New Report, New Website and Greetings from PCSL

Discussion in 'other anti-virus software' started by pcslinfo, Jan 1, 2010.

Thread Status:
Not open for further replies.
  1. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
  3. pcslinfo

    pcslinfo Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    157
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
New Delhi
    Hi Jeff,

One thing I would like to know about your test: have you tested all the AVs at their maximum settings or at default settings? Secondly, can you shed some light on ESET, Symantec and McAfee, and how they performed in these tests, especially in the dynamic testing? I want to know more about Symantec SONAR.

    Please do let us know.

    Off topic: Jeff, have you heard about Qihoo 360? I guess this company is from your China, so can you please let us know about this product, if you have tested or tried it?
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
If he releases private information, then it isn't private anymore, and those companies who were promised internal testing only would be quite unhappy.

    Internal testing means not for our viewing. Relax, don't worry about it. :D
     
  6. pcslinfo

    pcslinfo Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    157
Regarding the test settings:
    In the static scan, the AV scan option is at the maximal setting.
    In the dynamic test, the AV guard option is at the default.

    The static malware scan and the static FP scan use the same setting.
    The dynamic malware test and the dynamic FP test use the same setting.
     
  7. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    No problem, but that's a rather evasive answer. :doubt:

    However, do you still use Malware Defender for your dynamic tests, like you have explained at Rokop Security?

    http://www.rokop-security.de/index.php?s=&showtopic=19067&view=findpost&p=281934

    If so, how do you ensure that there are no conflicts with other (HIPS) programs?

    Cheers
     
  8. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Not even that, how are you sure that MD itself hasn't let something past?
     
  9. pcslinfo

    pcslinfo Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    157
OK, to put it clearly:

    If the HIPS tells you the behaviour is dangerous, then in the malware test it is a successful malware block (we will use Malware Defender to check whether the computer is actually infected). In the dynamic false positive test, it is a false positive when it says a clean package is dangerous.


    If the HIPS tells you the behaviour is suspicious, or just tells you what the program is doing, then in the malware test it is not a successful block. In the dynamic false positive test, it is not a false positive, as it says nothing or the behaviour is just suspicious.


    That is why we put two pairs of tests in one single test.

    static malware scan test------static false positive test
    dynamic malware block test-----dynamic false positive test



    We pre-test the compatibility of MD and the tested software; we have another HIPS on standby, but so far MD works fine.

    We use the latest MD version and the rules we customized. We also have some small tools like Filemon (with rules), Process Monitor, etc. on standby.
    I will consider releasing the rules we used for the test later.
     
    Last edited: Jan 5, 2010
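As an added illustration (not code from PCSL, the thread, or Malware Defender), the scoring rule stated in the post above written out as a small Python harness: a "dangerous" prompt counts as a block on a malware sample only if the post-run infection check is clean, and counts as a false positive on a clean sample; "suspicious", informational or absent prompts count as neither. The `Run` records, the product names and the `infected_after` field standing in for the post-run check are constructed assumptions, and the second product is a pure classical HIPS included only to show how the rule treats prompts that never say "dangerous".

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """Strongest prompt a product showed while the sample executed."""
    NONE = "none"              # no prompt at all
    INFO = "info"              # prompt only describes what the program is doing
    SUSPICIOUS = "suspicious"  # prompt calls the behaviour suspicious
    DANGEROUS = "dangerous"    # prompt calls the behaviour dangerous (e.g. red ranking)


@dataclass(frozen=True)
class Run:
    product: str
    sample: str
    is_malware: bool      # ground truth: sample belongs to the malware set or the clean set
    verdict: Verdict
    infected_after: bool  # assumed result of an independent post-run infection check


def classify(run: Run) -> str:
    """Map one run to 'block', 'miss', 'fp' or 'ok' under the thread's rule."""
    if run.is_malware:
        # Only an explicit "dangerous" verdict counts, and only if the box stayed clean.
        if run.verdict is Verdict.DANGEROUS and not run.infected_after:
            return "block"
        return "miss"
    # Clean sample: an explicit "dangerous" verdict is a false positive; anything weaker is not.
    return "fp" if run.verdict is Verdict.DANGEROUS else "ok"


def score(runs):
    """Aggregate per product: dynamic block rate over malware runs, FP rate over clean runs."""
    counts = defaultdict(lambda: {"block": 0, "miss": 0, "fp": 0, "ok": 0})
    for run in runs:
        counts[run.product][classify(run)] += 1
    result = {}
    for product, c in counts.items():
        malware_runs = c["block"] + c["miss"]
        clean_runs = c["fp"] + c["ok"]
        result[product] = {
            **c,
            "block_rate": c["block"] / malware_runs if malware_runs else None,
            "fp_rate": c["fp"] / clean_runs if clean_runs else None,
        }
    return result


# Constructed sample runs (hypothetical products and sample names).
EXAMPLE_RUNS = [
    Run("SuiteA", "m1", True, Verdict.DANGEROUS, False),   # block
    Run("SuiteA", "m2", True, Verdict.SUSPICIOUS, True),   # miss: prompt too weak
    Run("SuiteA", "m3", True, Verdict.DANGEROUS, True),    # miss: prompted, but infection persisted
    Run("SuiteA", "c1", False, Verdict.DANGEROUS, False),  # fp
    Run("SuiteA", "c2", False, Verdict.INFO, False),       # ok
    Run("PureHIPS", "m1", True, Verdict.SUSPICIOUS, False),  # miss under this rule
    Run("PureHIPS", "m2", True, Verdict.INFO, False),        # miss under this rule
    Run("PureHIPS", "c1", False, Verdict.SUSPICIOUS, False), # ok
    Run("PureHIPS", "c2", False, Verdict.INFO, False),       # ok
]


if __name__ == "__main__":
    for product, stats in score(EXAMPLE_RUNS).items():
        print(product, stats)
```

Running it shows why the rule is contentious for classical HIPS: "PureHIPS" ends with a 0% block rate and a 0% FP rate, because it never labels anything "dangerous", while "SuiteA" is credited for one of its three prompts only after the post-run check confirms nothing persisted.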
  10. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
But according to your strangely worded evaluation, Malware Defender would fail every test. :ouch:
    The same applies to Outpost, Online Armor and other HIPS...

    To pass or fail a dynamic test is still a question of semantics for HIPS or the like. :p

    You just expect that a HIPS prompt is exactly the same as an AV prompt.
    Or in other words, do you think your HIPS tests have any meaning?

    Cheers
     
  11. pcslinfo

    pcslinfo Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    157
There are some premises for me to add a security suite with a HIPS module:
    First, they should have an antivirus module within; we do not add a pure HIPS like MD to the antivirus product comparatives.
    Second, they have some prompt wording, colour ranking (dangerous = red, etc.) and interact with the AV module, so in some aspects the HIPS module within a security suite has turned away from classical HIPS.

    But the premise is that they include an antivirus module within and their AV detection rate is high enough, or I will not test them, as it will turn into a HIPS test.
     
    Last edited: Jan 5, 2010
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
I agree. Classical HIPS aren't supposed to say "This is a trojan, alarm!". They are supposed to let the user make an educated guess on whether what he sees is normal behaviour or not.

    Personally I see no point in taking into account the HIPS component with these criteria. Either you don't take into account the HIPS at all, or you take it as a "pass" if it prompts after allowing the malware to run at the beginning.
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
OK, I am not sure I am getting this right.

    Let's take Online Armor, which is in the test. It has an AV and also a classical HIPS module.

    Let's say the AV misses the malware. The HIPS part, after allowing "malware.exe" to execute, prompts you again (privilege elevation, DLL injection, whatever). Is that a "pass" or a "miss" because it doesn't say "This is a trojan"?
     
  14. pcslinfo

    pcslinfo Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    157
I have updated post 136; please check again.
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
OK, thanks. Not including pure HIPS is a good idea. About the rest, I think I understand that the HIPS must show some kind of prompt implying that this is malware.

    Well, at least now we have a clearer idea of how OA was judged.

    Thanks.
     
  16. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
  17. pcslinfo

    pcslinfo Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    157
I think I have to ping the person doing the translation; I have written more details in the methodology.

    Sorry to have caused you confusion, my bad.
     