Anti-Virus database

If anti-virus got smaller database than the other does it means anti-virus with less database will offer less protection?

 

This is a very loaded question. Some people will say that it really doesn't make that big a difference. But I believe that the larger the sig. data base the more that it will be capable of detecting. Huerestics will help some but it will not replace a large sig database.

bigc

 

In my opinion the answer is " NO "

So what makes an AV programs are different in terms of protection in real-world scenario? in my opinion it's not about the total number of virus/malware detected, it's mainly about two most important aspects

1. efficiency of scan engine (unpacking engine, heurictics)/functionality (IDS, HTTP scanner, content-attachment filtering)/stability of the program

2. response time to the new malware, the duration between malware are released, your AV company releases a new database and your antivirus is able to update for new database in order to detect those malware

 

I like to be protected from the new and old viruses
I am using Dr. Web,because I have only 256mb of RAM Dr. Web Is the only chose I have tryed Norton and it's slowed down my PC by %80

 

I think your av-protection is good, i also believe that DrWeb has a lot of signatures that can detect more than one in a virus family, so the actual number is greater (please correct me, if i'm wrong).

Oleg, do you know about the "beta-testing of a special base allowing to detect spyware and adware" , read about it here: http://info.drweb.com/show/2583, you can sign up at bottom. Just place the two files (nasty+risky) in DrWeb folder and reboot and you of. It will add around 3000 files as of now.

 

At the present time, Dr Web has about 69,000 records in its database. But these are not exact signatures.

But some of these records can contain 10-100 virus signatures. Therefore, the total malware database is probably on par with KAV and F-Prot.

A large database and good heuristics would be the ideal scenario.

There are, however, a number of problems in trying to compare the actual relative sizes of AV "databases".

1. In most cases we do not know the actual number of signatures in the database, as for example with Dr Web.

2. It may also depend upon what protection you are looking for. For ITW protection, a huge database may not be needed and some AV companies concentrate mainly on ITW threats. However, if you visit a lot of high-risk sites, the kitchen-sink approach of KAV for example will offer better protection than an AV with a much smaller database.

3. The relative composition of the database. The relative numbers of trojans,virus signatures etc may be important. For example, those AV's with poor unpacking engines may have to build up a considerable signature database for trojans. F-Prot and Command for example have pumped up their trojan databases considerably in the last 12 months or so to compensate for their relatively poor unpacking engines.

 

large database+good heuristics = ArcaVir.

 

Depends what you take as large database. For example:

Kaspersky would contain only 5 generic signatures which can pick 99,9% off all malware that is covered by those generic signatures.
Some other AV has 30 signatures for separate samples and can detect only 75% of those recorded in database. Do you see the difference?
It's not all about signatures.

If you can unpack nearly all packers in the world you need only 1 signature to catch all malware that is covered by that signature.
If you don't,you need many separate signatures to detect those that can't be unpacked and there is still a big chance that some other packer would mess everything and you miss the sample. Thats why Kaspersky can detect like 99% of all stuff in nearly all tests.

 

RejZoR beat me to it!

 

As far as I know Kaspersky probably has the best unpacking engine that supports many more type of packers than any other AVs.

If Kaspersky has 1 signature for some worm/trojan, if this worm/trojan has been packed by 500 different type of packers that supported by Kaspersky's unpacking engine so Kaspersky may detect them all by that 1 signature while other AVs that have poor unpacking may need to produce separate signature one by one in order to detect that 500 variants.

 

Exactly. And there is a very big chance that AV with poor unpacking will miss many of the same samples.

 

But then, some AV's can overcome the file packer limitation by scanning in the resource area/section of the file.....