VBA32

Discussion in 'other anti-virus software' started by shek, Mar 31, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hm, VBA32 locked when I tried to test with EICAR from my page www.security-ops.tk or www.security-ops.co.nr

    Works fine if I try from the official one, but IE6 locks if it's from my mirror (EXE EICAR samples). Disabling and enabling Monitor again fixed the issue.
    System is VirtualPC 2004 running Windows 98 (non SE) and Internet Explorer 6.0.2800.1106

    EDIT: Oh, and the action on virus found doesn't save correctly even after I click Apply. I set it to Ask and applied, but when I came back, it was again automatically set to Block.
     
  2. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Actually, if we have ONLY 3...4k RANDOMLY picked samples, we can get the real detection rate with a 2 % error margin for every AV we have met in the AV producer community. This is a statistical truth that is universal. I'm not saying that my 3663 infected samples are REALLY randomly picked ones, because almost all samples downloaded from the web are verified as infected by Kaspersky. That's why we are actually verifying those other AVs against Kaspersky, more or less.

    Best regards,
    Firefighter!
     

    Last edited: Apr 10, 2005
  3. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
  4. Happy Bytes

    Happy Bytes Guest

    BS! Do you know how much trash Kaspersky detects? How do you make sure that your samples are able to run and, in the case of file-infector viruses, able to replicate? KAV also detects a lot of dead samples as infected, and then you're gonna blame other AVs for not detecting this crap.

    There are enough KAV-Emulator dumps - yes, exactly, Dumps(!) from polymorphic viruses in a lot of so-called 'virus collections'. Of course only Kaspersky will flag such dumped binary files!

    HB
     
  5. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I'm only using those methods that quality tools offer us. If we have to make decisions about tens of thousands of delivered components that are new in our production, we don't need to check them all, like shooting all the bullets produced in our factory, but check some RANDOMLY picked part of those components to make sure that all the rest are acceptable.

    Best regards,
    Firefighter!
     
    Last edited: Apr 10, 2005
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    But the samples you use are not really randomly picked. Additionally, if the samples are not analyzed at all as to whether they really work, the error level in a small collection grows and is biased in favour of e.g. KAV.
     
  7. Happy Bytes

    Happy Bytes Guest

    And here we have the proof of such a damaged sample.

    Firefighter, as an antivirus tester who gives statements and advice, you know for sure why this sample wouldn't even run. :D
    If not, I painted a big red border around it. ;)

    And this sample is, for instance, detected by a lot of AVs.
    Not detecting this sample DOES NOT MEAN THAT THE SCANNER WOULD BE UNABLE TO DETECT THE WORKING SAMPLE!

    HB.
     

  8. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    I FULLY agree with this statement. I have hundreds of samples KAV detects as real threats with signatures that are absolutely the stupidest trash you'd ever imagine. One of them is a 2-line batch file that can't even execute. I should try to dig it up to post it here, it's funny.
     
  9. Happy Bytes

    Happy Bytes Guest

    Don't do it! FF would collect it! :D
     
  10. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    Thanks, I like this forum and also hope to stick here :)

    No estimates right now, too many undecided factors.

    Usually at least once a day. More often when needed (urgent update when a dangerous worm is spreading in the wild for example).
     
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I've sent him stuff.. mostly trojans, downloaders, backdoors, bots etc. for use with tests.
    Those samples are real, tested and, what's most important, those are in-the-wild samples.. most of them retrieved from infected users around the world.

    While KAV may detect a lot of trash, it also detects genuine malicious files
    that no other scanner does..
    I see it every day.
     
  12. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    Please stop bashing Firefighter. He already said that
    Every test should be taken with the proper amount of scepticism. I don't think that there even exists a completely statistically correct AV test.

    The more independent tests done, the better it is, at least we can compare and discuss their results :)

    As for statistics, there is a funny example, just imagine an Internet poll with a question "Do you use Internet (yes/no)" :)
     
  13. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    :D
    That's a big part of the fun.
     
  14. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Do not call them ITW samples if they are not on the WildList. Call them zoo viruses (even if some companies will say that all zoo viruses exist ONLY in labs, which is not true). Many people think that the samples they use in their tests do work, but usually that is not true. Most collections I got from users were full of garbage, non-working samples or harmless files, even if they thought they had a very good collection.
    KAV of course also detects very many malicious files, but we are talking about KAV also detecting trash; if it is used as the reference, the test is biased in its favour when compared with other AVs which do not detect the trash.
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    With any luck we might be able to get those answering no to get in a chatroom and talk things over... :)

    And let me extend my welcome also Siarheika! Glad to see you here.

    Lastly, testing and testing protocols are certainly a controversial area. I'm sure we can all agree on that. We can, can't we? Of course!

    As a practicing physical scientist I can say with reasonable authority that comprehending the results of an experimental program starts with understanding not only what the experiment can tell you, but what it either does not or may not tell you. Tests such as the one described above tell us about performance against a somewhat uncontrolled, subselected group of samples. It is uncontrolled because, while all samples have been flagged (by KAV), they remain unvalidated as operative as far as I understand. It is subselected since the group tested is smaller than all known viruses. The impact of invalid samples is unknown. The performance outside the bounded group examined is unknown. Within the boundaries established by these two qualifiers, the test results are what was observed, no more, no less.

    These statements are true for any tests of this nature. For users reading this thread, it is important to try to gain an appreciation of the precision (or imprecision) of the measured relative rankings of performance. Naturally, this is tightly coupled to the caveats of the test protocol employed.

    Blue
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    There are no real ZOO infected samples in my test bed. Why? In the real zoo the animals are in the cage. If my samples are zoo samples, how could I get them from that cage which is always closed?

    The official ItW list doesn't have the most common nasties, trojan-like malware. But there is also one big error in those ItW tests we have seen. They are testing against a 2...3 months old ItW list when there are already 40...60 newer ItW viruses that will be in the current ItW list when it is published. To test samples that we already know is another story that some may call a joke.

    Best regards,
    Firefighter!
     
  17. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    It's a shame that you can't do more than this. Here are some test results from my "Common PC Protection" level and some other test results for the same category level as mine, but from a tester with quite a good reputation that we have seen sometimes. So, what's the big difference?

    FF test   Other test   Product in FF test      Product in other test
    97.6 %    99.4 %       eScan Free              Kaspersky 5.0
    94.1 %    95.1 %       McAfee VSE 8.0i         McAfee VS
    90.3 %    88.3 %       BitDefender 7.2 Free    BitDefender Pro
    90.1 %    86.4 %       AntiVir 6.30            AntiVir
    90.0 %    86.0 %       TrendMicro              TrendMicro
    88.2 %    88.6 %       Command AV 4.92.8       F-Prot
    86.7 %    91.9 %       NOD32 with AH           NOD32 with AH

    Yes, now I got it, it is the difference in NOD's results, which were not as good as usual only because of quite poor detection of worms and partly of script-like malware too. Even Ewido was capable of detecting 96.2 % of my worm samples, so there is not much room for KAV crap samples.

    Btw, my brother has a NOD licence and he is using that proggie as his resident av but still I don't hate him.

    Best regards,
    Firefighter!
     
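The 2 % error-margin claim in post 2 and BlueZannetti's point in post 15 about the precision of the measured relative rankings can both be checked with elementary binomial statistics. The Python below is an added example, not code from the thread or from any product discussed in it. It assumes the thread's stated sample count (3663), reconstructs whole detection counts from the rounded percentages in the table above (a constructed input), and uses the Wilson score interval and a two-proportion z-test. Both cover sampling error only; the sample-quality bias the other posters raise (dead or KAV-only-flagged samples) is not reduced by a larger n and is not modelled here.

```python
"""Sampling uncertainty of an AV detection rate measured on a finite test bed.

Added example for the thread above, not from the thread itself. The constant
N and the percentages are the figures posted there; the whole counts are
reconstructed from rounded percentages and are therefore constructed inputs.
"""
import math

Z95 = 1.959964  # two-sided 95 % quantile of the standard normal distribution


def worst_case_margin(n, z=Z95):
    """Largest half-width of the normal-approximation interval, reached at
    p = 0.5. This is the figure behind claims like 'n samples give an X %
    error margin'. Returns a fraction, not a percentage."""
    if n <= 0:
        raise ValueError("n must be positive")
    return z * 0.5 / math.sqrt(n)


def wilson_interval(detected, n, z=Z95):
    """95 % Wilson score interval for a detection rate detected/n.
    Better behaved than p +/- z*sqrt(p(1-p)/n) when p is close to 1,
    which is exactly where AV detection rates live."""
    if n <= 0 or not 0 <= detected <= n:
        raise ValueError("need 0 <= detected <= n and n > 0")
    p = detected / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def two_proportion_z(d1, n1, d2, n2):
    """Two-sided pooled z-test for 'both products have the same true
    detection rate'. Returns (z, p_value)."""
    p1, p2 = d1 / n1, d2 / n2
    pooled = (d1 + d2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # both scored 0 % or both scored 100 %: nothing to separate
        return 0.0, 1.0
    z = (p1 - p2) / se
    # survival function of the standard normal, via erf (no SciPy needed)
    p_value = 2 * (1 - 0.5 * (1 + math.erf(abs(z) / math.sqrt(2))))
    return z, p_value


def distinguishable(d1, n1, d2, n2, alpha=0.05):
    """True if the two measured rates differ at significance level alpha."""
    return two_proportion_z(d1, n1, d2, n2)[1] < alpha


N = 3663  # sample count stated in the thread
# Rounded percentages from FF's table, reconstructed to whole counts (constructed).
FF_RESULTS = {
    "eScan Free": round(0.976 * N),
    "BitDefender 7.2 Free": round(0.903 * N),
    "AntiVir 6.30": round(0.901 * N),
    "TrendMicro": round(0.900 * N),
}

if __name__ == "__main__":
    print(f"worst-case 95 % sampling margin for n={N}: "
          f"+/-{worst_case_margin(N) * 100:.2f} percentage points")
    for name, d in FF_RESULTS.items():
        lo, hi = wilson_interval(d, N)
        print(f"{name:22s} {d / N * 100:5.1f} %  95 % CI [{lo * 100:.1f}, {hi * 100:.1f}]")
    bd, tm, es = FF_RESULTS["BitDefender 7.2 Free"], FF_RESULTS["TrendMicro"], FF_RESULTS["eScan Free"]
    print("BitDefender vs TrendMicro separable at 5 %?", distinguishable(bd, N, tm, N))
    print("eScan vs BitDefender separable at 5 %?", distinguishable(es, N, bd, N))
```

On these inputs the worst-case sampling half-width at n = 3663 is about 1.6 percentage points, so the "2 %" figure is a fair upper bound for sampling error alone (n = 2401 gives exactly 2 %). The three products within 0.3 points of each other on the same 3663 samples are not statistically separable, while the 7-point gap to the top product is; and none of this changes if part of the test bed consists of samples that cannot run.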
  18. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    You know, I totally agree with you about this ;) , I just say that calling ITW something that is not on the official WildList is wrong. The term ZOO sounds misleading, but this is the term used for all the other things that are not on the WildList.
    BTW: do not take the comments as an attack against you or your test, it is just a little discussion about possible points without direct evaluation. BlueZannetti is right with his comments.
     
  19. Happy Bytes

    Happy Bytes Guest

    Then explain to me why you have in your testbed, for instance, lots of so-called virus construction kits? Starting these programs does NOT infect your machine - only the OUTPUT/RESULT might, and once again - not detecting such creators does not mean that the created virus is not detected!
    By that logic COMMAND.COM/FORMAT.COM should be detected too, cuz it's possible to format the hard disk with them?!
    It's nice to have detection for such generators, but it has no priority! Period!

    Speaking about trojans/worms - I'll PM you, cause I would like to have a look at it. Is this ok with you? :D
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    That's why they are in the riskware category in my test, and NOD was very good there compared to most other AVs I've tested, except Kaspersky-engined ones of course. The "Common PC Protection" level results are the main comparison level in my test, the rest is only a "nice to see" level.

    Best regards,
    Firefighter!
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Oy vey, I just love the eset mod with the rabbit ears making trash talk about FF's tests. :cool:

    NO test is perfect, is it? If my favorite AV ranks real high -- the test is pretty good. If my favorite AV ranks low -- then the test is garbage & the tester is a rascal with a plot to destroy civilization as we know it.

    I am very happy to see VBA coming along so fast, plus their willingness to post here is very gratifying. I am also happy that FF posts his test data here from time to time. It's much better than someone just saying "X antivirus is the best. I've used it for 2 years & my computer is just fine."
     
  22. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    As NOD is good at detecting constructors according to FF, you see that the comments of HB are not because of the NOD scores, but that his comments/opinions are correct and general for other AVs too.
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I think we are all gratified for that bellgamin.

    I did take a quick look at VBA32. What I saw, coupled with Siarheika's comments, are encouraging.

    As might be expected, there will be a short bump in false positives as the typical group of applications this AV sees evolves as it starts to see usage in the Western market. I seemed to get a flag from MWSnap. The following message was seen:
    I also noticed that a molecular weight calculator I use was flagged:
    Both of these examples are unambiguous false positives.

    I did not perform a comprehensive system scan, so there may be more examples. All settings were at their default value. I expect this type of result, so no surprises here.

    Overall, I liked the very clean and spare user interface. The only comment that I'd make is that the virus alert window is too similar to a normal dialog box. No use of color or alert symbols to visually indicate that the user should be really paying attention to that box. This should be changed.

    I went to a couple of genuine bad sites, and the program performed as it should, flagging malware attempting to download. My initial impressions were quite favorable given the pure beta level of the product. Obtaining a steady diet of samples from Jotti's site will improve detection and increased usage in the Western market should decrease false positives.

    Blue
     
  24. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I call them in-the-wild viruses because they're out there in the wild, spreading and infecting victims' computers.

    You obviously didn't read what I posted, see the part "retrieved from infected users around the world"!! These are not malware that you can download from the authors' sites..

    It means that I spot a suspicious file in a HijackThis log, ask the victim to send it to me for a closer look, etc. That's how it goes.. Does a virus have to be on the WildList to be spotted in a log.. Gee, I wonder what those viruses then are ....
    Undetected, yes.. In the wild = infecting and spreading, yes.. On the ITW list, no..


    Perhaps those might be on next month's ITW list, but that doesn't really help the victim who's infected now..
     
  25. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    @illukka: you do not get the point.
     