Anti-Virus Software Test January 2003

Discussion in 'other anti-virus software' started by wizard, Feb 16, 2003.

Thread Status:
Not open for further replies.
  1. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Due to heavy international public demand: :)

    http://www.rokop-security.de/main/article.php?sid=494&mode=thread&order=0

    wizard
     
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    That's certainly interesting, Wizard. I wondered before, and the comments on the test seem to confirm that this ability to detect packed malware uses more resources and impacts performance. Is that correct?

    I notice that backdoors such as bionet and optix were included. Do the AVs tested all detect these backdoors when they are unpacked? If not, then it seems that what was tested was not just the detection of malware packed in various fashions (the point of the test it appears) but also the products' detection of trojans, yes? That would rather skew the results, wouldn't it? An app certainly can't detect something in packed format if it can't detect it when it's unpacked.

    Also, what are the risks, really? I wonder what would be the detection rates on the unpacked versions of this same malware. (Taking into account not knowing if the AV's tested all include the backdoors in their sig defs.)

    I understand people would prefer to catch malware in packed format, just as people prefer to have an email scanner and not just rely on a resident guard to catch email borne badguys. But I'm trying to determine the real risks of not having this ability to "candle" the packed malware vs. detecting upon unpacking, say, or execution as some AV's/AT's do.
     
  3. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Nice security site there Wizard. The forum looks good too. Wish I could read German. There seems a lot of interesting info on KAH there, as well as many other contributions.
    Good results if you run KAV or AVk
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Nice, Roman has performed another test :cool:.

    IMHO it all comes down to the "old" issue: should antiviruses be able to cope with backdoors/trojans - packed or unpacked. And that's what this test is all about.

    Opinions might differ here. I for one prefer a top notch antivirus in conjunction with a top notch antitrojan. And yes: such an antitrojan should be able to cope with packers.
    Personally, I've never been fond of putting all eggs in just one basket - regardless if for example KAV performs well on both viruses and trojans/backdoors. A matter of layered defense ;)

    regards.

    paul
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Yes, that is correct. But IMHO the usage of more resources and the impact on performance are still acceptable.

    Yes they do. Should be mentioned somewhere in the test as well. :)

    Just an example I always give: there is a new trojan. KAV takes the signature of the unpacked trojan. As KAV can unpack more than 120 different runtime packers, you are protected with one (!) signature against more than 120 possible variants. Another software vendor which does not use an unpacking engine has to add more than 120 single signatures to get to the same level of 'protection'. Of course you can imagine that no vendor is really doing this. That means with KAV you are protected before a packed variant of the trojan hits you, while with the other programs you have to wait for a new signature update. For me personally an unpacking engine is an important feature which influences my decision on which AV program I use.

    wizard
     
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    There is a plan to translate more of the content of Rokop Security.

    wizard
     
  7. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Thanks for your response, Wizard. :)

    Yes, it's a small nit, but it's certainly best to state in the write up that all the AV's do indeed include all the malware in their sig defs. So noseys like me don't question the results. :D

    I certainly have no quibble regarding KAV's performance in the test, as its performance is, shall I say, legendary? ;) With all the recent talk of packed/archived files, I've just been wondering what that really means for those of us who aren't using KAV or one of the better performers in the test. And you've helped clarify that for me a bit, I think.

    As for Paul's comment, "such an antitrojan should be able to cope with packers," I've seen posts here and elsewhere that suggest that not all ATs do handle packed files equally. I'd be interested if there are reliable tests anywhere that determine how the leading ATs do in that regard.

    Thanks again for the clarification, Wizard. :)
     
  8. vincent

    vincent Guest

    Re: are KAV 4.09 and AVP 3.516 the same in efficiencies?

    May I know, are KAV 4.09 and AVP 3.516 the same in efficiencies to detect viruses and trojans? Since AVP 3.516 is the old version, and personally I find this version more stable and using less resources. I am running an old low end computer.
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Vincent, you might want to check out this thread:
    http://www.wilderssecurity.com/showthread.php?t=6916;start=15


    Technodrome
     
  10. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    You wrote: "For me personally an unpacking engine is an important feature which influences my decision on which AV program I use." It's nice to see that I'm not the only Don Quijote on these sites! ;)

    When I tested McAfee 7.01.6000's file-detecting capability on my PC in my post "Similarity with anti-virus business and medicine!", and the result was 49 860 while DrWeb's was 99 162, it is hard to believe such a good test result for McAfee in that test above. Is it possible that there is a reverse of the phenomenon that was seen with RAV, when it actually reported detecting more files than there are on your PC? :eek:

    As I said earlier, my scanning settings with McAfee were:

    Scan compressed files, subdirectories, boot sector, for programs, MIME/UUEncoded files, OLE objects. Heuristics for macro/program possibility was enabled, as were all file extensions.

    The only thing that I have to add is that the report file size was 500 kb. I did those McAfee scans twice, before and after the DrWeb scan.

    By the way, Avast 4 Pro was able to find some 5-10 percent more files on my PC than DrWeb, so it could be quite good in that test above too! :D :cool:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  11. tahoma

    tahoma Guest

    I really like that rokop site. Unfortunately my German isn't very good. Can someone recommend any GOOD and updated firewall/anti-virus sites out there (except wilders)? There aren't very many good ones that I have been able to find.
     
  12. GuruGuy

    GuruGuy Guest

    Would a user have to enable any special settings/options in KAV to detect these threats...
     
  13. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    You mean for the unpacking engine? No, default settings are enough.

    wizard
     
  14. GuruGuy

    GuruGuy Guest

    I was wondering because of this comment posted above:

    "I wondered before, and the comments on the test seem to confirm that this ability to detect packed malware uses more resources and impacts performance. Is that correct?

    Yes, that is correct. But IMHO the usage of more resources and the impact on performance are still acceptable."

    So then KAV in general would use more resources than another AV if these settings are on by "default"... which settings exactly are we speaking about? I have had some problems with KAV and several users have advised me to NOT install the Control Center and in the monitor settings to uncheck everything except the "all infectable" box... please post your recommended settings.

    Thanks.
     
  15. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    For the resources: the way an antivirus program works is to compare parts of the opened file against a signature database. Antivirus software that uses unpacking techniques has to do the following: check if the file is packed, unpack the file and check it against signatures.

    As you see, every scanner that uses unpacking techniques has to use more resources and scanning will take longer compared to an antivirus program that does not have these features. For KAV you normally would not notice this unless the file is rather big.

    For the tips other users gave you: these tips are fine. This will have no negative impact on the scanning result. But as you mentioned that you have the feeling that KAV slows down your system, you might want to check if you have installed the latest components of KAV: Monitor should be version 4.0.6.0 and CoreComponents should be 4.0.5.31. You can see this information in the ControlCenter on the components tab.

    wizard
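    An added example (Python, constructed for this thread; not code from KAV, Rokop Security or any product named above) of the scan flow wizard describes in posts 5 and 15: with unpacking off, a signature taken from the unpacked sample misses every packed variant; with packer recognition and unpacking in front of the matcher, the same single signature covers each constructed packer, including nested packing. The packer formats, magic bytes and signature are all made up here.

    ```python
    import zlib
    from typing import Callable, Dict, Optional, Tuple

    # Constructed signature database: one pattern taken from the *unpacked* sample,
    # as the thread describes. Name and bytes are made up for this example.
    SIGNATURES: Dict[str, bytes] = {
        "Demo-Backdoor.A": b"DEMO-BACKDOOR-CONFIG-BLOCK",
    }

    # Constructed stand-ins for runtime packers: a magic header plus a transformed,
    # zlib-compressed body. Real packers differ, but the scanner logic is the same:
    # recognise the packer, unwrap it, then match signatures on the result.
    Codec = Tuple[Callable[[bytes], bytes], Callable[[bytes], bytes]]
    PACKERS: Dict[bytes, Codec] = {
        b"PKA\x00": (zlib.compress, zlib.decompress),
        b"PKB\x00": (lambda d: zlib.compress(d[::-1]), lambda d: zlib.decompress(d)[::-1]),
    }

    def pack(data: bytes, magic: bytes) -> bytes:
        """Wrap `data` in the constructed packer identified by `magic`."""
        return magic + PACKERS[magic][0](data)

    def unpack_once(data: bytes) -> Optional[bytes]:
        """Strip one packer layer if `data` starts with a known magic; None if not packed."""
        for magic, (_, unpacker) in PACKERS.items():
            if data.startswith(magic):
                try:
                    return unpacker(data[len(magic):])
                except zlib.error:
                    return None  # corrupt body or unknown variant: treat as not unpackable
        return None

    def match_signatures(data: bytes) -> Optional[str]:
        """Plain signature match against the raw bytes: detection name or None."""
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                return name
        return None

    def scan(data: bytes, unpacking: bool) -> Optional[str]:
        """Scan a file image; with `unpacking` on, peel packer layers before re-matching."""
        verdict = match_signatures(data)
        while verdict is None and unpacking:
            inner = unpack_once(data)
            if inner is None:
                break  # not packed, or not a packer we know: final verdict stands
            data = inner
            verdict = match_signatures(data)
        return verdict
    ```

    The extra cost wizard mentions is visible in `scan`: each layer means a packer check plus a decompression before the matcher runs again, which is why scan time grows with file size when unpacking is enabled.
    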
     
  16. GuruGuy

    GuruGuy Guest

    If you don't have the control center installed, where do you see this information at?

    "For the tips other users gave you: these tips are fine. This will have no negative impact on the scanning result. But as you mentioned that you have the feeling that KAV slows down your system, you might want to check if you have installed the latest components of KAV: Monitor should be version 4.0.6.0 and CoreComponents should be 4.0.5.31. You can see this information in the ControlCenter on the components tab"

    Also, I downloaded this from the Kaspersky site yesterday... I would imagine that it is up to date...
     
  17. controler

    controler Guest

    Yes the site seems to be translated now.
    It looks funny as Norman is inverted on the bar graph.
    NOD-32 shows as about the second worst AV, next to FP-Win
    I am surprised there aren't more comments posted about this test.
    I will say YES I think KAV is good but not that much better than Norton as shown here, and that's a fact.
    Why is it I still have files over a year old that NONE of these AV's listed catch o_O
    We have all had this same discussion on packers and came to the conclusion
    zipped, packed files don't do any harm unless unzipped/unpacked and run.
    Oh yea, and again McAfee will never be on my list as a good product. Had way too many bad experiences with that one...
     
  18. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hi controler!

    Can you explain something more about your bad experiences with McAfee?

    I'm really interested in your arguments, because McAfee again scored much better in the most recent Rokop test than many other so called "well-respected" and "top-notch" virus scanners.

    I know, a test is just a test, and is too often a non-reliable, non-real and non-truthful impression of the real capabilities of a product; x tests and x different opinions, so what can and must we dummies believe about what all the so called professionals are trying to tell us?

    Fact is, McAfee scores very well in almost every test; there will be a good reason for that, or? o_O
     
  19. xor

    xor Guest

    With the next NAV engine yes. But not now.

    Do you see any ZIP or RAR packed file there? No.
    Archives and runtime compressed files are not the same.

    *lol* McAfee is not a toy to play around with. And it's not yellow, but at least it does a great job in malware detection.
     
  20. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Test beds were packed and NOD32 or F-Prot don't cover these packers. There is nothing to comment about.

    "shown here" I don't quite get this. In terms of detection rate, KAV is a much better solution than Norton will ever be.

    This topic has been covered many times! BTW, why don't you submit those files to AV developers?

    There are a lot of “multicomponent” packed Trojans or Backdoors out there. After installing this type of Trojan, your system will contain junk that no AV software will detect (since it's harmless). The Trojan will be installed before the AV catches it. AV software will detect (if at all) the main part but not all of the components. Yes, it's harmless, but still it would bother me. I prefer detection before infection.

    Well, depends what “good” means to you. But McAfee has a very powerful engine and a very good virus detection rate.

    Technodrome
     
  21. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hmm,
    Funny, but I don't think they will ever catch up.


    Technodrome
     
  22. controler

    controler Guest

    Hi all

    I won't comment anymore on Mcafee. Use that if you chose to do so.
    I will ask this one question again.

    What has been the most common form of infection in the past two years? I am going to say e-mail.
    Yes, you can use a program that does not catch the bugger in e-mail but rather when executed. That is also your choice.
    What I want you to do is run your tests with e-mail protection ONLY
    and then post back your results. This is the test I really want to see.
    The next test would be instant detection of IMs and mIRC.
    So now we have e-mail, IMs and mIRC. To add to the list, let's try
    script and Java blocking in real time, either by running the program or a malicious web site.

    Did I mention I do like KAV and NOD-32 also :)
     
  23. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hi controler!

    IMO (negative) comments are always welcome; it has nothing to do with a special product, in this case McAfee, and can also concern other AV products like Norton, Panda, NOD32, etc. etc. etc.

    I only like to know why somebody is telling us program x, y or z is "bad business"; to give a negative statement without any further explanation why is no good at all ;)
     