[Thread split] MRG Flash Tests 2012

Discussion in 'other anti-virus software' started by LoneWolf, Jun 30, 2012.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    Re: MRG Flash Tests 2011

    Bluepoint is back after withdrawing last year. I guess they ironed
    out the bugs.
     
  2. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Re: MRG Flash Tests 2011

    Thanks.
    You can choose the engine for the free version?
     
  3. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    Re: MRG Flash Tests 2011

    You can choose Clam-AV for off-line detection. If you don't, you just have cloud-based protection.

    To increase detection rate for the free product, they mention that you can install another AV alongside their product (the free version), from this list:

    http://support.immunet.com/tiki-read_article.php?articleId=4&highlight=companion prodducts
     
  4. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    Re: MRG Flash Tests 2011

    I think you are wrong, look up Bitdefender in the list and you will see it has 13 misses, compared with SourceFire (Immunet) 3 misses.
    I guess the 10 in between is the Immunet Cloud doing its job.

    /E
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Re: MRG Flash Tests 2011

    I don't get how Ikarus failed when it's also included in Emsisoft; surely the same fail would show up?
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Re: MRG Flash Tests 2011

    Isn't Emsisoft 2 engined?
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Re: MRG Flash Tests 2011

    Ah yes. So the Emsisoft engine detected Qhost in this instance. That's good to know. :)
     
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Re: MRG Flash Tests 2011

    Emsisoft is strong with 2 engines. :thumb:
     
  9. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    Re: MRG Flash Tests 2011

    Does this Flash test take the behavior blocker into account as well? Then Emsisoft would have even more of an edge over Ikarus.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Re: MRG Flash Tests 2011

    Helpful hint for any newbies out there- for any that may change their current security solution to one rated highly by these tests please keep in mind your desire to be protected against true zero-day malware (malware just released for which no signature has been yet written). Products that solely rely on detection via signatures would lead to a time frame during which you would not be protected, and although a detection signature may be soon in coming the damage will already be done.

    Although generic signatures do exist, any malware writer worth her salt will verify prior to release that the new baddie will not be detected in this way (not that I would know).

    So get to know the product and make sure that it has a method of protection over and above just straight signatures.
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Re: MRG Flash Tests 2011

    Perhaps a new thread could be started, "MRG Flash Tests 2012", given that we are more than half way through 2012.
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Re: MRG Flash Tests 2011

    The Emsisoft engine complements the Ikarus engine, which means Emsisoft "tries" to cover/detect all other threats the Ikarus engine misses. :D :rolleyes:
     
  13. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    Re: MRG Flash Tests 2011

    This is not completely accurate. You can (and we do) write adaptive signatures that can quite accurately predict what we will see in the future based on what we have seen in the past. The vast majority of the detections you see in these tests involve definitions written days or even weeks before the samples existed.

    You can split hairs on '0-day' and break it into 2 families. 1. new mutation of an existing threat and 2. a new threat not based on any existing malware project. Even in the case of malware that is 100% new you can still write a signature that can predict certain aspects of the trojan ahead of time.
     
  14. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK
    Re: MRG Flash Tests 2011

    Thanks, I never knew this. Good to know :thumb:
     
  15. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Re: MRG Flash Tests 2011

    Sounds kind of like when your wife knows you did something wrong...she may not know what it is or if it's the same thing as last time but she can pretty much tell and thus you're gonna be quarantined in the doghouse regardless...:D
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Re: MRG Flash Tests 2011

    NoSirrah- Although what you say is accurate, please note that I had already implied that (albeit in a backhanded way) by recognizing that generic signatures do exist.

    However a good malware writer will conduct what amounts to a beta test to ensure that neither the original malware file nor whatever daughter programs it spews out will be caught by the "catch-all" generic sigs. If this was not the case there would be no zero-day malware at all! All would be D-day (meaning a valid definition is already in existence) and any good signature based AV would have a 100% detection rate all the time.

    I think you would agree that something like that will happen concurrent with hearing "Oink Oink" overhead.
     
  17. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    Re: MRG Flash Tests 2011

    There are too many moving targets to spend a lot of time on this. Sure they pick a handful of high usage vendors to bypass but the name of the game is speed. They know that they are not going to get by everyone no matter how smart they are as countermeasures are not static. They have automated programs that spit out morphs trusting that a good number of them will get by a fair number of vendors. A good adaptive signature will get all of the morphs through creative prediction.

    I rarely see anything that gets by everyone, it almost never happens.

    All AV labs are run differently so this could not possibly be true. You could give every lab the same pile of samples all pulled from the web within a 48 hour period and then test those sources again after a day and you would see a broad spectrum from fully detected to hardly anything detected. How good they did on the future unknowns based on the recent knowns would be a very good measure of how predictive their technology/researcher creativity is.

    Generic is not really a good way to describe how adaptive signatures work BTW. Adaptive definitions often force a malware author to make major changes to bypass while generic definitions are easy to break with little effort. This manifests itself in our intake. We look at something called the "unknown to us yet still detected" ratio and over time this has grown as our technology has improved. Generic detections are often broken by the changes that put samples into this category while adaptive signatures hold firm, sometimes for months.
     
  18. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Re: MRG Flash Tests 2011

    Great explanation, thx for the knowledge Bruce
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Re: MRG Flash Tests 2011

    Sounds like a stone cold winner to me! :thumb:
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Re: MRG Flash Tests 2011

    Bruce- Please note that my post was directed to those that may be new to computer security pointing out that no definition based product would be 100% effective and a layered approach is advisable. Although I've found that simplicity is advantageous to those desiring to learn, I do thank you for expanding the topic.

    However from your follow-up it is easy to infer that a well written and maintained def based AM will provide total protection against all threats. The authors of my current favorite malware, FLAME, would beg to differ as it is estimated that it has been floating around for about 2 years before it was detected.


    (Note- In all probability none reading this post need to worry about FLAME (also known as sKyWIper) as this is a targeted attack. But it is very cool- in addition to stealing passwords, auditing almost any service, file, or application installed on the PC, logging account information/credentials for all Microsoft Outlook profiles, etc., there is also a DLL dropped that will scan the registry to see what security software is installed. Subsequent attacks can then be tailor made to bypass such protection. Sorry for the digression!).
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Re: MRG Flash Tests 2011

    Excellent idea. The first 2012 post on this 2011 thread was way back here. Maybe the thread could get broken off and a new one started?
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,185
    Location:
    Texas
  23. Pablo87

    Pablo87 Registered Member

    Joined:
    Oct 30, 2009
    Posts:
    324
    Re: MRG Flash Tests 2012

    Very nice results.
    I'm running GFI, I'm happy :)
     
  24. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,254
    Location:
    Texas
    Re: MRG Flash Tests 2011

    Noob...I came back this week...EAM seems lighter than I remember it being say 6-7 months ago. :thumb:
     
  25. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Re: MRG Flash Tests 2011

    Yeah, the only part where EAM is a hog is when it does huge updates, especially for older hardware. :D :D
    But if the system has hardware from the last couple years then it can handle EAM easily. There will be some huge changes for v7 so stay tuned. :D
     