VBA32

Discussion in 'other anti-virus software' started by shek, Mar 31, 2005.

Thread Status:
Not open for further replies.
  1. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    My only complaint with this app was the slowdown on my PC. I don't really expect noticeable slowdowns on a 3.4GHz machine, so it was disappointing. I'm spoiled by how light Dr.Web is.

    Hopefully, with revisions and improvements, the RTM aspects of this program will be streamlined so applications don't take so long to launch.

    Also, was there a way to turn off sounds? They really annoyed me, and I think I missed the toggle for them.
     
  2. The Maxx

    The Maxx Registered Member

    Joined:
    Aug 2, 2004
    Posts:
    27
    I've been testing out VBA32 for a good 24 hours now, and it hasn't slowed down my PC really at all. It did after the install for a few mins, browser took a bit to load, etc., but after that it has gone fine. As a matter of fact, with Dr. Web or VBA32 my PC runs about the same; I notice very little to no difference at all no matter which one I have installed.

    Only had one problem out of VBA32 where it was saying a Yahoo Messenger file was adware. I sent in the file and told them what the file was for (Yahoo email) and they fixed it with today's update.
     
  3. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    That's weird, why would it speed up unless it caches session files with checksums or something?

    I'm not convinced I want to switch to this from Dr.Web, since I'm not sure what the benefit, if any, would be. It's slightly slower than the Doctor, appears slightly less than the Doctor on Jotti's; when I refresh it I noticed it missing more. Also, it appears a bit more unpolished.

    Granted, what I've seen, I do like it. But I'm not overly compelled to switch to it from Dr.Web, because quite honestly, the Doctor has never treated me wrong and is just so unbelievably light.

    Perhaps I will re-evaluate it in future versions.
     
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    This is exactly what the RTM and the on-demand scanner do. Check out previous posts 48 and 26 in this thread.
    After caching, on the systems I have tried it on, it is as fast as the good Doctor.

    I agree that it is still a little rough around the edges and I have also found a few false positives. So for now I have only left it on a "test" computer.
    Always stay with what you are comfortable with but IMO this AV is worth keeping an eye on ;)
     
  5. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    I think that some explanations are needed. Beta versions have a new experimental heuristics included (you would not see these heuristics alerts in the official release). In general, it works similarly to how spam filters are implemented: we feed two large sets of files (one contains malware, the other contains clean files) to a robot and it builds heuristics records. Heuristics robot finds similarities between different malware and assigns them to groups, also it tries to make heuristics records so that they are not similar to any of the files from a clean set. Fixing false heuristics alarm is simple, we just need to add these files to a clean set and rebuild all. The sources of false alarms are usually various runtime and third-party libraries which can be used both in malware and in ordinary programs, also some occasional similarities can be encountered too.

    Official release also has the same heuristics engine but its sensitivity is somewhat lower and also only the most stable heuristics records (those that do not cause false alarms for a long time) get into release, now release version uses about 30% of heuristics records that are used in beta, hopefully after more testing is done, even more heuristics records will get into the release. One of the reasons why beta versions are freely available is the intention to test this heuristics better :)

    Heuristics tries to compare every tested file with all malware groups first (and produces messages like 'suspected of Worm.Mydoom.1'). If it can't find similarities to any real group, heuristics tries to compare the file with a virtual group composed of *all* malware we have in our database (in this case alarms like 'suspected of Win32.Trojan.XXX.Y' are generated). These Win32.Trojan.XXX.Y heuristics alarms are much less reliable than 'named' alarms, but they help us to find files for addition to the clean files set (as such files have at least some minor similarities to some malware) and improve overall heuristics stability.

    Also you have found a minor bug in the heuristics of the latest beta version, these Win32.Trojan.XXX.Y alarms were not supposed to be generated at default heuristics settings, it will be fixed in one of the next versions.

    To sum up, these are not quite false positives :) That's exactly what the program tried to report, it is just unsure whether it is malware or not and a more detailed analysis is required. It generates false alarms sometimes, but it finds a lot of malware too (current statistics gives a roughly 50/50 ratio of false alarms/real malware). Maybe some people will find it to be not what is usually expected from an antivirus program, but some people like how it works and would better have a false alarm (that is easily fixable by sending this suspicious file to us) than a missed trojan. And don't forget that it is beta and targeted at advanced users who usually know what they are doing. Corporate users would not like such behaviour.

    PS. Jotti's page uses official release, not beta.
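
A sketch of the scheme described in the post above, added here as an illustration; it is not VBA32 code. It assumes byte 4-grams as the similarity feature, pre-labelled groups, and invented thresholds; `build_records`, `scan`, `generic_alarms` and all sample byte strings are constructed for the example.

```python
N = 4            # byte n-gram length (assumed for this sketch)
VIRTUAL = "*"    # the virtual group built from *all* malware

def ngrams(data: bytes) -> set:
    return {data[i:i + N] for i in range(len(data) - N + 1)}

def union(files) -> set:
    return set().union(*map(ngrams, files))

def build_records(groups: dict, clean_files: list) -> dict:
    """Rebuild every heuristics record from the malware set and the clean set."""
    clean = union(clean_files)
    # A group's record: n-grams common to all its members, minus anything clean.
    records = {name: set.intersection(*map(ngrams, samples)) - clean
               for name, samples in groups.items()}
    records[VIRTUAL] = union(s for g in groups.values() for s in g) - clean
    return records

def scan(data, records, named_min=0.6, generic_min=0.3, generic_alarms=False):
    grams = ngrams(data)
    # 1) Compare with every named group first.
    scores = {name: len(rec & grams) / len(rec)
              for name, rec in records.items() if name != VIRTUAL and rec}
    best = max(scores, key=scores.get, default=None)
    if best is not None and scores[best] >= named_min:
        return f"suspected of {best}"
    # 2) Fall back to the virtual group, only above default sensitivity.
    if generic_alarms and grams:
        if len(grams & records[VIRTUAL]) / len(grams) >= generic_min:
            return "suspected of Win32.Trojan.XXX.Y"
    return "clean"

# Constructed samples (not real malware): byte strings standing in for files.
RUNTIME = b"__shared_runtime_library_init__"   # library used by malware and clean programs
MAILER = b"MAILER-LOOP-SMTP-HARVEST"
GROUPS = {
    "Worm.Mydoom.1": [RUNTIME + MAILER + b"aaaa-variant", RUNTIME + MAILER + b"bbbb-variant"],
    "Trojan.Dropper.1": [b"DROP-PAYLOAD-TO-STARTUP-1111", b"DROP-PAYLOAD-TO-STARTUP-2222"],
}
NEW_VARIANT = RUNTIME + MAILER + b"cccc-other"
INNOCENT = RUNTIME + b"render-page-zoom"

if __name__ == "__main__":
    before = build_records(GROUPS, [])
    print(scan(INNOCENT, before, generic_alarms=True))   # generic false alarm
    after = build_records(GROUPS, [INNOCENT])             # add file to clean set, rebuild
    print(scan(INNOCENT, after, generic_alarms=True), "|", scan(NEW_VARIANT, after))
```

Once one program linking the shared library is in the clean set, other clean programs using the same library stop matching as well, because the library's n-grams leave every record on rebuild.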
     
  6. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Sounds good. Any comments on the slowdown I noticed on my 3.4GHz system? In general it seemed everything was a bit slower.

    I like the product, but this slowdown really bugged me after using the ultra-light Dr.Web.
     
  7. Dimka

    Dimka Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    5
    Location:
    Minsk, Belarus
    Is VBA32 the only RTM installed on your computer? Maybe there is some file-system filtering software, which works OK with Dr.Web, but conflicts with VBA32? Second, as far as I know, Dr.Web monitor in its default configuration scans only newly created and modified files. Files that you already have on your disk are not checked by Dr.Web monitor. This significantly increases speed, but lowers protection reliability (malware could get on your computer before its detection was added to virus databases).
     
  8. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Spoken like a true Dr Web competitor in the AV market place ;)

    Yes, SpiderGuard in Smart Mode is very fast as a RTM and theoretically there is a weakness on Win 2000/XP systems.

    This is because executables are not checked in Smart Mode on NT systems. But as stated many times in this forum as long as frequent on-demand scans are carried out and newly downloaded files are also scanned then this weakness should be overcome.
     
  9. Dimka

    Dimka Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    5
    Location:
    Minsk, Belarus
    :)
    Yes, such a strategy is effective for experienced users who pay attention to antivirus protection. And we think about implementing similar (possibly slightly modified) technology in VBA32. But most users want a "set it and forget it" solution.
     
  10. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    VBA32 is looking even more attractive by the day :D
    Completely agree. Most average users want straight out of the box configuration with automatic updates.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Even when I was an average user who didn't know too much about malware, I liked to tinker around the settings of my AV - but maybe that's just me :D
     
  12. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Well I am running this AV right now on a vpc of 2000 SP4 up to date, that had BD O/D only, and it flagged the same amount BD did(4) with the Heuristic engine maxed, which is nice IMO, since BD is known for great Heuristics. Seems as though the heuristic training is going well.

    As a side note, the scanners at Jotti's and VirusTotal both missed it, but that was expected as this is a newer version, as stated earlier in this thread.

    Another side note, Fprot and NOD got it at Jotti's/VT.
     
  13. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Most people downloaded/installed the WorkStation version of VBA32 as it was the only version highlighted on their main page.

    However, there is as stated previously a Personal Version which can also be downloaded here.

    It is nearly half the size of the WorkStation download, which is good news for those of us still restricted to dial-up. And further, despite its extra settings for a POP3 Scanner, Script checker and a plug-in for Outlook, it takes up the same amount of VM on this computer as the WS version.
     


  14. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Script Filter.
     


  15. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    And Outlook Plug-in.
     


  16. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    I found an Issue with 3.10.3beta. If you scan a large amount of files which are infected, the memory usage will stay through the roof. Even when completed. I was stuck at 114MB Phys / 117MB Virt. You can see this a bit when you scan say a few pieces of malware, around 1000+, but I put it against my big collection(57,000 files +) and it had a hard time with it. It also took over 4 hours to complete. I still like this program though, because this is not a "real world" scenario. Anyone else see this also?
     
    Last edited: Apr 29, 2005
  17. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    This really looks like a bug. Scanner has different memory requirements when scanning different files, usually memory usage is quite low. But sometimes peak memory usage gets rather high, especially when scanning inside of archives (for example, decompression of some RAR archives can take up to 128MB memory for some compression algorithms, also archives can be nested). But scanner should always return memory to the system after each file is tested.

    Most likely this problem is triggered not because a large number of files is scanned, but because of a few files in this collection (maybe even a single file) that cause excess memory usage or memory leaks when processed.

    We are very interested in finding what causes this problem. It is possible to make a special debug build (most likely on Monday) which monitors and logs memory usage after scanning each file. If you don't mind, we will ask you to run it on your collection to find which files exactly may cause this problem.

    Right now you can try to disable scanning inside of archives/mail bases and scan this collection again. If this memory problem disappears, the bug is most likely in archives decompression code, otherwise it is somewhere else.

    Thanks for testing our program and reporting problems, this really helps to improve quality.
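
The per-file memory log proposed in the post above, as an added sketch; it is not the vendor's debug build. `toy_scan` is a constructed stand-in scanner with a planted leak on its deepest-nesting path, nested zlib streams stand in for nested archives, and the 256 KB `limit` is an assumed threshold.

```python
import gc
import tracemalloc
import zlib

_retained = []  # planted bug: buffers the toy scanner never releases

def toy_scan(data: bytes, depth: int = 0) -> None:
    """Stand-in scanner: unpacks nested zlib streams like nested archives."""
    try:
        inner = zlib.decompress(data)
    except zlib.error:
        return                      # not an archive, nothing to unpack
    if depth >= 3:
        _retained.append(inner)     # leak: this path keeps the unpacked buffer
        return
    toy_scan(inner, depth + 1)

def scan_with_memory_log(files: dict, limit: int = 256 * 1024) -> list:
    """Scan each file and log the memory still held once the scan returns."""
    tracemalloc.start()
    log = []
    try:
        for name, data in files.items():
            gc.collect()
            before = tracemalloc.get_traced_memory()[0]
            tracemalloc.reset_peak()            # Python 3.9+
            toy_scan(data)
            gc.collect()
            current, peak = tracemalloc.get_traced_memory()
            retained = current - before
            log.append({"file": name, "peak": peak - before,
                        "retained": retained, "suspect": retained > limit})
    finally:
        tracemalloc.stop()
    return log

def nest(payload: bytes, levels: int) -> bytes:
    for _ in range(levels):
        payload = zlib.compress(payload)
    return payload

# Constructed inputs: one plain file, two "archives" of different nesting depth.
FILES = {
    "plain.exe": b"MZ" + bytes(1000),
    "nested2.arc": nest(bytes(2_000_000), 2),
    "nested4.arc": nest(bytes(2_000_000), 4),
}

if __name__ == "__main__":
    for entry in scan_with_memory_log(FILES):
        print(entry)
```

A high `peak` with `retained` near zero is the normal archive case the post describes; a file whose `retained` stays high after the scan returns is the one to send back for analysis.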
     
  18. Happy Bytes

    Happy Bytes Guest

    Looks like something is messing up the emulator. There exist a few files which are not standard executables in such virus collections. This means they have oversized/non-existent sections in the header. This can result in too much memory allocation and probably not releasing it completely.
     
  19. Happy Bytes

    Happy Bytes Guest

    Recursive scanning technologies could be another thing...
    Archive packed files or multiply runtime packed files are well known for such behavior.

    Create 4 testbeds:

    1st: Multiply runtime packed files (from which you know you have static unpackers) with double or more packed versions

    2nd: Mixed SFX Archives (Selfinstaller etc)

    3rd: normal archives with lots of recursion

    4th: non-standard executables (just patch a few exe in the section and the fileheader)

    Final Step: "Replicate" this testset a few thousand times by copying it into 1000 subfolders via batchfile.
     
    Last edited by a moderator: Apr 30, 2005
  20. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    We have recently released a rather big update for beta version. Here is a part of whatsnew.eng file:
    One of the most important changes is a new mode for antivirus monitor (similar to 'smart mode' from DrWeb) as a lot of users asked for this. It is arguable if it provides an acceptable level of protection. But anyway, some people do not use on access protection at all and manually check all the incoming files with a scanner. This new mode for antivirus monitor is a nice alternative for them as it does all the dirty work of checking new files automatically for them :)

    Also we have reached the final stage in developing our new heuristics engine. It is almost ready for stable release now. As completely getting rid of false alarms is almost impossible (though we have also tweaked the engine to reduce chances of heuristics false alarms in this new beta version) we have decided to add a new heuristics setting (redundant or in other words - paranoid). Using this new heuristics setting is recommended for advanced users only and it provides maximum level of new malware detection at the cost of increasing chances for heuristics false alarms. All the other heuristics settings are tuned to reduce chances of false alarms to minimum. So heuristics in this latest beta is very close to what will be available in the next 3.10.4 version which is due to release in about a month.

    Any feedback is welcome :)
     
  21. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    Sure, we do use such tests for each release (an automated script which produces lots of broken files in different formats and runs the scanner to check them in an endless loop). Also we have a collection of horribly 'mutated' files made for such tests, not every well known antivirus can survive scanning them by the way.

    We have tried to reproduce these memory leak problems in the past few days but still could not succeed. You never know which broken files can be encountered in the wild. So it looks like we will need help from likuidkewl to find this problem anyway.
     
  22. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Sorry I must have missed this post, I am willing to run the debug build for you.
    I will check on the FTP after this post, just as a note I am still in the process of slimming down the collection, but I will still run it against the entire set with all the useless files included, as this will help reproduce this issue as this is how it happened before.
     
  23. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    But this should be okay if as with SpiderGuard in SM, it is supplemented with regular on-demand scanning.
    Good news and it would be nice if one of the major testing sites gave this version of VBA32 a thorough testing of its detection rate.
     
  24. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    At AV-Comparatives, they tested an older version in March's "Special Test".
    I hope IBK and clan will test this some more.
     
  25. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Doh! Sounds like the next version will rock.. Too bad I just renewed my licenses for Dr.Web..
     