Dr.Web wouldn’t crack

Dr.Web wouldn’t crack

November 9, 2009

The Dr.Web anti-virus from Doctor Web turned out to be the only one out of 7 widely used anti-virus programs that wouldn’t give in to participants of the International Alternative Workshop on Aggressive under the aegis of the ESIEA.

The first (International Alternative Workshop on Aggressive Computing and Security was held on October 23-25 in Laval, France. As a part of the event seven anti-viruses were tested to determine if their self-protection could be disabled in sixty minutes. Anti-viruses were tested on Windows machines and testers had administrator’s privileges in the systems.

The test showed that self-protection of anti-viruses from such vendors as Kaspersky Lab and Eset could be disabled in 40 and 33 minutes respectively while the defence mechanism of Norton Antivirus would break much sooner, in 4 minutes. The McAfee anti-virus was the quickest to fall and surrendered to testers in 2 minutes. AVG and G Data anti-virus solutions also failed to pass the test. Russian Dr.Web was the only anti-virus that wasn’t disabled in sixty minutes. All vendors that participated in the testing received information about vulnerabilities found in their products.

 

They are so good you cant even uninstall it.!

 

Sysinternals

 

Yes I know about ntunldr aka EP_X0FF. He needs to move on and stop feeling so bitter

That still doesn't address the failure of some other so called top AV's.

 

Really! I have never had any problems and I'm always installing and uninstalling AV's as I test them. Dr.Web uninstalls ok for me.

 

Re: Dr.Web wouldn’t crack

Eh?..did you read the thread

 

was Avira or Avast tested in this?

 

I can kill Dr. Web in less then 8 Sec...... Hit the power button. That's about as valid as that article is lol.

I miss Dr. Web in tests........ Norman has had the last position for to long.

 

Re: Dr.Web wouldn’t crack

Here pdf

 

thx for the link.

 

Actually it's quite funny....on their russian news/pr website, they declare themselves as the only unhackable av in the world....quite funny where there is actually a nice tool called SpiDie that kills in in a few seconds.

If you have admin access then there is no such thing as an "unhackable" av...you can make it harder, but not make it "proof"...

http://rootkit.com/blog.php?newsid=974

 

As a long time Dr.Web user I would like to see news about 64-bit version, quarantine, better user interface and something to improve detection of malware.

They have started to add more signatures. Usually it was around 300-700 per day but now it's regularly many thousands per day except for weekends. I believe they have moved from completely manual analyzing to using an automated system+manual analyzing. This was not mentioned in any news and since they don't get tested anymore we can't see in percentages if it improves anything.

 

Personally, I don't see how this is supposed to be an achievement. In fact, it actually makes me leery of DrWeb.

The right way to protect an antivirus - or any other process/driver, for that matter - is to restrict the privileges of all other non-critical processes, and anything that can entrench itself so firmly into the OS that it can't even be removed by admin users is digging waaaay too deep for my liking.

 

i do have to agree.

 

Nice is not a word I would choose to use for malware even if it is labelled as proof of concept to protect the author. Have you tried it against the latest protection?

 

Yes I agree with you. I can't read the Russsian forums (easily) and there is little information in the English forum. For some reason they don't like to give out much information on where the product is going. When asked about the long awaited new GUI (which I really don't care about) it is always 'coming soon'. I don't see the GUI as an issue, more of a nice to have, but yes it would be good to be able to judge where they are now in relation to detection of malware and how good their heuristics and origins tracing is against zero day. Proper handling of quarantine would be a plus point and that is also 'coming soon' but no committed date. 64-bit is in beta and they already support Windows 7 so something is happening even if they don't like to keep us well informed.

I keep moving away from Dr.Web and trying other products but no other AV ever feels right and I always end up coming back. Maybe when the new GUI is in place I will feel that the product has been spoiled and is much like all the other glitzy looking but irritating products that are out there. But if it keeps its character and doesn't just become one of the crowd then I'll probably stay with it while ever it keeps me protected, which it has done up until now.

 

Malware, come on pjb024.

Actually I was quite surprised DrWeb added to virus database and agree with what EP was saying at sysinternals forums - it doesn't fix the hole.

 

Yes, some vendors will detect it as malware. If the code is automated a bit, then it could well be used as part of a malware package. But in this case the author is pointing out some mistakes in Dr.Web claims that they are "unhackable" and that DrW can be unloaded from usermode with relative ease.

The PDF inside the archive contains additional info, and the exe is harmless unless you are running Dr.Web and do not want it to be terminated. In any other case it will just check if Dr.Web is installed and error out.

Yes, it is crude and contains the usual 1337 hacker BS but the technical info is sound.

 

I agree that if there is a vulnerability that can be exploited then they have to find a way to remove the vulnerability rather than attempt to detect malicious code. Adding to the virus database doesn't fix the underlying problem.

 

Isn't the author an ex employee of Dr.Web?

I do think that it was folly for Dr.Web to claim invincibility as no product will ever be invincible and there will always be some way to circumvent any security system. If they had simply said that they had done rather well in a test of self protection against several other top AV vendors then maybe the claim would have been received more positively. Clearly they are not invincible but in comparison to the other products tested they did ok.

 

Where did they claim anything about being invincible? They only made news about them having success in some test like all the other vendors do.

" If they had simply said that they had done rather well in a test of self protection against several other top AV vendors then maybe the claim would have been received more positively. "

.. I believe this was exactly what they did in the news. I can't find the "invincible/unbeatable" part.

 

Here: http://news.drweb.com/show/?i=678&c=5&p=0 (it probably redirects you to the english ver, but russian ver is below. Title reads "Dr. Web recognised as the only "unhackable" antivirus in the world")

 

Completely different news in English vs. Russian. Nothing "wrong" or aggressive in the English version. It just stated that Dr.Web was the last product standing without any stupid claims.

 

And that was against some high profile competitors, some of who failed miserably

 

This could be a very stupid question, but are they testing what you can do remotely or if you have physical access in the computer?