DFK Threat Simulator vs ......

I was about to reimage my drive and decided to infect my system with DFK threat simulator and Martins Keylogger.

Here is the results of my scan.

#1 AVG antispyware (aka EWIDO)
trojan.xshadow.b
martins keylogger
torjan.small
eicar test virus

#2 Counterspy
Vanquishrootkit

#3 SpywareDoctor
eircar test virus

#4 Spysweaper
Nothing.

I have to say I am surprised that the two highest rated programs in the media did the worst. I always run multiple programs, but I have to say that I dont see myself renewing #3, and #4 next year.

 

Just for laughs I reimaged my drive, and this time ran AVG antispywares resident protection before launching the DFK threat.

AVG blocked the trojans from being installed. My new favorite security app.

 

I have to say that I really don´t have a clue if I passed the test or what, I tried to simulate a real attack by allowing only the .exe files to be launched, but I´m not sure if the rootkit and trojan were able to run, and it also seemed like SSM stopped all the shutdown attempts. I also did not get to see the "Own3d" message. I will have to do some more testing.

 

Grisoft (AVG) made a very smart move when they bought Ewido. Their AV is improving, too, from what I see in recent tests. IMO, the AVG suite is now to be *taken verrrry seriously*.

I tried the DFK test earlier, as I reported in another thread. SSM popped-up warnings again & again & again. A person would need to have a death wish in order to fail this test with SSM in attendance. I finally disabled SSM in order to run the rest of the test in peace.

Milli-seconds after SSM went to his room (to sulk, no doubt) Cyberhawk then blew the whistle, and asked to upload the files to its database. I assume that CH will give a much earlier warning now.

 

Of several HIPS I was playing with, DFK doesn't seem to shut down SSM even though it is listed as one of the targetted. All the others fail to either of the two methods used to kill them.

I'm not quite sure why, since there is no reason I can think of why SSM should be immune to the generic attacks used by DFK.

One possibility is that the guy messed up, or maybe he was working with an older version.

 

Actually DFK doesn't kill SSM at all, that is why you keep seeing the repeated popups. Against most other HIPS it takes about 3 prompts (though I think in theory it can be cut down to fewer prompts if he rolled all the functionality into 1 file) to kill the HIPS after which you don't see anymore.

I saw your posting on this forum yesterday, I went to test it, basically i got the same thing as you did, cyberhawk let pretty much everything go, before sensing something wrong and asking me to send the file to them for analysis.

 

Did u tried its rootkit scan?