Virus-Test didnt know about this.

edit - copied from http://overclockers.com/articles1260/ - Detox


I know this is off topic but I thought this might interest some of you. I get asked all the time about viruses from my students and clients so three years ago I started doing an IT security workshop with all my classes. One part of it is testing and trying out various antivirus programs. I personnally ran all the tests myself and then the students so we could make sure the results are consistent. So here's in short a hand out they received.
antivirus test:

• Most of the popular antivirus programs found today was used.
• Every antivirus program were fully updated prior to test and set to their deepest scanning settings.
• The exact virus count in the file is unknown but there are over "10000".
• The file contains many types of viruses, trojans, worms etc.
• Scans were done on a P4 2.8c with Windows XP pro sp2.
- 9/10/05 just for some month ago.

Antivirus Viruses found:
McAfee VirusScan 8 9883
Panda Platinum Internet Security V8.05 9985
F-Secure Anti-Virus 5.41 9976
Kaspersky 4.5 9996
Kaspersky 5 9967
Avast.Professional.Edition.v4.6.623 9757
Bit Defender Professional Plus 8 9953
Eset Nod32 v2.12.1 9689
Grisoft AVG Pro.V7.0.143 9507
Trend Micro PC-cillin 2003 9938
Trend Micro PC-cillin 2005 10084
Symantec Norton 2004 10028
Symantec Norton 2005 10028
F-Prot 3.16a 9386 (+549 ‘suspicious’)
Etrust EZantivirus 2005 7.0.6.7 9580

edited to give credit to source - Detox

 

Results:
All the AntiVirus used with the BlackSpear settings.

McAfee VirusScan 8 9,883
McAfee VirusScan 10¹ 10,026
Panda Platinum Internet Security V8.05 9,985
F-Secure Anti-Virus 5.41 9,976 40
Kaspersky 4.5 9,996
Kaspersky 5 9,967
Avast.Professional.Edition.v4.6.623 9,757
Bit Defender Pro 8 9,953
Bit Defender Pro 9¹ 9,953
Eset Nod32 v2.12.1 9,689
Eset Nod32 v2.5¹ 9,707
Grisoft AVG Pro.V7.0.143 9,507 Trend Micro PC-cillin 2003 9,938
Trend Micro PC-cillin 2005 10,084
Symantec Norton 2004 10,028
Symantec Norton 2005 10,028
F-Prot 3.16a 9,386 (+549 'suspicious')
Etrust EZantivirus 2005 7.0.6.7 9,580
Clamwin 0.86.2 9,917
AntiVir PersonalEdition Classic 6¹ 10,086
Arcavir 2005¹ 9,707
Virus Chaser 5¹ 9,790
Norman Virus Control 581¹ 9,765
eScan Virus Control 2.6.518.8¹ 9,937
Drweb-432b¹ 9,832
BullGuard v6¹ 9,966
Virus Buster Pro 2005¹ 9,188
MKS vir 2005¹ 9,706

 

http://www.dslreports.com/forum/remark,14376919

 

Here we go again the old "which AV finds more scenario".How many of these AV's protected against the latest WMF exploit before they updated their signatures or engines.

Not one,a big fat zero.Considering non signature based security like Defensewall,Bufferzone,Sandboxie and others protected the user.

 

And please how should the AV programs have been able to do so? Should the AV companies analyse every known file format and reverse engineer every library/dll that parses those formats in order to find every possible exploit?
I guess you want a solution before the next decade.

The "solutions" you mentioned are incredible slow and impossible to use on gateways. And scanning & parsing every possible file format would make the virus scanners similar slow. Are you sure you know what you are asking for?

And so what? The trojans that were downloaded by the WMF exploits were easily caught by most of the heuristics and variant detections.

 

You missed my point-the AV's can't protect against zero day exploits whereas virtualisation (sandbox) security apps can.

The solutions are here now in these virtulisation security apps.

Using these virtulisation programs on your own pc doesn't slow it down at all so why bring up gateways.

Sure,have an AV and Antispy just for on demand scans.Run your browser through one of the security apps I mentioned and you will be a lot safer than relying on signature based security.

 

Using sandboxing (on-access) doesn't slow your system? You must have a really fast machine indeed.

And what about exploits for file formats that are not handled by the browser but by other applications. You want to run EVERY application on your PC in a sandbox all the time? Sure...

And it will be no problem to find a way around the sandbox, exploiting the sandbox itself, exploit areas that aren't propperly guarded by the sandbox and so on. There is no 100% solution, ever.

 

Nothing fancy. P4,3ghz,1gig ddr.No slowdowns with Defensewall or Sandboxie.In fact since I have turned off my realtime AV and Antispy browsing is faster with Sandboxie or Defensewall running.

Where did I mention running every app,just your browser and Email client,either untrusted or sandboxed.Or you can run your whole system virtualised with VMware or Greenborder.Haven't tried whole system virtulisation so can't really comment.

As for file formats and other apps, can you give an example .

I know the author of Defensewall compromised Bufferzones seurity in 5 mins and that can only make that product better.

And yep,I agree there is no 100% protection but I come pretty close with my ghost images and a clone on a slave.

Anyway I'm still convinced virtualisation is a safer way to go in pc protection than signature based apps.

 

Full virtualization is ultra slow even on top hardware. Very acceptable to run Win9x but way too slow on WinNT for anything else except testing.

 

Ok I Stuffed up.The above quote should have been-"the virtualisation security apps that I have tried don't slow my pc down at all".

 

Hmm, what you do about malware that is programmed perfectly "legal" and doesn't use any exploits to activate?

There was an exploit lately for VMWare that allowed to execute code on the host system.

Any complex file format which requires parsing is possibly a source for exploits. WMF didn't even use heap or stack overflowing, so how did those sandboxes caught it?

And that makes you feel better? Knowning it is so "easy" to find weaknesses wouldn't make me feel any safer about the product.

Again, what you do to protect against "legally" programmed malware?
Or does the virtualization also includes behaviour blocking?

 

Ok,you have the "AV Expert" title. And I don't consider myself anymore than a layman.

Let's try it this way.

Will any AV's protect against zero day exploits-I say-more than likely no.

Will virtualisation (sandbox) security apps protect against zero day exploits-I say-more than likely yes.

Sheesh,where are the authors of these sandbox programs when you need them?

 

We are talking about antivirus software here not about anti-exploit software. Will sandboxie protect you against viruses. Maybe, but LIKELY (not sure just like you) not.


tD

 

Anti-exploit,that's a goodin.OK

 

Well tehnically speaking you cannot define exploited WMF component as legit or dangerous. The coding was done by including that feature.
It's quiet similar if you try to !accuse" explorer.exe process because it can access internet, both ways, access FTPs both ways. Wait, explorer.exe is just interface. Well it isn't... Sandboxes are as smart as rules implimented in them.
If nothing is triggered "by the rules" it won't flag anything. That includes exploits, viruses, worms or trojans.

 

Hi Loqka, please do not copy/paste material diectly without linking to the source from which you got it.

http://overclockers.com/articles1260/

Although I don't see the original author mentioning "Blackspear's settings?"

 

There's a contradiction in your statement. First you say that all programs were fully updated, but it's a matter of fact that NOD32 2.12 is an obsolete one. Version 2.50 was released more than a half year ago and brought generic detection which significantly improved detection capabilities.

Edit:
Oh, sorry, I overlooked that you cited from an article and read only the initial post. Still, I think that the test collection should be shipped to antivirurs vendors so that they check them out and comment on whether it's legit to detect all the samples.

 

THE SKY IS FALLING!!

DEAR GOD, THE SKY IS FALLING!!

 

Maybe a good idea for a new thread?

Topic could be: differences and pro's/con's anti-virus and anti-exploit software

 

i wonder if a sandbox app can survive the buffer overflow caused by the exploit

 

do you mean something like Norman Sandbox or something like SandboxIE?

 

They didn't tecnhically "catch it", but the malware gets executed sandboxed and all the executables and registry entries are not written on the "real" system, so they can all be flushed easily. I know because I've tested it myself.

 

What buffer overflow?

 

thats what exploits often do, cause buffer overflows..

now if you rely on a sandbox, lets say SSM, or tiny, question is can it survive the buffer overflow to stop the malware using the exploit(s)

 

It is sad that apart from the fact that not all AV's where used
with a version of the same date (some versions 6 months + older !!)
that there is not mentioned how many False Positives there where

And:

Have they any idea what they were testing?

Some of them may count Tracking cookies etc as well ..
This is comparing completely different things.

If this was done the correct way, you should be able to see
for every AV how many real virusses it found and how many Virus-FP's

And for every AV how many trojans it found and how many trojan-FP's.

Etc.

Worst case scenario, if you are going to test data that contains
2 virusses and 500 tracking cookies:

And test this data with AV's that differ more then six months.
The one that finds 10 virusses is 2nd best
after the (only one that looks for trackingcookies) that finds 200 trackingcookies and no virusses?

It is rather useless near my opinion...