F-Protect impression

Discussion in 'other anti-virus software' started by Bunkhouse Buck, Feb 14, 2008.

Thread Status:
Not open for further replies.
  1. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    Indeed - this is a side effect of using heuristic detection. For example a "paranoid" heuristic rule might detect that a program is a downloader, nothing more, nothing less. Now, there are a whole lot of non-malicious downloaders out there, and this rule will presumably trigger on such programs. If you know that the program in question is supposed to download files, and you have the technical skill to understand what "heuristic detection" really means, fine. The problem is that most users don't have the technical knowledge to evaluate reports generated by such "paranoid" heuristics.
     
  2. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
    My F-PROT impression? Well, it's nice to see Frisk taking more time to answer and visit here. Thank you Frisk (Fridrick)!
     
  3. thehudd

    thehudd Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    56
    I, too, appreciate Frisk's presence in the forum and was tempted to give F-Prot a try. One scan revealed about a half dozen false positives and after the computer had rebooted a time or two (not related to F-Prot), I could no longer get the service to start. When trying, got a popup stating a problem with FPAVserver.exe. So, unfortunately, F-Prot doesn't seem to like my setup and is not for me.
     
  4. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I gave up on the program as it started to slow down my machine and it began to use a lot of CPU. The other problematic thing is that you need to do line commands to set the heuristics to a higher than default level. This is unacceptable for a "modern" program. I'll stick with Dr. Web or Avira until proper innovation is achieved.
     
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    With the on-demand scanner you simply select "Thorough" scan for the higher heuristic level.
    Sorry to hear of this and it is unusual as I have never seen F-Prot 3 or FPAV 6 take up hardly any CPU time. Again yet another example of software behaving differently on different systems.
     

    Last edited: Feb 18, 2008
  6. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Thank you for the response. What is the correlation (if you know) between the on-demand scanner set to thorough scan (level 3?) and the results that appear in Shadowserver?

    I have decided to give it another try. I will clean out the registry of all FPAV6 remnants and will reinstall the program and see what happens. Never had a problem in 38 years of using computers I could not fix.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Regarding "paranoid" heuristics detection, sometimes I wonder why vendors won't just focus on optimizing their heuristics towards the end of maximum detection with minimum FPs, and offer only one setting to either turn heuristics on or off instead of options for low, medium, high, paranoid etc. heuristics. I'm aware that the ideal heuristics balance isn't easy to achieve at all, but I don't think that tossing the choice of having more FPs or inferior detection to the end user is very responsible either. It feels more like AV vendors are just trying to cover their own arse whenever undesirable things happen by blaming it on "improper" settings.

    Just my two cents.
     
  8. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I just reinstalled it, and everything is fine. F-Protect is at the top tier of performance for detecting zero-day exploits according to Shadowserver - that is something I like.
     
  9. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Good to hear.
    If you look at Friðrik's previous post it suggests that there may not be a big difference between scan 3 and scan 4 detection rates.
    Although FPAV 6 now has good heuristics, I am/was surprised that it does so well here compared to some other AVs. Other unexpected results include VBA32 and BitDefender not showing up very well and both of these AVs are known to have very good heuristics.

    IMHO, the validity of the testing procedure/test-bed still needs to be clarified at Shadowserver.
     
  10. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas

    Perhaps the results are the actual real-world efficacy of the heuristic engines and not what many of us have assumed in terms of effectiveness.
     
  11. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    Well, I assume that this is exactly the goal of all AV products with heuristic ability. However, you need to distinguish between "narrow" and "wide" heuristics here.

    By "narrow" heuristics I mean something like, say...."Swizzor-downloader.gen" - something which detects one group of malware - a clearly defined group where all the samples are closely related. With heuristics like this, you will get very good detection of members of that group, with virtually no chance of false positives. The drawback is that those heuristics will probably not detect at all some other unrelated group of malware with similar behaviour, and as such, they are of limited use for 0-day detection.

    On the other hand you have "wide" heuristics, like "Downloader-behaviour". Heuristics of this type will detect a large group of malware - many groups which have certain features in common. Now, you could also use a number of "narrow" heuristic rules to detect the same samples, but the "wide" approach has the advantage of having a high chance of detecting brand new (but functionally similar) malware - in other words, much better 0-day detection. However, the drawback is the higher chance of false positives.

    You see, the problem is that heuristic detection is not only supposed to be good against the stuff that is "out there" (something which a large set of "narrow" heuristics will do really well), but also be good against "new" malware - which is where you really need the "wide" heuristics....but they have the drawback of a higher false positive chance.
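
An added illustration of the narrow/wide trade-off described in the post above; it is not part of the thread and is not F-Prot's code. The behaviour names, the sample set and both rule functions are constructed assumptions.

```python
# Constructed data: behaviour names, groups and samples are invented for
# illustration and do not describe any real product's rules or real malware.
FETCH, EXEC, MARKER = "fetches_remote_file", "executes_fetched_file", "family_code_marker"

SAMPLES = [
    # (ground truth, group, observed behaviours)
    ("malicious", "known_family", {FETCH, EXEC, MARKER}),
    ("malicious", "known_family", {FETCH, EXEC, MARKER, "hides_window"}),
    ("malicious", "known_family", {FETCH, EXEC, MARKER, "adds_run_key"}),
    ("malicious", "new_family", {FETCH, EXEC, "hides_window"}),
    ("malicious", "new_family", {FETCH, EXEC, "adds_run_key"}),
    ("malicious", "new_family", {"logs_keystrokes"}),  # not a downloader at all
    ("benign", "software_updater", {FETCH, EXEC, "shows_ui"}),
    ("benign", "installer_stub", {FETCH, EXEC, "shows_ui"}),
    ("benign", "download_manager", {FETCH, "shows_ui"}),
    ("benign", "text_editor", {"shows_ui"}),
]

def narrow_rule(behaviours):
    """Family-specific rule, in the spirit of a '<family>-downloader.gen' name."""
    return {FETCH, EXEC, MARKER} <= behaviours

def wide_rule(behaviours):
    """Generic 'Downloader-behaviour' rule: fetch a file, then run it."""
    return {FETCH, EXEC} <= behaviours

def evaluate(rule, samples=SAMPLES):
    """Return (hits, total) for known malware, new malware and benign files."""
    counts = {"known": [0, 0], "new": [0, 0], "false_positives": [0, 0]}
    for truth, group, behaviours in samples:
        if truth == "benign":
            key = "false_positives"
        elif group == "known_family":
            key = "known"
        else:
            key = "new"
        counts[key][0] += rule(behaviours)  # True counts as 1
        counts[key][1] += 1
    return {k: tuple(v) for k, v in counts.items()}

if __name__ == "__main__":
    for rule in (narrow_rule, wide_rule):
        print(rule.__name__, evaluate(rule))
```

On this constructed set the narrow rule catches every known-family sample with no false positives but none of the new family, while the wide rule also catches the new downloaders and flags the two benign programs that fetch and run a file.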
     
  12. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    To be fair, I would not exactly consider the Shadowserver results indicative of what most people consider 0-day detection. Basically, those results show you how the different AV products are doing against the threats that are "out there" right now, with extra weight given to "common" threats, but some of those threats have been around for quite a while, even though the actual samples detected may be "new".

    True 0-day detection should really only measure the performance against new threats at the time they first appear.

    In the Shadowserver results, most of the programs detect 98-99% of the samples. Fine....however, I really, really doubt that those same products (yes, including my own F-Prot) would get more than 75% of new threats WHEN THEY APPEAR.

    The Shadowserver results are not meaningless - but you need to interpret them correctly. They are also a bit skewed by the fact that some AV companies receive copies of the samples they miss, but others (like we) don't.
     
  13. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    quick q: any time frame we can expect the release of the next version of F-Prot? The LAN 6.0.7.1 version is kind of outdated with the Internet version already 6.0.8.0...
     
  14. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    i always liked f-prot.. any chance of a suite any time?? just curious.. most people i know have switched to suites only as they seem to be the way the average consumer is going..
     
  15. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Any reason for Frisk missing out on these samples?

    Hopefully they will concentrate on more configuration options and producing a bug-free current version first.

    Further, Frisk is a small vendor and it takes a lot of manpower to implement a good Suite that works. IMHO, Frisk should concentrate on the standalone AV and continue to concentrate on improving its detection rate as regards heuristics, spyware, rootkits/keyloggers and behaviour blocking.
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I agree. I for one do not like Suites. I won't use a Suite. I wouldn't be averse to having a classic HIPS added (because ProcessGuard is getting old) but I don't want all the stuff that gets put in Suites that forces the price up and that I would not use. Avira just added backup capability to their suite. I can't believe they did that with all the things we users have asked for in the new version and we didn't get but we got backup stuff? Geez.... Everybody already probably has Imaging software and if not they have some kind of backup in place. An antivirus vendor has no reason to add stuff like this. I want my antivirus to be the best damn antivirus out there and not have it try to do 6000 other things.
     
  17. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    A week or two. We have a deadline on Feb 28th anyhow for the next Virus Bulletin test (32-bit Vista), and other versions will follow right afterward.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Bumping an old thread. Been testing F-PROT since yesterday, and I just wanted to comment on my being quite impressed with the new Maximus and Eldorado engines. F-PROT seems to have rather poor signature detection with Asian malware, so it was quite fun watching it having to resort heavily to its heuristic engines when I let it loose against my collection. A very satisfactory hit/miss ratio indeed.

    Not quite in the same league as NOD32/BitDefender yet, but not really all that far behind either. I might consider purchasing a copy, depending on how much they sell for in Australia...
     
  19. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    The Eldorado engine in particular has greatly increased detection rates ;) I found its detection rates were relatively poor before this new heuristic engine was added.

    This should have improved since September and will continue to do so as they are being sent LOTS of Chinese/Asian malware each week.

    Similar findings to my testing.

    I assume the same $29 changed into Australian dollars.
     
    Last edited: Feb 23, 2008
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Personally, I doubt this. Frisk has repeatedly stated their policy of adding samples on a priority basis, and in my past experience turnaround time is one of the worst for non-mainstream malware. Add that to the fact that they have virtually zero market presence in Asia, and I don't think signature detection rates for Asian malware will be improving anytime soon.

    Still, for European/American users in general, it's not a bad choice at all. Rumors persist of subpar ad/spyware detection rates, but unfortunately I don't have enough samples to verify that.

    Just my two cents.
     
  21. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Yes, not the greatest but they are (slowly) working on it.
     
  22. Big Apple

    Big Apple Frequent Poster

    Joined:
    Aug 22, 2006
    Posts:
    724
    Had a go again with the latest download, but it still slows my system down a great deal. It's really weird.......there are just a few AV programs that don't influence my system speed! I like F-prot a lot, but I hate AV's that slow my pc down. So......back to Avg Free for now again.
     
  23. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Never had it slow down any of my machines. In fact, faster than any other AV I have tested. You may want to uninstall, clean out registry, and install again. It sounds like it is not your machine or the program that is causing the slowdown.
     
  24. Big Apple

    Big Apple Frequent Poster

    Joined:
    Aug 22, 2006
    Posts:
    724
    I have tried everything, but no go. As soon as I uninstalled F-prot, my pc is back to the proper speed I'm used to. Have the same with Kav, Avg 8.0, Avast. My system stays fast with Avg 7.5 Pro and Free, Avira, Nod32, Dr. Web.
    Experience the same thing after a clean install of Windows, so this seems to be different for everyone. No pc is the same, depending on hardware/software configurations.
     
  25. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    That is true and not true at the same time. I can tell you at least 80% of the time, it is a conflict with some other anti-malware program(s) or remnants of others. What other anti-malware are you running?
     