Anti-Virus Software Test January 2003

Due to heavy international public demand:

http://www.rokop-security.de/main/article.php?sid=494&mode=thread&order=0

wizard

 

That's certainly interesting, Wizard. I wondered before, and the comments on the test seem to confirm that this ability to detect packed malware uses more resources and impacts performance. Is that correct?

I notice that backdoors such as bionet and optix were included. Do the AV.s tested all detect these backdoors when they are unpacked? If not, then it seems that what was tested was not just the detection of malware packed in various fashions (the point of the test it appears) but also the products' detection of trojans, yes? That would rather skew the results, wouldn't it? An app certainly can't detect something in packed format if it can't detect it when it's unpacked.

Also, what are the risks, really? I wonder what would be the detection rates on the unpacked versions of this same malware. (Taking into account not knowing if the AV's tested all include the backdoors in their sig defs.)

I understand people would prefer to catch malware in packed format, just as people prefer to have an email scanner and not just rely on a resident guard to catch email borne badguys. But I'm trying to determine the real risks of not having this ability to "candle" the packed malware vs. detecting upon unpacking, say, or execution as some AV's/AT's do.

 

Nice security site there Wizard. The forum looks good too. Wish I could read german. There seems a lot of interesting info on KAH there, as well as many other contributions.
Good results if you run KAV or AVk

 

Yes that is correct. But IMHO are the usage of more resources und performance still acceptable.

Yes they do. Should be mentioned somewhere in the test as well.

Just an example I always give: There is a new trojan. KAV takes the signature of the unpacked trojan. As KAV can unpack more than 120 different runtimepackers you are with one (!) signature protected against more than 120 possible variants. Another software vendor which uses not an unpacking engine has to add more than 120 single signatures to get to the same level of 'protection'. Of course you can imagine that no vendor is really doing this. That means with KAV you are protected before a packed variant of the trojan hits you while the other programs you have to wait for a new signature update. For me personally an unpacking engine is an important feature which influcences my decision on which AV program I use.

wizard

 

There is a plan to translate more of the content of Rokop Security.

wizard

 

Thanks for your response, Wizard.

Yes, it's a small nit, but it's certainly best to state in the write up that all the AV's do indeed include all the malware in their sig defs. So noseys like me don't question the results.

I certainly have no quibble regarding KAV's performance in the test, as it's performance is shall I say legendary? With all the recent talk of packed/archived files, I've just been wondering what that really means for those of us who aren't using KAV or one of the better performers in the test. And you've helped clarify that for me a bit, I think.

As for Paul's comment, "such an antitrojan should be able to cope with packers," I've seen posts here and elsewhere that suggest that not all AT's do handle packed files equally. I'd be interested if there are anywhere reliable tests that determine how the leading AT's do in that regard.

Thanks again for the clarification, Wizard.

 

Re: are kav 4.09 and avp 3.516 the same in eficiencies?

May i know kav 4.09 and avp 3.516 are they the same in eficiencies to detect the virus and trojan? Since avp 3.516 is the old version, and personally finds this version is more stable and use lest resources. I am running an old low end computer.

 

Vincent you might what to check out this thread:
http://www.wilderssecurity.com/showthread.php?t=6916;start=15


Technodrome

 

To Wizard from Firefighter!

You wrote: "For me personally an unpacking engine is an important feature which influcences my decision on which AV program I use." It's nice to see that I'm not the only Don Quijote on these sites!

When I tested McAfee 7.01.6000 files detectecting capability from my PC in my post "Similarity with anti-virus business and medicine!", and the result was 49 860 and DrWeb's was 99 162, it is hard to believe so good test result with McAfee in that test above. Is it possible that there is a reverse phenomenon that was with RAV, when it actually informs to detect more files that there are on your PC?

As I said earlier, my scanning settings with McAfee were:

Scan compressed, subdirectories, boot sector, for programs, MIME/UUEncoded files, OLE objects. Heuristics macro/program possibility was enabled as the all file extensions.

The only thing that I have to add is that the report file size was 500 kb. I made those McAfee scannings twice, before and after DrWeb scanning.

By the way Avast 4 Pro was able to find some 5 -10 percent more files from my PC than DrWeb, so it could be quite good in that test above too!

"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

 

i really like that rokop site. unfortunately my german isnt very good. can someone recommend and GOOD and updated firewall/anti-virus sites out there (except wilders)? there arent very many good ones that i have been able to find

 

Would a user have to enable any special settings/options in KAV to detect these threats................

 

You mean for the unpacking engine? No, default settings are enough.

wizard

 

I was wondering because of this comment posted above:

"I wondered before, and the comments on the test seem to confirm that this ability to detect packed malware uses more resources and impacts performance. Is that correct?

Yes that is correct. But IMHO are the usage of more resources und performance still acceptable."


So then KAV in general would use more resources than an other AV if these settings are on by "default"........which settings exactly are we speaking about. I have had some problems with KAV and several users have advised me to NOT install the Control Center and in the monitor settings to uncheck everything except the "all infectable" box.....please post your recommended settings.

Thanks.

 

For the resources. The way an antivirus program works is to compare parts of the opened file against a signature database. An antivirus software that uses unpacking techniques has to do the following: check if the file is packed, unpack the file and check it against signautres.

As you see every scanner that uses unpacking techniques has to use more resources and scanning will take longer compared to an antivirus program that does not have these features. For KAV you normally would not notice this except the file is rather big.

For the tips other users gave you: these tips are fine. This will have no negative impact on the scanning result. But as you mentioned that have the feeling that KAV slows down your system you might want to check if you have installed the latest components of KAV: Monitor should be version 4.0.6.0 and CoreComponents should be 4.0.5.31. You can see this information in the ControlCenter on the components tab.

wizard

 

If you don't have the control center installed, where do you see this information at?

"For the tips other users gave you: these tips are fine. This will have no negative impact on the scanning result. But as you mentioned that have the feeling that KAV slows down your system you might want to check if you have installed the latest components of KAV: Monitor should be version 4.0.6.0 and CoreComponents should be 4.0.5.31. You can see this information in the ControlCenter on the components tab"


Also, I downloaded this from the Kaspersky site yesterday....I would imagine that it is up to date.....

 

Yes the site seems to be translated now.
It looks funny as Norman is inverted on the bar graph.
NOD-32 shows as about the second worst AV, next to FP-Win
I am surprised there isn't more comments posted about this test.
I will say YES I think KAV is good but not that much better than Norton as shown here, and that's a fact.
Why is it I still have files over a year old that NONE of these AV's listed catch
We have all had this same discussion on packers and came to the conclusion
zipped, packed files don't do any harm unless unzipped-unpacked and ran.
Oh yea and again Mcafee will never be on my list as a good product. Had way too msny bad experiences with that one...

 

Hi controler!

Can you explaine something more about your bad experiences with McAfee?

I'm really interested in your arguments, because McAfee again scored much better in the most recent Rokop-test then many other so called "well-respected" and "top-notched" virusscanners.

I know, a test is just a test, and is too often a non-reliable, non-real and non-truthfully impression of the real capabilities of a product, x-tests and x-different opinions so what can and must we dummies believe about what all the so called professionals trying to tell us?

Fact is, McAfee scores in almost every test very good, will have a good reason or

 

With the next NAV engine yes. But not now.

You see there any ZIP or RAR packed file ? No.
Archives and runtime compressed files are not the same.

*lol* MC Afee is not a toy to play around. And it's not yellow but at least it does a great job in malware detection.

 

Test beds were packed and NOD32 or F-Prot don't cover these packers. There is nothing to comment about.

"shown here" I don't quite get this. In terms of detection rate, KAV is much better solution then Norton will ever be.

This topic has been covered many times! BTW,Why don't you submit those files to AV developers?

There is a lot of “multicomponent” packed Trojans or Backdoors out there. After installing this type of Trojan, your system will contain junk that no AV software will detect (since its harmless). Trojan will be installed before AV catches it. AV software will detect (if) main part but no all of components. Yes its harmless but still it would bother me. I prefer detection before infection.

Well depends what “good” means to you. But Mcafee has a very powerful engine and a very good virus detection rate.



Technodrome

 

Hmm,
Funny, but I don't think they will ever catch up.


Technodrome

 

Hi all

I won't comment anymore on Mcafee. Use that if you chose to do so.
I will ask this one question again.

What has been the most common form of infection in the past two years? I am going to say e-mail.
Yes you can use a program that does not catch the bugger in e-mail but rather when executed. That is also your choice.
What I want you to do is run your tests with e-mail protection ONLY
and then post back your results. This is the test I really want to see.
The next test would be ,, instant detection of IM's and MIRC.
So now we have e-mail, IM's and MIRC. To add to the list, lets try
script and Java blocking in real time, either by running the program or a malicious web site.

Did I mention I do like KAV and NOD-32 also

 

Hi controler!

IMO (negative) comments are always welcome, has nothing to do with a special product, in this case McAfee, can also concern other AV-products like Norton, Panda, NOD32, etc. etc. etc.

I only like to know why somebody is telling us program x, y or z is "bad business", to give a negative statement without any further explanation why is no good at all