AV-Test: Reaction Times of the latest Worm Attacks

Related link;
http://www.av-test.org/down/ms05-039.zip

2005-08-22
Reaction Times of the latest MS05-039-based Worm Attacks
You can find the information how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in this Excel sheet (18 KB). Furthermore we have checked how many AV products haven't required an update in order to deal with these threats. All times in GMT.

And results;
http://img387.imageshack.us/img387/5648/av12fc.th.gifhttp://img387.imageshack.us/img387/8493/av23ui.th.gifhttp://img387.imageshack.us/img387/4807/av39so.th.gifhttp://img387.imageshack.us/img387/2029/av40gf.th.gifhttp://img387.imageshack.us/img387/334/av53cn.th.gifhttp://img387.imageshack.us/img387/1196/av64wq.th.gif

And my summary;
http://img399.imageshack.us/img399/7308/avpd3zn.th.gif

Sorry for turkish words on the summary.
proaktif tesbit = proactively detected
tesbit edilemedi = still no detection
date format = dd.mm.yyyy

comments on this test ?

Regards,

 

it's not correct for me. NOD32 has detected Win32/IRCBot.OO trojan with virus signature update not proactively. please be more carefull. again thanks for your feedback.
Regards.

 

Make a google when this signature was added. "A variant" means it's very close to this detection, however not 100% identical from a binary compare of the files.

 

NOD32 - v.1.1178 (20050726)
Win32/IRCBot.OO

 

There's no difference.
it depends on a virus signature database updates but it's not related with proactive detection.
http://img357.imageshack.us/img357/3873/nod32x4sm.th.gif

I'm sure that NOD32 is a wonderful A/V. I'm a NOD32 user too. Don't worry.
Regards,

 

How did you get your NOD IRCBOT!VAR detection date as 16.08.2005 19:27 in your table?

Or am I missing something here?

Thanks,

Stan

 

Please read post #2. Only, IRCBOT!VAR hasn't been detected by heuristic engine ın the test. Finally, it wasn't a big problem. only discussion. by the way it's not my table. I summarized it only. Source is http://www.av-test.org/
Regards.

 

I am still confused.

Your tables showed NOD32 detected Win32/IRCBot.OO trojan
as of 16.08.2005 19:27

However, NOD provided this signature on 26.07.2005
NOD32 - v.1.1178 (20050726) Win32/IRCBot.OO

How did you arrive at the date that NOD didn't detect this until 16.08.2005 19:27 per your tables?

Thanks,

Stan

 

Perhaps, you must talk with Andreas Marx
Regards,

 

BTW, I consider "proactive detection" to be "zero-hour" detection with heuristics, or generic signatures, or other method as long as it provides "zero-hour" detection. That works for me.

 

BitDefender did great!

If we could have NOD32's speed, Bitdefender's Heuristics and Kaspersky's signatures...

 

Strange...why NOD32 did not detecte Win32/IRCBot.OO in this test if NOD32 has the signature?

 

You forgot to add Nod32's heuristics, KAV's static unpacker and VBA32's Generic Unpacker to that setup

 

plus kav's hourly update

 

What would we call this product? Bitpersky32 maybe?

 

KasNoDefender xD

 

"Bitpersky32" and "KasNoDefender" will be the first choice of the A/V world if someone quickly prepare them. by the way, there's a chance to get much more money after than publication of this A/v test.

 

maybe we can propose this "KasNODefender" idea to each company maybe some day thay could merge their AV

 

Another link for same test results;
http://www.pcmag.com/article2/0,1895,1850851,00.asp

Eleven of the products were able to detect one or more of the attacks proactively, without any special pattern update to identify it specifically. Here are the numbers for each of the eleven:

Product - Score
BitDefender - 6 of 6
Fortinet - 6 of 6
Nod32 - 5 of 6
eSafe - 3 of 6
F-Prot - 3 of 6
Panda - 3 of 6
QuickHeal - 3 of 6
McAfee - 2 of 6
Norman - 2 of 6
AntiVir - 1 of 6
ClamAV - 1 of 6

 

I wonder how NOD32/BD are performing against Truprevent...

Is really Panda's software so resource hoggy ?
Regards,

 

Interesting,i wonder how ClamAV detected it proactively without any heuristics (or using what detection name?)...
They do use generic detection though...

 

Perhaps, you can explain it.
http://img98.imageshack.us/img98/4638/x17tx.gif

 

I still don't get it how it could be proactively detected when it doesn't use any proactive methods. Or just a lucky "guess" on signatures...

 

There is one thing that puzzles me...
AV-test states that NOD32 detected only 5 samples,while on NOD32 ESET states that ThreatSense intercepted all 6 variants. Now who should i belive now?

SNAP FROM ESET's PDF...
SAN DIEGO, Calif. * (August 29, 2005) * ESET, a global security software solutions company
providing next-generation anti-threat protection, today announced results from a study conducted by
AV-Test.org that confirm ESET's NOD32 proactively identified all six variants of the recent Zotob
worm. The findings, which appeared on August 22, 2005, clearly showcase the importance of
implementing a proactive anti-threat solution as the industry's major antivirus players including
Symantec, Trend Micro and McAfee did not detect all variants of the worm until after it had hit
systems around the globe

And this is what documents say:
http://img399.imageshack.us/my.php?image=avpd3zn.gif

I also doublechecked all 6 full reports and one is not proactive.
I have nothing against NOD32 policy of advertising their ThreatSense proactive performance,but just makes me wonder...
Thx

 

Thats probably just the marketing department doing their best, RejZor, they also have the "test" from Colby-Sawyer college on their main page as something special.