Malware Research Group Rogue Software Infection Prevention test

Discussion in 'other anti-virus software' started by King Grub, Feb 2, 2010.

Thread Status:
Not open for further replies.
  1. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    See last link on the page - a .rar file so you can use a portable app like peazip to unpack it.

    Being a rogue test, I'd imagine it shouldn't include rootkits etc.

    Say though, you take 24/30 as a solid effort; for example, Prevx, Ad-aware, Panda, G-Data, Comodo, Nod, Kaspersky, a-squared and Online Armor all would hit that mark.

    Others with a few user tweaks (Avast, Avira) would do better. With viruses/rootkits added, these two for example should be near or at the top.
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    It is the kind of test that will make a lot of people happy about their choices. Testing malware applications is fast becoming similar to a tournament in soccer: who's going to win the next match?
     
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    This has to be one of the most unprofessional posts I've seen on Wilders from a software developer. MBAM did well on the test and SAS didn't. Live with it, SUPERAntiSpy. Nobody is bashing you.
     
  5. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    I think that is why everybody here, and those who just visit here, will all agree a layered approach is the best defense, period. No one product works 100% all the time, as we who have been here know is true.
     
  6. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Agreed. With the number of samples we (and every other vendor) see daily, there is no way ANY single product can catch everything on a given day. Products like SAS and MBAM work great alongside an anti-virus application without slowing down your system.

    We have many resellers and vendors who are now providing packages such as SAS+MBAM+NOD32 (or AVG, etc.) and it seems to be doing well for the users.

    Bottom line: A Single Solution is NOT Enough
     
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Just another note - before uninstalling and installing another product (just like I've noticed with the giveawayoftheday offers and so on), some should ask:

    >> have you read up about the security product you're about to install?
    >> do you know how to use the program for it to function properly?
    >> is it compatible with your other software?
    >> once it's functioning as it should, how long do you intend to keep it? (one week/month/year, until it misses malware, till the next test shows a better product)

    And in the last question, if you're focussing on the last two (missing malware, test showing a better product), then keep in mind you'll be changing programs very often.

    My two cents.
     
  8. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    For me it was the other way around - removed InternetSecurity 2010 from my Brother's computer using MBM first and then SAS to clean up.
     
  9. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Nick,

    Are both SAS and MBAM realtime?

    Ian
     
  10. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Yes, both of our paid versions provide real-time protection - and they don't conflict with each other :)
     
  11. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Got it today.
    Very nice results.

    But I think that rogues are very old.
    I daily check for new types of rogues and upload them to VirusTotal. But always the result came as 0/40.

    MBAM got full marks in this test. There is no surprise in that.
    Gr8 work:thumb:
     
  12. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Use a proxy site. I'm also getting this.
     
  13. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    You are right! I'm using SAS Pro, MBAM Pro with G Data Internet Security and I like it.
     
  14. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Downloaded pdf yesterday no problems. Today I get MBAM warnings-
    This is MBAM paid version.
     


  15. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209

    This is strange, I just attempted to DL the PDF with MBAM turned ON and there was no problem. We are looking into the cause of the warning you got.
     
  16. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    Sorted in the next update, there was a set of factors that came together and hit this heuristically.
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Thanks for reporting that. I run MBAM Pro too. So far no problems reported by the Protection Module. Is your database version 3685? Was a log file produced for that warning?

    Edit- Just saw Bruce's post. :)
     
  18. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Why did quarantine fail? This was Google Chrome browser. Also what's error code 2?
     
    Last edited: Feb 3, 2010
  19. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Yes, I too find this aspect of the test methodology disappointing: “where the antimalware application in question has real time on-access detection, this is disabled to allow the sample to be copied to the system without detection.” That procedure is not in alignment with the experience of a user in the real world, in which the anti-malware application is enabled and active whenever any file is downloaded or copied.
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Agree. And it is so obvious, one wonders why testing is done in this manner.
     
  21. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    The reason for this section of the methodology being like this is because in this and other tests, we prepare the VMs as much as possible beforehand. For instance, this test used 720 VM's in total, so it was important to get all the VM's ready, with malware in place before we start testing.

    If we just copied malware samples to the VM's with their protection active, there is a possibility it would be blocked or detected. This would be problematic as firstly, we would have to start recording detection results whilst setting up the test and secondly, it would mean that we would be testing the detection capabilities of the AM's at different times.

    We test Cloud AM's and local signature based AM's in a set time frame / window, else the results are meaningless – as you can’t freeze cloud AM's in time.

    You should also note that if an AM would have detected the rogue installer on access when it was being copied to the system, it will then logically follow that it will detect it when it is accessed to be executed, so the outcome is the same and our methodology does not alter the outcome.

    No methodology is perfect and we are looking at using live URLs for a future test so as to allow IP blocking etc to be tested, of course then there will be the issue with applications that don't have IP blocking, On-Access scanning...
     
  22. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Actually, I believe you can -- with a caching proxy and a web replay system. Please see the methodology used by Dennis Technology Lab.

    This is not necessarily true, especially for polymorphic malware in which nearly every instance is unique. A reputation based system might warn that a file’s trustworthiness is low or unknown and recommend waiting to download it until there exists more community-based insight. That’s an important first-line of defense that isn’t captured in the MRG testing procedure.
     
  23. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    The point of this test was to block installation; as we used a variety of applications, we had to create a methodology which would suit all of them.
    In creating methodologies there are almost no limits; we can always add more or less to them.
     
  24. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    The above is why the free version of SAS is usually a pretty good addition as an extra on demand scanner. Its focus is on detection and removal as opposed to prevention. But it usually does pretty well at its job in the detection/removal arena.
     
  25. ProrokX

    ProrokX Registered Member

    Joined:
    May 8, 2009
    Posts:
    60
    Skokospa...maybe try to use proxysite or other free proxy site?
    Edit: advise post factum:D
     