[Thread split]MRG Flash Tests 2012

Right. I thought the 'joking' referred to Amin' post.
Sorted.

 

DefenseWall's core technology is not whitelisting, it's a sandboxing-style HIPS system. Whitelisting is used only run run known as good software installation files as trusted automatically.

 

^I'm not gonna argue with you about your own program oc. Point taken.
Better put would be perhaps a distinction between signature and non signature based progs (although EAM and Bluepoint are both a mix of whitelisting/behavioural blocker and signatures oc).

 

Yeah, thats exactly why I am not sure what MRG tests are "detecting". I haven't used your product, but from your description, I would assume that either
a) the product alerts on every suspicious behavior OR
b) the product silently sandboxes all changes, in which case I would assume they would need to test False positives to get a complete picture of the effectiveness to ensure you aren't sandboxing EVERY app including good apps. its very easy to sandbox every app and break many in the process.

In case of a) above I dont consider that a "detection", I consider that an "alert" which forces the user to make a decision which could be wrong.

So what does DefenseWall "detect" to get a 100% detection rate ?

 

Not all but most of the changes. That is the main trick used by Avast or DefenseWall. It is very important to evaluate false alarms on execution also!

 

Nope.

Nope.

There are no "false positives" in your terms. DW runs new software installation files, known as good, as trusted automatically (in case whitelisting on), other case prompts you if you want to install new program trusted or untrusted.

 

New results 8/24/12
Zero Hour, 6h Later + 12h Later...
http://www.blog.mrg-effitas.com/

 

I like Kaspersky, but I am starting to have a hard time believing that they can get 100% detection on zero hour malware like that all the time, especially with KAV that doesn't have the HIPS that KIS does but has to rely mostly on signatures.

 

Thanks LoneWolf. Another mediocre performance from Eset.

 

Thanks LoneWolf.....Kaspersky and Emsisoft always there.

 

Look at SAS. It sucks.

 

I have to agree King Grub. As interesting as these tests can be, sometimes I get the impression things are not always 'above board', but that is just me. Kaspersky is good, but nothing is 100%. Even if it actually was possible to achieve 100%, I would not personally use KAV/KIS, or BD for reasons I have stated many times, they can be monsters on ones system and are far from perfect. Testing is good, certainly, but it does often appear there is a slant towards some, but again, that is just my opinion.

Thanks for your thoughts

 

When I was running KAV 2009/2010, it had HIPS. Did they remove it from later versions of KAV? I have also been wondering how much of a factor HIPS has been for KAV and EAM's stellar results. I recently discovered that the latest version of EAM isn't giving me conflicts with MD, so I've been running with EAM for a couple weeks now. It has been very impressive so far - light on my system and it downloads signature updates more frequently than anything I've ever used before.

 

KAV never had HIPS, it has a complex PDM which now (2013) has been integrated into SystemWatcher.

Nobody said that, if we look we can find samples that even pass KIS. But it has an impressive cloud detection and many proactive features.

Unfortunately MRG tests have not much details, to see what is so effective. Another point is the source of MRG's few test samples. Maybe KL watches the same sources, also KL has many honeypots...

Emsisoft and Bluepoint also deteted all until now - here no one wonders? I think for those relative small vendors it's even more impressive - or confusing.

 

Good points SLE, thank you I would lean towards more confusing LOL

Have a good day!

 

Emsisoft has a good behaviour blocker so I'd expect that to stop a lot. Which it obviously does, since Ikarus has a number of fails.

I don't know much about Bluepoint and how it detects and stops stuff.

 

What is a PDM?

 

These tests are missing details on how each AV passed the specific 0 hour malware sample. Was it their heuristic definition? HIPS? Cloud detection? Saying what technology helped in blocking the sample will be more helpful to people then just saying PASSED.

I mean the point of these tests to help people decide what AV to choose I assume right? And as is it doesn't help any at all.

 

If I'm not mistaken that would be "Proactive Defense"(module).

 

This information used to be provided. Not any more.

 

what's wrong with SAS

 

Vapor-Lock. It really is stunning this time...not sure about SAS.

 

Why was it taken off?

 

That's a question for MRG.

 

It just has a high level of sucktitude.

Did you see the SAS results --- even 12 hours later?

http://www.blog.mrg-effitas.com/



Nuts.