I searched on "tencent" in this forum, got no returns so I'm thinking no one's posted up on this yet. Or not. http://www.av-comparatives.org/wp-content/uploads/2014/12/Tencent_Chinese_XP_exploit_AVC_V2_1128_CN.pdf I gather it's a WinXP exploit test of seven products within the China totality. Anyone familiar with AV-C reports understands the red/yellow/green charts. And 99% of the Wilders community never actually reads anything anyhow, so what that it's in Chinese? Interesting results of the red bars... Cheers.
Interesting, I wondered who sponsored the test, it's not hard to guess. No but seriously, quite surprising that Kaspersky and Bitdefender didn't do too well.
Is the 74% blockage + maybe 18% or so user-dependent not well for you? As a note, if it was Vista+ Kaspersky would have earned better score, this is consistent tendency in all exploit tests, maybe because they rely more on AEP than NIPS to block exploit (it's not hard to imagine AEP is limited on Xp). About Bitdefender, no surprise at all, they have been performing poor in all exploit tests they attended while they have probably the best BB as well as strong malware signature, heuristics, and URL blocking. Contrary to this, Norton/Symantec constantly perform well in all exploit tests thanks to its strong NIPS, while very poor at FDT (I know they're poor too in URL blocking). Maybe Tencent spent massive effort to block Xp exploit, but of course this don't guarantee it will perform well in dynamic test. I strongly hope AVC provoides English report, since when we interpret this type of test, we have to be extremely careful. e.g. MRG's corporate exploit test were done in unfair condition (you can't directly compare it with NSS' one as they're done in different configuration). And NSS' exploit evasion test were almost meaningless (if you read through the document you'll find why).
Good post, you're completely right. About Kaspersky AEP: http://www.kaspersky.com/downloads/...er_automatic_exploit_prevention_eng_final.pdf
Bitdefender's Active Virus Control, AVC, is in addition to their "malware signature, heuristics, and URL blocking." I ponder if these recent tests are of sufficient magnitude and depth to fully determine the efficacy of AVC. Or the exploit detection of any other AV/IS. While "exploit blocked before exploit" and "exploit blocked before malware execution" are admirable results, do these "all exploit tests" actually continue to test while the malware has had chance to, well... behave? #36: Read the paragraph beginning with "After passing B-Have" and see the screen shot: http://www.wilderssecurity.com/threads/lavasoft-ad-aware-latest-version-threads-merged.364565/page-2#post-2418074 Actually, you can read the whole post if you want. #55: I'm convinced of a recent "zero-zero-day" exploit save due to AVC: http://www.wilderssecurity.com/threads/lavasoft-ad-aware-latest-version-threads-merged.364565/page-3#post-2438551 The links were related to significant breaking news, about 2-hours old, and the site belonged to an independent TV news station in the small municipality where the event was occurring. Of course, the sophistication of exploits out-pacing that of testing has long been a discussion in this arena. Cheers.
Unfortunately, that pdf don't gives much detail about AEP. From it reader may conclude AEP is just behavior-based drive-by download protection + forced ASLR (which of course don't make sense in Xp), but actually AEP is more. AEP is a general term of anti-exploit technology in KIS/KEP that include e.g. monitoring (call) stack to see if there's unusual data or pattern (kind of memory heuristics), locking down behavior for popular software, special component for java which monitor behavior inside java sandbox. I'm not sure if NIPS is included in AEP, but it's just a matter of word or definition.
First of all, nobody should regard this type of specific tests as reflection of overall performance of the product, that is the task of dynamic test. IMO, those specific tests (except some, such as phising tests) are only meaningful when reader thoroughly read methodology and have intention to understand how each product works. AVC is basically BD's BB, so unless it has behavior-based anti-exploit feature, it's no relevant to this type of tests. Some tests continue to malware execution, but in that case they're distinguished from pure exploit score. AFAIK, BD don't provide any info about if AVC includes behavior-based anti-exploit, your 2nd link suggest it does, but not sure because I don't know details about it. And anyway, blocking exploit in earlier stage is better. Once exploit is suceeded, downloading malware is just an option for attacker though it is most preferred method. He might try just steal some info stealthly from victim like FBI's Tor exploit, or, by leveraging the first exploit, try next local exploit to gain admin, system, or possibly even kernel privilege. Some exploits such as application design flaw or kernel exploit can only be blocked by NIPS, though NIPS had its own drawbacks e.g. only protect known vuln and if attack is highly obfuscated it'll fail. Moreover, what important for me is, those specific test gives us clue about how each product works, what is each company's strategy, and by combining dynamic test results what funtion or strategy makes difference. You'll see just after Panda employed anti-exploit in v2.2, there score increased in all dynamic tests. Same goes for Kaspersky AEP. Not only product itself, we can also estimate effects of backend improvements. I don't mention recent improvements about Trend as Mayahana already talked, but actually it was already seen around 2012 where they announced backend reconstruction, if you made a graph of Trend's score from around 2010 you'll find what was happening. I completely agree with him, but so far we can only estimate from those clues.
Kaspersky for examples owns a patent which describes a way of detecting the exploitation of software: https://www.google.nl/patents/EP272...&sa=X&ei=E9CdVLawNYWAUcSGgrAL&ved=0CCUQ6AEwAA It for example mentions checking whether memory is executable or not. Although the patent doesn't seem to take in account return oriented shellcode
I cant speak specifically to exploits, but while playing with malware I have seen AVG Identity Protection, and Bitdefender AVC block and remove a significant amount of malware 30 minutes or more after execution. I also ponder if tests allow malware a chance to behave.
Thanks! I even didn't think of searching in patent, great finding! Though some exploit tests continue to test malware execution, basically that's out of scope for this kind of test. If you want to know overall protection of a product, go to dynamic test (aka real-world test). If you only installed a security suite, what you want to know would be that. But if you're security enthusiast and having several or more products installed, you'll find those specific tests are quite useful to estimate how each product work and in where the product is strong, thus it help you to decide what products to combine.
I respect your expertise regarding this, that and the other thing regarding BD's AVC and make no argument against the supposition you present. However, BD's "basically BB" is B-Have and effected by one system driver and two libraries which is not to diminish their strength. AVC on the other hand, several system drivers and at least a half dozen libraries (I dont' care to dig into it right now to come up with the exact numbers) and supported by nine routinely updated databases. Two of those libraries inject separately into each and every running process. http://www.wilderssecurity.com/attachments/ls-avc_atwork-jpg.244856/ AVC is anything but "basic" and the word has no legitimacy in its discussion. Your viewpoint in that respect needs adjustment. Lest I consider your technical savvy, well... basic. Thank you. And, of course, Cheers.
Yes I misread, on second thought, Kaspersky did perform quite well. Too bad they didn't test HMPA and MBAE.
Maybe my bad English, but I didn't mean "AVC is just a basic BB" by "basically". I meant "AFAIK, 90+% of AVC is BB, though there might be some other function" (in fact some other AV/IS's BB have additinal function such as automatic sandboxing). And actually I think AVC is probably the best BB in industry (I actually said it in #10 too), from what I've seen it is even better than Kaspersky. I hope this addresses your concern. At the same time, if you're native English, I'll be very appreciated if you can explain or illustrate better words for me, as one reason I participate in Wilders is to learn/improve my English. AFAIK, B-Have is dynamic heuristics engine which examines file's behavior in emulation, so true BB is AVC only. And that databases is for behavior signature which all good BB uses from around 2011, this is because classical scoring based BB can't catch up latest malware trend where criminals try to bypass BB. BTW, I'm not tech savvy. I even lacks very basic knowledge of programming, network, and other IT things. I'm just a guy who search for anything almost obsessively until I get a feeling of understanding when I come across sth I can't make out.
