The Final Countdown; RAV against KAV

Discussion in 'other anti-virus software' started by Firefighter, Jan 16, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Hi, I made a clean scanning test recently, but unfortunately I didn't have KAV in it. But now KAV is struggling against the winner of the first test, RAV, on my PC, to detect as many files as possible.

    In this test both scanners were set to the best possible scanning mode: inside and outside archives, all files, unpack executables, etc.

    No viruses were found and no false positives. I think my PC is clean after both of those tests. Thanks to Outpost Firewall Pro.

    Both scanners were updated to this date, all resident scanners disabled, and both AVs were on my PC together (the other one was in the backup state).


    Tests made 16.1.2003

    KAV 4.0.9 Personal Pro (latest scanner engine 4.0.5.37; best possible scans, all files, archives scanning, list packed etc.)

    (total amount of scanned files 132 962, folders 2 148, archives 7 161 and packed 359)
       

    Capable to scan [files] 132 962
    Scanning time [hrs.min:sec] 0.48:25
    Av. scanspeed [files/min] 2 746
    Unable to read [files ÷ ‰ ] 31 ÷ 0,233 ‰ (corrupted 4, I/O errors 27)


    RAV 8.6.104 (all files, archives scanning)

    (total amount of scanned files = 160 492; folders 2 147, archives 6 375 and packed 2 455)
       
    Capable to scan [files] 160 492
    Scanning time [hrs.min:sec] 0.38:10
    Av. scanspeed [files/min] 4 205
    Unable to read [files ÷ ‰ ] 0 ÷ 0 ‰ (corrupted 0, I/O errors 0)


    Regards,
    Firefighter!
     
  2. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    So you are saying that RAV managed to scan your whole system and yet there were no 'unable to scan' files? o_O
    Windows locks many files in its use and I've yet to see a scanner that can scan these locked files;

    for example, pagefile.sys, system32.config etc. (on XP)
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Tinribs from Firefighter!

    I'm not absolutely sure what the end comments were in the "ravwin" file's notepad, because there were over 160 000 rows.

    But that was not the point. Everybody knows that KAV is capable of scanning all possible archives. So where are the missing packets and files? Maybe I did something wrong, tell me?

    Here is a copy of RAV's summary report. :eek:



    The scan is finished.

    [General]
    Scan Time      = 16. january 2003 10:22:23
    Unpack exe      = true
    Inside archives   = true
    Scan mail files   = true
    Heuristic scan   = true
    Integrity check   = false
    Scanned files   = ALL_FILES

    [Statistics]
    Files         = 31932
    Folders         = 2147
    Archives      = 6375
    Packed         = 2455
    Scan time      = 26:58.47 (= processing time)
    Scan speed 1    = 19,73
    Scan speed 2    = 1734,87
    Infected      = 0
    Virus bodies    = 0
    Suspicious      = 0
    Disinfected      = 0
    Deleted         = 0
    Renamed      = 0
    Copied         = 0
    I/O errors      = 0
    Warnings      = 0
    Corrupted      = 0
    New (= Scanned files)   = 160492
    Changed (= Mail)   = 188

    Regards,
    Firefighter
     
  4. gabor

    gabor Guest

    Hi

    Maybe I am wrong, but I guess KAV doesn't scan inside some .cab files
    (for example, not in its own install directory)
    nor inside some self-extracting install files (for example the F-Secure install exe),
    and I think F-Secure, for example, can scan inside a rar3 archive, thanks to the KAV engine
    (at least on W2K on-demand, but it doesn't on-access, and on W98SE neither on-access nor on-demand)
    but it reports only one file, if I remember right.

    (And my big disappointment is F-Secure; my personal experience is that F-Secure is problematic,
    at least the realtime scan surely,
    a series of error messages in the event log about not being able to scan - and not only pagefile.sys or system dats but many others -
    other: the dealer says it scans inside the Outlook .pst database on demand, but I am sure it cannot
    and see the number of hotfixes for 5.30, or for 5.40, or what is fixed in 5.41)


    anyway I don't know which scanner is the best
    but I found an interesting site:

    http://www.checkvir.com/index.php?CN=2.3.8&CIE=1

    in this test there were only 172 viruses, but tens of thousands of files were infected by them
    (maybe these viruses are well known or old, I don't know, I'm not an expert)
    and almost every tested scanner knows all the viruses (except Panda)

    but not all files infected by the same virus were detected

    the number of viruses not 100% detected (some samples found, some not) in the case of RAV: 6
    KAV: 3
    and NAV: 0

    another point of interest is the disinfection:
    it seems to me at this point the winner is panda
    (if we can believe this test)
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I believe they used 1249 (old and new viruses).
    List of viruses used: http://www.checkvir.com/viriilist0210.txt



    Technodrome
     
  6. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Gabor from Firefighter!

    About KAV, I've seen several tests where it was mentioned that KAV is capable of scanning all archives, or I remember wrong again!

    About Checkvir, I've seen that test too. It was interesting that in October 2002 the "winners" were Avast32 and Sophos, which both got full "dots". If you looked at the statistics, you could draw another conclusion! :rolleyes:


    Regards,
    Firefighter!
     
  7. maybe

    for example kav:
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB   Archive   CAB   <ce0000.0.11>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/command.com   OK      <cf0000.0.9>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/autoexec.ebd   OK      <cf0000.0.9>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/config.ebd   OK      <cf0000.0.9>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/readme.ebd   OK      <cf0000.0.9>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/setramd.ebd   OK      <cf0000.0.9>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/extract.exe   OK      <cf0000.0.9>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/fdisk.exe   Packed   ExePack   <d70000.0.10>
    C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/fdisk.exe   OK   
    and so on, so it is able to scan cab

    and

    C:\KAV\Personal\CD English\data1.cab   OK      <cf0000.0.9>
    C:\KAV\Personal\CD English\data1.hdr   OK      <cf0000.0.9>
    C:\KAV\Personal\CD English\data2.cab   OK      <cf0000.0.9>
    C:\KAV\Personal\CD English\ikernel.ex_   Archive   MS Expand   <ce0000.0.11>
    C:\KAV\Personal\CD English\ikernel.ex_/ikernel.ex_   OK      <cf0000.0.9>

    and so on

    but rav:

    C:\KAV\Personal\CD English\data1.cab | Ok
    C:\KAV\Personal\CD English\data1.cab->[IShield0000] | Ok
    C:\KAV\Personal\CD English\data1.cab->[IShield0001] | Ok
    C:\KAV\Personal\CD English\data1.cab->[IShield0002] | Ok
    C:\KAV\Personal\CD English\data1.cab->[IShield0003] | Ok
    C:\KAV\Personal\CD English\data1.hdr | Ok
    C:\KAV\Personal\CD English\data2.cab | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0000] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0001] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0002] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0003] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0004] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0005] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0006] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0007] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0008] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0009] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0010] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0011] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0012] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0013] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0014] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0015] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0016] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0017] | Ok
    C:\KAV\Personal\CD English\data2.cab->[IShield0031] | Ok

    and so on

    I'm afraid it shows why RAV counts a larger number of files.
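
The counting difference visible in the two reports above, worked through as an added example that is not part of the original thread: it parses a subset of the quoted KAV and RAV lines (trailing `<...>` codes dropped) and normalises them to on-disk files and archive members, so the two totals can be compared in the same unit. The function names and the line formats assumed by the parsers are inferred from the quoted lines only.

```python
import re

# Subset of the report lines quoted in the post above (constructed sample:
# trailing <...> codes dropped, column gaps kept as runs of spaces).
KAV_LOG = r"""
C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB   Archive   CAB
C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/command.com   OK
C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/fdisk.exe   Packed   ExePack
C:\WINDOWS\SYSTEM\PRECOPY\BASE5.CAB/fdisk.exe   OK
C:\KAV\Personal\CD English\data1.cab   OK
C:\KAV\Personal\CD English\data1.hdr   OK
C:\KAV\Personal\CD English\data2.cab   OK
"""
RAV_LOG = r"""
C:\KAV\Personal\CD English\data1.cab | Ok
C:\KAV\Personal\CD English\data1.cab->[IShield0000] | Ok
C:\KAV\Personal\CD English\data1.cab->[IShield0001] | Ok
C:\KAV\Personal\CD English\data1.hdr | Ok
C:\KAV\Personal\CD English\data2.cab | Ok
C:\KAV\Personal\CD English\data2.cab->[IShield0000] | Ok
"""

def parse_kav(line):
    """Assumed KAV layout: 'path   status [type]'; members as ARCHIVE/member."""
    fields = re.split(r"\s{2,}", line.strip())   # paths may contain one space
    container, _, member = fields[0].partition("/")
    return container.lower(), member or None, fields[1]

def parse_rav(line):
    """Assumed RAV layout: 'path | status'; members as ARCHIVE->[member]."""
    path, _, status = line.strip().rpartition(" | ")
    container, _, member = path.partition("->")
    return container.lower(), member.strip("[]") or None, status

def load(log, parser):
    return [parser(l) for l in log.splitlines() if l.strip()]

def summarise(entries):
    """Report lines are not objects: one file can produce several lines."""
    disk_files = {c for c, _, _ in entries}
    members = {(c, m) for c, m, _ in entries if m}
    return {"lines": len(entries), "disk_files": len(disk_files),
            "members": len(members), "objects": len(disk_files) + len(members)}

def member_gap(a, b):
    """For files both scanners touched: members each one reported inside."""
    def per_file(entries):
        seen = {c: set() for c, _, _ in entries}
        for c, m, _ in entries:
            if m:
                seen[c].add(m)
        return seen
    sa, sb = per_file(a), per_file(b)
    return {c: (len(sa[c]), len(sb[c]))
            for c in sorted(sa.keys() & sb.keys()) if len(sa[c]) != len(sb[c])}

if __name__ == "__main__":
    kav, rav = load(KAV_LOG, parse_kav), load(RAV_LOG, parse_rav)
    print("KAV", summarise(kav))
    print("RAV", summarise(rav))
    for path, (k, r) in member_gap(kav, rav).items():
        print(f"{path}: KAV members={k}, RAV members={r}")
```

On this sample the same `data1.cab` and `data2.cab` contribute zero members to the KAV count and several to the RAV count, which is the kind of per-file difference that has to be removed before "scanned files" totals from two products are compared.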
     
  8. gabor

    gabor Guest

    but to prevent misunderstanding,
    my personal favorite is KAV
     
  9. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Gabor from Firefighter!

    Maybe it is in vain to argue, which is the best scanner ever. Everyone has his (her) own system and different needs. I can't use KAV as my resident, because the net surfing stops too often with my cellular phone modem (Siemens ME 45; is 512 MB RAM not enough in my PC?).

    That's why I have installed KAV without resident scanner, as my backup.

    Personally I now use RAV as my resident. The surfing goes without interruption, hopefully in the future also.


    So everyone has to make his (her) own decisions.


    I did it as below. (not so widely of course)

    Maybe we have to simplify the whole problem to 4 or 5 basic silly questions, which have certain priorities. We have only to find answers to these questions. The main issue is probability, which lies behind all of these talks.

    Questions: Q         Answers: A


    Q 1. Where do we find viruses?

    A 1. I think, that they need a host! What is the host then? Yes, a file.

    So, we need to seek files first.

    Q 2. What is the worst thing that could happen?

    A 2. I think that is to be infected with a virus? From where do I then get a virus? I think it is at those sites where In-the-Wild viruses lie.

    So, we need to clear up the In-the-Wild virus detection capability after that.

    Q 3. What do you think is the second worst thing that could happen?

    A 3. I think that somewhere there is a virus that no one has detected yet.

    So, we need to clear up the heuristic capability of the AVs.

    Q 4. How can I be sure that I am safe now?

    A 4. I think, if the AV has a large enough virus base to get rid of older viruses too.

    So, we need to clear up the Zoo capability of the AVs.


    I think that there is enough knowledge here to find a good AV for everyone. You can do some of these tests yourself. A good method is the Cup system, where you take at first, let's say, 32 AVs, and rank them according to the Technodrome24 (27 av-test) test and/or AV-Test.org tests.

    1. against 32.; 2. against 31 etc. and scan them in your PC.

    After all the questions and answers, we surely have not a bad result. The resulting scanner doesn't have any really weak features with regard to detecting viruses.

    Terms other than detection capability are then another story!


    Regards,
    Firefighter!
     
  10. Gabor

    Gabor Guest

    Yes, KAV monitor is terrible,

    it's still slow on my W2K, P4 1.4GHz + 512Mb PC800 (RIMM) RDRAM+
    384 kbit/s ADSL
     
  11. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Interesting thread indeed !! ;)

    FireFighter,
    what's the memory usage in regards to RAV ??

    regards,
    bill ;)
     
  12. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Eyespy from Firefighter!

    Just now RAV uses at least 26 Mb. But that's not the whole thing.

    I think, for some reason, I don't know, KAV Monitor stops the surfing all the time! That's why I use RAV now! :mad:


    Regards,
    Firefighter!
     
  13. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    FF,
    the Realtime Monitor of RAV interferes with your Internet surfing ? Is this what you mean ??

    regards,
    bill :)
     
  14. tahoma

    tahoma Guest

    i loved kav for a long time, but now it's simply too slow, but i have found a tweak that works for me. open the kav monitor settings, go to expert mode in the left pane, uncheck my computer (everything) in the right pane, and then check individual folders and files. such as 'documents and settings' - will scan all ie cache etc, temp dir, windows temp dir, desktop, downloaded internet programs, your download folder and everywhere anything from the internet gets stored in.

    this method ensures protection against everything new that arrives on your comp, but doesn't slow you down at all.

    if u want a good resident av scanner i've recently moved to drweb. it's tiny, FAST and has found everything in my little private virus tests
     
  15. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To der@freestart.hu about yesterday from Firefighter!


    Hi, unfortunately what you showed doesn't explain the huge difference between RAV's and KAV's capability of scanning files. Here I scanned, for example, C:\Windows\System32 with both scanners in my WinXP Home.


    KAV 4.0.9 Personal Pro (latest scanner engine 4.0.5.37; best possible scans, all files in C:\Windows\System32, archives scanning, list packed etc.) done 17.1. 2003

    (total amount of scanned files 4 976, folders 178, archives 8 and packed 18)
       

    Capable to scan [files] 4 976
    Scanning time [hrs.min:sec] 0.07:06
    Av. scanspeed [files/min] 701
    Unable to read [files ÷ ‰ ] 0 ÷ 0 ‰ (corrupted 0, I/O errors 0)


    RAV 8.6.104 (all files in C:\Windows\System32, archives scanning, unpack executables)

    (total amount of scanned files=new 5 018, folders 177, archives 5 and packed 114)
       
    Capable to scan [files] 5 018
    Scanning time [hrs.min:sec] 0.03:02
    Av. scanspeed [files/min] 1 654
    Unable to read [files ÷ ‰ ] 0 ÷ 0 ‰ (corrupted 0, I/O errors 0)

    So the difference is elsewhere!

    If we have to qualify an av scanner, the first thing is that it must be a robust product. Kaspersky is the best idea ever, but an idea is far away from a robust product.

    Maybe we can't clear up the difference in scanning capability between KAV and RAV. But we know that RAV could scan at least more (real) files than F-Secure, which is the nr. 1 Zoo scanner in the world and the second best trojan scanner after KAV (the difference is minimal, thanks to the Kaspersky engine).

    I made the conclusions according to my first scanning test, where Avast 4 Pro was almost as wide a scanner as F-Secure, but RAV could scan so many more archives than Avast 4 Pro. :rolleyes:


    Regards,
    Firefighter!
     
  16. gabor

    gabor Guest

    I am in sympathy with Dr.Web too
    (but I guess one has to be careful with it; it gave me some false alarms)
     
  17. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Tahoma from Firefighter!

    DrWeb is an excellent choice.

    Maybe its scanning breadth is a little small; Avast 4 Pro, for example, is wider.

    DrWeb is absolutely one of the best AVs (with F-Secure) against new (not detected yet) viruses and also one of the best In-the-Wild scanners.

    I use DrWeb as one of my backups, only because of that distrust of DrWeb's capability to scan a wide enough range of files! :)


    Regards,
    Firefighter!
     
  18. gabor

    gabor Guest

    to Firefighter

    well, I posted the report about KAV and RAV in .cab

    in contrast to this, when I scan only system32 on W2K,
    surprisingly I get this result:
    RAV: 4057
    KAV: 4464
     
  19. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Gabor from Firefighter!

    That's what some call good heuristics. Don't let DrWeb do anything about suspicious files but report them.

    Scan the suspicious files, for example, with the KAV online scanner later!

    About the second issue! If KAV scans so many more files in your system, that's what I call "every system is a new case".

    But when we are now writing about KAV, RAV, F-Secure, DrWeb and probably in the future Avast 4 Pro -- who knows, because of the new kernel -- the differences are in the end minimal, of no importance to an average consumer.

    They all belong to the absolute top of scanners.

    Regards,
    Firefighter!
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Technodrome from Firefighter!

    Can you tell a little bit more about Technodrome24 AV-rankings, where RAV was ranked the second ever, 4.7/5 points, when the winner, KAV got 5/5?

    I made my own conclusions, that there were no other programs using the KAV engine, because there are so many (for example F-Secure, which got the best Zoo results from the same site and in the av-test.org too).

    Were there other arguments than detection rate? The site says that detection rate was the only thing that matters.

    RAV was behind Pc-Cillin in detection rates in the Technodrome24 test. Why did Pc-Cillin get 4/5 in the Technodrome rankings?

    I am still very satisfied with RAV, that's why it's my resident, until I get more test results from Avast 4 Pro. :mad:

    Regards,
    Firefighter!
     
  21. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    RAV has good unpacking engines, good standing against ZOO viruses, and very good detection rate in regards to Trojans and Backdoors. It also scored well in regards to heuristics engine testing.

    Correct!

    No! Detection rate was the only argument.

    Pc-Cillin lacks an unpacking engine, that's why it scored 4 out of 5 (4 is not that bad). Pc-Cillin was not able to detect some of the unknown viruses (due to weak heuristics). It missed trojans and backdoors that were picked up by AVP (KAV) or RAV.

    Correction: I misunderstood your question. You are probably talking about the test done by VirusP (virii collector)? The AV test that included 27 AV/AT tools? If yes, then this test is different from the AV test I did. I've never published my results.


    Technodrome
     
  22. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Technodrome from Firefighter!

    I am referring to the 27 AV test made by the Technodrome24 sites!

    "The truth is out there!"

    Regards,
    Firefighter!
     
  23. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Technodrome from Firefighter!

    Do you think that I am as safe as money can buy, if my resident is RAV, and my backups are DrWeb 4,29b and Kav 4.09?

    "The truth is out there!"

    Regards,
    Firefighter!
     
  24. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    You are never going to be 100% safe! I hope you are not asking me to say that. But with that weapon arsenal that you got there, I wouldn't worry about a thing.

    Yes indeed!


    Technodrome
     
  25. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Firefighter. I'm beginning to think that safe is an illusion and an arbitrary concept.
    I went to a site two nights ago, let's say a site of questionable lineage, and clicked on a link to download a file. Something I've done before. Well, about two seconds later, I had a BSOD that locked me up tight as a drum.
    Every program I had running resident was corrupted. My browser would not browse, my email would not mail and my AV was toast. My firewall configuration was corrupt. My wife wouldn't even talk to me. :rolleyes:
    Had to restore an image.
    I have no clue what happened, but it happened in spite of my best efforts to avoid such stuff.
    There is no substitute for a recent image of your drives stored in a safe place. When all else fails, it saves the fresh install route. :D
    I am not belittling your efforts, just pointing out what has, in the end, saved me more than once.
    BTW, I'm a DrWeb/AVP 3.5 fan. My money is on them for virus/trojan protection with TDS as a backup.
     