Which anti-virus has a better detection rate?

Discussion in 'other anti-virus software' started by ninja_style, Oct 13, 2004.

Thread Status:
Not open for further replies.
  1. hbkh

    hbkh Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    129
    Location:
    Ohio, USA
    I am truly sorry for implying your service was faulty. That was not my intention. I actually think it's a really good service; actually I'd be lost without it.:D My only goal was to imply that a person should not use the %'s as a marker of quality for the AV products. :)
     
    Last edited: Oct 16, 2004
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Yes it's hidden but it's harmless, and once you open/extract the infected archived file it should be detected (assuming the AV detects it). I am not concerned about archived files but some people are and that's understandable.

    The point I tried to make was if I submit 50 WinRAR infected files to compare i.e. KAV and Norman, the detection ratio would be 50:0. What if Norman detects them all in normal executable form? Can we say in this example KAV has a better detection rate because it's able to scan more archives than NVC? I think not.


    There is always room for improvement but they don't lack a lot.
    According to http://www.av-comparatives.org/ and my own testing, F-Prot does a great job. The only thing they need to do is to add a decent unpacking engine and upgrade the heuristics engine (which I prefer over generic signatures).



    tECHNODROME
     
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    A file inside an archive meets the same restrictions as if it were inside the antivirus quarantine. It cannot do anything as long as it's inside. When you extract it, it will be detected, and if you launch it directly it will be detected in the temporary directory (a file cannot be executed directly from within an archive).
    So archive scanning is just a waste of system resources IMO.
    Executable packers are something different and are much more important.

    Thanks Jordi, for clarification of your statistics. I couldn't find the right words (damn english hehe).
     
  4. Jotti

    Jotti Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    11
    Location:
    The Netherlands
    hbkh: That's ok :) I don't take these things personally anyway ;)
    That's a good point. You're right. It's not fair to judge detection ratios like that. But I _still_ think AV programs should at least have an _option_ to scan inside those. When I get infected before the AV update and can't find the source that caused it, as soon as I perform a full system scan, I really want to know if my drive has malware lying around or not, right there, right at that moment. Not at the time I happen to extract that particular archive months later.
    As long as only a few unpackers are supported, malware will have to be flagged by a signature made from the packed executable. There's a lot of packers out there and so is malware. I just get too much malware undetected (at the time of uploading, they add quite a lot from what is automatically submitted) to concur with this statement. Quite a lot of SDBots/Rbots/Agobots are only detected by KAV, Bitdefender and/or DrWeb, just because they support the runtime packer and have a (relatively) good generic signature. I mean, there's hundreds of those bots.

    As for heuristics: I prefer sandboxing. "Advanced" heuristics cause a lot of false positives, where sandbox classifications are mostly right. Mostly. If implemented properly. (I say mostly, because NVC's sandbox is also flagging dozens of VB projects just because it's VB and it matches one little other criterion.)
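    Jotti's point about runtime packers, as an added illustration (example code written for this page, not Jotti's scanner or any vendor's engine): a toy scanner holds a signature taken from the unpacked body and has an unpacking engine that knows exactly one packer stub. The two "packers" (zlib and a single-byte XOR), the stub marker values, the payload text and the signature names are all constructed for the example.

```python
import zlib

# Constructed stand-in for a bot's unpacked body (plain text, not real malware).
PAYLOAD = b"CONSTRUCTED-SAMPLE: NICK bot1234 JOIN #c2 PRIVMSG #c2 :hello"

# Signature written from the unpacked body, the way a vendor would prefer.
SIGNATURES = {"Constructed.Bot.A": b"JOIN #c2"}

# Two toy "runtime packers"; each prepends a hypothetical 4-byte stub marker.
STUB_LEN = 4
MAGIC_ZLIB = b"ZPK1"
MAGIC_XOR = b"XPK1"


def pack_zlib(data: bytes) -> bytes:
    return MAGIC_ZLIB + zlib.compress(data)


def pack_xor(data: bytes, key: int = 0x5A) -> bytes:
    return MAGIC_XOR + bytes(b ^ key for b in data)


def unpack_zlib(blob: bytes) -> bytes:
    return zlib.decompress(blob[STUB_LEN:])


# The scanner's unpacking engine: it recognises the zlib stub only.
# The XOR packer is "unsupported", like the many packers Jotti mentions.
UNPACKERS = {MAGIC_ZLIB: unpack_zlib}


def scan(blob: bytes, signatures: dict, unpackers: dict = UNPACKERS):
    """Return the name of the first matching signature, or None if clean."""
    # Pass 1: static signature match on the bytes as they sit on disk.
    for name, sig in signatures.items():
        if sig in blob:
            return name
    # Pass 2: if a known packer stub is recognised, strip it and rescan the body.
    for magic, unpack in unpackers.items():
        if blob.startswith(magic):
            return scan(unpack(blob), signatures, unpackers={})
    return None


def packed_signature(name: str, packed_blob: bytes, length: int = 16) -> dict:
    """The fallback Jotti describes: a signature cut from the packed bytes,
    usable only when the engine cannot unpack the sample itself."""
    return {name: packed_blob[STUB_LEN:STUB_LEN + length]}


if __name__ == "__main__":
    print("plain      :", scan(PAYLOAD, SIGNATURES))
    print("zlib-packed:", scan(pack_zlib(PAYLOAD), SIGNATURES))
    print("xor-packed :", scan(pack_xor(PAYLOAD), SIGNATURES))
    fallback = {**SIGNATURES, **packed_signature("Constructed.Bot.A.packed", pack_xor(PAYLOAD))}
    print("xor-packed, packed-bytes signature     :", scan(pack_xor(PAYLOAD), fallback))
    print("xor-packed, other key, same signatures :", scan(pack_xor(PAYLOAD, key=0x33), fallback))
```

    The last two lines show the cost of the fallback: a signature made from the packed bytes catches that one packer configuration only, and a different XOR key is enough to miss again, while the signature on the unpacked body keeps matching for every packer the engine can strip. That is why the number of supported unpackers, not only the size of the signature database, decides how many packed bots a scanner catches.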
     
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I don't get a "lot of false positives" using AH on a game machine with a lot of teenagers using it. Actually I have very seldom seen one. AH has provided some good protection for me. Example: https://www.wilderssecurity.com/showthread.php?t=42010

    Also I just noted this on your page.

    Scanner                  Malware name                    Time taken
    AntiVir                  X                               2.69 seconds
    Avast                    X                               4.62 seconds
    BitDefender              X                               6.99 seconds
    ClamAV                   X                               14.30 seconds
    Dr.Web                   X                               9.25 seconds
    F-Prot Antivirus         X                               1.25 seconds
    Kaspersky Anti-Virus     Backdoor.Win32.Haxdoor.al       8.79 seconds
    mks_vir                  Trojan.Haxdoor.Al               2.76 seconds
    NOD32                    probably unknown NewHeur_PE     6.93 seconds
    Norman Virus Control     X                               31.93 seconds
     
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Basically the Sandbox is just a virtual machine. Norman programmers just have to make rules on which NVC flags the files as infected or not.
    Like connecting to IRC channels, sending huge numbers of mails and so on.
    When some of these rules are matched, NVC gives a warning.
    And as I can see from Jordi's statistics they make more use of the Sandbox than of signatures :) Might sandboxing be the future of detection? Who knows ;)
    At least it looks a very interesting idea for active file testing.
    I also like the output info which describes what that file did in the virtual environment. I mean exact info like IRC channel names, usernames and passwords used to login, IPs and so on. Very interesting.

    Second interesting thing is that i have never seen Kaspersky with its heuristics in action hehe. They have nearly everything covered by signatures huh.
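    The rule-based classification RejZoR describes, as an added example (written for this page; it is not Norman's sandbox code and the line-oriented "kind arg arg" report format is a constructed stand-in, not NVC's real output). Each rule matches one behaviour class from the post (IRC connect and join, mass mailing, dropping a file into the system directory, a Run-key entry), carries a weight, and a sample is flagged only when the combined score passes a threshold; the three behaviour logs and every host, channel, nick and path in them are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, List[str]]  # (event kind, argument list)

# Constructed behaviour logs, one event per line: "<kind> <arg> <arg> ...".
BOT_REPORT = """\
net.connect irc.example.invalid 6667
irc.join #c2-test
irc.login nick=bot1234 pass=hunter2
smtp.send count=250
file.copy C:\\Windows\\System32\\svchost32.exe
reg.set HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
"""

BENIGN_REPORT = """\
file.open C:\\Users\\me\\readme.txt
net.connect www.example.invalid 443
"""

# A mail client sending a newsletter: one suspicious behaviour, nothing else.
MAILER_REPORT = """\
file.open C:\\Users\\me\\newsletter.txt
smtp.send count=60
"""


@dataclass
class Rule:
    name: str
    weight: int
    match: Callable[[List[Event]], bool]


def parse_report(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events


def has(events: List[Event], kind: str, pred=lambda args: True) -> bool:
    """True if any event of the given kind satisfies pred on its arguments."""
    return any(k == kind and pred(a) for k, a in events)


def arg_value(args: List[str], key: str):
    """Return the value of a key=value argument, or None if absent."""
    for a in args:
        if a.startswith(key + "="):
            return a.split("=", 1)[1]
    return None


RULES = [
    Rule("irc_connect", 3, lambda ev: has(ev, "net.connect",
                                          lambda a: bool(a) and a[-1] in ("6667", "6697"))),
    Rule("irc_join", 2, lambda ev: has(ev, "irc.join")),
    Rule("mass_mail", 4, lambda ev: has(ev, "smtp.send",
                                        lambda a: int(arg_value(a, "count") or 0) >= 50)),
    Rule("drop_into_system32", 2, lambda ev: has(ev, "file.copy",
                                                 lambda a: bool(a) and "system32" in a[0].lower())),
    Rule("run_key_persistence", 2, lambda ev: has(ev, "reg.set",
                                                  lambda a: bool(a) and "\\run\\" in a[0].lower())),
]

# A single weak rule must not flag a file on its own; that is the false-positive
# control Jotti's VB example is missing.
THRESHOLD = 5


def classify(text: str, rules=RULES, threshold: int = THRESHOLD) -> Dict:
    events = parse_report(text)
    hits = [r.name for r in rules if r.match(events)]
    score = sum(r.weight for r in rules if r.name in hits)
    return {"score": score, "hits": hits, "flagged": score >= threshold}


def indicators(text: str) -> Dict:
    """The report detail RejZoR likes: hosts, channels and logins observed."""
    events = parse_report(text)
    return {
        "hosts": [a[0] for k, a in events if k == "net.connect" and a],
        "channels": [a[0] for k, a in events if k == "irc.join" and a],
        "logins": [dict(p.split("=", 1) for p in a) for k, a in events if k == "irc.login"],
    }


if __name__ == "__main__":
    for label, report in (("bot", BOT_REPORT), ("benign", BENIGN_REPORT), ("mailer", MAILER_REPORT)):
        print(label, classify(report))
    print(indicators(BOT_REPORT))
```

    The mailer log scores 4 on the mass-mail rule alone and stays below the threshold, while the bot log trips every rule; the threshold and weights are the knobs that trade detection against the false positives the thread complains about.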
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I have actually had one, but i agree they have nearly everything covered by signatures. ;) :)

    Regards
     
  8. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    So, what are the main differences between "sandboxing" (Norman) and "emulation" (Nod's AH)? I haven't really been able to figure that out yet.
    Even some AV-guy couldn't tell me a _significant_ difference, which would e.g. explain/support Jotti's statement.

    btw: I agree with Stan999, regarding Nod's AH as highly effective (I haven't seen Norman's sandbox in action lately, though... it seems to be quite powerful, too.) :)
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Unless you sit down and jaw (that’s if they ARE WILLING to talk about it) with programmers of each product you won't be able to tell "_significant_ difference". We all know the concept but we don't know bits and bytes. To many it would be too technical and confusing anyway.

    There is a white paper available on Norman's sandboxing but imho, it covers basic topics about NVC sandboxing capabilities.

    The future version of Norman Sandboxing will cover a wider range of viruses (so I've been told) but for now it's limited to binary email and network worms. I look forward to this...


    tECHNODROME
     
    Last edited: Oct 16, 2004
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    "True" comparison!?!? I hope that you aren't implying that all other tests are meaningless? False? Lies?

    VB merely tests one relatively narrow, pre-defined category of current malware. It provides useful information, but is by NO means the sole & final authority that some people make it out to be.
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York

    I agree sir. That’s why I said it might be important to some people.



    NOD32's AH and Norman's Sandboxing are quite similar. Both technologies are based on “Virtual Machine environment". Although NOD32's AH besides virtual environment analysis runs additional classic heuristic mode (via code analysis) to determine file status.


    tECHNODROME
     
  12. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @Technodrome
    I see, we think quite the same about Norman's sandbox and Nod's AH (and afair, we already discussed Norman's papers about their technology some time ago at this board.)

    Probably Jotti wants to further comment on this topic and his statement, to make things more clear. :)
     
  13. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    No, not implying that other tests are false, only that the Virus Bulletin test is respected the world over, therefore a good gauge of the Av programs capabilities.

    The posted test that some current AV programs only detect 30% of malware, is to me utter garbage, and should not have been posted, if this were the case then the companies in question would have gone broke a long time ago.

    It is common knowledge that AV companies share discoveries between themselves to give us all better protection. So if company A finds virus X, companies B through Z will have updates out ASAP to detect it.
     
  14. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Against my 3014 samples the situation seems to be like below. Just added MKS_VIR 2004 to the test table.

    Best regards,
    Firefighter!
     

    Attached Files:

    Last edited: Nov 7, 2004
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Firefighter

    It would be nice to have the image as an attachment we can download so it's a bit bigger and easier to read
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To dvk01 from Firefighter!

    How I can add my picture as a downloadable attachment here in Wilders Forum?

    Best regards,
    Firefighter!
     
    Last edited: Nov 4, 2004
  17. hey firefighter post results from your 3k samples for kaspersky pro and kaspersky personal.. just want to see the results (extended databases)
     
  18. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    I imagine that the results would compare to eScan. Since it uses the KAV engine and database... Correct?
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Zip the pic and add the zipped file as an attachment to a post ?
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To NAMOR from Firefighter!

    I've scanned my samples with KAV 5.0 using extended databases before, but no differences to mention compared to eScan.

    And about zipped attachments, "Valid file extensions: gif jpe jpeg jpg log png txt" here in Wilders.

    Best regards,
    Firefighter!
     
  21. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Firefighter, this collection of yours is zoo samples correct? Or is it ITW samples?
     
  22. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To flyrfan111 from Firefighter!

    I think that my samples are a mixed one between these you mentioned. And about trojan like malware, I have not seen any ITW list anywhere. Some weeks later from that first scan of my 3k samples, I tested DrWeb again, it detected tens of samples more than before (shown now in my table, also other av:s in my list were scanned again with more or less better results). So, where is the limit between ZOO and ITW of samples?

    Best regards,
    Firefighter!
     
    Last edited: Nov 5, 2004
  23. ws123

    ws123 Guest

    gdata avk 2005 is using kaspersky and bitdefender engines !
    very good detection rate.
     
  24. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    RejZor, do you really believe in what you posted? :cool:
    You know that this is discussed a lot: the environment of a test (sensibility, archive scanning, the viruses tested, etc. etc.). I've read from you, a lot of times, that you do not believe in all of these tests :p
     
  25. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    RejZoR, I found an example of what I was saying:

     