AV Update Frequencies - Important?

Discussion in 'other anti-virus software' started by JerryM, Jun 13, 2006.

Thread Status:
Not open for further replies.
  1. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    I'm going to give you a realistic scenario here, and I'm looking at it in the view of all computer users, not just the ones that have BOClean or Ewido running in real time along with APP/REG Defend, SSM (HIPS), etc. Your average user who wants protection for their system but doesn't know a lot about security. The average user who just returned from his/her favourite electronics store with an AV product to protect their system. Now this product releases definition updates every 10-12 hours and they're 'Quality Updates'. So this AV gets installed and has all the latest updates, which includes the last one released 30 minutes ago. Now, over the next 10-12 hours, a trojan and 3 new malware variants are discovered. This average user will be exposed to possible infection for the next 10-12 hours. A KAV user, however, likely will have been updated against some or all of these new discoveries sooner than the average user above, because KAV users would have received multiple updates in that time. Which means less risk of infection. And KAV hasn't reached the standing it has now by releasing updates that don't contain 'Quality'.
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, update frequency is also a "quality" that not all AVs possess...
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Couldn't agree more there. If an AV's detection rates aren't that good to begin with, frequency of updates will have little effect.
     
  4. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    No, updates were not MISSED. They were late, that is all. Why only have 4-5 updates every 24 hours when set to check once an hour, but if set to check every 5 minutes you get an average of 12-18 updates every twenty-four hours?

    I had read a post by Don Pelotas over at dslreports about KAV updating approximately 18 times every 24 hours, and he said sometimes he got 5-6 updates in one hour, and I never saw KAV update more frequently than every 4-5 hours when set to check once an hour. I found what Don was saying puzzling, so he gave me a link to a French site where they keep statistics and show the number of times KAV updates each day. In May the number of updates per day ranged from 10-20 with an average of around 15-18. Don suggested I set KAV as he has it set, to check every 5 minutes. I did that and began to get 15-20 updates a day. Yes, I could wait and have them bunched together once every 4-5 hours... but why should I do that? Especially when KAV doesn't have very strong heuristics? I would do that if I was using NOD32, but I am using KAV and its strength is in signatures. If KAV couldn't handle the queries every 5 minutes then I'm sure that would not be an option.

    http://www.idepro.fr/kaspersky/esac/kav_virlistd.asp
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I do not see an option to set the update frequency. Options mine shows are Auto, Daily, and Manual. How do you set the frequency to 5 minutes?

    Thanks,
    Jerry
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Here is where you set it:
     

    Attached Files:

  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Mele,
    Thanks. I am really dumb, I had trouble finding it even with pictures.:D
    I am pretty well satisfied to leave mine in "auto" but wanted to know how to change it if desired.

    I appreciate the help. Remember the thread where we talked about the difficulty in finding how to do settings? I still have the same problem. I have to do it several times to remember it next time.o_O o_O

    Jerry
     
  8. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Mele20

    Thanks for explaining that for us. The only thing I would disagree with is this.

    As good as NOD32's 'Heuristics' are, 58% 'Heuristics' detection is a far cry from 99% 'Signature' detection. I wouldn't deviate from an obvious strength until 'Heuristics' rates improved much more. No disrespect to NOD32, however; excellent AV!
     
  9. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Reading this, I think that you do not fully understand the results. :doubt:
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, 58% is too good. It's not easy to achieve this number. These are Heuristics, not signatures!!
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    I completely understand the results. My point was this.

    'Signature' detection rates are still much higher than 'Heuristics' detection rates. So what will catch/prevent more malware: 58% heuristics or 99% signatures? Obviously 'Signatures'. And while NOD's heuristics are good and widely considered the best, at 58% you still have to count on your signatures and your program protecting you by getting updated with them. Heuristics are a bonus level of protection but aren't strong enough 'yet' to rely on if your signature updates are slow and less frequent. Hopefully one day heuristics will become so strong that relying on signature updating and frequency won't matter that much. That way, we would not always be playing the 'catch up' game with the malware creators.
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Keep in mind 2 things:
    a) Heuristics help you to catch things BEFORE an update is released. In the case of NOD32 it means that _at least_ 58% of new malware is detected in advance without having to wait for a signature. "At least", because heuristics are also improved over time.
    b) All AVs also use signatures (yes, also NOD32), so how can you compare the 58% of heuristics with the 99% of signatures? They are 2 percentages from 2 completely different tests and test-sets.
     
  13. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    IBK

    I think you're still misunderstanding me. I'm saying that at this point in time, an AV's strength and the way they protect the best is with signatures and updating them, correct? Not heuristics. If you use NOD and turn off the updater, which means no more signature updates, NOD will catch/prevent 58% of new malware based on using its heuristics. Correct? That means 42% not detected. So relying on heuristics alone to save your butt at this point in time is not a good idea. Correct? Take away NOD's heuristics and use its signature detection and it catches 95+%. That's what I'm saying. Users still have to rely/count on signature detection as their #1 defense, and hopefully heuristics will continue to get better and reach a point where relying on signature updates won't have to be as important. I'm just trying to say that users shouldn't discount the importance of signature updates and frequencies until heuristics rates get much higher. I hope you understand me now because I don't know how else to word it.
     
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    tobacco,
    I think it is you who is misunderstanding the purpose of heuristics. I seriously doubt there will EVER be an AV that relies entirely on heuristics. The purpose of heuristics comes down to part of the layered approach; they work WITH signatures, not instead of them. Kind of like a safety net, if you will. The point is this: no matter HOW FAST a company puts out definitions, a heuristic detection will always be faster. That means that as soon as the AV saw it, it was stopped. No update needed; instant protection. So yes, KAV will stop 98-99% with signatures, while NOD stops 95-97% with signatures PLUS 58% of UNKNOWN threats (that there are no signatures for) with heuristics. Get it now?
     
  15. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, now you're saying BS. KAV behavior blocker got 99% detection too.
    So what's better, 97% + 58% or 99% + 99%? Sure, conditions weren't exactly the same, but they certainly show how the AV is working against malware.
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Kaspersky got 24% in proactive detection and NOD32 got 58%, check AV Comparatives. ;)
    Based on your way of calculation, it should be 94% + 58% for NOD32 and 99% + 24% for KAV.
     
  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    UH, where do you get your facts from to say I am bullshitting? NOD catches between 95 and 97% on demand at IBK's site, correct? In retrospective tests NOD got 58%, correct? Where is this BS you accuse me of saying?

    KAV6 is not using heuristics; they are using a behaviour blocker. The problem with behaviour blockers is they require too much knowledge from the user. If you recall, Norton and McAfee used behaviour blockers way back when and then abandoned them because unknowledgeable people allowed actions that were dangerous and then would complain to tech support about why the AV didn't work. You are trying to compare apples to oranges.

    Thanks TheTOM; sorry, NOD caught 94%. I know it doesn't really work this way, but it is the only way I saw to explain it to tobacco. Now RejZoR accuses me of bullshitting.
     
  18. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    NOD32 is ~98/99% according to the February test.
     
  19. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Thanks IBK, I was relying on memory. Care to chime in with your view to help tobacco grasp what some of us are trying to explain?

    Keep up the excellent work, by the way. It is most appreciated.
     
  20. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I'm talking about the special KAV6 test that was done later. And even if NOD32 was using 3-month-old updates, I really doubt it'd detect 99% of stuff from that sample base.
    I don't care if it's just an on-demand test; half of KAV's potential was simply left out because the testing methodology was selected to do just on-demand.
    Well, I don't give a **** about that. I'm not running KAV6 just on-demand on my PC. And that's what IBK is warning about all the time. Learn to read the results. There are, however, minor differences, but they're still comparable with each other.

    And from what I see, half of the people here don't even have a clue how the KAV behavior blocker even works. No, it's not throwing hundreds of popups in your face. I hardly even know it's there. Lots of knowledge? Apart from the Quarantine and Delete buttons when it detects something, I don't think you need an MIT education to use it. But sure, if you crank everything sky high, then you might get a few more warnings. But I don't see any need for that atm.
     
  21. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    How was IBK's KAV6 behaviour blocker test done? Did he use the max settings?
     
  22. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Done on-execution (= not on-demand and not on-access; on-execution). Yes, max settings.
    On-execution is the last chance, when on-demand and on-access found nothing. As soon as a bad behaviour triggers the rules of v6, it will warn the user, and most of the time the roll-back function will roll back the changes. But if something is done by the malware before something gets triggered, it could theoretically be possible that your PC gets harmed before you get the warning and the other actions (that triggered) get blocked. Another thing that maybe should be considered is that when something gets detected by signature or by heuristics, the user does not have much to do and considers it as malware. When you finally find on the net a program that sounds very cool to you and you can't wait to launch it, and a warning appears asking if you want to allow action xy, maybe the first time you click deny, but after you see that the cool program does not work when clicking deny, the second time you may click allow (if you are a user that has no clue). At least it could happen, dunno. It is just my personal opinion as a PC user, not as a tester. It's just an additional layer: first you had only an AV, then you got AV+FW, then AV+FW+Anti-Spam, then AV+FW+ASpam+Anti-Spyware, etc... and now you also have a behaviour-blocker: all in one product (or at least AV+BB) from one vendor. Which also leaves the possibility to use e.g. only the AV without BB, but with a BB or VirtualBox from another vendor.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi IBK, BTW, I tried this proactive defence against WinFixer and SpyAxe and it failed to stop the installation of the exe installers; all it did was prevent their start-up registry entry.
     
  24. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Seems to me it would be better if the Proactive Defense On-Execution behavior blocker could emulate the execution of an application in a type of sandbox, like some AVs' heuristic analyzers can do now. Looks like that would reduce the chances of a PC being affected in a bad way before a warning. Also, that would appear to me to be a cleaner approach and would reduce the chance of leaving malicious files on a PC even after something is blocked and a roll-back function is used.

    Or is this just not possible with the type of KAV Proactive Defense On-Execution behavior blocker?
     
  25. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)