DrWeb32 review

Discussion in 'other anti-virus software' started by wizard, Mar 21, 2002.

Thread Status:
Not open for further replies.
  1. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Exclusive for wilders security forums. :)

    Last week I visited the German CeBIT and of course I took a look at a lot of anti virus companies. One of them was DialogueScience, Inc. from Russia. As a ‘gift’ I got a special trial version that does not have any of the minor limitations of the official trial version which can be downloaded from their website. So I have tested it for a few days now and thought it would be a good idea to write a short review.

    DrWeb32 is an anti virus software from Russia that is widely unknown over the internet. The development of DrWeb started in the early 90s and during the mid-90s DrWeb got some 'underground fame' for having one of the best heuristic detections for DOS viruses.

    From 1998 things changed. With more and more Windows installations a lot of new viruses and malware were introduced: Of course Windows viruses (Win32), macro viruses, backdoor trojans and worms. During that time DrWeb developed a new version for Windows called DrWeb32. Some of the earlier releases produced a lot of false positives. After another year of developing the actual version 4.27c has become a very strong anti virus solution.

    DrWeb32 consists only of three parts: The on-demand scanner DrWeb32, the on-access scanner called Spider and a scheduler. DrWeb32 works on all Windows versions including WinXP. The software is easy to use for someone who already has experience with other anti virus software.

    The main feature of DrWeb32 is the memory scanning technology which seems to be quite unique: Like most anti trojan programs do, the whole process memory is scanned for viruses. So DrWeb32 is one of those anti virus programs that could detect viruses or worms like Code Red without problems in memory. Also viruses or trojans which are compressed with exe-packers can be detected. This is a very strong feature but regarding the latest tests from the German test site Rokop-Security DrWeb32 is good but still not as good as an anti trojan software and so I would recommend extra anti trojan protection to use with DrWeb32.

    The other main feature is the heuristic. Famous for good results at old MS DOS times, the heuristic of DrWeb32 now detects macro viruses, scripting malware and of course all kinds of Windows viruses. Since version 4.27 two more heuristic modules were introduced. One for worms written in Visual Basic (the programming language, not Visual Basic Scripting which is used for worms like the love letter). The other module is for the heuristic detection of backdoor trojans written in Visual Basic.

    One negative aspect and overall big minus for DrWeb32 is that the heuristic found some harmless programs as infected. So the ‘tuning’ of the heuristic still has to be improved.

    So how is the detection of DrWeb32? Regarding the latest tests from http://www.avtest.org DrWeb32 is not the best but comes close to the results of the top products. In the February issue DrWeb32 earned a Virus Bulletin award for 100% ITW detection. Also in that test DrWeb32 was the only program that gained 100% detection of the polymorphic testset. The polymorphic testset that was used in February tests was very difficult because it contains one of the most complex viruses called Zmist. Zmist is a virus that uses so-called metamorphic technology instead of polymorphic technologies. The difference between both technologies is that the virus body of a polymorphic virus stays the same but gets newly encrypted every time it copies itself to another file. Metamorphic means that the whole virus code changes each time it copies itself!

    DrWeb32 uses the same technology for email protection as Kaspersky Anti Virus: it scans the emails and email databases. So a special POP3-scanner is not needed. I could not find out which email programs are supported but it works perfectly with TheBat!.

    Spider, the on-access component of DrWeb32, knows three different levels of on-access scanning. The default option is ‘smart’ which optimises the scan speed. But it can be chosen between ‘run and open’, ‘create and write’ or both. Also Spider allows to scan emails, archives and packed executables. Another point is the option ‘Virus activity control’. This means Spider checks the system and reports suspicious behaviour. So there is another chance to catch unknown viruses. Spider is resource friendly and does not need much memory to run.

    DrWeb32 for whom? DrWeb32 is no anti virus software for beginners. The reasons are that the support and also the information on their website show that they are not perfect in the English language. Also that the heuristic reports some harmless files as infected can be confusing. An advanced user should not have problems with that.

    Overall I must say that DrWeb32 is becoming more and more a ‘secret tip’ for anti virus software. A trial version can be downloaded from http://www.dials.ru

    wizard
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks for the scoop, wiz  ;)

    All in all, Dr.Web is vastly underestimated in my view. As is ADinf.

    regards.

    paul
     
  3. FanJ

    FanJ Guest

    Hi Wizard,

    Thanks so much for this very nice review !
     
  4. Ledendo

    Ledendo Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    23
    Nice Review, and I would like to add my 0.02. I have been using DrWeb for some years now and am more than just content and I agree with wizard's conclusions.
    There are some points I'd like to add:
    -Updates are frequent, even more than once a day, new sigs are included in very short time when you send a suspicious file to Mr. Danilov and his staff.
    -Update files are very small in size, usually about 3-4kb, great for users on slow inet lines.
    -The support is great (although it helps if you speak Russian ;) , but they have a contact person who speaks English quite well, too...), even special fixes for unique system setups are no problem.
    -Now with all those Klezes etc trying to shut down common AV programs, Spider (the on-access monitor of DrWeb) resists most of these shutdowns.

    The only drawback is the number of false alarms wizard mentioned. Every now and then a file is reported to be infected, but again, I prefer a heuristic that produces some false positives over one that misses new viruses and in all cases new sigs correcting those alarms have been added within hours.

    Overall, DrWeb is a really good choice.
     
  5. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I've tried almost all AV and next to NAV 2001 DrWeb is the only one without any problems except for a minor cosmetic issue. After it has survived some more compatibility testing I will register it and use it as my on-access AV.

    Nice to hear it also supports the same email protection as Kaspersky (this option is not available in the eval version). If it works with TB it should also work with Becky.

    There are two DrWeb sites:
    http://www.dials.ru/english/home.htm
    http://www.sald.com/

    If you register from the first you pay $21.95
    If you register from the second you pay EUR 25 for the home version and EUR 50 for the pro version.

    According to the FAQ from http://drweb.imshop.de/index_e.htm the home version doesn't support program updates and this was confirmed to me by mail. The dials.ru English site clearly states the $ 21.95 version includes free program updates for a year. I have had enough dealing with AV companies and I'm not going to try to convince the people from drweb.imshop.de their associates from dials.ru offer the same product including program updates  :rolleyes:
     
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Hi diginsight,

    yes there are two sites. As far as I understood, the German site seems to be some reseller. I found the German site a little bit suspicious because they want 10 Euro when you want to get informed about new versions. Dials offer the information in their newsletter free to anybody.

    wizard
     
  7. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Hi wizard, the more reason to register through www.dials.ru  ;)

    BTW I forgot to mention there's a third site. When I viewed how to register Adinf there's information about a German reseller that offers the Dialogscience AntiViren Pack which includes both DrWeb and Adinf for only EUR 24.99 @ http://www.mitcom.de/details/detailansicht.php?produkt_id=65 AFAIK it's German only and needs to be shipped. I have no idea if this also includes program updates.
     
  8. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Hi diginsight,

    I do not know if Mitcom is selling DrWeb anymore. The last time I visited their site (4-6 weeks ago) everything regarding DrWeb was more than one year old and also some links were broken.

    wizard
     
  9. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    I just installed it to try it out, seems ok but it alerted 3 false positives straight away!
    vsdatant.sys - which seems to be a Zonealarm file
    and two files from my 'script checker' programme, tests with F-Prot, Nod32, AVG, and EZ Antivirus, all updated, found nothing suspicious.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Tinribs,

    As wizard stated above:

    And Ledendo as well:

    Thus, your results should not come as a surprise really   ;)

    regards.

    paul
     
  11. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Ah, that will teach me to speed read posts  ;)
    Having re-read it I accept the warnings. I suppose overly aggressive is better than too laid back (sounds like my missus!!)
     