Malware-Test Lab: Antivirus Comparison Report (February 26, 2007)

Discussion in 'other anti-virus software' started by sai7sai, Feb 26, 2007.

Thread Status:
Not open for further replies.
  1. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    ... :D :D :D ...
     
  2. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    Well, that test that we discussed a few days ago from av-test.org is the same thing. Collecting that high a number of samples for 1 year is very questionable, as well as the samples-garbage ratio :)

    For me, testing undetected samples, collected from infected computers, is the most reliable way of testing for detection that applies to the area where I live.
     
  3. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Update: Just got a PM from one member here in this forum who has asked the guys there about corrupted samples.

    Their answer:

    Now please forgive me, but that "test organisation" is even worse than I thought before. Can somebody of those trolls there please explain WHY somebody should detect trash? For example only a fileheader? That is just plain stupid. It only makes sense for worms which are known to send damaged executables of themselves via mass-spamming. First thing is, such corrupted files are NON-WORKING. And to make it very clear: Most of such corrupted files do not even contain any malicious functionality, for one simple reason: It got stripped off, otherwise they wouldn't be corrupted. So next question is why should we detect something that is not even malicious? That's basically a false positive. If you start doing this you should detect all Windows executables as suspicious at least, because IT COULD BE THAT THERE WAS A VIRUS BEFORE BUT HE GOT STRIPPED/CLEANED AND IS NOT PRESENT ANYMORE. Got the message? Good.

    Now a bit more tech-talk. Have you guys ever heard that you can have different scan engine technologies? For example AV1 can just simply scan any file for specific patterns or CRC checksums. AV2 can try to determine the runtime packer for example and starts emulating the unpacking process. Now, just let's assume the file in question is trash - how will the scan engine even determine that it is a valid Windows PE file? According to the file header it should be, but where's the code execution after the entrypoint? Oh it got stripped off. :D So what should the emulator execute here? Same as the operating system: NOTHING. Because there is NOTHING. The emulator will stop and will return for example _CORRUPTED_FILE_ flags. Such a file will never ever run - as I said before THERE IS NOTHING TO EXECUTE - it is not even malicious! After that entrypoint could be ANYTHING executed, probably even a normal Microsoft Word. Nobody knows, because it is stripped. And AV's which are detecting this file based on fileheaders or checksums are "entitled" to do so, that's basically only a result of mass-adding stuff. To make it very clear: In most cases they took a CRC or Signature over a non-malicious area in the file, but they know that this specific part will most likely not be the same in other really clean files. Got it? As I said in most cases that's the result of automated mass-added stuff. And if you have added such things you simply don't care if it detected one trash file by "accident". But, and read that carefully, it makes fools out of other AV companies when they add exactly this trash file based on one "accident-detection" also into their collection without even having a look at it. To fool most of the AV companies it usually takes 2 companies: One which includes something wrong (eg. includes a clean program as virus) and another one which has no resources and relies on the first company's "findings" and includes it also just because it got detected by it. So it must be something "fishy" if they included that. Now we have already 2 companies which are detecting this. One hour later the 3rd company scans with online scan or their house-intern-testmachines with all other products. Wow, 2 detecting it, so it's very unlikely that this is a false positive. Let's include this as well. Now we're 3 already.

    To sum it up: THERE IS NO NEED AND THERE WILL BE NO NEED TO INCLUDE TRASH. AND EVERY TESTER WHO MAKES SUCH COMMENTS IS - AT LEAST FOR ME - "obsolete" to write it with very polite words.
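
Added example (not part of the original thread, and not any vendor's or tester's code): a static check a test-set curator could run to flag the kind of sample the post above describes, where the PE header parses but the file holds no bytes at the entry point. The function names, verdict strings and constructed sample are assumptions for illustration; overlays, packers and files with an entry point of 0 are out of scope.

```python
import struct

def entry_point_status(data: bytes) -> str:
    """Classify a sample by whether its PE entry point has bytes on disk."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24            # optional header follows the COFF header
    table = opt + opt_size         # section table follows the optional header
    if opt_size < 20 or table + 40 * n_sections > len(data):
        return "truncated-headers"
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    for i in range(n_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<4I", data, table + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            delta = entry_rva - vaddr
            if delta >= raw_size or raw_ptr + delta >= len(data):
                return "entrypoint-missing"   # header promises code, file has none
            return "entrypoint-present"
    return "entrypoint-unmapped"

def build_sample(code: bytes) -> bytes:
    """Constructed minimal PE32 image: one section, RVA 0x1000, raw data at 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sect = b".text\0\0\0" + struct.pack("<4I", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + code

# Constructed inputs: an intact image and two damaged copies of it.
INTACT = build_sample(b"\xC3".ljust(0x200, b"\x90"))
HEADER_ONLY = INTACT[:0x200]     # body stripped, only the file header survives
CUT_IN_HEADER = INTACT[:0x100]   # truncated before the section table

if __name__ == "__main__":
    for name, blob in [("intact", INTACT), ("header-only", HEADER_ONLY),
                       ("cut-in-header", CUT_IN_HEADER)]:
        print(f"{name:14s} {entry_point_status(blob)}")
```

A signature or checksum taken over the header region would match all three constructed files equally, while only the first has anything to execute.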
     
  4. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    I was just invited to take part in an Antivirus Testing Workshop in April. Maybe it would be a good idea if you guys also take part there.
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Infants off limits....;) :D :D
     
  6. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Who is offering that workshop?
     
  7. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Bontchev & Mike.
     
  8. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Why do I have the feeling that Vesselin will try to sneak some discussion about malware naming conventions into that workshop? :D
     
  9. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    :D :D :D

    Btw if someone wants to join drop me a PM here. There are already quite a lot of people coming, Bitdefender, ESET, TREND, Clementi, VB, and so on just to name a few. So in case it's somehow of interest for you feel free to PM me.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    IC, you mentioned for your 2 day seminar, a Bontchev was a host. Is this Dr. Vesselin Vladimirov Bontchev? Spent some time reading about his history today and it is very, very impressive and interesting.

    IBK, this will be one workshop it would be an honor to attend with the venue of attendants slated to come. Of course, that includes yourself being on the venue. :)
     
  11. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    When I want to read reliable anti-virus/malware test results, I trust AV-Comparatives. I also peruse VirusBulletin. Why bother with anything else?
     
  12. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California
    Hi Stefan Kurtzhals,

    You captured my curiosity. :cautious: What happens on the 5th of April, 2007? o_O


    "Judgement Day's not coming, soon enough" - 5th of April, 2007
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Yes, it is.
     
  14. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I look at VB and av-test.org and av-comparatives, don't really need any other tests, although I'm always curious to see different results.
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Maybe it's the release date of Terminator 4: War of the machines :doubt:.....
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It isn't expected until 2008.

    Maybe the date has something to do with this workshop in April?
     
  17. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    av-test.org

    How or where do you find the test results on their website?
     
  18. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Don't know from their web site but here are the 3 last ones.

    Bots, Trojans & Backdoors in here

    Worms, Bots, Trojans & Backdoors in here

    New ItW samples test in here

    Best regards,
    Firefighter!
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AV-Test.org does not publish their tests as AV-Comparatives.org does.
    Usually, PC-WELT releases them to the public.
     
  20. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Firefighter & lucas, thanks for the help.
     
  21. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California

    I don't think so. :) Arnold's our Governor. :thumb: :thumb: They can't make Terminator 4 without Arnold. :)
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    The T-101 (that uses Arnold's model) is not the only Terminator in existence, you know ;)
     
  23. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California

    Yeah I know, but a Terminator movie without Arnold just doesn't seem right. ;) :) Better end this before one of the mods does it for us. :)
     
  24. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    :eek: :ninja:
     
  25. sai7sai

    sai7sai Registered Member

    Joined:
    May 3, 2006
    Posts:
    21
    Location:
    Taiwan
    You can download SHA-1 values and scan log files from the following URLs:
    http://malware-test.com/attachment/av_scan_logs_for_antivirus_testing_20070226.rar
    http://malware-test.com/attachment/sha1_for_antivirus_testing_20070226.rar

    If you find we made some mistakes, please let me know. Thanks.

    By the way, we HOPE other AV testing organizations can publish this information too (I guess it is impossible), so everyone can verify their test reports.
     