Video AV Tests...

Discussion in 'other anti-virus software' started by AlexDBR, Mar 5, 2010.

Thread Status:
Not open for further replies.
  1. AlexDBR

    AlexDBR Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    18
    New test... I was a bit "surprised" by NOD32..

    ESET NOD32 Antivirus 4 - Prevention/Detection Test


    These are just quick tests... I will do some more thorough ones (on demand, removal) and try some more AVs (next are A-squared, Comodo and MSE).


    @NoIos: I use Camtasia Studio
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Wow, that is pretty bad. :doubt:
     
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    It's always good to test the product, then a month or so later, test again. See how it handles a new batch of samples.

    I'd say the system was still 'recoverable' from that thrown at it. Good job though Alex in taking the time to post these.
     
    Last edited: Mar 6, 2010
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    By disabling the Web protection in NOD you didn't only disable IP blocking, but advanced heuristics on PE files as well (not present in Realtime protection, at least not to such extent). Note that upon reboot Web protection was automatically re-enabled and that's why it blocked the last links (Heur or not...).
     
  5. AlexDBR

    AlexDBR Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    18
  6. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
  7. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Yes, and also the behaviour-based detections didn't make any sense to me,

    especially if these were packed with known-trusted programs, people would just allow them.

    I guess everyone is a professional AV-tester now?

    I respect what the OP is trying to do, but grabbing some links and waiting for detections doesn't mean they are in fact malicious. How has he checked these files?
     
  8. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    430
    Thank you Alex. Very nice work. :)
     
  9. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    The 1st test with Vipre...the #12 link where you specify that it failed...is not necessarily true. If this .exe was meant for XP and not Vista or vice versa...then Windows will display this message....

    "name of .exe" has encountered a problem and needs to close"

    The file cannot perform any action as it was targeted for a different OS than yours.
     
  10. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    There will be some errors. Regarding how you know the files are malicious, both avast and a-squared reported all as malicious.
     
  11. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Right, chances are Vipre did not have a definition for that file but its HIPS might have reacted had the file actually performed any harmful action.
     
  12. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    Alex

    You are using OLD malware!! Of course you see SO MANY AV catches. Out of the hundreds of AV videos I have seen, your videos are catching 95% of the malware. Compared to 60-70% that others catch with the same programs.

    Meaning you have OLD malware URLs!!

    .
     
  13. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Or, to put it simply, antivirus vendors have realised that people are using links from Malware Domain List and making videos on YouTube. So they are simply adding these malware first to make their AV look good in these self-made tests.
     
  14. AlexDBR

    AlexDBR Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    18
    Toby75, The HIPS from VIPRE has limited functionality, as it only protects against code injection. And I've never seen it in action..

    PC__Gamer, I've never claimed to be a professional AV-tester nor that these are definitive tests... At least some people seem to be interested, and I do this for them. And I personally want to see how AV's stand against in the wild malware and how they improve over time.
     
  15. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    No, he just has not done his research on where to find virgin malware links to better represent a truer real-life surfing experience with fresh malware. Spend some time researching where to find virgin malware. Otherwise, you do a good job at presentation!
     
  16. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    I would suggest adding the links to your tests in the first post. Would be easier. :)
     
  17. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Don't misunderstand my comments, I'm not dissing your videos :)

    Just want to know how you're checking your samples first before you run your tests. :)
     
  18. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Agreed. I tried downloading the first file in the list from the video, which was not blocked in the video, and it is detected:

    06/03/2010 15:52:01 HTTP filter file hxxp://xxxxxxxxxxxxxxxxxxxxx/0.exe a variant of Win32/Spy.Zbot.NJ trojan connection terminated - quarantined xx/xx Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe.
     
  19. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Another flawed testing methodology. You should always re-image after a successful infection. Once a threat gets through you can't trust the state of the machine and all subsequent tests may fail because the machine may be rootkitted by that first threat.

    These random AV tests are becoming a dime a dozen. It's good that people are taking the effort to test this stuff, but if you do, please read the AMTSO guidelines for testing. It will make your tests a lot more defendable.
     
    Last edited: Mar 6, 2010
  20. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
  21. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    I don't know what's the point of disabling web access. Web access is a component of the antivirus, and it's on by default. For example, in NOD32, web access is enabled by default with advanced heuristics on. The on-access is enabled by default with advanced heuristics off. So, if you disable web access, you are testing NOD32 without advanced heuristics.
     
    Last edited: Mar 6, 2010
  22. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469

    I agree. Product should be tested with all default options.
     
  23. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    It makes no sense when people disable features of an AV and test it!

    In order to cope with zero day malware, AV companies have introduced new technologies and thus provide multiple layers of protection. So how can one disable these additional defenses and expect the AV to do well?

    The definition of AVs has changed, they can no longer be confined to only file scanners.
     
  24. TheIgster

    TheIgster Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    719
    Location:
    Canada
    I have to agree. It makes sense to test products as they are installed by default IMO.
     
  25. Templar

    Templar Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    114
    It makes sense, but please people don't argue about how the test was performed, there's perfect value in also testing how the actual virus engine deals with the threat.

    I suggested starting by using the webshield and then disabling it if it blocks the page. However I like these tests and they seem well enough done and I'm thankful for the effort on behalf of Alex. However to keep the test short I'd prefer the webshield be disabled.. so many tests out there just using defaults.

    About webshields, they might slow down your web experience as the shield always has to query AV Home base before a URL is opened. Personally I don't like them.

    Again don't argue too much about the little things and control your emotions and be reasonable - it's not a perfect world.

    Simon
     