Anyone heard of mks_vir 2004?

Discussion in 'other anti-virus software' started by tazdevl, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    With a little more testing, MKS just outright has a problem with Outpost. A time syncer didn't work, nor did the F-Prot updater. After checking the logs, for the ones that are blocked, the process is listed as SYSTEM instead of the application. Once I manually made rules for those, I no longer had any block messages, but other apps still did not work (disabling Outpost does make them work). Whatever MKS does, it is hooking into something, I'm not quite sure what. But it takes a reboot (after uninstall) to get rid of the problem. What is the e-mail for support?
     
  2. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    A bit more about MKS_VIR 2004 heuristics compared to NOD with AH. Some detection numbers were corrected concerning MKS.

    Detected by heuristics / missed without heuristics = detection percentage:

     86/298 = 28.9 %   MKS full collection

      14/69 = 20.3 %   MKS trojan-like
      14/30 = 46.7 %     trj
        0/6 =  0.0 %     tdp

       6/66 =  9.1 %   MKS riskware

     66/163 = 40.5 %   MKS viruses
      35/56 = 62.5 %     BAT
      13/42 = 31.0 %     worms
      16/33 = 48.5 %     Win32
        2/7 = 28.6 %     mcr
       0/24 =  0.0 %     ovr

    =============================

    115/466 = 24.7 %   NOD full collection

      5/122 =  4.1 %   NOD trojan-like
       1/77 =  1.3 %     trj
       4/21 = 19.0 %     tdp

       4/87 =  4.6 %   NOD riskware

    106/257 = 41.2 %   NOD viruses
       0/29 =  0.0 %     BAT
      13/86 = 15.1 %     worms
     76/101 = 75.2 %     Win32
       8/15 = 53.3 %     mcr
       9/24 = 37.5 %     ovr

    trj = backdoors & trojans
    tdp = trojandroppers
    BAT = BAT viruses
    worms = I-, IRC-, P2P-, mIRC- and Win32-worms mainly named by Kaspersky
    Win32 = Win32-viruses
    mcr = macro viruses
    ovr = other viruses

    MKS seems to have VERY good heuristics against the most common nasties, TROJANS, but no heuristics at all against TrojanDroppers. Also superior heuristics against BAT viruses.

    Best regards,
    Firefighter!
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    FF,

    No offense intended - but all: please consider this as a small private test for the author's personal use only.

    regards.

    paul
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    NOD32's configuration is so wonderful that you can shut down the signature scanning to test the heuristics, but I guess this is not true for MKS. I don't care much for BAT heuristics. It's easy to pick up from some well-known DOS commands, but when the BAT virus has only the DEBUG scripts it gets harder. Well, then the signature scanner kicks in.

    Regarding your test, I have some suggestions.

    1. Use the bugs which are missed by both scanners without heuristics. This way it'll be a better comparison. If the number of bugs gets small this way, then the database is not big enough.

    2. It'll be nice to point out which bugs are ITW or were ITW.

    3. In the case of trojans, mention the component, e.g. server or client.
     
  6. 0--0

    0--0 Guest

    It seems to me that there may be a misunderstanding regarding NOD32's AH and mks_vir's heuristics:

    AFAIK, NOD32 AH includes not only a heuristic scan engine but also an emulation (to be confirmed by Eset). In other words, NOD32 AH features a generic unpacking engine which is quite a rare thing. (Ewido Security Suite also uses an emulation. Wayne has indicated that TDS-4 will feature something like an emulation.)

    If you compare my scanlogs for NOD32 AH ( http://boardadmin.funpic.de/viewtopic.php?t=13&sid=aa0bd60307a146f9ea650864930a96e6 ) and mks_vir ( http://boardadmin.funpic.de/viewtopic.php?t=21&sid=aa0bd60307a146f9ea650864930a96e6 ) you will see that NOD32 AH can unpack and detect certain compressed malware samples which mks_vir or NOD32 w/o AH ( http://boardadmin.funpic.de/viewtopic.php?t=12&sid=aa0bd60307a146f9ea650864930a96e6 ) cannot detect. See, for instance, the samples contained in the section "Crunch":

    4_Crunch\ (4) 1 059 000
    -----------------------------------------------------------------
    1. CrunchV2.Beast192c.exe 96 769
    2. CrunchV2.NuclearInject.exe 49 153
    3. CrunchV2.OptixPro132.exe 448 208
    4. CrunchV2.Y3Kpro02.exe 464 870


    In summary, it seems that mks_vir uses a pure (and quite good) heuristic scan engine but has no unpacking capabilities. Therefore, mks_vir may be a good scanner for replicating malware (viruses and worms) but not for non-replicating malware like trojans.
     
  7. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Well said, my friend. Now worms are also coming with packed bodies, so unpacking ability is very important.
     
  8. 0--0

    0--0 Guest

    @AMRX

    It does not really matter whether replicating malware is packed or not. Even if you have no unpacking engine at all it's not a problem to create a signature for a packed malware sample.

    The only advantage of the unpacking engine is that you will immediately detect a packed variant of a *known* malware sample (i.e., we are only talking about a timing difference). If a packed worm really starts to spread and becomes ITW malware, every AV scanner will detect it within a few hours or days. Therefore, I would call an unpacking engine nice but not essential for detecting replicating malware.

    Things may change, however, if worm writers start to make use of polymorphic crypters (like open-source snipped).
     
    Last edited by a moderator: Jul 3, 2004
  9. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
  10. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear 0--0, same goes true for non-replicating malwares. Actually a lot of people don't prefer to get infected and wait for the definitions to get updated. That's why unpackers are important.
     
  11. 0--0

    0--0 Guest

    @AMRX

    "same goes true for non-replicating malwares."

    I am not sure whether you got me right. I would say: "This goes primarily true for non-replicating malware."

    a) Replicating Malware (viruses, worms)

    --> unpacking engine is nice but not essential due to frequent signature updates relating to ITW malware (malware will get detected regardless of whether it is packed or not)

    b) Non-Replicating Malware (trojans)

    --> unpacking engine (or memory scan or advanced/behaviour-based heuristics) is essential since no timely signature update for a packed variant will take place if the malware does not spread and AVs do not become aware of such a variant

    @Paul

    The program does not constitute malware. It's a crypter. You may want to call it a badguy's "helper tool". But it's hard to distinguish between legitimate compressors/crypters/protectors and illegitimate crypters. Would you call the very basic, open-source y0da crypt a malicious crypter?
     
  12. Stephan123

    Stephan123 Registered Member

    Joined:
    May 15, 2004
    Posts:
    135
    Location:
    The netherlands
    I have installed it on my PC. I had a virus scan with it; it found 589 viruses of the 590 in the archive. Very good results.
     
  13. Moe

    Moe Guest

    I installed MKS and ran it on a CD with 528 trojans on it and results were interesting.

    MKS_Vir 2004
    Heuristics Off
    623 Files Scanned
    509 Infections Found

    Heuristics Very High
    623 Files Scanned
    584 Infections found.

    eXtendia AVK (Kaspersky + RAV engines both on)
    Analysis complete: 07/05/2004 03:47 PM
    528 Files Scanned
    528 infected files detected

    Pest Patrol
    422 Infected Files Found

    TDS-3
    15:53:18 Scanned 528 files: 233 alarms in 12.375 seconds

    Trojan Hunter Filescan Complete
    No Infections found on Drive (yes, it was set up right)

    Ewido Security Suite
    221 Infected Files Found

    This impresses me; the log files showed MKS with heuristics set to very high picking up fragments of the trojan makers' handiwork on other files within the compressed archives, in addition to the compressed files themselves. Interesting to note, AVK and TDS only scanned 528 files when I know the total is 693 individual files. Do they skip other files in an archive once an infected one is found?

    Pest Patrol was most impressive to me in this test as a backup to an antivirus; it seems like an exceptional anti-trojan application. Ewido would probably do much better once its Pro version comes out and has archive/compressed scanning enabled.
     
  14. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    How many of the trojans (whole thing) did it miss (MKS)? (Also I don't quite remember, but in my experience I remember AVK only counting each archive as one file)
     
  15. 0--0

    0--0 Guest

    Scanning inside archives is a nice gadget but not necessary if you have a real-time monitor/on-access scanner. This is because any malware contained inside an archive will be unpacked to a temporary folder on the hard drive. Here it will be detected before it can be executed. Moreover, a user can manually unpack an archive and then scan the extracted files. Finally, it should be noted that no scanner can scan inside password-protected archives (unless the password is known to the scanner).

    For the above reasons, I believe that an AV/AT's ability to scan inside archives should not be overrated.

    By contrast, run-time compressors decompress a file directly into memory. Therefore, an unpacking engine (or a memory scanner) is much more important than archive support.
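
The two posts above draw a distinction between archive support (the scanner opens a ZIP and reads each member) and run-time unpacking (the scanner has to reverse what a packer did to the executable itself, because on disk the bytes of a known sample no longer match its signature). The following is an added example to make that distinction concrete; it is not code from mks_vir, NOD32, or any poster in this thread. Assumptions: the "malware" is a constructed, harmless byte string; the signature is a constructed byte pattern; zlib with a marker prefix stands in for a run-time packer (a real packer wraps a PE in a decompression stub that an engine must emulate, which this toy does not model); and a ZIP archive built in memory stands in for the archives the posts discuss.

```python
"""Signature scanning vs. run-time packing vs. archive support (added example).

Nothing here is real malware: SAMPLE and SIGNATURE are constructed strings,
pack() is a zlib stand-in for a run-time packer, and the ZIP is built in memory.
"""
import io
import zipfile
import zlib
from typing import Callable, Dict, Optional

# Constructed, harmless stand-in for a "known sample" and the signature an AV
# would extract from it once the sample has been seen.
SAMPLE = b"MZ\x90\x00" + b"hypothetical-backdoor-v1 connect back to c2" + b"\x00" * 64
SIGNATURE = b"hypothetical-backdoor-v1"
STUB = b"STUB"  # hypothetical marker a real packer's decompression stub would be


def pack(data: bytes) -> bytes:
    """Stand-in for a run-time packer: stub marker plus compressed body.
    The original bytes exist only after decompression, i.e. only in memory."""
    return STUB + zlib.compress(data, 9)


def scan_plain(blob: bytes) -> bool:
    """Pure signature scanner: matches the bytes exactly as they sit on disk."""
    return SIGNATURE in blob


def try_unpack(blob: bytes) -> Optional[bytes]:
    """Generic unpacking step. A real engine emulates the stub; this toy just
    recognises its own marker and inflates the body. Returns None if not packed."""
    if not blob.startswith(STUB):
        return None
    try:
        return zlib.decompress(blob[len(STUB):])
    except zlib.error:
        return None


def scan_with_unpacker(blob: bytes) -> bool:
    """Signature scan that first looks at the raw bytes, then at the unpacked body."""
    if scan_plain(blob):
        return True
    inner = try_unpack(blob)
    return inner is not None and scan_plain(inner)


def scan_archive(archive_bytes: bytes, scanner: Callable[[bytes], bool]) -> Dict[str, str]:
    """Archive support: walk each ZIP member and hand its bytes to `scanner`.
    Encrypted members cannot be read without the password, so they are skipped
    and reported as such rather than silently counted as clean."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                results[info.filename] = "skipped (password protected)"
                continue
            results[info.filename] = "infected" if scanner(zf.read(info)) else "clean"
    return results


def build_archive() -> bytes:
    """Constructed ZIP: the raw sample, the packed sample, and an innocent file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.exe", SAMPLE)
        zf.writestr("sample_packed.exe", pack(SAMPLE))
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def demo() -> dict:
    """Run every combination and return the verdicts for inspection."""
    packed = pack(SAMPLE)
    archive = build_archive()
    return {
        "plain_on_raw": scan_plain(SAMPLE),              # known sample: hit
        "plain_on_packed": scan_plain(packed),           # same sample, packed: miss
        "unpacker_on_packed": scan_with_unpacker(packed),  # unpack first: hit again
        "archive_plain": scan_archive(archive, scan_plain),
        "archive_unpacker": scan_archive(archive, scan_with_unpacker),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the output makes is the one 0--0 is arguing: archive support is just "open the container and scan what is inside", and the plain scanner finds `sample.exe` inside the ZIP without any help, but the packed member stays invisible to it even after the ZIP is opened. Only the scanner with an unpacking step catches `sample_packed.exe`, and in a real engine that step is an emulator or memory scan rather than a marker check.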
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    MKS does have unpacking skills according to these tests below.

    http://boardadmin.funpic.de/viewtopic.php?t=20&view=next

    http://boardadmin.funpic.de/viewtopic.php?t=14&view=next

    http://boardadmin.funpic.de/viewtopic.php?t=23&view=next

    http://boardadmin.funpic.de/viewtopic.php?t=18&view=next

    Even Norton has basic unpacking skills. MKS is a bit below BitDefender, but better than Norton and at about the same level as the new AntiVir 6.26, if these tests are the verifying levels.

    In basic trojan detection, MKS with AH is quite impressive; I don't mean unpacking in this case. So far I have not seen a better AV for detecting unknown trojans with heuristics only.

    Best regards,
    Firefighter!
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    FF,

    You are referring to Nautilus (guest 0--0 right above) tests. Please read his last comment as well ;).

    regards.

    paul
     
  18. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Paul Wilders from Firefighter!

    That's why I always have a KAV-based AV as my backup AV, KAV 5.0 or eXtendia AVK Pro.

    Unpacking skills aren't the only thing you need. A wide enough database gives more positive findings among trojans if we compare KAV vs. NOD with AH, for instance, against numerous trojans, even when those samples were runtime-packed in several different ways. You have to have a wide trojan database to be unbeatable among competitors.

    Best regards,
    Firefighter!
     
  19. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear Nautilus, I got your point alright, but my point is that unpacker support enables the AV to detect a packed worm before it is installed. Also, the time difference between infection and the release of a new signature is important. Show me someone who wants to wait for a new definition all because his AV couldn't unpack the bug.
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Just finished my scan against my new collection of 334 trojans & backdoors. RAV and MKS scored equal, 302, the second best after KAV of course, among single-engined AVs.

    Best regards,
    Firefighter!
     
  21. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA

    FF, how did KAV score?
     
  22. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    Might as well piggyback, and ask: how did everything score? :D
     
  23. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To VikingStorm from Firefighter!

    If you really want to know the detections concerning the 334 backdoor & trojan samples: I have to admit that there are only about 10 rebased and/or repacked samples; the rest are in the usual mode.

    I have not tested KAV 5.0 just now, because in former tests KAV 5.0 and eXtendia KAV seemed to be so close, almost identical.

    317/334 eXtendia KAV & RAV

    315/334 eXtendia KAV

    302/334 eXtendia RAV & MKS with AH

    293/334 Panda Platinum 7.05.07

    284/334 BitDefender 7.2 Free

    245/334 AntiVir 6.26.0.18

    242/334 NOD32 upd 1.805 with AH

    204/334 ClamWin 0.35

    Best regards,
    Firefighter!
     
    Last edited: Jul 8, 2004
  24. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    Hi everyone !
    The MKS_VIR 2004 program is now available to buy online @ www.stormbyte.com . enjoy !

    Tomasz from SolTech Computer Technology, LLC
    Distributor of MKS_VIR 2004 for US and Canada
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Welcome stormbyte to wilders.

    Good luck with your distribution of mks_vir. Will you be the main support for the English version of the program and will you provide support for the trial version ( downloaded from the main home site)?
     
    Last edited: Jul 9, 2004