Whole Product Dynamic Test May 2012

Discussion in 'other anti-virus software' started by Thankful, Jun 15, 2012.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Probably just an inactive leftover or false positive. Next time keep it in quarantine so it can be checked. Relax, sit back and enjoy. :)
     
  2. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,789

    If you are concerned, do a weekly scan with an extra program like Hitman Pro, Malwarebytes, Comodo Cleaning Essentials, etc... If Webroot is missing something, one of the on-demand scanners would most likely catch it.
     
  3. LunarWolf

    LunarWolf Registered Member

    Joined:
    Jan 4, 2011
    Posts:
    203
    Location:
    Malaysia
    My friend told me Qihoo is using 4 engines and is very light. Avira, Kaspersky and I don't know.
     
  4. cupcrazy19

    cupcrazy19 Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    21
    I just did a scan with superantispyware, it shows I have two trojans on my system.

    Here is what the log says:

    Trojan.Agent/Gen-Decay
    C:\PROGRAM FILES\ADOBE\READER 10.0\READER\READER_SL.EXE
    C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\68AB67CA7DA73301B744AA0100000010\10.1.0\READER_SL.EXE

    How do I know if these are indeed trojans, or FP?
     
  5. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,789

    You can upload to virustotal.com to verify.
     
  6. cupcrazy19

    cupcrazy19 Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    21
    How do I do that?

    Downloading a free trial of NIS 2012 to see if it picks up the so-called trojans. I did not remove them from the superantispyware scan because I want to test other products to see if they can catch it. If Norton catches it and I figure out how to check it on the site you gave me and it's a trojan, WSA is gone, but if it's a FP or Norton doesn't catch it either, then I don't know.
     
    Last edited: Jun 16, 2012
  7. cupcrazy19

    cupcrazy19 Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    21
    I have two computers, a desktop and a laptop. I just installed superantispyware on my laptop, and so far it has claimed to have found the same trojan on the laptop. What are the odds I have the same virus on both computers?

    At this point I'm now thinking false positive; also, Norton didn't pick it up either on the laptop if it is indeed a real trojan.
     
  8. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,789

    Go to virustotal.com. The site is easy to use.

    Also, instead of installing the full suite of NIS, just download Norton power eraser. It can be run without an install.
     
  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Avira continues to disappoint me. Although not terrible I would not choose it at this time.
    As for SAS results, I suspect they are FP.

    Jerry
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Don't fret it, Jerry, Avira is getting ready to start gaining ground again. They will make us both proud again. ;)
     
  11. cupcrazy19

    cupcrazy19 Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    21
    I can't find the file to scan on that site, but after searching it seems the file:
    C:\PROGRAM FILES\ADOBE\READER 10.0\READER\READER_SL.EXE is a FP after looking on superantispyware's forums. Not sure about the other yet, but I assume it's also a FP.

    I have to assume at this point WSA must be working as Norton also just ran a clean full system scan...
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you have any doubts, feel free to write into our customer support inbox and they'll check your logs for you. From what you've posted, it looks like you have FPs from SAS rather than missed infections.

    The same issue applied to both tests - I posted about it one week ago, which was after AV-C ran their monthly tests: https://www.wilderssecurity.com/showpost.php?p=2069649&postcount=202
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    OK, I am resting in your confidence, and inside information.;)
    Thanks,
    Jerry
     
  14. cupcrazy19

    cupcrazy19 Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    21
    I feel pretty good they were all FP. I used 5 different products today and only SAS picked up the files as a trojan. Since the other 4 didn't pick up any issues, either WSA has done its job protecting me, or all the products don't work either. I'll go with the first.

    I used NIS 2012, WSA Complete, Bitdefender online scanner, SAS, AMWB; again only SAS picked up anything other than cookies. I would say of the 5 I used today I would depend on SAS the least.

    I know you can't always depend on these test results, and most of us would never run across most of the stuff used in the testing process, but you can't help but feel better about a product with better scores.

    My one complaint about WSA Complete would be the lack of email protection with Windows Mail and Outlook that the other suites offer.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    It's not visible, but WSA also checks your e-mail channels. ;)
     
  16. cupcrazy19

    cupcrazy19 Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    21
    That's good to know. It doesn't state that on the website, and there are no settings for spam/email, so I just assumed it did nothing! Thanks fax, nice to know I'm fully protected :D
     
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Many people describe the "Whole Product Dynamic Test" as being the real veritable test. Let me just state some of my thoughts about it. We are talking about 464 malicious URLs being tested which have been culled among known websites distributing malware.

    My first question would be, what are the odds of landing on one such infected URL? In 4 years I've only once run into one of these infected websites, and one should consider the built-in security of, say, Chrome and IE9, which is quite effective.

    In the last 3 weeks in my work environment, Avira and MBAM (mostly Avira though) caught more than 30 real malware from around 120 USB flash drives. My computer was without a connection during these operations; can you imagine what would have happened using an AV that relies heavily on cloud scanning?

    Back to the results of the "real test". Let's take 2 examples Avira (my choice) and BitDefender which has had excellent results lately.

    Avira caught 97.8 % of 464 malware items, that is 453 out of 464
    BitDefender caught 99.1 % of 464, that is 459 out of 464
    We are talking about a difference of 6 pieces of malware in one month looking specifically for malware. BitDefender caught 6 pieces of malware more than Avira.

    Let's take a look at the last "On demand Detection test" March 2012.
    Avira caught 99.4% of 300,000 malware items, that is 298,200 out of 300,000
    BitDefender caught 98.6% of 300,000, that is 295,800 out of 300,000

    Avira caught 2400 pieces of malware more than BitDefender. Readers should draw their conclusions about these tests.

    I'd like to point out that I'm comparing results of two companies as an example to comment on the methodology of tests. It is not intended as A versus B, as a matter of fact most companies had better results than Avira.
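
A way to check whether gaps like those quoted above exceed sampling noise, as an added example that is not part of the original post: it computes 95% Wilson score intervals from the detected/total counts exactly as the post states them. The function names and the interval-overlap check (a rough, conservative comparison) are choices made for this example.

```python
import math

# Counts exactly as quoted in the post above (detected, total).
TESTS = {
    "dynamic": {"Avira": (453, 464), "BitDefender": (459, 464)},
    "on_demand": {"Avira": (298200, 300000), "BitDefender": (295800, 300000)},
}

def wilson_interval(detected, total, z=1.96):
    """Return the Wilson score interval (low, high) for detected/total.

    z=1.96 gives roughly 95% confidence. Wilson is used instead of the
    plain normal approximation because it behaves well near 100%.
    """
    p = detected / total
    denom = 1 + z * z / total
    centre = (p + z * z / (2 * total)) / denom
    half = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total)) / denom
    return centre - half, centre + half

def intervals_overlap(a, b):
    """True when two (low, high) intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]

def compare(test_name):
    """Return ({product: interval}, overlap_flag) for one test."""
    products = TESTS[test_name]
    intervals = {name: wilson_interval(*counts) for name, counts in products.items()}
    first, second = intervals.values()
    return intervals, intervals_overlap(first, second)

if __name__ == "__main__":
    for name in TESTS:
        intervals, overlap = compare(name)
        print(name)
        for product, (low, high) in intervals.items():
            print(f"  {product:12s} {low:.2%} .. {high:.2%}")
        verdict = "within sampling noise" if overlap else "larger than sampling noise"
        print(f"  intervals overlap: {overlap} ({verdict})")
```

With 464 test cases the two intervals overlap, while with 300,000 samples they do not; this says nothing about which test set better reflects real exposure.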
     
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    As others have pointed out, it's nice to see ESET above 99%, which afaik is the first time in the dynamic tests.

    And the other 99% performers are going strong as usual :thumb:

    Webroot...I know it's a great product. And I hope so much that the June testing will finally show that, now when the quirks have been fixed.
     
  19. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Osaban, still the real world/dynamic testing is more relevant than the static on-demand tests.

    Of course it is good to catch as many samples as possible, but is a user really better protected when you add detection days, weeks later after the initial deployment of the malware?

    Also the on-demand tests don't include all protection features modern AV software has to offer. You can block the URL the malware is coming from, you can catch the exploit that does the download, you can use behaviour blocking to catch the malware during installation in your system, you can combine all this information and add global statistics from your cloud to have reputation based protection.

    For me, the most important question is: Can the AV solution detect/block the malware when it is new and the sample was not yet processed by the AV company (= pro-active protection)? If not, how fast can the AV company process the sample and update/deploy its detection and protection components? But the latter means that the first 10, 100, 1000 users with this malware would get infected.

    That being said, I think that the real-world tests from AV-Test and AV-Comparatives are still too "slow", the used URLs and samples are already too old and the AV companies had already too much time to react. The malware went from zero-day to zero-minute. >= 90% protection with real zero-minute malware? Hmmm...
     
  20. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    The most wise comment in this thread :thumb:

    Exactly my thoughts. I find funny how the "dynamic" (name says it all? :rolleyes:) results vary from month to month. Only god knows which "malicious links" are being used for these tests. We all know an av vendor which has been beaten heavily enough by av-c lately so... was this the time to pay them back their "credibility"?

    As far as I'm concerned, and I've noticed it from years ago, av-c got tired of the "eternal" winners and decided to spice up their tests with these "well balanced" 'dynamic', 'real world', you name it... reviews. This is just MHO.
    .
     
  21. Legendkiller

    Legendkiller Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    1,053
    @cupcrazy19,
    I must begin by saying that I too am more of a learner than an expert.

    What I have learned, though, is that tests are an indicator of how a product has fared against a test sample... and that the user is the most important part of his security setup.

    WSA still has 95%+ detection rate, which should be good enough for a safe operator.
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    You're welcome! :thumb:
     
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Thank you Stefan for clarifying the issue, my post was based mainly on the type of exposure to malware that my computers are usually facing in a working environment, without an internet connection. I wonder whether there are statistics about the life expectancy of malware, in other words how long does malware remain in circulation?
     
  24. mturmel

    mturmel Registered Member

    Joined:
    Jun 17, 2012
    Posts:
    2
    I have been a loyal user of Avira for the past 3-4 years.

    When I submit a false positive sample they say: "Detection will not be removed due to the fact that the file does not belong to a regular piece of software...In case AntiVir can detect this file we will not change or remove our detection."

    An example is
    Code:
    SHA256: 0b93e5752c96fef445ff90a51c614769c4255252eaf3f454744b6c875ece5513
    or
    Code:
    MD5: e4572447b6bd0e32e258dea2148b1d23
    When I submitted the file to F-Secure, Kaspersky, and Panda they were removed from their virus definitions, after confirming that it was a false positive.

    When I submitted the file to Symantec I got an email stating that it was a false positive; but, they never removed the detection.

    When submitted to Comodo and Sophos they responded in a similar fashion to Avira.

    Now files like above most probably don't go to AV-Comparatives, AV-Test, or VB100; or if they do, they ignore them. I doubt AV-Comparatives, AV-Test, or VB100 use 'keygens', 'cracks', or 'patches' in their tests.

    The comparative tests assume you are a good boy, and not using Quickbooks registration cracks etc. etc.

    The AV companies like Avira, Comodo, Sophos, and Symantec don't want to remove their detections to either scare users, or they just don't have the manpower to do it.
     
  25. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    I have tested Emsisoft Anti-Malware for a few days while I had Rollback Rx installed on my computer. After scanning my machine it detected Rollback Rx as a rootkit. When I reported the obvious FP to Emsisoft they replied that they won't change their signature as Rollback Rx uses code that is used by malware. In other words, to ignore Rollback Rx would basically make the OS vulnerable to some malware. Best thing to do would be to exclude the FP with the antivirus.
     