I'm testing AV products against zeroday malware

Discussion in 'other anti-virus software' started by bradtech, Oct 12, 2009.

Thread Status:
Not open for further replies.
  1. rolarocka

    rolarocka Guest

  2. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    No, you're not; the link provides a much better explanation of the meaning of QFT.
     
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    @ Brad

    Supplement: When it asks you to upload it to Twister, it actually scans it online at Twister's server. If you click the globe (earth) icon on the tray, you will see the online result. This is useful because the server has the latest definitions which possibly you haven't downloaded yet.

    You can also submit missed samples directly from the GUI, up to 2MB in size each (from the menu on top). You can also email them of course.


    Also note that all "blue" and "orange" alerts are NOT signature based, but behaviour blocker based. Which was practically what was happening there all the time. When Twister detects based on signature, you get a red coloured popup.

    Which shows the value of the behaviour blocker against zero day malware.

    For CLEANING already infected machines, I would actually NOT recommend Twister, because there only the on-demand scan works. Twister is best for prevention, with the behaviour blocker and registry protector catching the malware upon the act of execution. Signatures are its weakness, so I think other AVs would be better for cleaning something already infected. Not that it can't detect by signature, but from my tests, it's not the best for that out there (for that Avira is your choice).
     
    Last edited: Oct 14, 2009
  4. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Try testing non-signature av/am software such as Shadow Defender, Returnil 2010, et al. You would run these without a blacklisting scanner or real-time scanner of any kind in the virtual environment and then scan the real system to see if anything "got through".

    Another type of testing that I haven't seen is usability testing. What I mean is this: set up a clean image, load 10-20 new mw links as shortcuts perhaps, and then have an average (non-technical) user run each link. Then you will be able to see one of the weakest links in the security chain, and that is the user responding to what the security app displays. I think you will see some of the "feature-rich" apps get bypassed due to user error (or perhaps the av/am wasn't clear enough with what it is asking the user).

    This is why I use MSE and Shadow Defender on the laptop that my kids use. There is a greatly reduced attack vector from the user's ignorance.
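The "scan the real system to see if anything got through" step in the post above can be made mechanical with a baseline-and-diff check of the host filesystem: snapshot the tree before the sandboxed run, snapshot again afterwards, and list anything added, modified or removed. The following is an added example written for this thread, not code from Shadow Defender, Returnil or any other product mentioned; the function names, the demo directory it builds and the "changes" it simulates are all constructed here for illustration.

```python
"""Baseline-and-diff integrity check for the host side of a sandbox test.

Added example (hypothetical helper code, not part of any product in the thread).
snapshot()       -> {relative_path: sha256} for every regular file under a root
diff_snapshots() -> which paths were added, modified or removed between two snapshots
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

UNREADABLE = "UNREADABLE"  # marker for files that could not be hashed (locked / no permission)


def _sha256(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map each regular file under root (forward-slash relative path) to its SHA-256.

    Symlinks are skipped so a planted link cannot pull in files outside the tree.
    Files that cannot be read are recorded as UNREADABLE instead of being dropped,
    so a later diff still notices if their state changes.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = _sha256(full)
            except OSError:
                manifest[rel] = UNREADABLE
    return manifest


@dataclass
class Delta:
    added: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        """True when nothing got through: no new, changed or deleted files."""
        return not (self.added or self.modified or self.removed)


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> Delta:
    delta = Delta()
    for rel, digest in after.items():
        if rel not in before:
            delta.added.append(rel)
        elif before[rel] != digest:
            delta.modified.append(rel)
    delta.removed.extend(rel for rel in before if rel not in after)
    for lst in (delta.added, delta.modified, delta.removed):
        lst.sort()
    return delta


# --- constructed demo data so the block runs offline ---------------------------

def build_demo_tree() -> str:
    """Create a small constructed directory tree standing in for the 'real system'."""
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "a.txt"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "sub", "b.bin"), "wb") as fh:
        fh.write(b"\x00\x01")
    return root


def simulate_leak(root: str) -> None:
    """Constructed post-run changes: one edit, one new file, one deletion."""
    with open(os.path.join(root, "a.txt"), "w") as fh:
        fh.write("changed")
    with open(os.path.join(root, "dropped.dat"), "wb") as fh:
        fh.write(b"constructed sample, not malware")
    os.remove(os.path.join(root, "sub", "b.bin"))


def run_demo() -> Delta:
    root = build_demo_tree()
    before = snapshot(root)   # taken before the sandboxed session
    simulate_leak(root)       # stands in for whatever the session left behind
    return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    d = run_demo()
    print("added:", d.added, "modified:", d.modified, "removed:", d.removed)
    print("clean:", d.is_clean())
```

In real use you would run `snapshot()` over the host's system and profile directories (not a temp tree), keep the baseline off the test machine, and treat any non-empty `Delta` as "something got through" worth investigating with a proper scanner. Hashing rather than comparing timestamps matters because a dropper can reset mtimes; recording unreadable files instead of skipping them matters because a locked file is itself a signal.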
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks guys I learned a new to me item! :thumb:
     
  6. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
  7. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Well I guess the RAV in RIS 2009 has stood out along with Twister AV. Too bad RAV is not updating.. I know you didn't update RIS 2009 during your test. If you ran MBM you'll notice that RIS didn't catch everything, and again you didn't change the default for finding a pest. So it wouldn't just say ignored. If you had changed the settings to Clean Virus, Delete & Delete, nothing would remain. Also if you download AVI and it's a Fake, the RAV in RIS would remove it off the system before it could do harm.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In case it was missed, my request is "test":

     
  9. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I watched Avast: impressive, I like the new looks and I suppose it nailed them by signatures?

    I also watched Rising, which was exemplary behaviour blocker. Yet another case of non-signature based detection, but its bb is actually better than Twister's.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Brad's avast partII hung at 4:54 when I tried to view it. :(
     
  11. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    ALWIL has definitely improved Avast! a lot. Very impressed :thumb:
     
    Last edited: Oct 14, 2009
  12. bradtech

    bradtech Guest

    I am thinking of running some tests off of Vista instead of an XP image.. Had an emergency today so I am just getting back in.. Microsoft, PrevX, Geswall Pro, are some of the products I can remember that have been requested without browsing back..
     
  13. bradtech

    bradtech Guest

    I was also impressed aside from the voice over speaker *puppy* *puppy*
     
  14. bradtech

    bradtech Guest

    Agnitum Outpost Pro Release -added-
    Norton 2010 -added-
     
  15. guest

    guest Guest

    Watched Twister and Rising 'review' and what you get from them is knowing how their GUI looks etc ... I give you that, o.k. ... but if the reviewer has unfortunately no clue what he is doing in the moment at all (just clicking around under heavy time pressure it seems, other reviews in the pipeline) and is not reading (at all what's going on when prompted by program for example!!) then there is no point doing such 'test' or 'review'. Or is there? :rolleyes:

    Twister simply blocked *every* write attempt! Rising obviously did the same!? There was no av detection or protection involved at all I think and this is really not hard to see or understand if you FOCUS at least a tiny BIT!!!

    So what's exactly the point running malware and then not allowing it to run, never to read anything and afterwards to praise the 'great' product and how very well it protects you? - Right. There is no point. - At least this is my opinion. O.K., if you have to kill some time this might be a great way, yeah. Playing with some sort of anti-executable and fooling yourself all the time ... like ... hmm ... young dogs chasing their tail. :rolleyes:

    Btw. that's the weakness of all those youtube 'tests' I see here so far. People are throwing malware links they found at some av and that is what it all is about. - The most important thing is for sure *NOT* to understand what's going on (how the av-program works, what the reviewer is doing while wildly clicking through the prompts and options without any reading and comprehension etc.) ... BUT ... yeah you won't believe that but it's true I guess ... that the video isn't too long for uploading at youtube!!! :rolleyes:

    Frankly I'd suggest you 'testers' make yourself familiar with those av-programs *before* doing a video or taking much more time while doing it else you might not be looking very good afterwards. Especially if you consider yourself being a malware 'expert', tech-guy or whatever. - Those videos simply destroy your reputation if you had any and any grandma could see this ... having her glasses on or not, sorry!!! :doubt:

    But who knows, maybe it's enough for you to copy and paste links into IE of a virtual machine and press save/run? - But then my question is why do you have to run an always changing av-solution at the same time if it's all about copy&paste and clicking malware? - Instead just install as much malware as you can and then let us watch how the system is dying. *THIS* could be fun if popcorn is available and smoke is involved! :D

    But please do not call such thing 'av reality test' or anything like that. - Until you read (!) and then understand at least rudimentarily what's going on at your screen. - Thank you very much. :)
     
    Last edited: Oct 14, 2009
  16. bradtech

    bradtech Guest

    It's a pretty simple concept, I put in a link, hit enter, and see if the program detects or what mechanisms involved happen.. I'm not a professional tester, nor am I taking the time to know the specifics on each program. Take it for what it is worth, and if in your opinion nothing then that's fine I really don't care.
     
  17. bradtech

    bradtech Guest

    Also I am paid to be an enterprise AV Admin over three products.. In the end it comes down to a very simple thing of whether it detects the stuff or not.. After a machine is infected, in the real world we just simply reimage it.. Knowing every single aspect of the product I am showing people about is not going to be an option for me because I work 8-10 hours a day, and then in my free time I enjoy trying to find other products, and see what mechanisms are going on to stop one thing infection.. I have learned more from the people on here telling me what all the options are for the products they specialize in, and recommend me review. I know Symantec, Kaspersky, and ESET products inside and out..
     
  18. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    I think most here are on XP and 7. But your shop is XP correct? Pretty much get the sense of what's not working and what works from your testing.

    So far Twister AV and RIS 2009 stand out from the rest then Avira PE close 3rd.
     
  19. bradtech

    bradtech Guest

    Avast 5 was very impressive..
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    XP here, and GeSWall Pro test would be excellent! :)
     
  21. bradtech

    bradtech Guest

  22. guest

    guest Guest

    The best program can do nothing if the man at the keyboard and mouse doesn't care where he is clicking and isn't reading any output from av-solution!

    That is obvious. And a shame. :rolleyes: - I am not talking about 'studying' programs, knowing every bit and piece. I am unfortunately talking about the most simple thing: reading the output of an application you want to 'test'!?

    If you don't care how to operate a program properly why don't you do tests blindfolded then? Or do you? :D - Really, there wouldn't be much of a difference. Look at your twister 'test'. It's amazing what you don't see while ... sorry .. babbling about this and that.

    Yet! - Exactly *this* was what I meant with 'be careful with your reputation'. - But you don't care ... I see .. fine for me! :ninja:

    Well .. you like it VERY simple ... no doubt about that. :D
     
  23. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    He already stated that he is doing this for his own good/interest and just wanted to share it with others. Read the thread...

    There's no point in you complaining (for no logical reason) either.
     
  24. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Fortinet now has made their Forticlient suite free. It is getting pretty bad reviews across the board- false positives and missed malware. Could you test it to see if it is as horrible as most people claim?

    http://www.forticlient.com/

    From what I read, it seems those that tolerate the product have the heuristics off.
     
  25. bradtech

    bradtech Guest

    You win congratulations. You have demonstrated in this thread you are better than me, and the alpha male of Anti Viruses.. Now I will continue to "put on a blind fold", and ramble on aimlessly, and with a lower intelligence than you.
     