AV-Comparatives February 2007

Discussion in 'other anti-virus software' started by IBK, Feb 23, 2007.

Thread Status:
Not open for further replies.
  1. KikiBibi

    KikiBibi Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    173
    Correct, more protection against trojans/etc.

    Heuristics, I like to know about that too.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It would seem it's mainly because of the heuristics that they don't need to add as many signatures. Obviously, if the heuristics weren't as good, I'm sure they'd concentrate more on the signatures.

    I do have great difficulty understanding heuristics, and why so many people seem to place great interest in them. Essentially, they're dealing with the unknown, and with that comes false positives. Yes, the heuristics code can be tweaked to correct such anomalies till the next time. So the heuristics are being updated continually - almost like signatures really.

    Eugene Kaspersky makes the point well in a November 2005 article:
    He does, however, go on to say:
     
  3. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Thank you TonyW for that article. :thumb:

    And I think another reason for KAV to score Advanced+ is the big respect they have for their customers. If you send them a sample you will get an answer within a few hours and if it is a real threat they add it at the next signature update. :thumb:
    I've seen vendors very irritated because their clients sent them infected files and expect them to be added within a couple of hours. o_O Of course they want that! What else? This is not the right way to do it. :thumbd:
    Just a personal opinion.

    Best regards.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Of course, what he didn't say is that those hackers can break pure signature based AVs easier... I don't see the big point here.
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    of course tony, heuristics ARE for zero-day unknown threats, but nod32 are sooooo based on them, I could fill a computer with OLD malware, 2000-2003 and probably half of them are heuristically detected by nod32, I just find this weird, that's all I meant :D
     
  6. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    To the modern, professional (commercial) malware author it does not make much difference to make his (her?) malware undetectable for any type of detection (signatures, generic detection, emulation, behaviour analysis). Some authors already reached a *very* high efficiency in this, alas. :( Let's hope that this doesn't become mainstream.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Stefan,
    What can AV companies (especially the small ones) do (in the technology front) to overcome this?
    Your post seems hopeless.
     
  8. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    The "professional" malware authors obviously focused on the "big" AV companies at first. By now, their adaption speed increased so much that they can take care of the "smaller" AV's as well. As I said, the actual used detection technology doesn't really matter anymore. In the end, every type of detection relies on certain data or behaviour which can be changed to avoid the detection.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, antivirus engines must become "behaviour blockers" or be used in "paranoid" mode?
    Well, I'm ignorant about coding and antivirus technologies, but I partially disagree here. IMHO, malware has very similar behaviour:
    -Trying to kill AV/AS/firewall processes.
    -Adding entries to the host file.
    -Installing drivers.
    -Adding itself to startup.
    -Using uncommon ports.
    -Trying to inject code into legitimate apps.
    The challenge appears to be the gap between the detection of suspicious behaviour and the number of FP. Whitelisting is helpful here (at least to some degree).
    It seems that the "real solution" is the cooperation with law enforcement agencies?
     
    Last edited: Feb 26, 2007
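The trade-off described in the post above (behaviour-based detection versus false positives, with whitelisting as a partial fix) can be seen in a small scoring model. This is an added example, not part of the original thread and not any vendor's rules: the weights, program names, behaviour sets and allowlist are all constructed for illustration.

```python
# Added illustration: weights and samples are constructed assumptions.
WEIGHTS = {
    "kill_security_process": 5,   # trying to kill AV/AS/firewall processes
    "modify_hosts_file": 3,       # adding entries to the hosts file
    "install_driver": 3,
    "add_startup_entry": 2,
    "uncommon_port": 1,
    "inject_code": 5,             # injecting code into legitimate apps
}

# Constructed sample set: (program, is_malicious, observed behaviours)
SAMPLES = [
    ("dropper.exe", True, {"add_startup_entry", "inject_code", "kill_security_process"}),
    ("spybot.exe", True, {"modify_hosts_file", "add_startup_entry", "uncommon_port"}),
    ("quiet_stealer.exe", True, {"add_startup_entry", "uncommon_port"}),
    ("vpn_client_setup.exe", False, {"install_driver", "add_startup_entry", "uncommon_port"}),
    ("chat_client.exe", False, {"add_startup_entry", "uncommon_port"}),
    ("text_editor.exe", False, set()),
]

# Hypothetical allowlist, keyed by name only for brevity; a real one would
# key on something harder to spoof, such as a publisher signature or hash.
ALLOWLIST = frozenset({"vpn_client_setup.exe"})


def score(behaviours):
    """Sum the weights of every behaviour observed for one program."""
    return sum(WEIGHTS[b] for b in behaviours)


def evaluate(threshold, allowlist=frozenset()):
    """Return (detected malware, false positives) as lists of program names."""
    detected, false_pos = [], []
    for name, malicious, behaviours in SAMPLES:
        if name in allowlist or score(behaviours) < threshold:
            continue  # allowlisted or below the alert threshold
        (detected if malicious else false_pos).append(name)
    return detected, false_pos


def sweep(thresholds, allowlist=frozenset()):
    """Map each threshold to (malware detected, false positives) counts."""
    return {t: tuple(len(x) for x in evaluate(t, allowlist)) for t in thresholds}


if __name__ == "__main__":
    for label, allow in (("no allowlist", frozenset()), ("allowlist", ALLOWLIST)):
        for t, (hits, fps) in sweep([3, 6, 9], allow).items():
            print(f"{label:13} threshold={t}: detected={hits}/3 false_positives={fps}")
```

In this constructed set `quiet_stealer.exe` and `chat_client.exe` show identical behaviour, so no threshold separates them; the allowlist removes the VPN installer's false positive but leaves that overlap untouched.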
  10. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Yes, according to this:
    http://www.viruslist.com/en/analysis?pubid=204791915
     
  11. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Was it F Prot 6 or 3 used in this test?
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    av-comparatives tested version 6.
     
  13. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    That is why I love KAV/KIS PDM, it can stop all of that.
     
  14. madaro

    madaro Guest

    What's the big deal? Every independent tester has their own set of test samples, all their tests give different results, they all categorize the programs differently, and yet, over the years long before av tests became such a controversial subject, I have never had an antivirus program that I was using at the time fail to protect my computer when it was exposed to a threat. I just don't understand why people get so distraught over a bunch of numbers and percentages, seems rather trivial to me, anyway, I have a couple of months left to my NOD32 license before I renew and it seems to protect one of my computers as well as AVG Anti-Malware protects the other. Thanks for letting me express my thoughts on what seems to be a touchy subject in this forum. Have a great day everyone! And be well.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Small percentage differences tend to mean little, yes. I think so too.

    But the site being discussed here seems very honest, and clearly shows what methodology was used. For AV's, the samples are big, or as big as they can be, and I expect them to produce more reliable results than any other site out there.

    So it can only do you good if you consider it. Your specific case means that you weren't infected, or not much, so it reveals your caution or intelligence (;) ), not the capability of whatever AV you used.
     
  16. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    You don't get it? I'll explain.
    If YOUR av gets a 96.83% detection rate, and MINE gets a 97.14%, your av stinks, and mine is much better....
    (I believe some people may actually read it this way)
    I hear you, and couldn't agree more, but I guess these tests have to quantify their findings in some manner.
    Succinctly put.
     
  17. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Agreed.

    95% Cautiousness
    5% [choose your favorite AV here]

    Am I wrong on the percentages? :rolleyes:
     
  18. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I realize that the differences between the top AVs are not significant. However, it doesn't make sense to dismiss percentages. Isn't that the reason we have security software, to detect and remove/prevent malware from installing on the systems?

    If that is so, then how does anybody except the experts determine which applications provide the best protection? For me it is tests such as IBK's.
    There is no argument that detection is not the one and only criterion, but if I am going to use one I want the best that will run well on my system. That translates pretty much to detection rates. If they are not important, then why does not everyone use Clam? I bet those who are saying that detection rates are not important are not using Clam.

    As to being hopeless, the AV developers are doing well in my own estimation. I have only had computers about 8 years, but have never had an infection. If it is so hopeless, then why are not all our machines wrecked? o_O

    So regardless of all the comments that detection rates are not so important, samples are not real world, and such, I am going to continue to watch AVC and base my decisions in a large part on which AVs I believe have the best detection, and get along on my system.

    Regards,
    Jerry
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I didn't say that if you're talking about me. Maybe not, it's all good anyway :). What I really mean is small differences mean little. You're not going to catch every virus out there. If you catch anything, you yourself probably downloaded it, bundled with something.

    To me, above 85% is good, 90% is great. Not fixed numbers, just an observation.

    I don't use Clam, but I use another freeware that is much better. When considering an AV for home, best to look at what freeware is available. Avast! or Antivir seem enough to cover my back if I make a mistake. AVG too for that matter, but I know some of you dismiss this product very fast. Saying harsh things of other people's work, offered for free...

    If I want more, I won't look for more AVs. I look for something else.

    I agree with you on much. I'm just noting some aspects.
    You say you weren't infected. Did the AV warn anything? If it didn't, it was the same as not having an AV, having nothing to do with detection rates.

    And sample is really not real world. It's a sample :), that allows us to infer on the population, with good significance levels if done properly like in this case :thumb:
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi Someone,

    I don't keep up with who said what, whether it is Someone or No-one.:D

    I do agree that there are many who use less than the top AVs without infection.
    My main point is that when I choose one, I choose the best that will run on my system to the degree I can determine "best." Detection rates are significant to me. I like KAV, F-Secure, and NOD for those reasons. For freebies I prefer Avast Home, as Avira gave some minor problems, and detection rates of AVG are below Avast normally. Those who use AVG seem to be satisfied and virus free.

    Yes I have gotten several warnings of attempts to infect my system, but the AV has blocked and removed whatever it was. I had the most a couple of years ago, and I was using Bit Defender then. I may have had one since using KAV, but am not sure.

    Regards,
    Jerry
     
  21. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I don't get involved in these "my AV is better than yours, nah-nah" type threads. The only time I mention my AV is when someone asks about it. Everyone has a favorite AV--different strokes for different folks.

    Also Jerry, you now notice the "F" is back :). After finding out that TM considers the Right Click scan a "product limitation" I decided to install the F-Secure Beta. It is basically just the AV, no anti-spam or firewall modules. Since the final won't be released till May I will have to put up with the WinFirewall till then. Maybe FS is testing in phases, the antispam and firewall will be in the next preview.
     
  22. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi Midway,
    I did notice the big "F."

    I was not aware there was a beta, but wouldn't dare to try it at this time. Have you ever tried Kerio 2.1.5? It ran well with FS on my system. I am interested in the rates of the KAV engine AVs.

    I will be flying tomorrow, but when I get there I will check out the AVC results. I am also especially interested in NOD's performance. I would not uninstall it as a result, but I admit some surprise and a little disappointment that it dropped. I also want to see the difference between Avast Home, and F-Prot. Avast Home is my favorite freebie. Sometimes I wonder why I don't just install it and forget all this trialling, but it is fun, isn't it?

    Best,
    Jerry
     
  23. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I wasn't going to try the Beta but if I am keeping Vista I have to put something on it. Might as well be F-Secure and I have beta tested AV's before (ironically TM's, lol) so here I go again.

    I have tried Kerio 2.1.5 when I had XP but the only thing I didn't like about it was that Security Center didn't see it. At one time I had bought the version after Sunbelt acquired it (4.x I think) and was using it until I got into suites. As of right now the only stand alone firewall I know of that works with Vista is Jetico and I don't really like it.

    One noticeable difference so far between FS and TM is browsing speed. FS is faster and I have the HTTP scanner turned on.

    Have a safe flight and we'll be here when you get back :)
     
  24. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Where can I grab F-Secure beta from?
     
  25. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Thanks, Midway. I will have my laptop with me.:thumb: :thumb:

    Best,
    Jerry
     