I'm testing AV products against zeroday malware

Discussion in 'other anti-virus software' started by bradtech, Oct 12, 2009.

Thread Status:
Not open for further replies.
  1. bradtech

    bradtech Guest

I was very impressed with G-Data last night btw.. It mirrored its av-comparatives reputation before my eyes last night.. Plus it seemed really light weight aside from the 250 MB download *puppy* *puppy* *puppy*
     
  2. bradtech

    bradtech Guest

    Damn! I forgot to upload it! :argh:
     
  3. guest

    guest Guest

    Exactly. - And if you don't judge anymore (scoring by thinking up a number ;)) that problem is solved. :)

    As I told you I would wish that your 'demonstrations' showed a little bit more interest exactly in that ... what is this av program doing right now and why did it stop a (let's suppose) threat ...

    ... hopefully not just because some anti-executable-option was activated. ;)

Your videos could be so *great* as demonstration videos of AV Software (operation, options, use of resources etc.) if you would take more time to explore the av program instead of putting your focus (in my experience with your rushed Twister and Rising 'test') on the malware.

    But of course this would take much more effort and time and I completely would understand if you don't want to do that. - However, I know how to take your videos (not as a test even if this word is/was mentioned) and I am glad that I can watch av programs without installing them (or vm) on my machine! ;)

    I think this all could be so great if this whole 'testing av against av - in a row' thing would be ended (score etc.). - Of course you can even then throw as much 'malware' at your demonstration objects as you like and to the joy of the crowd! ;)

    So please don't stop doing it completely if making some adjustments would be much better. - There is nothing wrong with showing GUI, options and how this program is working, what it is special about etc.! - But that isn't unfortunately done in 5 min. without concentration maybe between 2 postings, you know!? :D
     
  4. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I could not agree more. Keep em coming...:thumb:
     
  5. lonelywolf

    lonelywolf Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    73
    Too much restrictions on a pc is like having a virus on it. Wake up people, defending ourselves from the plague is ok but a bloatware is not a solution.
    I consider myself a free citizen, I am not going to jail to protect myself from thieves. I like Vipre and I like Nod32, regarding the firewall be content with a router and a dose of common sense while surfing.

    Cheers

    :-*
     
  6. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
People seem to think as soon as they shut off their firewall, that their PC is going to get just bombarded with worms and stuff like that. I'm going to do an experiment, I'm going to enable the demilitarized zone on my router and open all ports to the PC, I bet I never see a thing come through :cool:

    I will run without a hardware or software firewall and use the pc for my usual daily activity and leave it this way indefinitely, to see if anything tries to get through my open ports and into the PC.

    I wonder what will happen with no firewall and NOD32 running in the background .... Hmmmmmm
     
  7. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
Lite firewall on your system and a very good antivirus/spyware/trojanware with Malware Behavior monitor is all you really need. Still the router can't do it all unless you get some more hardware rigs for web content filter. Ideal world would be no protection on your PC, thus making it run at the max.
     
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Before I forget I would like to see Panda Antivirus Pro 2010 demonstrated (maybe a better word than tested? - everybody happy now?) against some zero day threats.

    In order of what programs I would like to see demonstrated would be-
    1. Panda
    2. A-squared
    3. ZoneAlarm

    thanks for all the good videos
     
  9. bradtech

    bradtech Guest

    I am going to have to redo my ZoneAlarm test.. VM guest got totally destroyed lol
     
  10. bradtech

    bradtech Guest

    In all honesty I think a layered defense is your best bet.. A good Hardware firewall on your router, a nice software based firewall so you can keep track of what is coming IN, and OUT.. I also think a traditional signature based Anti Virus, with the help of threatfire/PrevX would be good to help also.. I have been impressed with the information I am seeing on all areas of PCTool products from their free firewall to now witnessing threatfire/Spyware Doctor combo.. I would be curious to see how it does against the traditional worms, email viruses, and etc that have been the domain of the AV companies before they all started to claim to protect against everything.
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    A couple of off-topic posts removed.

    Folks, it's simple - stay on topic or the thread is closed. Your choice.

    Blue
     
  12. bradtech

    bradtech Guest

You would be surprised how often you get port scanned, and services exploited.. I set up test honeypots with realvnc, rdp, and many other services like DNS.. Saw a lot of attempts to zone transfer, brute force attempts with tsgrinder on my rdp, and common vnc dictionary attacks.. A long time ago I turned up IIS on a 2000 Server box, and was actually seeing symantec start catching worms on the box.
     
  13. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    Got it, thanks :D
     
  14. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    I'd like to commend the TC for posting these videos as well as handling the "healthy debate" that has gone on in this thread. Giving products scores may have been a mistake but other than that he has been pretty open with how and why he is doing this testing. If users want to run out and change their AV or reassure themselves that they are using the correct one based on the info in this thread, that is the responsibility of the user and not the TC.

    One improvement I would suggest to the TC is to test the products you are interested in every couple of days. Even if you use a small sample size that varies day to day, you should be able to pick up a trend over time for each product as long as the samples you use are chosen completely at random. This is basically what a control chart is in statistical process control. Although, perhaps you might have come up with something like this before?
     
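The control-chart idea in Soujirou's post, worked through as an added example (not code from the thread or from any product mentioned in it): a p-chart over constructed daily detection results, where each day a small random sample is run past one product and the proportion missed is checked against 3-sigma limits that widen for smaller samples. Function names and the sample data are assumptions.

```python
"""Added example: p-chart (statistical process control) over a constructed
daily AV detection log. Small, varying sample sizes per day are fine: the
control limits widen for small n, so only a real shift in the miss rate is
flagged rather than ordinary day-to-day noise."""
import math

# Constructed records: (day, samples_run, samples_missed). Not real results.
DAILY_RESULTS = [
    (1, 10, 1), (2, 8, 0), (3, 12, 1), (4, 10, 2), (5, 9, 1),
    (6, 11, 1), (7, 10, 0), (8, 12, 2), (9, 10, 1), (10, 8, 6),
]


def p_chart(results):
    """Return (p_bar, rows); each row is (day, n, p, lcl, ucl, flagged).

    p_bar is the pooled miss rate over all days. Limits use the standard
    p-chart formula p_bar +/- 3*sqrt(p_bar*(1-p_bar)/n), clipped to [0, 1].
    """
    total_n = sum(n for _, n, _ in results)
    total_missed = sum(m for _, _, m in results)
    p_bar = total_missed / total_n
    rows = []
    for day, n, missed in results:
        p = missed / n
        sigma = math.sqrt(p_bar * (1 - p_bar) / n)
        lcl = max(0.0, p_bar - 3 * sigma)
        ucl = min(1.0, p_bar + 3 * sigma)
        rows.append((day, n, p, lcl, ucl, p < lcl or p > ucl))
    return p_bar, rows


def out_of_control_days(results):
    """Days whose miss rate falls outside the control limits."""
    _, rows = p_chart(results)
    return [day for day, *_rest, flagged in rows if flagged]


if __name__ == "__main__":
    p_bar, rows = p_chart(DAILY_RESULTS)
    print(f"pooled miss rate: {p_bar:.3f}")
    for day, n, p, lcl, ucl, flagged in rows:
        mark = " <-- out of control" if flagged else ""
        print(f"day {day:2d} n={n:2d} p={p:.2f} limits=[{lcl:.2f}, {ucl:.2f}]{mark}")
```

With the constructed data the pooled miss rate is 0.15 and only day 10 (6 of 8 missed) exceeds its upper limit; a run of several days drifting upward without crossing a limit is the trend Soujirou suggests watching for.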
  15. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    You should have familiarised yourself a little with Geswall before reviewing it.
Had you watched mrizos review, you would have at least had a basic understanding of what Geswall does and how it works.
    I was so looking forward to this review, but all it did for me was make me squirm.:ouch:
    I like what you're doing, but take a little more time to get to know the product you are reviewing, for everyone's benefit.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Like you, I looked forward to the GeSWall review, but unlike you, I was not squirming... whatever you meant by that. ;) I actually think Brad did a very decent job of explaining this software during the review. The only bone I have to pick, and I'm sure it will sound petty, is that Brad kept pronouncing the word "isolate" like the word "oscillate". It was weird to keep hearing him talk about running the browser "oscillated". To be fair, perhaps I have a hearing impairment. All in all, a nice presentation, in my opinion! Thanks for testing and uploading the results!! :thumb:

    Edit in: I have listened to Matt (from remove-malware.com)'s 25 minute GeSWall review and I found it to be on a similar level, generally speaking. :)
     
    Last edited: Oct 17, 2009
  17. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Brad - You will find that is what a lot of us have. Many here also use sandboxes (Sandboxie, DefenseWall, etc.) along with software restriction policies. Although your tests aren't really comprehensive they are still interesting to watch as to how various software products work.
     
  18. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    With squirming I meant not really being able to fully relax watching this.
Brad was saying "It looks like it got through", then deleting the entries in task manager (believing it had taken over his system)
    Being surprised that Task manager and Geswall were showing the same exe.
    I just had the impression that he didn't understand how Geswall works.
    If Brad had executed every malicious file he had and 50 malicious programs were running in task manager, it would still not have compromised his system in any way. Simply open the Geswall console and terminate the isolated applications.
     
  19. sarxos

    sarxos Registered Member

    Joined:
    Oct 6, 2009
    Posts:
    3
    Will you test Mamutu?
     
  20. bradtech

    bradtech Guest

    I have a 5 part video of using ESET NOD32 4.0.467.0 with PrevX 3.0 Home, and PC Tools Firewall..
     
    Last edited by a moderator: Oct 17, 2009
  21. bradtech

    bradtech Guest

Sure.. Will read up on it.
     
  22. rolarocka

    rolarocka Guest

    Nice! I like that combination.
     
  23. bradtech

    bradtech Guest

ESET is missing a very bad rootkit that is hiding itself from the Windows API.. PrevX is detecting it but is having issues keeping the machine off.. The series is 5 videos long now, and climbing.. I have introduced malware bytes into the equation to track this sucker down and help out.. The video demonstrates how it is taxing all three of these programs, and taking every aspect of a Firewall, Cloud based Malware detection system, and traditional anti virus..
     
  24. bradtech

    bradtech Guest

    The two rootkits are

    C:\Windows\system32\SRDA64.exe-vir
    C:\WIndows\System32\SEMDPX.sys-vir

    Which of course cannot be seen by the Windows API.
     
  25. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Part of the bot.exe sample you test with?
     