New Real World Test AV Comparatives results are out!

Discussion in 'other anti-virus software' started by MultiVisions2013, Jul 25, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    As already mentioned in this thread, if a product's URL web filter is up to date enough, it can score really high with some test organizations just by blocking the URLs for the webpages the malware resides on. Its AV engine could actually be horrible and not be able to detect a single sample. I believe in real life this offers considerably less security. If your AV engine has a signature for a particular threat, then it can block that threat on any page it resides on. That particular threat could be on many thousands of pages across the internet. So if a threat has infected, let's say, 80,000 pages across the internet, then your AV would need to have all 80,000 of those pages included in its URL blocklist to be sure that everyone is being protected against that particular threat. The chances that any AV is missing a large number of those infected pages in its URL blocklist are very high. If an AV engine has a signature for that threat, it can effectively protect everyone no matter how many pages have been infected with that threat. There's a huge difference in the protection offered by these two different methods. That's not to say URL blocking is not needed. It definitely is, but it's best to have some sort of signature in your AV engine, whether it be heuristics or another type of signature. URL blocking is very beneficial when blocking phishing sites, or blocking an infected site that contains a newly discovered threat while a signature is being developed. It would be ludicrous to rely more on URL blocking than signatures to provide protection against infected websites. Testing should test the AV engine separately from the URL blocklist to give an accurate picture of the quality of an AV. Do you understand now?
     
    Last edited: Jul 26, 2013
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    The miracles of HIPS. :D
    I <3 HIPS!
     
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    @Cutting_Edgetech

    You are missing the other side of the sword completely. If a location has malware coming from it, there is no guarantee that the malware is static, and often it is quite the opposite. If you kill a source off, it no longer matters what mutations/new malware come from it; it's all DOA. A big part of protecting a user involves blocking malware that you do not know exists, and blocking sources is an important part of that equation.
     
  4. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Hi, I understand what you are saying, yes. And fair enough, I can see that for you, me and the average Wilders member, these kinds of things are interesting. I still think, though, that it's not of much interest to the 'typical' user who installs and leaves their AV settings at default. They don't care which modules in the AV are good or bad, just whether it stops the majority of what is thrown at it - if that is indeed what you or others were suggesting, I forget now! I guess looking at file detection tests would give you a decent idea of the performance of the AV sigs module of an AV alone, i.e. without web shield or similar?

    http://chart.av-comparatives.org/chart1.php?chart=chart1&year=2013&month=3&sort=1&zoom=2

    BD is not no. 1 there, but still very good protection, i.e. 99.x%.

    Here's a thought. Say we have AV #1, which is regularly no. 1 in 'real world tests' (i.e. 99.x%), but if you disable the 'web shield', typical protection falls to 89% - so a big reliance on the web shield for overall protection, not so good sigs. And AV #2 regularly scores 90-92% in 'real world tests', but in file detection tests is often no. 1, scoring 99.x%. Assumption is excellent sigs, poor 'web shield'. Which AV, #1 or #2, would offer better protection for the typical home user?
     
    Last edited: Jul 27, 2013
  5. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    July AV-C real time protection test

    http://chart.av-comparatives.org/chart1.php
    - Bitdefender and Kaspersky 99.9% and Trend Micro 99.8%
    - Avira 97.1%, not exceptional for the 2nd month in a row
    - McAfee, Fortinet and Qihoo also doing very well
     
    Last edited: Jul 28, 2013
  6. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK
    I never disabled the webshield. I downloaded the malware in a password-protected archive.
     
  7. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK

    Excellently put :thumb:
     
  8. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Web protection is often more important than the actual engine. Having said that congrats to Forticlient for doing quite well again. I have decided to switch from Avira to Forti.
    @mods, thank you for combining the two threads.
     
  9. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Agree, of course no AV web filter will block everything, so there will be a considerable amount of blocks from other components in a sample set of 1000s.

    Besides, who will download a few malware samples from random malware collection sites in the real world? 90% of today's threats come from malicious URLs, or some exploit, or some redirection.

    Stuff from removable drives is really well detected.
     
  10. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    congrats fortinet, one of the best free solution :thumb:
     
  11. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Here are some advantages of the Web Filter that you overlooked:
    1) It blocks entire domains, so it doesn't have to have granular signatures for each malware.
    2) It's the first line of defense, so it will prevent infection in the first place. While you may have signatures for malware, it is much better to prevent an infection instead of dealing with the clean-up afterwards.
    3) Both malware and domains change. So while the URL blocker will not get all URLs, neither will signatures cover all variants of the malware.
     
  12. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    URL Blockers are great, but so are HTTP Scanners (those that don't slow you down ;) )
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Really, I thought you were someone who likes KISS SweX, so why do you see the need for HTTP Scanners? What can they detect that's not already covered by Real-time Guard and URL Blockers? How can something so inefficient not slow you down?
     
  14. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    An example: I visited a Korean weather site around 6 months ago. The site was not blocked by the URL blocker, so I was able to access it, but there was a malicious ad on the site (or some kind of script, I don't remember exactly) and ESET's http scanner detected it and terminated the connection.

    So in this case the Korean weather site was not yet on the URL blacklist, but there was still malicious content on the site that was detected because the content was scanned with the http scanner.

    That's the difference: for the URL blocker it's either Green (OK to access) or Red (blacklisted for various reasons). The URL blocker(s) don't scan the content of the site like the http scanner does.

    So I must ask you, why do you feel that http scanners are ineffective? :)
    Also, what do you mean by "who likes KISS"?
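    As an added illustration of the three layers argued over in this thread (Cutting_Edgetech's URL blocklist vs. engine signature point, and SweX's http scanner case), not code from the thread or from any vendor: a constructed Python simulation in which every URL, payload byte string and detection rule is made up, measuring how much of the sample set each combination of layers blocks.

    ```python
    """Defense-in-depth simulation (added example; all data constructed)."""
    import hashlib
    import re

    # Constructed: one dropper hosted on three compromised pages.
    DROPPER = b"MZ...constructed-dropper-bytes..."
    PAGES = {
        "http://site-a.example/dl.exe": DROPPER,
        "http://site-b.example/dl.exe": DROPPER,
        "http://site-c.example/dl.exe": DROPPER,
        # Constructed: an unlisted site whose page body carries an injected script,
        # the situation SweX describes (no blocklist hit, no file signature hit).
        "http://weather.example/index.html":
            b"<html><script src='//ads.example/x.js'></script>forecast</html>",
    }
    # Constructed: the URL blocklist knows only one of the three dropper pages.
    URL_BLOCKLIST = {"http://site-a.example/dl.exe"}
    # Constructed: the engine has a hash signature for the dropper itself.
    SIGNATURES = {hashlib.sha256(DROPPER).hexdigest()}
    # Constructed: the http scanner has a content rule for the injected script tag.
    CONTENT_RULES = [re.compile(rb"<script src='//ads\.example/x\.js'>")]


    def check(url, body, layers):
        """Return the name of the first enabled layer that blocks, or None.

        layers is a set drawn from {"url", "http", "sig"}, evaluated in the
        order a real client would see them: URL lookup before the request,
        content scan on the response body, engine signature on the saved file.
        """
        if "url" in layers and url in URL_BLOCKLIST:
            return "url_blocklist"
        if "http" in layers and any(r.search(body) for r in CONTENT_RULES):
            return "http_scanner"
        if "sig" in layers and hashlib.sha256(body).hexdigest() in SIGNATURES:
            return "signature"
        return None


    def coverage(layers):
        """Fraction of the constructed pages blocked by the given layers."""
        hits = sum(check(u, b, layers) is not None for u, b in PAGES.items())
        return hits / len(PAGES)


    if __name__ == "__main__":
        for layers in ({"url"}, {"sig"}, {"url", "sig"}, {"url", "sig", "http"}):
            print(sorted(layers), coverage(layers))
    ```

    With these constructed inputs the blocklist alone blocks 1 of 4 pages, the signature alone 3 of 4 (every host carrying the dropper), and only adding the content scan catches the unlisted site with the injected script.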
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    He means he thought you like to keep it simple, the KISS approach.
     
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    POS - piece of ****, and KISS - keep it simple, mhm two new "short for" words in one day :D
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Malicious content or not, I don't really see how you could be infected with real-time guard on since you have the signatures. Maybe in some kind of rare phishing scenario, but still not worth the resources.

    I've had bad experiences with them slowing down the browser and messing up firewall rules. They never detected anything URL blockers or real-time shields didn't. Just stuff that the real-time shield would've found anyways.
    KISS means "Keep it Simple Stupid". That looks like your policy and security setup, at least in my view.
     
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    That's the thing: ESET's http scanner is effective, and it does not slow your browser speed down, as far as I can feel or see it happen. And that's very important. But there are good and bad examples, of course, among all the vendors that actually have an http scanner, which is far from all of them.

    How could the http scanner mess up your firewall rules?

    What's detected by the http scanner may not always be detected by the on-access scanner, and vice versa. A fact that was posted on Wilders a long time ago, so I can't find the source for it now, unfortunately.

    Yes, my sig shows what I use in real-time, and then I've got the usual on-demand stuff that most people on Wilders use, of course. :)
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Browser speed may be fine, but it's more likely to interfere with downloads and streaming. Not just the speed, but quality may be affected. I remember corrupted and unfinished downloads a few times.

    They act like some sort of proxy that all port 80 traffic goes through, browsers included. At least that was the case when I tried them.

    I've heard of that, but never seen it in action or a detailed explanation describing exactly how they differ in detection.

    Everyone seems to be leaning towards that these days, but I'm too much of an enthusiast not to continue trying new things.
     