Malware-Test Lab: Antivirus Comparison Report (February 26, 2007)

Sorry my friend, I stand corrected. Knew I should not have questioned you.

 

fast or slow, doesnt matter as long as you are clean. I mean come on, I knock Kaspersky, but like I said, if I didnt have Avira, they would be my only other choice. And most folks scan at night, when the tooth fairy is coming to visit. So to me, scanning speed means crap. Detection and Protection are the key.

 

Thanks for the clarification. I thought that the speed test was made in a mix of clean and infected files.

 

its definatly done on just infected files in this case, and should be done with clean files as IBK said.

if your going to use avira, it will be fast unless you have alot of malware on your machine, then ... who knows, make a bru?... a meal? *lol*

"waits for IBKS results.........while watching BLADE:The Series"

 

So, who is the best and fastest for those who are really infected.

 

erm...for infected files, probably nod32, it doesnt slow down hardly any.

 

Yep, I could tell, the wind was a changing in your sail.

 

And we both know, as I said a few days ago, Marcos will not take this crap lightly. So if you are currently using Nod, I would stick, because your product is about to get an "infusion".

 

trjam, i really think im right about how they are working out their percentages too.

i think, ,and its just me thinking here... so back off

lets say 10,000 malware samples,

nod scans 35,400 files, and detects 19,400 as malware they would put a percetange as 54.8%

however,

if out of that 10,000 malware pack, only 2,000 are remaining, the obvious percentage would be 80%,

do you see the difference, each AV scans files different, kaspersky will probably scan 60,000 out of the 10,000 malware pack, and if they are making percetanges out of files scanned by the AV, the percentages will be incorrect, i really do think they are doing this..... as ive tried to mention, based on nod32's result.

 

No it makes total sense. I really think only a fool would worry about this last test and question their current AV of Nod. Damn, look at their track history. No, Eset still is the big boy on the block, and it will take more then this to take away their name. Now, about that tooth fairy.

 

Looks like you guys came out of nowhere with some pretty ridiculous statistics, then balk and claim to be experts when people with a clue call you out on your bunch of bull.

What's with the snazzy website and stuff? I swear, there's almost a professional pride in being uneducated n00bs nowadays...

 

Some one still doesn't know the difference between scanning common files and virus samples due to you didn't have abundance of new viruses samples as us.

Avira and some others has a real lower scanning speed during scanning "viruses samples".

This test show the aspect that "viruses samples" are not the same around the world.The tester tested it with samples major found in Asia particular in China.

IBK tested AVs with the samples collection major found in American and Europe.In fact,he can't gained enough samples from Asia particular in China for his localization

NOD32 is an excellent AV,but it has done a very bad job with Asian samples.

Nevertheless,I have been submitting viruses samples to Eset/Panda/F-prot/CA for half a year,and the totals to 15GB .The most of popular AVs has done a bad job with Aisan samples(some one did lower than a percentage of 10 ,and it's a amazing that IBK test it with a percentage of 80 or 90.)

We are interested only in facts not theory.

 

Proll: As a matter of fact i know that the guys from Rising AV are sharing all their samples with some of the other AV companies.

Concerning Avira scan speed over infected files, my tests have shown it is one of the fastest over infected files as well, unless you take some old dos polymorphic viruses which they seem to be emulating for detection. On current malware (Windows stuff) they easily outperform most other AVs, most by at least a factor of 2 or 3, NOD32 or VBA32 even by a factor of up to 40 (in case NOD32 uses advanced heuristics for the samples). However at the moment there seems to be a glitch in the recently intoduced event manager, which slows down the detection speed when using the GUI quite noticably.

You can add the following DWORD value to your Registry to see the full scanning speed of the Avira engine over large collections of samples:

[HKEY_LOCAL_MACHINE\SOFTWARE\Avira\Premium Security Suite]
"SkipEventDB"=dword:00000001

The key path may vary, depending on your package, it might also still be in a HBEDV Reg path.

This will disable the event logging in the GUI (reporting still works of course). Since this glitch isn't really visible to normal customers (they're not affected I guess they'll fix it in their next scheduled major update... probably march or april when i look at their release cycle)

I'd like to see your performance results with that key enabled.

 

For the classic edition, the registry key is:

[HKEY_LOCAL_MACHINE\SOFTWARE\H+BEDV\AntiVir PersonalEdition Classic V 7]
"SkipEventDB"=dword:00000001

Everyone performing malware collection scans should add this key!

 

There are many variation of viruses/trojans in China，Rising can not clen&Delete them，if you are in China，you will know it.

 

Yes, and according to your test, Rising scored higher than Kaspersky, Filseclab and NOD32. And you claim to be from China. Not to mention you somehow even managed to show that Active Virus Shield somehow scores higher than Kaspersky, even though they share the same engines. Some experts, indeed.

I'd challenge you to publish your full malware samples and testing methology for public inspection, but I'll pass because your results have shown that your whole test itself is to be taken with a heavy pinch of salt. No need to waste any more time than we already have, I think.

 

Hi,FRug and Stefan Kurtzhals ,thanks for your pertinent advice.
solcroft :I think you all make a mistake that i'm not the tester of this test,and therefore i couldn't share the datum that you point out.

 

I believe the SHA1 values for all samples used can be obtained from their forum. Also, I believe the test takes place in Taiwan, not China. And maybe the percentage difference between AOL AVS and KAV is because AVS was tested later (as mentioned in the first post, + or - 4.3% differences may occur)...

I don't know enough to comment, the complete nature of samples is not yet known to me. But I will make one comment that many of you will find interesting (I hope you are reading this, Inspector Clouseau ) --- Antony Petrakis of virus.gr finds the test results from malware-test to be strange and weird, and for this reason, does not put much faith into it.

 

Of course i do - how can u questionable that? But i was fair enough not to make any comment to this nonsense test. Wouldn't be a nice comment, so i just read here without posting

 

Well, I thought that maybe you had thought that such threads about nonsense tests were simply not worth reading, as they seem to come up very frequently nowadays. My mistake, sorry...

 

Oh they are worth reading. I do enjoy how others are banging their head against a wall and get upset The test is done completely unprofessional, amateurish and honestly i doub't that the guys which are involved there having some serious AV knownledge, even with the fact that someone seemed to worked for trend in the past. Maybe that's the reason why he doesn't work there anymore?

 

They both use the same signatures so the percentages should be the same.

 

sai7sai

Can you post log files of KAV, NOD32 and Avira?

 

@Inspector Clouseau

Thanks Inspector for bringing such a brilliant and genial analyze of this intriguing and mysterious case.

Regards,

Smokey

 

I recieved the Avira log file. Seems all the files are from honeypots, at least thats what their naming convention indicates. Together with the statement that they did not replicate or correctly analyse the samples for defective executables it's logical to assume that the collection is full of non-working garbage. Even if 5 virus scanners report something that still doesn't mean it's a working sample.

Why does everyone with a handful of malware feels qualified to publish AV tests?