Matousec: Proactive Security Challenge 64 (bits)

Solarlynx · Oct 21, 2013

vojta said:

If by 'dangerous' you mean that some of them they can destroy your system, yes they are. But more in the sense of poorly written, buggy software: You execute it knowing the risks.
Click to expand...

hell, i tried to run their suit

ifacedown · Oct 21, 2013

hawki said:

I asked a similar question on the Bit Defender Forum (firewall section) without specifically mentioning Matousec.. I had a generic statement to the effect that it had done very poorly on a recent test published on a website that is fairly well known for testing firewalls. I also noted that some posters on a security website I frequent were surprised at the BD results and that they could be described as a failure.

They deleted my question. LOL

Truth hurts I guess.

There are numerous posts on the BD forum about the 2013 firewall being shut off with no warning. The forum moderators claim that the problem has been fixed in the latest edition ("2014" though unnamed). Wondering what version Matousec used.
Click to expand...

the 2013 16.30.0.1843 version

fax · Oct 30, 2013

http://www.matousec.com/projects/proactive-security-challenge-64/results.php

Latest news

2013-10-29: A new response from Comodo Security Solutions, Inc., the vendor of Comodo Internet Security Premium, has been added.

2013-10-27: A single product update:

Comodo Internet Security Premium 6.3.297838.2953

COMODO - Proactive Security - This configuration turns CIS into the ultimate protection machine. All possible protections are activated and all critical COM interfaces and files are protected.This is what Comodo's online help states and we have to admit that the latest version of Comodo Internet Security really is the ultimate protection machine. From its previous 92 % Comodo Internet Security jumped to today's 97 %, and is now very close to the perfect result. Comodo Internet Security raised the bar again and blocked many of the most complex attacking techniques that Security Software Testing Suite 64 offers. Comodo now leads the challenge 7 % ahead of Outpost. Great job and congratulations!

2013-10-18: New results have been published for:

ESET Smart Security 6.0.316.0

Jetico Personal Firewall 2.1.0.13.2471

VIPRE Internet Security 2014 7.0.6.2

Only minor updates have been released to ESET Smart Security and Jetico Personal Firewall. No significant improvements have been implemented and this is why their overall performance in Proactive Security Challenge 64 remains on the same level (58 % for Jetico, 55 % for ESET this time). Both these products provide similar level of protection, far ahead of most of the tested products in our challenge, but still far behind the best. Jetico still suffers from its problems with "indirect relativeness" protection which does work sometimes but could cause major headaches to its users in case of malware infection of the protected computer. Unlike ESET Smart Security, it does not seem that Jetico Personal Firewall is under a very active development. This is evident from its release notes.VIPRE Internet Security also keeps its level of protection, but unlike the other two products, its proactive protection is really one of the worst in our challenge. 2 % again for VIPRE Internet Security.

Click to expand...

co22 · Nov 25, 2013

http://www.matousec.com/projects/proactive-security-challenge-64/results.php

Latest news

2013-11-25: New results have been published for:
avast! Internet Security 2014.9.0.2008
Kaspersky Internet Security 2014 14.0.0.4651
SpyShelter Firewall 2.7

avast! Internet Security, what happened? With the version 8 of avast! it seemed that it started to take proactive host protection seriously but now the new version 9 went back again. 32% to 8% score is a progress in the opposite direction than we would appreciate.

Kaspersky Internet Security 2014 improved a little bit over its 2013 version and went up by 2 % to 88 %. Good job. However, the new version comes with a great reduction of information provided to the user in its pop-up dialogs, which makes it sometimes very hard to correctly understand its queries and subsequently make correct safe decisions on whether or not to allow certain actions.

SpyShelter also improved by 2 % to current 87 % and is very promising for the future. Very well done here.
Click to expand...

fax · Dec 22, 2013

http://www.matousec.com/projects/proactive-security-challenge-64/

Latest news

2013-12-20: New results have been published for:

FortKnox Personal Firewall 10.0.505.0

McAfee Total Protection 2014 12.8.903

Panda Global Protection 2014 7.01.01

All three products tested this time belong to a group of products that perform poorly in long-term and there are no indications that this should change in the foreseeable future. All these products reached the same score as their previously tested versions – FortKnox Personal Firewall 5 %, McAfee Total Protection and Panda Global Protection 3 %. We will retest these and similar products only when new major versions are released, and someday we will hopefully see a progress. Have a nice end of year 2013 and good luck in 2014!
Click to expand...

MrBrian · Feb 3, 2014

Rasheed187 said:

Plus it would be nice if you had a separate page with a quick description of all leaktests used.
Click to expand...

See https://www.wilderssecurity.com/showpost.php?p=2336261&postcount=20.

MrBrian · Feb 3, 2014

Examples of real-world malware bypassing outbound protection in firewalls: https://www.wilderssecurity.com/showpost.php?p=2336361&postcount=22.

MrBrian · Feb 3, 2014

As guest said, this is a test of HIPS, and also spying/leaking.

From http://www.matousec.com/projects/proactive-security-challenge-64/:

Here is a list of the defined types and their goals:

Leak-test: Leak-tests attempt to send data to the Internet server, this is called leaking. Most of the leak-tests from Security Software Testing Suite 64 are configured to use a script on our website that logs leaks to our database by default. For such tests, you can use the My leaks page to see whether the test was able to transmit the data. For leak-tests that do not use this script, we use a packet sniffer in unclear situations. In order to pass many leak-tests, the tested product has to implement various host protection features.

Spying test: These tests attempt to spy on users' input or data. Keyloggers and packet sniffers are typical examples of spying tests. Every piece of the data they obtain is searched for a pattern, which is defined in the configuration file. These tests usually succeed if the given pattern has been found.

Autorun test: These tests attempt to install themselves to the system in order to ensure they will be started again. The most common goal of autorun tests is to survive the reboot. Such a system infection is typical for almost all kinds of malware. The tested product fails the autorun test if the test is able to ensure that it, or its part, code, or action, will be started in the future again.

Self-defense test: This category of tests include various attacks against the security product itself. Termination tests are the first subtype of tests that belongs in this category. These tests attempt to terminate or somehow damage processes of the tested product or their parts. The termination test usually succeeds if at least one of the target processes, or at least one of their parts, was terminated or damaged. Besides processes and threads, the security software usually relies on various files and registry entries. Tests that attempt to remove, destroy or corrupt these critical objects for the security product also belong to this category.

Other: Tests that do not fit any of the previously defined types are of this type. For example, tests that maliciously modify the system can be found in this category.
Click to expand...

You should use caution when using these tests on a behavioral blocker. A behavior blocker may notice Action 1 and Action 2, but only alert after seeing both of those actions performed by the same program.

IMHO the testing level methodology used is demonstrably awful. For example, consider ZoneAlarm Free AF. On test #1, it scored 90%; on test #6 it scored 40%. If the tests in test #6 had been performed first, then ZoneAlarm Free AF would have flunked the first level and ended up with a very low overall score.

justenough · Feb 3, 2014

MrBrian said:

As guest said, this is a test of HIPS, and also spying.

From http://www.matousec.com/projects/proactive-security-challenge-64/:

You should use caution when using these tests on a behavioral blocker. A behavior blocker may notice Action 1 and Action 2, but only alert after seeing both of those actions performed by the same program.

IMHO the testing level methodology used is demonstrably awful. For example, consider ZoneAlarm Free AF. On test #1, it scored 90%; on test #6 it scored 40%. If the tests in test #6 had been performed first, then ZoneAlarm Free AF would have flunked the first level and ended up with a very low overall score.
Click to expand...

Because of the arbitrary methodology of the cut-off points of their levels their final results seem misleading to me.

MrBrian · Feb 3, 2014

justenough said:

Because of the arbitrary methodology of the cut-off points of their levels their final results seem misleading to me.
Click to expand...

I agree. Levels might be ok if the first levels are the easiest, but I haven't seen evidence that that is the case.

MrBrian · Feb 3, 2014

Follow-up to post #58:

The types of tests are defined for information purposes only. They do not determine the process of evaluation of whether the test was passed or failed. Each test implements one or more attacking techniques that can be used for various malicious purposes. A test implemented as a leak-test may use a more general technique that can be used to permanently infect the system.
Click to expand...

MrBrian · Feb 3, 2014

Here's an alphabetized list of all the techniques used:

binary planting
code injection
COM interface exploitation
DDE exploitation
direct network access
disk location exploitation
DLL injection
file/directory manipulation
graphics API exploitation
in-process data substitution
indirect network access
keyboard API exploitation
network API exploitation
network management API exploitation
parent process control bypassing
registry key/value manipulation
registry location exploitation
remote process handles manipulation
remote process manipulation
remote process memory manipulation
remote thread creation
remote thread manipulation
system object manipulation
system service exploitation
trusted process manipulation
windows clipboard API exploitation
Windows Filtering Platform API exploitation
Windows Management Instrumentation API exploitation
windows messages exploitation
windows/event hooking exploitation

MrBrian · Feb 3, 2014

Here is a good introduction to leak testing from 2007. I haven't found a good newer reference yet.

ance · Feb 4, 2014

Wow, still the same useless tests. If you have enough money your application can be retested again and again (until it's number one).

fax · Feb 4, 2014

Yeap, main weaknesses of these tests have been discussed at lenght many times in the past 4-5 years. There are several long threads about it including comments from experts. So, good to make a quick search on "matousec" to find them to avoid opening this can of worms again and again.

Log in or Sign up

Matousec: Proactive Security Challenge 64 (bits)

Solarlynx Registered Member

ifacedown Registered Member

fax Registered Member

co22 Registered Member

fax Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

justenough Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

ance formerly: fmon

fax Registered Member

Log in or Sign up

Matousec: Proactive Security Challenge 64 (bits)

Solarlynx Registered Member

ifacedown Registered Member

fax Registered Member

co22 Registered Member

fax Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

justenough Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

ance formerly: fmon

fax Registered Member

Useful Searches