AV-Comparatives tests (2006-Q4)

Hi,

as in the period between today and end of December there will be several new tests (apart the retrospective test with the speed-test and false alarm test) appearing on av-comparatives, opened a new thread in the hope that they can all be discussed in it.
Just "explore" the site from time to time or wait until someone detects new reports and tells their presence here .

Thanks,
IBK

 

Thanks !
Since I first learnt about Av-comparetives I like it so much and I am looking forward to all the tests you make . You are great people making excellent and high-quality tests , real tests/results

 

Thanks IBK for the good work!!!

 

Yes good work, another non-biased test.

My main question is why doesn't the WLO distribute these samples to smaller companies, ie. VBA?
Is it due to the fact they are not on the reporting panel?

It is nice to see AV-Comp is distributing its self made Wildlist to all involved bvery fair IMO.

 

no comment from me

 

And the list still contained all viruses mentioned in the main list in here.

http://www.wildlist.org/WildList/200608.htm

Best regards,
Firefighter!

 

hello ibk/others,

nice to test soft with version 2007 (specialy for avk -kaspersky/avast!)

 

That is why I stated it was a good move by AV-Comp. to provide them even if the WLO won't.

 

Does anybody know by which av have these ItW viruses got their names?

http://www.wildlist.org/WildList/200608.htm

Best regards,
Firefighter!

 

you will probably not find any which has exactly those names.
edit: just found those links, maybe they help a bit:
http://www.avira.com/en/threats/section/wildlist_intro/index.html
http://www.fortinet.com/FortiGuardCenter/antivirus/wildlist.html


currently the itw report is down as I will apply some changes - the results remain the same. Will be back online soon.

 

Glad to hear that IBK!

It is always great to read what you, and your team, test...

 

Is it possible to "freeze" those av signatures lets say 2 weeks AFTER the tested ItW list month in the future, just to see how fast those av:s actually are to detect the ItW list of viruses?

Best regards,
Firefighter!

 

yes, it would be possible, it would be like the outbreak tests that av-test.org already does from time to time. As av-test.org has every single update of any time, it is preferable and better that av-test.org does the testing you say (looking how much it takes to add itw malware).

 

IBK, do the AV authors ever tell you whether their heuristics are Petri net based, graph based, goal oriented, sub-goal inductive, design based, etc.? If you have the time, please respond. Thanks.

Dave

 

no, and probably never asked .

 

It would be interesting to know. For example. F-Prot claims neural network heuristics, so do they program in C++ with a sochastic net in mind?

Dave

 

for the tests its not relevant. please try to ask the vendors directly.

 

Perhaps it's not relevant as per the test results; however, such knowledge beforehand would explain to the vendor the reason for the number of false positives as well as the test files missed. With respect to feedback to the vendor, it would be relevant to the test.

Dave

 

Best regards,
Firefighter

 

dw2108:

Somebody that claimed to now how (some) AVs work once told me that they used bayes classifiers and/or sparse markov transducers, but he did not give more details.

By the way, the algorithm used for classifying the malwares is not by itself sufficient to explain or understand false positives or misses produced by an heuristics engine. It is also necessary to understand on which criteria the classification is based.

It could for example be a measure of similarity between the sequence of API calls produced by the scanned executable and a set of typical "malware" sequences, it could involve frequency of occurrence of various opcodes/bytes, it could take into account the contents of the IAT, etc.

I think Daniel Bilar's adressed some of these topics during the Blackhat USA 2006 conference.

 

I wonder if TrendMicro's PC-Cillin or some other new AV vendor be in the list ?

 

no, is not.

 

Thanks, tweakie, it's nice to know that some AVs do run on stochastic nets/automata for their model bases. I wrote some papers on this long ago in: Logic in Quotes, J. Phil. Logic, Vol. 16, No. 1, 1987, and another: Algebraic-Valued Quotational Logics, Communication and Cognition, Vol. 20 No. 4, 1987. I had no idea then that some of my work would be would be applicable in the writing of AV apps!

Dave

 

One for the Inspector to answer.

 

Is it possible to test Fortinet in the future too? At least it was better than McAfee against this year trojans according to this.

http://www.eweek.com/article2/0,1759,2023127,00.asp?kc=EWRSS03129TX1K0000614

Best regards,
Firefighter!