New MRG test results

You can still see the details about what has been update in Control panel /windows updates

You are missing the point, I already said like 4 (you should buy a new screen) times that if you are not even able to understand what is the shield dont use an HIPS.
If you dont understand the promps from the HIPS dont use it.
If you dont know that windows have updates dont use an HIPS
If you a not an experienced use dont use an HIPS.

But all this doesnt mean that you have to assume that nobody knows how to use it.
If you dont know how to pilot a plane does not make the plane useless.

If you are testing the speed of a car vs plane, because your dont know how to pilot does not mean that the car is faster than the plane or that the max speed of the plane is 0.

 

Yes, for an average user Panda is better. It is safer, easy to park and cost less than the Ferrari both for buying it and mantaining it. The story just confirms the view that Ferrari is not a good car for normal user. This is why there are few owners of Ferrari around (price is obviously a key factor ).

MRG test confirm that certain solutions do not provide the optimal protection needed for average users (the majority of customers that buy or install security solutions). After all these posts we can confirm with no doubts that it is a test that cannot suite your needs. LOL

 

The blame for that lies with the vendors for marketing their products to every level of user.They should explain clearly that an MCITP level certification would be advisable to use their product.

 

I would agree with you if security softwares would clearly warn the users about the risk involved in using their products. But this is not the case. For example, since you use Comodo (but it applies to ALL products), I just paste their product description:

There is no mention on HIPS and the fact that this product can be used only if you understand HIPS. On the contrary it is described as easy to use and configure.

 

Since I installed CIS in my laptop I have had 3 popups from D+ after the first reboot. (remember that they added the sandbox and the whitelist, they are going to increase the whitle list with 6kk of files more). Not even after install some programs I have had a popup of D+.

So yes, is easy to use and configure.

But dont go offtopic.

 

But you get infected by a keylogger because HIPS do not give you (average user) a clear indication of the potential thread or does not block it automatically. Do you get the all point of this discussion?

 

No because the sandbox and the firewall would be protecting me, assuming that the AV is not able to detect it.

 

That was not unfortunately the case... as you have probably read during all these discussion. Moreover the point we are trying to highlight to you is not about isolation/sandbox or AV signature but HIPS

 

Why? Every app that is not from a trusted site I run it in the sandbox first.
Even if I dont run it in the sandbox and I accept all the alerts from D+ I will get a promt from the firewall.
Are you telling me that an average user dont know how to answer a promt from the firewall?

 

I don't think anything, just looking to the facts and how HIPS can be an inefficient way of protecting average users. Not more not less.

 

Spyshelter Message;

They passed me, They dont want more test with SpyShelter.

 

I quit using HIPS due to the prompts; clear or not. We use a desktop pc and a laptop at my house and there are kids using both all the time. HIPS is impractical for us even if it is well designed.

It would be beneficial and probably more comprehensive for MRG to include real banking malware along with there simulator like what Immunity did when testing SafeOnline.

-info.prevx.com/download.asp?GRAB=IMMUNITY-

Overall its good to see the test administrator active on this forum.

 

Thank you Sveta and MRG for conducting these tests.

I don't know why SONAR would start blocking it. There aren't any changes to the simulator, are there?

 

Following on ALiasEX post above I notice that Mamutu is now level 3 (green) after failing on the first day and that Prevx dropped to level 2 on the third day after level 3 on the first two days.
Are there subtle changes to the way the simulator works on a day to day basis or is there another reason for the variations.

PS: many thanks to LWM for trying to rescue my thread again

 

The wonderful thing about behavior blockers. They learn about bad behavior. Eventually mamutu may have noticed that change in behavior was "bad" or changing.
I believe that the malware samples do change slightly to simulate polymorphic malware that changes its code.

 

You can read the PDF report for more info about that.

 

Have read it properly now since my post. Had been out all day and posted after a quick look at the results

 

Since many producs already detect the MRG tool as a threat what sense have continue testing this products if they are going to detect the MRG tool each time even before to make it work?

 

http://forums.malwareresearchgroup.com/viewtopic.php?p=1528#p1528

I hope MRG disciplines him .

I think he should have said "strongly opinionated"

 

Its been taken care of. We had quite a few problems in the past 24h with bad posts on both forums and main site. Some people get emotional and express themselves in a way which is not appropriate.

Regards,
Sveta

 

All vendors have to do to pass these tests is block, REMOVED, REMOVED and REMOVED based on file names.



Maybe some already are using this method, rather than Real detections and/or Heuristically ?

If i can grab the info, so can others.

I alerted MRG to them allowing the above test file names to be shown via their screenies, TWICE in this thread in post 22 but NO response still ?

We could say, a pass is a pass, but is it ? Depends, maybe !

How do we know what method the vendors that are passing are using ?

 

I don't personally mind the idiot part so much. But an 'outpost'? Wilders is at the centre of the Universe.

 

It amazes me how upset people get when products they use don't do well in these tests. They should instead be grateful that a weakness was exposed before malware exploited it.

 

@Sveta MRG

As YOU posted the screenies publically in your PDF showing the file names in FULL view for ALL to see, including vendors et al, i felt it was right to also do so, and point it out.

What you could have done, and still do, is change the file names ASAP. Then the vendors would have no chance of detecting via file names alone. And then Properly blank out ALL fle names in ALL screenies.

If i hadn't alerted you to this, you might have been none the wiser, and passed vendors who don't detect correctly. Now you can remove that vector

The file names are STILL visable in your PDF http://malwareresearchgroup.com/?page_id=2

I wouldn't expect you to be exstatically happy about the revelations, you allowed to be shown First, but i would have thought you might be just a little grateful i had alerted you to all of this, so you can correct it asap.

I want you to be successful, but making mistakes is often part of the journey. We ALL make them sometimes, that's how we learn. Don't blame the messenger

Regards