I'm testing AV products against zeroday malware

Discussion in 'other anti-virus software' started by bradtech, Oct 12, 2009.

Thread Status:
Not open for further replies.
  1. bradtech

    bradtech Guest

    o_O o_O o_O


    :thumb:
     
  2. bradtech

    bradtech Guest

    Thanks I will put it in my notepad
     
  3. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Lots of people are using A-squared Anti-Malware, and it seems to get pretty high detection rates. Maybe it would be a good one to test.
     
  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Mat is right about Twister and Rising. They use a write-deny feature when maxed out. I had to use magnification to read the text of the pop-ups. This is useful against drive-by downloads, but when you do want to run the exe there is no sense in blocking it.

    This also explains the blue Twister pop-ups (never had one). I thought it was part of the paranoid settings that I've never used; it is, but apparently it isn't behaviour blocking. It's, well, like an anti-executable.

    The test, to be honest, should be redone, and I THINK that one must deselect the 2 checkboxes under "Virus Infection Defense". I have the suspicion that one of the 2 is responsible for this kind of blocking. Basically you can leave the rest maxed out, but be sure you can actually download the exe. Then try to run it and see what happens.

    I've no idea about Rising's settings, but it used the same write-deny.

    The "normal" Twister alerts were the small ones (registry) and the orange ones (that's BB for sure, I've had many).
     
  5. bradtech

    bradtech Guest

    I will redo the test with those settings off
     
  6. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,183
    where can i see the Zone Alarm video? please
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I am not 100% sure these are the settings to uncheck; I'm making an educated guess. Unfortunately I don't run XP anymore, and on x64 Twister doesn't run, so I can't review the settings. Be sure you can get the malware downloaded without the blue pop-up coming out. That should do it. If you can't find it, just use default settings and tick the registry options (monitor run key, high-protection registry suspicious) and the heuristics. That should provide a good "high" setting without those blue pop-ups.

    There must be something similar in Rising's settings, but I've never run Rising, so I can't help you there.
     
  8. guest

    guest Guest

    You clearly did not watch the Twister videos, did you? And if my 'complaining' doesn't change how unfocused and in a hurry he does his videos, and is therefore in vain... *then* you are right. :(

    Thank you very much. But hey, you did win also! ;)

    ... certainly not in terms of self-pity, congrats! ;)

    Dear Bradtech, please let us *BOTH* stop that kindergarten thingy, ok? :cool:

    I don't want, or didn't want, to make you mad at me or sad or whatever. I just have reason to believe your reviews could be *much* better if you weren't always in such a hurry and under time pressure! :( That's all, and I *really* want to apologize for my harsh words and for upsetting you. Part of the problem is: I don't speak English very well (too few words available), and then it sometimes comes out wrong. Sorry for that!

    Please consider my postings 'positive' (in a weird way ;) ) criticism and NOT picking on you. Thank you!
     
  9. bradtech

    bradtech Guest

    No problem, I was just having fun with your comments. I did take them seriously, and I admit I have been in a hurry, and new to reviewing some of these products. Had tons of requests :) Thanks for your criticisms.
     
  10. bradtech

    bradtech Guest

    I just got done demonstrating Microsoft Security Essentials. Tried going over the settings as in depth as possible. There really isn't a lot to the program. Let a couple of zero-days in and didn't find anything with a scan. I showed which products were detecting the variant in the video, and pointed out a trend I notice, from my own experience, with which companies are always detecting the variants that get by others!
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    FWIW- Rising also has their free PC Doctor which is supposed to be a HIPS like program. I believe some people use PC Doctor alongside the free av but there is supposed to be some setting to disable the av from detecting the PC Doctor, or vice versa.

    http://www.rising-global.com/products/rising-pc-doctor.html
     
  12. guest

    guest Guest

    Thanks for your patience with me! :cool:

    And what I forgot: I really like to watch your (and the other guys) videos because I then don't have to install all that ju ... stuff :D .. on my machine for seeing it in action!

    So your work IS appreciated! THX! - Just take your time and don't let the requests overwhelm you! ;)
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    These are the screenshots magnified:

    1)Twister:



    http://img66.imageshack.us/img66/8536/75595551.png

    It basically asks for permission to write an executable to the Internet temp files. Denying is good for drive-by downloads, where you surf happily and something tries to execute behind your back. But to test the malware upon execution, it has to go. In the worst case, use default settings + registry + heuristics. It shouldn't appear.

    2) Rising:

    http://img504.imageshack.us/img504/7176/61685674.png

    It's basically the same, with the difference that it allowed the exe to be written and now asks for your permission to run it (purely anti-executable). I SUSPECT that the setting for this is "application control", which I saw in your video. BUT, if you can't make this pop-up go away by changing settings, choose "allow execution of this program" (not trust, though). I think this should suffice to let you test the malware.
     
  15. bradtech

    bradtech Guest

    Microsoft Security Essentials is uploading
     
  16. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    2.9 has some issues, but you should be able to test it out.
    Do you have Symantec Endpoint Protection? You can get it off the Symantec Endpoint site if you don't have it. It seems to detect far more than MBM does. I've got it running on Server, and MBM on Server missed a bunch of malware that SEPE found today!
     
  17. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    That's very limited; it works more with IE than it does with FF. I only use it to stop USB threats and for OS patch/repair. That's free, though. RAV isn't anymore.
     
  18. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
  19. bradtech

    bradtech Guest

    I am testing it :)

    Doing a reboot right now :)
     
  20. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Don't stop there. Defensewall might be interesting even though it's not an AV.
    Hugger
     
  21. bradtech

    bradtech Guest

    Very interesting results from GeSwall... Very excellent results!!
     
  22. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    F-Prot is very strong. We started out with the DOS version in our shops several years ago for PCs that had bad infestations and still happened to use FAT32 as their file system type. Then later we had the same good results with F-Prot for Windows. I only switched to NOD32 because it gave more options than F-Prot. I cross-tested F-Prot against NOD32, and it found some viral activity NOD32 misses.
     
  23. bradtech

    bradtech Guest

    Yep, and it detects all of the untrusted apps that tried making the harmful entries, and bam, you delete them all. The exe will run in memory but pretty much be gone after a reboot, and deleted after a scan for untrusted apps.
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    BTW, the Avast v5 beta doesn't have the behavior shield implemented yet; it's just a shell atm.
     
  25. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Same here! Still, it uses very little resources and didn't let anything attack the system, in the sense that it blocks you from allowing the infected code to do anything!
     