AVs having a real impressive day

Discussion in 'other anti-virus software' started by trjam, Jan 30, 2008.

Thread Status:
Not open for further replies.
  1. ren

    ren Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    45
    Hello,

    Are the samples executed, trjam? Because DeepGuard is similar to PDM, it won't work on a signature test, as far as I know?
     
  2. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    What happened to Kaspersky and Bit?
     
  3. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    They are near the bottom for the Weekly and Monthly data. To see if they regress to the mean a little bit, we can look at the Yearly data. On the Yearly, Kaspersky is 8th out of 17 AVs, and BitDefender is 12th out of 17. Not as bad, but not good either. It appears that heuristics (obviously) are critical for Zero-day malware, and the results are an indication of the efficacy or inefficacy of the AVs tested in this context. Of course the settings are critical so as to maximize the power of each AV. I would like to see tests with the "default" settings and most aggressive settings.

    I personally have my Avira settings on max everything. And, even with these settings, I have never had a false positive in years of use. I did have a number of FPs with Dr. Web which I still like right behind Avira (at least on my computers). Your experience may be different.
     
    Last edited: Feb 2, 2008
  4. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    Yeah, I've seen the yearly result and it looks somewhat good to me. However, the reason why I don't like this test is that there's, generally speaking, no consistency except when you see the long term.
     
  5. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I wonder since Avast doesn't have heuristics, (although it does have generic detection) but its detection rate here is very good, if its Web Shield was set to high?
     
  6. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Yes, you are correct, but I think that is the point - they are inconsistent (a lot of standard deviation). This means that they all are inconsistent at times, which means protection is not as good as most think (at times).
     
  7. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    The inconsistency is not only due to the AVs. Quite frankly, I don't think that any AV can consistently get much more than 75% 0-day success (75% of the malware, but perhaps 99% of the samples that are "out there"). What happens is that if a brand new threat appears, and is common/widespread so that it accounts for a significant percentage of incoming samples, some AVs will detect it, and show very good detection rates on that particular day, while other AVs will fail to detect that particular malware initially, and their detection percentage will drop significantly, perhaps for a few days until detection has been added.

    Despite those apparent jumps in detection rate, the AV programs may be consistent in that they have, say, 95% detection of malware and 75% 0-day detection over time.
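
The effect described in the post above, worked through as an added example that is not part of the original thread. The feed counts, family names and the two AV profiles are constructed for illustration and are not Shadowserver data.

```python
from statistics import pstdev

# Constructed feed: samples received per family per day (hypothetical numbers).
FEED = {
    1: {"FamA": 600, "FamB": 300, "FamC": 100},
    2: {"FamA": 100, "FamB": 100, "NewWorm": 800},  # widespread new threat appears
    3: {"FamA": 100, "FamB": 100, "NewWorm": 800},
    4: {"FamA": 100, "FamB": 100, "NewWorm": 800},
}

# First day each hypothetical AV detects a family (family absent = never detected).
DETECTS_FROM = {
    "AV-1": {"FamA": 1, "FamB": 1, "NewWorm": 2},  # catches NewWorm on its first day
    "AV-2": {"FamA": 1, "FamB": 1, "NewWorm": 4},  # adds detection two days later
}

def _detected(av, family, day):
    return DETECTS_FROM[av].get(family, float("inf")) <= day

def daily_rates(av, day):
    """Return (sample-weighted %, family-weighted %) for one AV on one day."""
    seen = FEED[day]
    hits = [f for f in seen if _detected(av, f, day)]
    by_sample = 100 * sum(seen[f] for f in hits) / sum(seen.values())
    by_family = 100 * len(hits) / len(seen)
    return by_sample, by_family

def period_rate(av):
    """Sample-weighted detection rate over the whole period."""
    total = sum(sum(day.values()) for day in FEED.values())
    hit = sum(n for d, fams in FEED.items() for f, n in fams.items()
              if _detected(av, f, d))
    return 100 * hit / total

def daily_spread(av):
    """Standard deviation of the daily sample-weighted rates."""
    return pstdev([daily_rates(av, d)[0] for d in FEED])

if __name__ == "__main__":
    for av in DETECTS_FROM:
        for day in FEED:
            s, f = daily_rates(av, day)
            print(f"{av} day {day}: {s:5.1f}% of samples, {f:5.1f}% of families")
        print(f"{av} period: {period_rate(av):.1f}%, "
              f"daily std dev {daily_spread(av):.1f}\n")
```

Both AVs know the same two of three families on day 1 (90% of samples, 66.7% of families); the only difference afterwards is how quickly one high-volume family is added, and that alone moves the daily figure between 20% and 100%.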
     
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Possibly so, but where are they going online or what are they doing to get their samples? In my "real world", I don't come across anything that remotely resembles any of those zero-day samples.

    It really does depend on what you do online.
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    What I don't get is, if they are ALL zero day, doesn't that by definition mean they should all be heuristic detections? The vast majority seem to be definition detections, which doesn't make them zero day malware, to my understanding anyway.
     
  10. patrikr

    patrikr AV Expert

    Joined:
    Aug 9, 2005
    Posts:
    97
    Location:
    California, USA
  11. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I agree with you in a general sense, but some people do very risky things online and that is the choice they have made consciously or subconsciously. Many end up with problems (look at the posts in this forum) and my original point was that AVs are not necessarily going to protect people especially high-risk people. The data shows there is a lot of standard deviation in the daily/weekly stats compared to the yearly. So my conclusion is that high risk online activity is likely to result in a malware infestation at some point in time with any AV.
     
  12. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    As far as I'm concerned, Avast, strictly speaking, doesn't have heuristics, but the generic detection acts something like heuristics, so in a way it does.
     
  13. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater

    It could be a pricing issue. If you notice, the Linux versions of otherwise reasonably priced AVs are around $200 for a single license. I recall Symantec has a 5 license minimum for the enterprise products, at least SEP.

    Anyway, I find the Shadowserver site to be very interesting. It's too bad they do not give 3 month and 6 month statistics, as the difference between the 1 month and 1 year charts is startling, in some cases. It could be that a product like Clam AV is maturing, or last month could be a fluke.
     
  14. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Maybe if you request a 3 and 6 month list, they might add it.
     
  15. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    If AV Companies like Panda ran around saying Other AV Companies were rubbish, they would be hit so fast with a lawsuit, they wouldn't have enough money to buy the poor Panda any Eucalyptus trees :( But really! I've never seen that on AV sites and probably never will, so don't be so dramatic drama geek :p :D
     
  16. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes, there is a high variance; however, just looking at daily/weekly stats is probably too small of a sample.

    Viruses are collected via honeypots. These are designed to collect viruses and will be 'higher risk' than users.
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Unfortunately, I see things on users' computers that make me cringe... Internet users vary in skills and in brain power. Some have so many "different" infections they number in the dozens...

    Technical types may not be exposed to the same degree as they are; however, this does not invalidate the reality or the extent of the risks that are latent out there...
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Looks at bottom of Shadowserver page...

    Page last modified on November 12, 2007, at 08:07 PM

    So are these results current then?
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    The daily numbers are significantly different every day.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    It isn't that surprising. Different malware, different detections.
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Maybe it's just giving the date of when the page design etc. was last modified and not the statistics. The stats are probably generated via a script or something. Perhaps there should be a script to modify the date?
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Looks like someone at ShadowServer has made a correction. ;) The daily pages now give a proper "Last Updated" time - the weekly/monthly pages still show November 12, 2007 but this will presumably be corrected on their next update.
     
  23. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    I think the settings also matter. Otherwise, how can F-Secure detect more malware than Kaspersky with the same signature? Example:

    Signature            F-Secure   Kaspersky
    Virus.Win32.VB.az    102993     84021
    Worm.Win32.VB.es     12834      10345
     
  24. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    +1... as I mentioned here... guess Kaspersky has a very similar result to F-Secure then and should be at a similar level as F-Secure has... I wonder what other AVs can detect far more by changing the settings.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    The one that has continued to impress me over the last month is Eset. I watch this thing daily and they must be adding something. :thumb:
     