate at real worlds problems: Worms, Trojans and the like on Windows Platforms.

Besides, the first sample seems to be a dead sample - corrupted. Meaning some AV's might pick it up via Signature Match, others might not. The next sample is a Joke Virus - it does flip the screen for ONCE and never ever again - until you start it manual the next time. Great Virus Samples - really Crying and blaming AV products ( yes he blames also other av products for not detecting it ) and does not even understand WHAT he has tested.

[SDS909]

PlanetAMD64 isn't exactly a "Bastion" of intelligence. One read of the admins posts and you'll figure this out.

Best avoid it, and any posts there. This test is useless garbage from someone with a vendetta against NOD32 because it slayed his dog.