Malwaretestlab 9 Killdisk Virus vs 25 Security Software

Discussion in 'other anti-malware software' started by guest, May 27, 2009.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Funny thing is that didn't seem to be the case - the variant which Kaspersky didn't catch went undetected by several of the tested products. :)
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't mean detection by signatures. I mean interception of malicious behaviour.
     
  3. guest

    guest Guest

    Are you sure? Why did Returnil fail 1 sample?
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Point taken, but I wonder what guest is wondering too. :rolleyes: ;)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Because it's neither a HIPS nor a behaviour blocker. Maybe something related to the way Returnil protects direct disk access.
    Ok. I agree it's good to test more than one sample, but the scoring system just hurts the products that had no filter to protect against direct disk access etc.
     
    Last edited: May 28, 2009
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    But why did you test some with different settings?
    Other products like Mamutu also failed with default settings.
    But no second chance.

    Cheers
     
  7. guest

    guest Guest

    I can't test every software with every setting.
    I tested Outpost because it hasn't got default settings. It asks the user "which do you want, advanced or normal?"

    Comodo doesn't ask. But Comodo has a million fans, and everybody asks me "can you retest with tweaked settings?"

    So I tested Comodo with tweaked settings for Comodo's fans. I added info about Comodo on my web site. This tweaked settings test is only for information.

    Anyway, Mamutu hasn't got DDA protection. I tested it before with paranoid settings; if you search the forum, you can see. (I tested 4 malware.)
     
  8. guest

    guest Guest

    Hi, I attached default settings and tweaked settings screenshots
     

    Attached Files:

    • 1.png
    • 2.png
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    No offense, but not everyone visiting your website may read all your posts here.

    So some may think - Ok, Mamutu failed with default settings, but it will pass in paranoid mode anyway.

    I just think, that there should be same conditions for all tested products, or again some may think - Well, some products are more equal than other products.

    Cheers
     
  10. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    In the previous test (by guest), as I read back through the thread, Mamutu in paranoid mode was more sensitive, but was significantly better, missing one threat out of the four.

    Not trying to defend the product, as I have no reason to. I use Shadow Defender most of the time, and it passed all, and a-squared AM, and as other users mentioned, the Ikarus engine picked up all threats. Oh and Sandboxie. :)

    Just agreeing with subset, same conditions for all products. I know these tests take up a lot of your time, so just test all products by default, no matter how popular the products are that fail in default mode (Comodo, Outpost, Mamutu).

    Regarding 'paranoid mode', I agree previously it was noisy, but I've been using a-squared AM in this mode for awhile, and seen only a couple more alerts in a couple of weeks.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @guest

    Hi, may be you can test Robodog samples in next test. :D :p
     
  12. emsisoft

    emsisoft Security Expert

    Joined:
    Mar 12, 2004
    Posts:
    328
    Location:
    Nelson, New Zealand
    Today or tomorrow we will release a beta update for Mamutu and a-squared Anti-Malware that includes detection of direct disk access.

    All 9 samples of this test will be detected then.

    Note: DDA no longer works on Windows Vista. Therefore the protection against these samples will be done only for XP and 2003 Server systems.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks for the updates. I tested a-squared before against some rogue antiviruses and it performed very well; actually it was the best performer :thumb:
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are probably talking about signature based detection, while Mamutu's detection will in fact be behaviour based. Also in signature based detection a-squared has so many false positives.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, anyone can say it (or anything else) just for the sake of argument.
     
  16. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Was nice to see Online Armor do so well also. :thumb:
     
  17. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Regarding false positives, I must be some kind of 'happy-clicker' when it comes to testing new programs, as I download a lot of programs and unknown files. I wouldn't say a-squared has a lot of false positives (seen a couple in a few months - but on unknown portable programs - prevx flagged the same ones too). Maybe in the past yes, but seems to definitely be improving.

    Depends who you compare them to. Compared to that big yellow company that tops the sales charts week in and week out, probably, but compared to most of the others, it's much of a muchness. For example, I hear people mention 'Avast' and FPs often. o_O :) Once again, with the free AV, never saw any.

    All depends on the user, their browsing behaviour, and the programs they prefer to use.

    But if emsisoft is actively reading Wilders, then making changes/updates to improve the program, rather than being hard-headed like other companies might be, that's a positive for consumers (and for consumers of other products who compete with emsisoft).
     
  18. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    That's something I'm not quite sure I understand.
    Correct me if I'm wrong, but how or why would that be classified as a failure?
    Didn't Returnil do what it was meant to do, i.e. restore the system to its original state after the test? :blink:
    To me it passed with flying colours, as the test hadn't corrupted the system.
     
    Last edited: May 30, 2009
  19. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Please test KIS. The screenshot beneath is from KIS 2010, but 2009 also has low level disk access protection on Vista and on XP.

    31.5.png
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I am just trying out "First Defense pc rescue ISR" for the first time and I like it so far, so does anyone know how well it would do against these killdisk viruses?

    Can someone please PM me the kill disk samples?
     
  21. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Don't waste your time, FD ISR + PC Rescue do not protect against this kind of malware.
    You will end up with a pretty messed up system. :ninja:

    You can't disable all Blacklist modules from GUI, even if you disable the AV, the signature based Emulator is still active.
    But you can delete all signatures, then all files become low restricted in Automatic mode and the results will be rather underwhelming for KIS.
    Or you have to modify some hidden stuff, like Anti-Malware.ru did for their HIPS test, but this is questionable.
    Maybe someone knows better, I would also like to test the KIS HIPS only.

    Cheers
     
    Last edited: May 31, 2009
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    FDISR can't withstand KillDisk as far as I know.
     
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Has anyone seen credible figures on the frequency/percent of MBR attacks in the wild? Seems an interesting figure, might find it useful in a white paper.

    Cheers,

    Eirik
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Only F-Secure (to my knowledge) has tracked Mebroot, the primary vehicle for installing an MBR Rootkit, but does not give actual numbers:

    Mebroot
    http://www.f-secure.com/weblog/archives/00001610.html

    MBR Rootkit, A New Breed of Malware
    http://www.f-secure.com/weblog/archives/00001393.html

    Interestingly, the attacks use drive-by download exploits, so a more realistic test, it seems to me, would be to show how various security measures would prevent the installation of the malware. Your AppGuard would certainly intercept its installation.

    Just put a Mebroot sample into a drive-by exploit and upload it to a password protected page on your site for those who wish so, to test!

    ----
    rich
     
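The thread above turns on two things: malware that writes straight to the disk's first sector (the KillDisk samples, the Mebroot MBR rootkit) and whether a product notices. As a defender-side complement to the behaviour-blocker discussion, here is an added example that is not from the thread, from any tested product, or from any vendor: a small MBR integrity checker in Python. It parses a 512-byte boot sector, checks the 0x55AA signature and partition table, and compares the sector's SHA-256 against a stored baseline, so a wiped or overwritten sector is reported. The sample MBR, the baseline and the "wiped" and "tampered" variants are constructed inline for the demonstration; `read_first_sector` is a hypothetical helper for use on a real disk path, which needs administrator rights and is not exercised here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"          # boot signature at offset 510
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the bootstrap code


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootcode": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature": sector[510:512],
    }


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this as the baseline after a clean install."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("boot signature missing (sector wiped or overwritten)")
    if not any(p["type"] != 0 for p in mbr["partitions"]):
        findings.append("partition table empty")
    if mbr_fingerprint(sector) != baseline:
        findings.append("sector hash differs from baseline")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Hypothetical helper: read sector 0 from a raw device such as
    r'\\\\.\\PhysicalDrive0' (Windows) or '/dev/sda' (Linux). Needs admin rights."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample MBR for the demo (not real boot code, not a real disk):
    446 bytes of NOP filler, one bootable NTFS partition, three empty entries."""
    bootcode = b"\x90" * PARTITION_TABLE_OFFSET
    ntfs_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    empty_entries = b"\x00" * 48
    return bootcode + ntfs_entry + empty_entries + MBR_SIGNATURE


def demo() -> dict:
    """Run the checker against a clean, a wiped and a tampered copy of the sample."""
    clean = build_sample_mbr()
    baseline = mbr_fingerprint(clean)
    wiped = b"\x00" * SECTOR_SIZE                 # KillDisk-style zeroed sector
    tampered = bytearray(clean)
    tampered[10] ^= 0xFF                          # one byte of bootstrap code changed
    return {
        "clean": check_mbr(clean, baseline),
        "wiped": check_mbr(wiped, baseline),
        "tampered": check_mbr(bytes(tampered), baseline),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
```

The check is after the fact: it tells you the first sector changed, not who changed it, which is why the thread's interest in intercepting direct disk access at run time is the stronger control. Run the fingerprint once on a known-good system, keep the hash off the machine, and compare from boot media if a wiper is suspected.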
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yeah, after trying FDISR out for a short while, I can see that it wouldn't survive killdisk malware.

    Good Bye FDISR.
     