On-Demand Detection against old malwares

Discussion in 'other anti-malware software' started by sg09, Jul 18, 2010.

Thread Status:
Not open for further replies.
  1. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Good job..:D

    I made some mistakes in the second set of results. It has been updated. Also, I have updated the results for FSB at maximum settings.
    FSB AV has a good heuristic.
    with low heuristic
    set 1: 439, set 2: 2758
    medium heuristic (default)
    set 1: 444, set 2: 2752
    maximum heuristic
    set 1: 471, set 2: 2802
    only in case of set 2, medium is lower in detection compared to low heuristic (bug?)...
     
  2. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
  3. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
  4. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    On demand = not launching the malware, just scanning the folder in which the malware is located.
     
  5. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    You are right, but take a look: http://www.infoworld.com/t/malware/four-year-old-rootkit-tops-the-charts-pc-threats-791
    "Four-year-old rootkit tops the charts of PC threats". I think that proves the relevance of the tests.
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    AS used concerning SECURITY applications. . .

    "On-demand" running contrasts with "real-time" running.

    DEFINITIONS
    Real-time - - - A program that runs in real-time runs at all times. In the case of security apps, a real-time program is constantly monitoring all computer activities as they occur.

    ==>In general, real-time scanners seek to detect and prevent the installation of malware BEFORE it infects the computer.

    On-demand - - - A program that runs strictly "on-demand" will only run when the user specifically activates it. In the case of security apps, an on-demand scan may be activated in order to scan all files (or selected files) on the user's computer. Or it may be activated to scan a single file, such as a new download.

    ==>In general, on-demand scanners seek to detect and (sometimes) remove malware that has ALREADY infected the computer.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    EXAMPLES
    Both Real-time AND on-demand - - - Most antivirus programs can be run in real-time (for continuous protection) AND/OR on-demand (for periodic scans of files selected by the user). Examples of *both-ways* antivirus programs include but are by no means limited to Avast, Avira, NOD32.

    On-demand ONLY - - - Some antivirus programs can ONLY be run on-demand. BitDefender Free is an example of an antivirus that will run on-demand ONLY. Hitman Pro is another example.
     
  7. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Norton tested. I used its latest beta 2011 version. Disappointing results..:(

    Guys please forgive me. I will not be able to publish results for Spybot S&D. It was taking a lot of time to scan a file (about 20-30 sec). Also in the first set among the first 350 samples it detected only 3.

    And now I will be taking a break for 12-15 hours. See you then...:)
     
  8. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Yeah, disappointing result from Norton indeed:thumbd: BTW, how much time did Norton take to scan your files?
     
  9. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    :D For Set 1 it took 2 hours to detect and remove, and for the second set about 4 hours...:gack:
     
  10. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Well, that is really slow; for Set 1 that's approx. 14 sec per sample:thumbd:
     
  11. CiX

    CiX Registered Member

    Joined:
    Feb 22, 2010
    Posts:
    404
    Wow, 20-30 seconds for 1 file :eek:
     
  12. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    @icr: Actually, scanning was relatively faster. Most of the time was taken by removal. It was the same with Ad-Aware Free.
    Scanning clean files is a lot faster too.
    @CiX: IMO it was checking its whole database for all the files..;)
     
  13. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Yeah, actually I forgot to specify properly: scanning is faster but removal is very much slower:)

    I had a similar discussion regarding this topic earlier.
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    Hi sg09,

    On one hand I applaud your effort, but on the other hand the obvious question has to be asked:
    How do you know that all those files are indeed "malware"?
    (ask IBK, the Inspector and others about the issues involved with testing ;))
     
  15. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    A very valid question. I was expecting this...:p
    To tell you the truth... I am not sure.. But I can assure you that after all the tests I will provide the MD5 hashes for all the 'malwares'..:argh: ;)
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Here's a thought. Pick maybe the top 20 here. Create a test bed of, say, 100 malware samples, 50 old, 50 new. Run each product maxed out. Then let's see who can really detect on how we set our stuff up, not the average user.
     
  17. tesk

    tesk Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    100
    Thank you very much for your test. I must admit that I am very impressed; I didn't expect it to get this high, as it is only a very early beta, which contains a lot of bugs. Anyway, if everything goes well version 0.8 will soon be out, which will contain a lot of new features. I will make sure to let all of you know when it is out, because we need a lot of testers. :)

    If anyone wants to help submit malware to us, please contact me. I can give you FTP for large collections or an email address. :)
     
  18. Dr who

    Dr who Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    46
    I think you guys and the author misunderstand that Z-Lob has been with us for 4 years, but the malware code has been modified/updated so many times that what is present today is nothing like when it first appeared.

    I fail to see how testing old samples is more accurate and relevant than testing current malware, especially when individual malware families evolve so quickly. But then back to the "accuracy" of these tests.

    Alarm bells now going off, but ok, will give you the benefit of the doubt as you are on a learning curve and have admitted these are amateur tests.

    I hope to help your learning curve, as already you have found out from the HMP team that they do not scan non-executable files on custom scanning. The same goes for most traditional/new antispyware engines, but this is the difference between AS and AV engines.

    Spybot has always steered away from direct file signatures and is heavily based on in-memory footprint identification = they have always scored badly on custom scanning tests as the files are not loaded into memory.

    Anyhow, comparing apples and pears is not the best test basis as results will be distorted to favour those that operate within the test criteria.

    As mentioned many times in recent years, malware doesn't usually fall nicely into one folder and then sit there inactive waiting to be sniffed. That only happens on basic lab or amateur tests like yours.

    To improve your testing curve, maybe best to learn about the tested applications as in their differences of operation (apples and pears) and also learn about malware to the extent of knowing whether any given sample in front of you is 1) indeed malware and 2) viable, not broken.

    If you can't tick either box, then whenever posting any results you should publish a very bold disclaimer that your results are not to be taken as accurate.

    Feel free to drop me a PM and I will be happy to exchange correspondence to help your learning curve with regards to malware, applications and testing methodologies:thumb:
     
  19. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks a lot for your detailed explanation Dr who. :thumb: I really appreciate and believe in what you said.:) But believe me, I have no intention of growing into a test lab; I was just doing this for fun and was spending my spare time with pleasure..:cool:
    As you said, malware doesn't sit in a folder to be scanned, but a not-so-expert user usually believes in this type of scanning. ;)
    About the non-executable files issue, I know some antimalware vendors have this limitation. I am calling this a limitation because maybe this isn't a real threat, because clicking on it will not infect your PC, but they may be there as part of an infected PC.
    Lastly, about that bold disclaimer: no one took an amateur test as an accurate one. As you know, I have already described myself as an amateur and always will.
     
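    Two checks a tester would want before publishing results like the ones in this thread are the ones raised above: a hash manifest for the sample set (as sg09 promised) and a way to tell executable samples from non-executable or broken ones (Dr who's point that some engines skip non-executables on custom scans and that a sample must be viable). The script below is an added example, not code from the thread or from any product mentioned in it; it assumes the samples sit in one directory, and the sample bytes it builds are constructed stand-ins (a bare PE header, a truncated MZ stub, a text file, an empty file), not malware.

```python
"""Test-set inventory: hash every sample and record whether it is a PE executable.

Added example, not from the thread. Assumes all samples live in one directory.
The sample files created by make_sample_dir() are constructed placeholders.
"""
import hashlib
import struct
import tempfile
from pathlib import Path


def file_hashes(path: Path) -> dict:
    """Return MD5 and SHA-256 hex digests, hashing in chunks so large samples are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def classify(path: Path) -> str:
    """Classify a file by its header.

    'pe'      : MZ stub whose e_lfanew points at a 'PE\\0\\0' signature
    'mz-only' : MZ stub without a reachable PE header (truncated or DOS-only)
    'empty'   : zero-length file
    'other'   : anything else (text, archives, documents, ...)
    """
    data = path.read_bytes()
    if not data:
        return "empty"
    if data[:2] != b"MZ":
        return "other"
    if len(data) < 0x40:  # too short to even hold the e_lfanew field at 0x3C
        return "mz-only"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe"
    return "mz-only"


def build_manifest(sample_dir: Path) -> list:
    """One row per file: name, size, kind, md5, sha256 (sorted by name for stable output)."""
    rows = []
    for p in sorted(sample_dir.iterdir()):
        if p.is_file():
            row = {"name": p.name, "size": p.stat().st_size, "kind": classify(p)}
            row.update(file_hashes(p))
            rows.append(row)
    return rows


def summarize(manifest: list) -> dict:
    """Count samples per kind, so executable and non-executable sets can be reported separately."""
    counts = {}
    for row in manifest:
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts


def manifest_text(manifest: list) -> str:
    """Tab-separated manifest suitable for publishing alongside the results."""
    lines = ["md5\tsha256\tsize\tkind\tname"]
    for r in manifest:
        lines.append(f"{r['md5']}\t{r['sha256']}\t{r['size']}\t{r['kind']}\t{r['name']}")
    return "\n".join(lines) + "\n"


def make_sample_dir() -> Path:
    """Constructed test set in a temp dir. None of these files is real malware."""
    d = Path(tempfile.mkdtemp(prefix="testset_"))
    # Minimal PE-shaped file: MZ stub, e_lfanew = 0x80, 'PE\0\0' at 0x80, nothing else.
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00" + b"\x00" * 20
    (d / "sample_a.exe").write_bytes(bytes(pe))
    (d / "sample_b.exe").write_bytes(b"MZ\x90\x00")          # truncated stub: not viable
    (d / "notes.txt").write_bytes(b"not an executable\n")     # non-executable sample
    (d / "broken.bin").write_bytes(b"")                       # empty: not viable
    return d


if __name__ == "__main__":
    sample_dir = make_sample_dir()
    manifest = build_manifest(sample_dir)
    print(manifest_text(manifest))
    print(summarize(manifest))
```

    Run it against a real sample directory by passing that path to build_manifest(); the summary gives the split between PE and non-PE files so a detection count can be reported per class, and the manifest is what a reader would need to reproduce the set. The classifier only looks at headers, so it flags truncated or non-executable files but says nothing about whether a well-formed PE is actually malicious; that still needs a second source such as a multi-engine lookup.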
  20. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Sorry for being unclear. I'm talking about the Nictatech v4 engine, the latest is v5.

    You can register for a 30-day trial.

    http://prosecure.netgear.com/

    EDIT: I confused the program version with the engine. eAcceleration might be using an engine older than 4.4.x. You're welcome sg09.
     
    Last edited: Jul 24, 2010
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    Yep, alarm bells went off here too.
    Being the bearer of a message is not always what a person would like to do.
    I can think of some other questions about the test set.....
    Thanks for your input, Dr who.
     
  22. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    @thanatos_theos: Thanks for the link..:)
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    good test:thumb:
     
  24. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Hi Tesk, thank you...:) But remember, with the highest heuristic FSB detected 67 pieces of 'malware' on my clean computer's system drive....:p

    @jmonge: Thank you..:)
     
  25. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    You said Norton took a very long time to remove your malicious files, but in my case, when I scanned about 51,000+ malicious files, it took a fairly short time to remove all those files... I am not questioning the results, but what I want to say is that it did not take a long time to remove files.
     