F-Protect impression

Discussion in 'other anti-virus software' started by Bunkhouse Buck, Feb 14, 2008.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I was referring to this thread, especially this post:
    So, a Win 9x/ME CLI scanner lacks any financial sense, but a Win 2000/XP/2003/Vista CLI scanner would have some market? A fair amount of people appreciate standalone, self-contained and unobtrusive scanners like the good old F-Prot for DOS.
     
  2. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    No, a 9X/ME GUI version would cost more to develop than it would bring in.

    As for a CLI version, it is trivial - I could even easily make a DOS command-line version, using the 4.x engine. However - right now this is just not at the top of the priority list.
     
  3. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Are the home version (Windows) heuristics settings as aggressive as corporate versions? You cannot adjust the home version in terms of heuristics levels, so my concern is that the results at ShadowServer are not the same as a home user would experience. Any information is appreciated.
     
  4. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    Uh, what do you mean by not being able to adjust the settings in the home version? They are changed exactly in the same way. HOWEVER - in both cases you have only 4 settings, corresponding to heuristic levels 0 (normal), 1 (safe), 2 (normal) and 3 (extra).

    In the command-line version there is an extra setting: 4 (paranoid). This setting enables 10 additional aggressive "Eldorado" heuristic rules, but this will cause some false positives, so we generally discourage it.

    I know that http://www.virustotal.com is using heuristic level 3, but I have no idea what shadowserver is using.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's OK with me. F-Prot for DOS was my first AV, so I would feel at home seeing a CLI scanner.
    I appreciate you taking the time to answer my questions :thumb:
     
  6. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I was not aware that this was a command line function. It is not obvious that the settings are variable or even exist.
     
  7. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    This is true for the Automatic File Scanner which is "Stuck" on the default heuristic setting; less chance of false positives.

    BUT as Friðrik has stated there is a choice of heuristic scanning levels with the on-demand scanner and the CLS.
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Really? Mine was MSAV. :D

    With CureIt!, Prevx CSI and gigabyte-sized pen drives these days, though, I will have to say that probably the only thing a CLI scanner is good for these days might be nostalgia. :'(
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    My first machine was a 386 with 5.25 floppies. I was very young and only used it for games, so I had no idea of security and everything else. Then, my parents bought a nice K6-2 which included a copy of F-Prot for DOS. I was not aware of it until my uncle recommended me to install an AV because viruses were a real risk, especially if I was going to connect to the Internet. Then, I panicked and began looking for a copy of Norton :):)) until I discovered a folder named "Frisk" and wondered about it. A friend taught me how to use it and lowered my paranoia level telling me that viruses aren't magic. Then, I became somewhat interested in security.
    The big advantages of CLI scanners are automation (batch files) and self-containment. No services, drivers, shell extensions and the like. Just a folder in your HDD. I don't imagine you scanning newly created files (downloads, attachments, borrowed pen drives) with CureIt or CSI.
     
  10. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    FPSCAN, is the version 6 of the CLS and included in FPAV 6. Take a look here

    ##You can either run a Command directly into the Run field; for example an easy one

    "%ProgramFiles%\FRISK Software\F-PROT Antivirus for Windows\FPSCAN.exe" /local /disinfect

    OR

    ##You can create a "fpscan.txt" file anywhere, copy and save the codes into it, modify the path, and finally rename the file "fpscan.txt" to "fpscan.bat". Then to make a scan you only need to double-click on the file.

    For example;

    @echo off
    "D:\TOOL\Antivirus\FRISK Software\F-PROT Antivirus for Windows\fpscan.exe" /streams /heurlevel=4 /scanlevel=4 /archive=0 /adware /applications /report /verbose=0 /output="D:\fpRPT.txt" "f:\virus"
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Heh. Same here, with A: and B: floppies and no hard drive. I started tinkering with it when I was four or five, but my memories of it are kind of fuzzy now. Then when I was eight my parents bought a second-hand 486 with a 40MB HDD and 4MB RAM - I remember the frustration of learning concepts like files/directories, DOS memory management, TSRs, batch file programming etc. Part of this was because I badly wanted to play DOOM, which wouldn't fit into the memory I had available (I eventually learned how to bypass startup files).

    I got interested in security when it became known that the computer was infected with a boot sector virus. We had to drive all the way to the next town, and I watched the repair person work magic with a hex editor. I got hooked. :D

    If you want to scan your computer, why not just do what everyone else does and install an antivirus program? Another alternative, if you only want to scan individual files, are online services like Jotti or Anubis.

    I was thinking more along the lines of fixing another infected computer - the times when one would usually want a compact, portable antivirus scanner.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Ah, nostalgia, what a feeling, eh?
    I do use Virustotal, the Norman Sandbox and ThreatExpert, but you can't always rely on an online service (they can go offline at any time or they may be at a heavy load) and big files can't be scanned online. With a CLI scanner, I download my files to a specific folder and at the end of the day I update the AV and scan them calling the batch. Lean and mean ;)
    When fixing whacked computers, I outsource (:D) the heavy duty to SAS and CureIt. Then, I use the classic tools (Autoruns, Runscanner, a rootkit scanner, you know). I'm thinking of adding Prevx CSI (based on the readings here and elsewhere) to do a scan before and after using the manual tools.
     
  13. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    At ShadowServer they are using 2 Linux versions. Version 6 is used with heuristics level 4 in the CLS.

    So it looks like this may not give the same detection rate as the normal Home Windows version.
     


  14. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    There will be a *slightly* higher detection rate if the heuristics are set to 4, rather than 3, yes.

    Now, as I have said before, I really don't recommend using the "paranoid" heuristics (level 4) for normal users (which is why the GUI doesn't even offer that option). However, as far as shadowserver.org is concerned, the differences are mostly only that "Heuristic-162" and "Heuristic-210" become more aggressive, and a few new rules may get triggered, but they don't seem to show up in the shadowserver.org lists.
     
  15. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'm trying out FProt as a result of this thread and so far I'm very impressed. Although not the lightest in terms of memory use, CPU time is very low which I consider a more important measure (unless of course you're struggling for spare memory on your PC in the first place - these days I don't think most people are).

    Sure, AV 'test' performance doesn't put it up there with some of the big guns, but after having run some of the big guns for several years and rarely come across a piece of malware that all of the AVs weren't detecting anyway, I'm not sure of the real value of this extra few % in the published tests anyway.

    So far, so good then...and I think more people should be giving FProt a try...particularly as most people on here use a layered security approach anyway. It seems to fit nicely into the layered model.
     
  16. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    :D
    cool scoobs! =) + "the big guns" are normally targeted by malware, so they could be possibly a little more vulnerable.
     
  17. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Don't forget that there is also an official Frisk Forum to visit.

    And lots of help/suggestions on the main site as well.
     
  18. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    One thing about the layered model - as you know, F-Prot is not a complete suite package - in particular we do not include a firewall or a behaviour-blocking program. There are numerous good firewalls available, and I'm sure that readers of this forum can suggest a few. As for behaviour-blocking - I have never been a big believer in allowing potential malware to run, and stopping it if it attempts to do something nasty, but with increased demand for this (from users, as well as testers), we will be looking into including something like this.

    No details available now, and no promises as to when this would happen, sorry.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Of course malware should never be allowed to run if one already knows what it is, but the problem is that you cannot do that with a 100% success rate using your current (blacklisting) approach.
     
  20. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    regardless of whether shadowserver is using the paranoid setting which users will not use, I'd like to see F-Prot improve their spyware/adware detections, is this on the to-do list?
     
  21. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Yep. Take a look at the on-going thread.

    But even at the present time, new users should change the default setting for additional spyware protection. But you need to activate this option;

    SELECT Virus Scanners >Advanced>Settings> Other settings, check the “Report possible unwanted applications” check box. This will activate the additional protection for spyware/adware.
     


    Last edited: Feb 17, 2008
  22. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    cheers blackcat, but I'm staying with my trusted doctor.

    but if questions don't get asked, answers don't usually get found. ;)

    I'm curious now, about these different levels of heuristics now, because the paranoid setting will show well on tests, but give an amazing amount of false-security fp's, even frisk are saying not to use it as well.

    if tests are using these best 'paranoid settings', the results will also be misleading, and obviously high. :cautious:

    and I don't mean this just for F-Prot, but others such as VBA etc too.
     
  23. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    IME, "amazing amount" is a great exaggeration for FPAV6, VBA32 and Avira on the highest heuristic setting.

    With my own testing, both FPAV 6 and VBA32 showed much greater detection rates on the higher heuristic setting with only a slight increase in the number of FPs. And with FPAV6 I found the biggest increase in detection rate between normal and high, the level below paranoid.

    And Frisk just suggest that the average user stay with the default setting and these users remember will have no idea of heuristic level 4 in the CLS of FPAV 6.

    Depends upon whether you believe that these tests should only use the normal default setting or give some indication of the maximum protection rate. As you know IBK believes in the latter.

    I know Chris. I was not including you in the "new user" category ;)
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    yep, one thread and i already see people jumping on the bandwagon here. :blink:
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    But at least worth a trial. After/during which you can make your own decision.
     