AV-Comparatives - File Detection Test - March 2013

Discussion in 'other anti-virus software' started by SweX, Apr 10, 2013.

Thread Status:
Not open for further replies.
  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Quite a few big vendors now use USB scanning technology. Some form of HIPS software would be useful too.
    Perhaps your colleagues and neighbourhood need some education on practising safe computing habits.:D
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, this is part of the service industry. One cannot expect people with varied backgrounds to know everything there is about security - it is the developer's job to ensure that things are as easy to use as possible and that the customer has to worry about nothing else. If you advertise a product that claims "complete security", and then advise them to use "HIPS" and "tighter security measures" when an incident occurs, think they'll use your product again? :)

    Sad but true, you have to cater to the lowest denominator of user effort when designing software.....
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    No matter how hard you try to educate people on safe computing...
    You know, my friends have friends and those friends have friends :p It's really incredible the speed the malware spreads among usb sticks.
     
  4. er34

    er34 Guest

    Don't try to educate them - give them a link to Autorun Eater and this will stop :)
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    What is "semi-cloud" for you? The APC is not just hash checking, it is about performing the actual detection in the backend and no longer on the local machine - for obvious reasons.
     
  6. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    That's good to prevent autorun infections, but I was talking about detection of malware inside the media, you better be using a reputable AV solution (av-c tested, desirable :D) if you don't want headaches...
     
  7. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Got infected several times in the past via USB. Actually as far as I can remember I got infected more with USB than with any browser.
     
  8. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    I guess the topic has switched to whether getting infected by a USB key is valid or not. Of course it is, however, that is not what AV-Comparatives is testing now, are they?

    I am still looking for a good argument on why someone feels that a static scan is a good real-world test. What real-world behavior does this represent?
     
  9. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    You must be in school/college ?
     
  10. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Another totally BS comment, that doesn't justify what real-world user behavior a static scan behavior mimics. It certainly doesn't mimic a user inserting a USB now does it, because doing that means you would likely have an autorun.inf on the USB possibly pointing to an exe. AND the EXE will run. That is not the case with a static-scan test.

    It's amazing how little long-time posters know about malware behavior and how it's introduced onto a machine. They seem to be still stuck in the old world of static-scan tests. Either that, or they work for Norton's competitors :)
     
  11. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    At current stage, I think the so-called and fancy "only focused on web based threats" is just an excuse for av vendor's lousy performance on signature based detection. Yes web threats are important therefore behavior based detection is important, but signature based detection is at least equally important, if not more important, because the basis of anti-virus today is still signature based. Pursuing fancy "new detection technology" without a solid basis is not the way to go right now, at least before new theory emerges that makes behavior based technology as reliable as signature based detection today.
     
  12. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Are you kidding me? What do you think real time scanning does? The whole idea of testing file detection rate is to see how powerful an AV can recognize the string of malicious code before the virus can even execute itself. What's wrong with that? If an antivirus software can prevent a virus from running in the first place by real time scanning/manual scanning, I think it's 100 times more reliable than relying on a behavior blocker, because you never know if the virus is blocked 100%.
    Now I understand signature based detection won't work on new viruses, where heuristics/behavior blocker comes into play. Due to the relatively fast response to new viruses by av companies, in reality, most new viruses will become known viruses very quickly and be detectable by scanning, either real time or manual scanning. So if you don't have a good detection rate by signatures, chances are you will be infected by these relatively new viruses, but ppl having an av with good detection rate will be safe.
    Now, let's put it this way, for anyone who despises file detection rate, why don't you just disable virus definition update in your av, and only use behavior blocker? Go ahead, do that, and good luck!

     
  13. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    You keep arguing how people see these results as real-world test results but afaik no one in this thread has.
    Arguing about the merit of this specific test is something else, I for one don't consider these results as 'The Guiding Principle'.
    If Symantec participated in the AV-C real-world test, everyone could be happy.
    Then again, flagging unknown software as malware-by-default perhaps negates the need for testing at all. :)
     
  14. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Like I said earlier in the thread, AV-C doesn't allow companies to participate JUST IN THE REAL-WORLD TEST. And just to be sure we are talking the same language, when I say 'Real-world' I mean infecting the machine just like users in the real-world get infected. This includes the following list
    - Downloading an exe from a browser
    - Drive-by exploits via a browser
    - Infections via a USB key
    - Infections via email attachments
    - Infections by downloading exes from P2P clients
    - Injections over the network exploits

    Symantec participates in the real-world tests, because it covers some of the above. So why should they participate in the static-scan tests that do not add anything to the above list of scenarios. Since they don't want to participate in the no-value static-scan test, AV-C forced them to pull out of the RWT as well.
     
  15. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Yeah, you guys keep saying that, and yet Symantec has the highest score in the USABILITY category, a big portion of which is FALSE POSITIVE testing.

    Check out http://www.av-test.org/en/test-procedures/award/2012/

    If their FPs were so bad as you all claim, how would they get the usability award (which btw is a sucky name, it really is for FPs and performance than anything else).

    The results speak for themselves.
     
  16. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Again, another very uninformed comment. What does 'only web-based threats' have to do with 'signature-based detection'? Symantec's position is that it wants real-world testing, and it doesn't really matter what engine detects the threat, whether it be signature-based or heuristics, or reputation or whatever. What AV-C is doing here is NOT real-world testing with their static-scan test. It's synthetic outdated testing that may have been OK 10 years ago but not any more.
     
  17. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    There is plenty wrong with that. The test doesn't even exercise the IPS. By blocking an attempt to exploit a vulnerability through network scanning, you don't even have an exe in the first place :) So I would argue that Network IPS scanning (which static-scan doesn't even test), is 100 times better than your AV-file detection :) You do know that most exploit toolkit servers serve up a new polymorphic sample each time you visit the site, correct ? How is your AV going to catch that. I'd take a network IPS signature on the exploit used by a BlackHole toolkit any day over your award winning static-scan test product.
     
  18. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    All the scenarios you mentioned are monitored by real time scanner of all AV programs. And real time scanning is thorough reflective of static on-demand scanning. So what in your world is a real world test that no real time monitoring is involved?
    Your reply shows you have no knowledge how a modern AV program works.

     
  19. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    LOL. Just disable your av virus definition update and use only your IPS scanning, please. Please go back and read what is real time scanning and how it works in a modern AV, and how real time scanning relates to static on demand scanning.

     
  20. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    AV-Test is money oriented.

     
  21. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    And AV-C is running a charity right ? That is the joke of the week. All these guys are doing this for the money. If you think otherwise, you are just kidding yourself.
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    The attached image shows the results of Nod32 (at the time I was using Eset, April 2007) in action in five days of very infected USB flash drives. Detection of malware was done off line. Nowadays flash drives don't tend to be so infected as IMO most people use an antivirus and Windows Vista/7/8 are proactively more secure than XP.

    I still find infected flash drives occasionally, but hardly any detection in 5 years on the Internet (Avira detected something twice during this period).
     


  23. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Fair enough, they are all businesses. Somehow in my impression it appears av-c is more independent than anyone else. I admit I did not investigate how independent they are.

     
  24. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Agree with some of the posts, I have found more viruses through USB Flash Drives than by myself doing my daily activities. Yes, I was in high school and I'm still in college. :rolleyes:
     
  25. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    +2...I have disinfected so many badly infected USB's using my own Laptop that has avast on it LOL!! and it saves me from these flash drives every month :D
     