Anti-Virus database

Discussion in 'other anti-virus software' started by Oleg, Mar 24, 2005.

Thread Status:
Not open for further replies.
  1. Oleg

    Oleg Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    407
    Location:
    USA
    If anti-virus got smaller database than the other does it means anti-virus with less database will offer less protection?
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    This is a very loaded question. Some people will say that it really doesn't make that big a difference. But I believe that the larger the sig. database, the more it will be capable of detecting. Heuristics will help some, but they will not replace a large sig database.

    bigc
     
  3. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    In my opinion the answer is "NO".

    So what makes AV programs different in terms of protection in a real-world scenario? In my opinion it's not about the total number of viruses/malware detected, it's mainly about two most important aspects:

    1. Efficiency of the scan engine (unpacking engine, heuristics)/functionality (IDS, HTTP scanner, content-attachment filtering)/stability of the program

    2. Response time to new malware: the duration between the time the malware is released, the time your AV company releases a new database and the time your antivirus is able to update to the new database in order to detect that malware
     
    Last edited: Mar 25, 2005
  4. Oleg

    Oleg Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    407
    Location:
    USA
    I like to be protected from new and old viruses :)
    I am using Dr. Web, because I have only 256MB of RAM, so Dr. Web is the only choice. I have tried Norton and it slowed down my PC by 80% :p
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I think your AV protection is good. I also believe that DrWeb has a lot of signatures that can detect more than one in a virus family, so the actual number is greater (please correct me if I'm wrong).

    Oleg, do you know about the "beta-testing of a special base allowing to detect spyware and adware"? Read about it here: http://info.drweb.com/show/2583, you can sign up at the bottom. Just place the two files (nasty+risky) in the DrWeb folder and reboot and you're off. It will add around 3000 files as of now. :)
     
    Last edited: Mar 25, 2005
  6. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    At the present time, Dr Web has about 69,000 records in its database. But these are not exact signatures.

    But some of these records can contain 10-100 virus signatures. Therefore, the total malware database is probably on par with KAV and F-Prot.

    A large database and good heuristics would be the ideal scenario.

    There are, however, a number of problems in trying to compare the actual relative sizes of AV "databases".

    1. In most cases we do not know the actual number of signatures in the database, as for example with Dr Web.

    2. It may also depend upon what protection you are looking for. For ITW protection, a huge database may not be needed and some AV companies concentrate mainly on ITW threats. However, if you visit a lot of high-risk sites, the kitchen-sink approach of KAV for example will offer better protection than an AV with a much smaller database.

    3. The relative composition of the database. The relative numbers of trojan, virus signatures etc. may be important. For example, those AVs with poor unpacking engines may have to build up a considerable signature database for trojans. F-Prot and Command, for example, have pumped up their trojan databases considerably in the last 12 months or so to compensate for their relatively poor unpacking engines.
     
    Last edited: Mar 25, 2005
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    large database+good heuristics = ArcaVir.
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Depends what you take as a large database. For example:

    Kaspersky would contain only 5 generic signatures which can pick up 99.9% of all malware that is covered by those generic signatures.
    Some other AV has 30 signatures for separate samples and can detect only 75% of those recorded in the database. Do you see the difference?
    It's not all about signatures.

    If you can unpack nearly all packers in the world you need only 1 signature to catch all malware that is covered by that signature.
    If you don't, you need many separate signatures to detect those that can't be unpacked, and there is still a big chance that some other packer would mess everything up and you miss the sample. That's why Kaspersky can detect like 99% of all stuff in nearly all tests.
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    RejZoR beat me to it! :'(
     
  10. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    As far as I know Kaspersky probably has the best unpacking engine, supporting many more types of packers than any other AV.

    If Kaspersky has 1 signature for some worm/trojan, and this worm/trojan has been packed by 500 different types of packers that are supported by Kaspersky's unpacking engine, then Kaspersky may detect them all by that 1 signature, while other AVs that have poor unpacking may need to produce separate signatures one by one in order to detect those 500 variants.
     
    Last edited: Mar 25, 2005
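The point RejZoR and TAP make above (one signature plus an unpacker versus one signature per packed variant) can be shown with a toy model. The following is an added illustration, not code from the thread or from any AV vendor: the "packer" is a constructed single-byte XOR transform with a small header, the "signatures" are plain byte patterns, the "sample" is a harmless constructed string, and the 255 packer variants stand in for the hundreds of packers the posts talk about. The function names (`toy_pack`, `toy_unpack`, `scan`, `compare`) are all assumptions made here.

```python
"""Toy model of how an unpacking engine changes the size of the signature
database an AV needs.  Added example for this thread, not any real engine."""
from typing import Dict, List, Optional, Tuple

# Constructed, harmless stand-in for a malware sample's unpacked body.
SAMPLE = b"CONSTRUCTED-SAMPLE: harmless stand-in for the body of a test file"
# One "generic" signature written against the unpacked body.
GENERIC_SIGNATURE = b"CONSTRUCTED-SAMPLE"


def toy_pack(data: bytes, key: int) -> bytes:
    """Constructed packer: a 'PK' header, the key byte, then the body XORed with the key."""
    return b"PK" + bytes([key]) + bytes(b ^ key for b in data)


def toy_unpack(blob: bytes) -> Optional[bytes]:
    """Generic unpacker for the toy format; None means 'not a packer I support'."""
    if len(blob) < 3 or blob[:2] != b"PK":
        return None
    key = blob[2]
    return bytes(b ^ key for b in blob[3:])


def scan(blob: bytes, signatures: List[bytes], unpack: bool) -> bool:
    """Plain substring signature scan.  With unpack=True the scanner also
    looks at the unpacked body, which is where a generic signature lives."""
    views = [blob]
    if unpack:
        inner = toy_unpack(blob)
        if inner is not None:
            views.append(inner)
    return any(sig in view for sig in signatures for view in views)


def per_variant_signature(blob: bytes) -> bytes:
    """What a scanner with no unpacker must store: a slice of the packed bytes,
    which differs for every packer key and so needs one record per variant."""
    return blob[3:19]


def detection_rate(signatures: List[bytes], variants: List[bytes], unpack: bool) -> float:
    hits = sum(scan(v, signatures, unpack) for v in variants)
    return hits / len(variants)


def compare(num_packer_keys: int = 255, coverage: float = 0.75) -> Dict[str, Tuple[int, float]]:
    """Return (signature count, detection rate) for three database strategies
    over the same sample packed with num_packer_keys different keys.
    'coverage' is the fraction of packed variants the per-variant database
    has managed to collect signatures for."""
    variants = [toy_pack(SAMPLE, k) for k in range(1, num_packer_keys + 1)]
    generic_db = [GENERIC_SIGNATURE]
    covered = variants[: int(len(variants) * coverage)]
    per_variant_db = [per_variant_signature(v) for v in covered]
    return {
        "generic_with_unpacker": (len(generic_db), detection_rate(generic_db, variants, True)),
        "generic_without_unpacker": (len(generic_db), detection_rate(generic_db, variants, False)),
        "per_variant_without_unpacker": (
            len(per_variant_db), detection_rate(per_variant_db, variants, False)),
    }


if __name__ == "__main__":
    for strategy, (count, rate) in compare().items():
        print(f"{strategy:30s} signatures={count:4d} detection={rate:.1%}")
```

Run as a script it prints the three rows: the single generic signature scores 100% once the scanner can see through the packer, the same signature scores 0% against packed files when it cannot, and the per-variant database needs as many records as the packer variants it has collected and still only detects the ones it has seen. The model is deliberately simple; real packers are far harder to reverse generically than a XOR, which is exactly why the quality of the unpacking engine, not the raw record count, is the number the thread argues matters.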
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Exactly. And there is a very big chance that AV with poor unpacking will miss many of the same samples.
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    But then, some AVs can overcome the file packer limitation by scanning in the resource area/section of the file...
     