New Virus Test by GEGA IT-Solutions (av-test.org)

Discussion in 'other anti-virus software' started by Technodrome, Apr 5, 2003.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    RaLX,

    Since for example KAV/AVP is always top priority for malware designers to target, you surely are putting all eggs in one basket - something my mother always told me not to do ;).

    regards.

    paul
     
  2. RaLX

    RaLX Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    50
    That example will apply for all kinds of top software; if a virus designer wants to attack any top AV, your AntiTrojan won't notice that attack because it only detects trojans... :doubt:
     
  3. xpert

    xpert Guest

    ..but at least you haven't lost all your defenses - which in your case, you will have :D

    xpert
     
  4. Douglas

    Douglas Guest

    I was in the US Marines in the 70s. I was a "Field artillery fire control man", which meant that I did the mathematical computations necessary to tell the artillerymen exactly how to fire their artillery. I didn't do the computations necessary and then run out to fire the guns. Nor did I do intelligence work. Nor was I a sniper. Almost everything in the military is based on specialization and layered defence. Do your one job and do it to the best of your ability.
    Coming to Wilders, I learned that that is the approach of the admins and mods here, and it has served me very well. I have never been caught by a trojan, virus, or any other type of malware. So, I really appreciate their philosophy.

    BTW, I don't know if my analogy is valid. It just seems like a good one. :)

    Regards,
    Douglas
     
  5. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    213
    I also agree with the layered defense approach! I thought that was an excellent analogy, Douglas! It reflects my line of reasoning for using the layered approach!
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    RaLX - Let's consider your scenario for a moment, shall we?

    The keys here are time-frame, awareness, delivery mechanism, layered secondary defenses and properly set-up email programs.

    Awareness - My AV program (among others) runs resident in the SYSTRAY. How long do you think it would take me (or anyone else) to notice that the icon was gone? Or (more importantly) that my AV wasn't firing up correctly at start-up? (This is the primary reason I do not let XP hide "inactive" icons!).

    Delivery mechanism - If you're starting with a clean system prior to an attack which knocks out the AV, how is a virus going to get in - AV or no AV? (we're talking about a totally "security"-patched OS, remember). Barring "sudden-brain-death-syndrome" (SBDS) on the computer operator's part, the answer is - it's not. Because

    your layered secondary defenses are still functioning! AT/Anti-Worm/Hostile Script programs are still up and running. Mailwasher is still there letting you preview your email, Benign is still wiping out anything that you let through in an email that isn't really what you thought it was,

    your properly configured, updated - patch-wise/version-wise - non-"Preview" enabled, email program that's running in the "Restricted" Zone is still there doing its thing.

    If you d/l something off the Net, you'll know if something's wrong when it won't scan (before it's opened and can do any harm).

    The layers actually go even deeper - I haven't even touched on "file checking" programs, that'll let you know instantly if something's amiss (changed) - sandboxes, browser add-ons, firewall add-ons/features, host-file use (that'll all help keep you out of trouble should your AV fail).

    But I think you get my drift. Pete
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Maybe it's pure waste to talk about layered defense because too many here are on different sides of this issue.

    There is still one thing where I want to have your opinion. If you have a specialised av for In the Wild viruses (NOD32 or DrWeb 4.29b etc.), how do you handle those very rarely emerging viruses, which apparently are not in NOD32's or DrWeb's virusbase, but which are surely in Kaspersky engined av:s, McAfee, F-Prot engined av:s or RAV for instance and in this case maybe in Norton's? :eek: o_O

    PS. To Douglas, you had just the same duty area as I, when I was in the Finnish "Royal Heavy Field Artillery". Navy sucks! :D

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I don't have to handle them, Ff - I'll never see them.

    If anyone did see them in the wild, they'd be added to NOD's database.

    That's why I have the program set to check for updates every hour I'm online. Pete
     
  9. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Spy1 from Firefighter!

    As I understood it, someone has been infected with the In the Wild virus first, before it has been listed.

    Why then not me? :D

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You're the statistician, Ff - Why don't you tell me the odds against either you or me being the one (out of millions) to get hit with a new piece of malware first, before it's deffed? Or even the odds against being one of the first thousand to be affected thusly?

    It would probably be more likely that a passing comet would emit a lightning bolt that would hit you while at the top of your golf swing on your birthday. Pete
     
  11. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Spy1 from Firefighter!

    Does it do any harm to add those 5000, or something like that, objects to NOD32's or DrWeb's database, so they may be as good as KAV, McAfee, F-Prot or RAV against in the Zoo viruses?

    Both NOD32 and DrWeb are still capable of detecting at least 66 000 objects just now?

    Remember that some 70 % of av-producers are now capable of detecting some 95 % of those nasties! :eek:

    At least that may calm the majority of av-users a little bit! :D

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Yep. When they are downloading the definitions. ;)

    Seriously Firefighter. Adding the ZOO viruses will not protect you against the new viruses.

    The truth is out there, running .... hiding.

    Regards,

    Pieter
     
  13. RaLX

    RaLX Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    50
    To Spy1 from RaLX:

    The scenario wasn't proposed by me, I just stated that the multilayered defense proposed has almost the same weakness as a single top AV detecting 99%+ of the malware out there.

    To Everyone from RaLX:

    Here's a good question that I found on dslreports by "StraitShoot"

    The question is good because what makes the difference in the behavior of a virus ZOO and ITW?
     
  14. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    213
    Especially when you consider the track record NOD32 has at detecting heuristically a fair amount of the notorious, now "in-the-wild" viruses like "I Love You", Melissa (spelling?), Bugbear, etc.

    Which brings to mind questions:

    What exactly is a zoo virus? Do "in-the-wild" viruses in a sense start out as zoo viruses? If so, what makes them behave differently in the wild? Just like RaLX asks.
     
  15. Optik

    Optik Guest

    To Firefighter from Optik:

    If the world had more *virus experts* like you, viruses would rule the world.
     
  16. sniff

    sniff Guest

    Simply put: a newly designed virus - known, but not "available" for third parties. Most of them are offered to antivirus companies - merely for the technique used.

    99.99% of the cases: not at all. Those nasty designers who really want to cause havoc, will release their new malware as sneaky as can be. "Zoo" is merely a marketing ploy in this context. Like talking about an existing new car model on shows - it's there alright, but it isn't available at all. Scare mongering. Seems like people fall for this ploy...

    sniff
     
  17. The Snowman

    The Snowman Guest

    The topic has been the subject of conversation for countless years......rarely does everyone agree on the proper approach.

    Personally, I could not more strongly agree with Spy1 and the layered approach. Where did the notion come from that an anti virus program is supposed to also be an anti trojan program? o_O I certainly prefer leaving "each to their own".

    The Snowman
     
  18. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Very many in here are trying to say that programs like NOD32 or DrWeb are specialised against viruses.

    For me a specialist, like a surgeon, is very accurate in his job. Now it seems to be so that those "specialists" are like cowboys shooting everything that moves and missing a lot. My specialist is a sniper which can recognize the target and is capable of eliminating it.

    Because of NOD32's or DrWeb's 4-30 times larger false positive ratings than F-Secure's or McAfee's for instance, an average user of NOD32 (or DrWeb) is forced to check the possible infection with those "common guys", like Kaspersky, McAfee, RAV or F-Prot for example. So who is in the end the real specialist in this case?

    Among those "usual av-programs" are very good heuristic programs too like F-Secure or McAfee! You can check it from the Heureka 2 test. So heuristics is not the main reason in this case. :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  19. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi all,

    >New Virus Test by GEGA IT-Solutions (av-test.org)

    The results are surprising and we are looking into the test methodology.

    Thanks for the info.

    rgds,

    jan
     
  20. Douglas

    Douglas Guest

    To Firefighter from Douglas,

    From my own experience with DrWeb (8 months), with heuristics enabled, I've only gotten about 4 or 5 false positives. That's after downloading an average of 4-6 programs a week. They have all been marked by DW as "possible" trojans. So I just use TH to doublecheck.
    I know that's not a scientific result, but for me, the average user, it's been no big deal at all.

    Thanks for the effort you put into those tables.

    Regards,
    Douglas
     
  21. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    More than 2 years of using NOD32 and I've never encountered any false positive. Trust me FF, I am more than an average user.


    Technodrome
     
  22. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Douglas from Firefighter!

    You said that those false positives are still very exceptional. You may be right, but so are finally the real infections too.

    Let's assume that NOD32 and DrWeb are on somewhat the same line considering the false positives. So the fact is that they are both far away from the accuracy in detecting real viruses that Kaspersky powered av:s, McAfee, F-Prot or RAV have. There are too many false positives in those detections the "specialists" are doing.

    We have seen 3 recently published in the ZOO av-test now and here is one more to the list.


    Virus Test Center (VTC); University of Hamburg

    Computer Science Department: AntiVirus Scanner Tests December 2002; Win 2000 (+ Win 98)

    Published January 29, 2003

    Link:

    http://agn-www.informatik.uni-hamburg.de/vtc/

    AGN in the Zoo test (chapter 17.) is a summary of six categories:

    File Viruses - 21 790 objects
    File Malware - 8 001 objects
    Macro Viruses - 7 306 objects
    Macro Malware - 450 objects
    Script Viruses - 823 objects
    Script Malware - 117 objects

    Detected (% of 38 487)   Missed   False + (count, % of 327)   Name

    99.5167                     186     2   0,611 %   F-Secure
    99.3842                     237     5   1,529 %   Kaspersky 3.0
    99.3556                     248     1   0,306 %   G-Data AntiVirenKit 10
    98.0435                     753     0   0,000 %   McAfee VirusScan
    96.9470                   1 175     2   0,611 %   F-Prot DOS
    96.9418                   1 177     2   0,611 %   F-Prot Win
    96.7158                   1 264     2   0,611 %   Command AntiVirus
    95.1048                   1 884     0   0,000 %   Inoculate AV 6.0
    93.9902                   2 313     0   0,000 %   Norton AV
    93.6732                   2 435     1   0,306 %   RAV
    93.5900                   2 467     5   1,529 %   Norman VirusControl
    93.2627                   2 593    29   8,869 %   DrWeb 4.26
    90.1447                   3 793     0   0,000 %   Avast v.3.0
    85.5328                   5 568    11   3,364 %   Ikarus AV
    80.4220                   7 535     0   0,000 %   Data Becker AV
    76.9974                   8 853     0   0,000 %   AVG 6.0
    63.2681                  14 137     0   0,000 %   Protector AV
    17.6163                  31 707     0   0,000 %   VirScanPlus (R.Roth)
    11.6273                  34 012     3   0,917 %   MR2S


    After these 4 tests I am quite convinced about which AV:s are capable of detecting almost all in the ZOO viruses and are making as few false positives as possible. Only RAV is an exception in this last test above, but it has got a new scanning engine after that, which you can see in those recently published VirusBulletin's tests (personally VirusBulletin's tests are not the number ONE available in my opinion, for pure statistical reasons and lack of NOD32's false positives, but you can make your own conclusions). :rolleyes:


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  23. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    No, you can't assume that. NOD32 and DrWeb are 2 totally different products.



    Technodrome
     
  24. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Technodrome from Firefighter!

    I understand that they are quite different, but now I mean only the false positive rates in this issue, when they were almost equal in the av-test.org test 3-2003.

    Another similarity is that they both do not have as large a virusbase as many others do! DrWeb also has a long enough run of VB 100 % Awards in a row now that it is possible to rank it as a stable process by statistical rules. :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  25. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    These files need to be analyzed by AV vendors. After that they should say if they were false positives or not and why. SOPHOS, which uses no heuristics at all, had 5 false positives.



    Technodrome
     