AT vs AV, a 12 round bout for control of your security.

Discussion in 'other anti-trojan software' started by Jaws, Jul 12, 2005.

Thread Status:
Not open for further replies.
  1. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi All,

    Some of this got touched on in the “what is the different between AV and AT?” thread, but then it got into discussions about suites, conflicts between 2 AVs or an AT & AV, BOClean, PG, layered defenses and the like. I'd like this thread to try and stay on topic.

    Not to diminish the damage that a virus can cause, but I believe, like some others that have posted in different threads, that trojans and spyware are the dominant malware on the scene at the present time. Not to mention the fact that trojans seem more destructive (destroying or altering data, causing computer malfunctions) and criminal (collecting personal data, DoS attacks).

    I'm not forgetting worms, but from what I read, most are spread through files in e-mail attachments, ICQ or IRC messages and p2p. Perhaps we can save this topic for another time since I personally don't use p2p, ICQ or IRC, nor do I open e-mail attachments.

    Therefore I have a few questions that I would like to pose for anyone's input. I may be way off base with my thinking; if so, give it to me right on the jaw. Maybe some of these questions can only be answered by the AT developers themselves. Here goes:

    1* Do the current ATs also detect viruses?
    2* If not, why not, considering AVs are getting into the AT business?
    3* Do the major AVs do things that ATs don't? Why?
    4* Would you like to see Jotti's include: A-squared, ewido, TDS3 or TH in its scan?
    5* Does anyone use just a resident AT?
    6* You hear of people using a resident AV and on-demand AT. Why not the other way around?

    The reason I'm asking is I'm thinking of making an AT my resident malware detector due to the sheer number of trojans and the fact that viruses are fewer and farther between, and using a few different on-demand AV scanners for virus detection. And yes, I know you can run resident ATs and AVs together without conflicts. As a matter of fact, until recently, I didn't use any resident AV or AT at all because of my cautious surfing habits. I just used on-demand scanners.

    The free ewido 3.5 on-demand scan is almost as fast as the nod32 on-demand scan on my system. From what I've been reading, the ewido 3.5 resident guard is not slowing down PCs like it did before. Even when I trialed the full version of ewido 3.0 for 14 days about 2 months ago I didn't notice it slowing down my system while surfing, even with an AV resident too. Also, a threat database of 169,584, heuristics and a decent price would seem to fulfill my needs.

    7* Any opinions?
    8* What about the other ATs: A-squared, TDS3, TH? Better, worse, about the same?

    Please, all the proponents of Kav, don't jump up on your soap box touting the brilliance of their product. I'd like to keep this discussion somewhat on ATs.

    Regards,

    Jaws
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    you're right that spyware/trojans seem to be the dominant force now, but the categories are shaking, as many viruses download masses of other nasties now; trojans can download viruses and bots, bots display pop-up adverts, etc.

    you're wrong if you expect to get infected only because of your actions. many viruses spread through vulnerabilities. you don't have to do anything to get infected if there is a vulnerability on your system..

    see above, many ATs detect certain "crossover viruses"
    but there is the other part, removal or cleaning/disinfecting: many ATs can't clean most viruses. if the virus is an executable file, the removal is just the deletion of the file, but if the virus infects files by adding its own code, or is polymorphic etc.. well, you need an antivirus to clean it. again, most antiviruses, including kaspersky, just can't seem to get some trojans out

    see above, specific malwares need specific tools

    see above

    i personally would

    perhaps someone does. it's not a safe practice, it's a surefire way to get infected

    see above, the on-demand AT is used as a backup in case the AV misses something or can't clean


    there was a vulnerability which allowed a gang to infect people through hacked servers. you did not have to go to a rogue website, a family website was enough, if the website was on one of those hacked servers.
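The cleanup distinction illukka draws above (a standalone trojan is removed by deleting the file; a parasitic file infector has to be disinfected so the host program survives) is easy to show in code. The following is an added example, not code from the original thread or from any of the products it mentions. It uses a constructed toy "appending infector" layout (a payload glued onto the tail of a host file, followed by a marker and a length field) and a constructed byte signature for a standalone trojan; neither corresponds to any real malware format.

```python
import hashlib

# Constructed trailer the toy infector leaves at the end of a host file.
# Real infectors use many layouts; this one exists only so the example runs.
MARKER = b"TOYINF:"
TRAILER_LEN = len(MARKER) + 4  # marker followed by a 4-byte big-endian payload length

# A standalone (dropped) trojan has no host to restore; it is matched by a
# constructed byte signature and the only sensible action is deletion.
STANDALONE_SIG = b"CONSTRUCTED-RAT-STUB"


def toy_infect(host: bytes, payload: bytes) -> bytes:
    """Simulate an appending file infector: host || payload || MARKER || len(payload)."""
    return host + payload + MARKER + len(payload).to_bytes(4, "big")


def is_infected_host(data: bytes) -> bool:
    """True if the file carries the toy trailer (a structural check, not a byte signature
    over the payload, which is why it still works if the payload bytes vary per copy)."""
    if len(data) < TRAILER_LEN:
        return False
    return data[-TRAILER_LEN:-4] == MARKER


def disinfect(data: bytes) -> bytes:
    """Strip the appended body and trailer and return the original host bytes.

    Deleting the file instead would destroy the legitimate program, which is the
    point illukka makes: a file infector needs disinfection, not removal.
    """
    if not is_infected_host(data):
        return data
    payload_len = int.from_bytes(data[-4:], "big")
    cut = len(data) - TRAILER_LEN - payload_len
    if cut < 0:
        # A corrupt or hostile length field must not be trusted blindly.
        raise ValueError("trailer length field inconsistent with file size")
    return data[:cut]


def classify(data: bytes) -> str:
    """Decide the cleanup action for one file:
    'disinfect' for an infected host, 'delete' for a standalone trojan, 'clean' otherwise."""
    if is_infected_host(data):
        return "disinfect"
    if STANDALONE_SIG in data:
        return "delete"
    return "clean"


def sha256(data: bytes) -> str:
    """Hex digest used to confirm the restored host is byte-identical to the original."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample input: a fake host program and a fake appended payload.
    host = b"MZ" + b"\x90" * 64 + b"constructed host program"
    payload = b"\xEB\xFE" + b"\xCC" * 16
    infected = toy_infect(host, payload)

    print(classify(infected))                               # disinfect
    print(sha256(disinfect(infected)) == sha256(host))      # True: host restored intact
    print(classify(STANDALONE_SIG + b"\x00" * 8))           # delete
    print(classify(host))                                   # clean
```

The structural check in `is_infected_host` is also a small illustration of the polymorphism point in the same post: a scanner that only knew a fixed byte pattern for `payload` would lose the infection as soon as those bytes changed, while the trailer layout (what a real engine would recover from the file format and the infector's known behaviour) still lets it locate and cut off the appended body.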
     
  3. test123

    test123 Guest

    I think ATs are really just a supplement to a good AV, and they really shouldn't be covering the common viruses that the AVs already cover. If you want to detect viruses, get a good AV. If you want to detect some extra malware that your AV may miss, get an AT.

    It would be a good idea to include programs like A2, Ewido, TDS3 & TH in the online virus scanners like Jotti's and VirusTotal IMO. Or have a different online scan that covers a bunch of the different ATs in one place. Yeah, good idea. Of course there is trojanscan.com, maybe not as good as the group of ATs, but still somewhat helpful.

    I don't think it would be a good idea to use just a resident AT IMO. I'll stick with the resident AV and on-demand AT, or both resident. You may be able to get by with just Ewido (or another AT) as your only resident protection, but if you do get hit with a virus/worm you may wish you had done otherwise. I don't see why anyone would want to take the chance of having their AT resident and AV as a backup only, but to each their own I guess. Good luck. ;)
     
  4. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    the problem with on-demand scanners is that prevention (be it on-access scans or proactive defenses) is a much more efficient way to protect. some forms of malware just can't be removed with on-demand scans

    yes indeed, you're going to need it
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jaws,

    I think the differences are primarily architectural and not functional. There are substantial architectural issues which make the commonly known AVs more desirable than the commonly known ATs, but as the functions blur so do the architectures - in the same way the architectures (and functions) of AVs are blurring when compared to functions of some firewalls.

    You can have two products with exactly the same functions (i.e. catch viruses, trojans, spyware or what have you - even if they are catching exactly the same malware) and yet yield (in practical terms) substantially different results because of the difference in architectures (e.g., the point in time at which the malware is being detected and removed). If you run an AV and AT simultaneously and then introduce random malware, it is possible to see the results of the different architectures in actual practice. This is why understanding the product architectures (as a way of differentiating) is essential to understanding why one of the commonly understood "ATs" may not be a desirable replacement for an "AV" (both nomenclatures really being obsolete as far as I can see).

    Rich
     
    Last edited: Jul 12, 2005
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    pffff, the combination would be the best of two worlds:

    try pg, rd (or a mature SafeNSec) with a working memory scanner like Ewido...

    I see Kaspersky 2006 beta being like this: a combination of pg, Kav and antispyware and antispam...that would be a good solution imho
     
  7. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi All,

    I must say I'm really surprised that not even one representative of the four ATs I mentioned posted at least a comment about questions #1, 2, and/or 3.

    I guess they didn't feel it was important enough to warrant a reply or they think if they put their heads in the sand the problem will go away. In my opinion, if the AV companies continue to foray into AT detection, I'm afraid the AT makers will be left out in the cold.

    I personally think the AT companies are in a good position to wrest the dominant control away from the AV companies. I think their thoughts would be very informative on the direction that they are headed. Maybe I'm wrong about this whole scenario.

    As Rich intimated, the semantic line is blurring between ATs and AVs. But I see no good reason for AT makers not to delve into the AV realm. Well, enough about that. Let's give them more time and maybe they'll post their opinions on whether it's doable or not.

    Who knows, in 2, 5 or 10 years from now, there may be a totally new strain of infections that we'll have to deal with!

    illukka,
    And so wouldn't you think the AT companies have the upper hand in the current environment.

    Then wouldn't an AT catch the trojan first, if they're better at catching trojans.

    I assume you meant: to not get infected only because of your actions.
    Perhaps you missed the sentences where I said: As a matter of fact, until recently, I didn't use any resident AV or AT at all because of my cautious surfing habits. I just used on-demand scanners.
    I should have also stated that I never got infected through the years I did this. But I do feel that now we are living in a more dangerous time. Therefore I now use a resident scanner.

    Well I guess I'm lucky.


    test123
    Why not? Don't AVs detect trojans? And as KAV users like to point out, it's really good at detecting trojans too.


    Infinity,

    Kind of off topic there buddy. I was hoping to stick to talking about ATs.

    Anyway, it looks like this thread is dead right now, but I think I'll be doing some experimenting with ATs only to see if or how long it takes to get infected.

    Regards,

    Jaws
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    sorry, I don't know why I posted it. I will locate the question to the answer I gave...it does not make sense indeed.

    hmmm :/
     
  9. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Good topic, Jaws.

    I enjoy discussions like this one....because to me, it's almost like a beauty contest. I think that each individual user has to decide for themselves what the best approach to take is. I think the two things that are almost universally accepted by everyone these days are that a good firewall and a good anti-virus are a must. After that, I think it boils down to personal taste. Some people are more comfortable taking a "Process Guard/RegDefend, and little else" approach...while others load up on resident anti-spyware, anti-trojan, and on-demand scanners. For each individual user and each computer, I would think that the results and approaches would vary....and that there probably isn't a "one size fits all" approach to take.

    But to add my two cents to the discussion about AV versus AT....I don't look at them as a competition but more as a combination of compatible team members....striving to do their part to ensure and achieve computer security. I am currently running both McAfee AV Active Shield and TrojanHunter's TH Guard (along with a firewall, real-time anti-spyware, SpywareBlaster, WinPatrol PLUS, MVPS HOSTS File Manager, IE-SPYAD, etc., and am looking at PG, RD, and PrevX), because this is what seems the most compatible ON MY MACHINE! I trialed ewido and some other AS apps and AVs, and have found that my current combination works the best for the overall performance of my machine. Doesn't mean, and I'm not saying that it is THE BEST set-up...because for all I know ewido's resident shield may be more effective than TrojanHunter's. I'm also not suggesting that it is either....because neither has detected anything....but I did feel more of a system lag and noticed more resources being used with ewido than with TH. Of course, newer versions of products usually result in better performance, and I trialed ewido 3.0 and it is currently at 3.5....but for me it's been a long, trial and error process of asking questions, reading, and trying products myself (the key). But personally, I like the "dual or multiple layer" approach....since I figure that what one misses, another one may catch.
     
  10. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Rich,
    I had to read your post several times and I'm still a little fuzzy on your meaning. Are you saying AVs can be good at both virus and trojan detection and ATs cannot? Are they really that different considering both use definitions, heuristics and resident monitors? Can ATs not become as good at detecting viruses in the near future?

    Infinity,
    That's funny.

    JR,
    I think you're absolutely right and this goes down to every aspect of computer security. I've read a lot of posts on this and other boards and everyone doesn't always follow the expert crowd. There are people on both sides of the fence, whether it concerns outbound app control of firewalls, IE users and firefox, opera...users, and I can probably point you to posts, if I could remember where they are, where people don't use resident AVs or ATs. But I don't want to get off topic here.

    I understand what you're saying about a layered security defense, and I agree, but I'm trying to focus on ATs vs AVs. Their differences and the possibility of ATs becoming a dominant player in security considering the predominance of trojans at the present time.

    Regards,
    Jaws
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jaws,

    The way I see it, ATs are competing against AVs for "technology turf high-ground". That is, AVs are able to gain access to and "monopolize" certain important operating system services (don't ask me exactly which ones, because this I do not know), which allow them to intercept and interrogate files before they are able to do harm - and before an AT is able to detect them. That is why KAV usually (in my case always) catches malware before Ewido is able to detect them.

    AVs are able to gain control over these system services because the assumption is that they are absolutely necessary (are already installed on the PC when they are shipped) and there will not be any other real-time AV installed. That is why most AVs will warn that other real-time AV components have to be uninstalled before a new one is installed.

    So lies the AT vendor's technological challenge. If an AT (e.g. Ewido) tries to supplant an AV, it must first gain access to the same system services. However, if they try to do this while the AV is in place, then there will be "conflicts" and users would probably uninstall the AT (remember the AV has the technological high ground). If the AT vendors suggest that the AV be uninstalled, very few users would want to do so (since ATs do not have the breadth of AVs at this time). So AT vendors must design their products by "yielding the high ground" and act as a "second layer" of defense. There is no way a vendor such as BOClean will suggest that their software replace an AV. On the contrary, they strongly suggest that their AT is meant to augment the AV and not replace it.

    On the other hand, the AV vendors have no problem expanding into the AT arena, since they already have the high ground (i.e. technologically well-positioned within the operating system environment). You can see this happen in a very real and practical sense as each AV vendor augments their AT detection capabilities very rapidly (recent tests confirm what most users are seeing in actual practice).

    You will notice that as AV vendors try to expand into the network detection arena they are encountering the same problems that AT vendors have, only the AV vendors are conflicting with the software firewalls. At this point the user must decide whether to continue to use the dedicated firewall along with the AV (ZoneAlarm + KAV) or use the AV suite (e.g. KAV IS). There are pros and cons to each approach. Many AV vendors are adopting the "suite approach" in order to avoid conflicts with other firewall and AT vendors as they move into the arena traditionally dominated by these software products.

    I see that AT vendors have a very difficult task, since they cannot easily gain control of the operating system services that they need in order to compete against the AV vendors - and therefore must play second fiddle. There may be a market for another "AV" (for example, Ewido comes out with a product which does as well as KAV on the AV tests in all categories), but how big of a market is it and will it sell?

    So whereas the AT vendors did have a niche up until recently, filling in the holes in the AVs' defenses, it is becoming more difficult to define this niche given the progress the AV vendors are making in shoring up their defenses against all types of malware. So it is up to the AT vendors to clearly define their "added value" without just becoming another AV, which would surely be suicide at this point from a business point of view. Can products like TDS-3, Ewido, BOClean, A-squared, Trojan Hunter clearly demonstrate a value proposition that allows them to continue to sell into the marketplace without technologically conflicting with AVs on a PC station? .. I think it remains to be seen. I have Ewido running because I enjoy the additional protection without the conflicts (my system is stable). But do I consider Ewido a "must have" technology, as opposed to a "nice to have"? - probably not. There lies the AT vendors' challenge.

    Hope this long-winded explanation clarifies. It is difficult to explain because AT vendors (as best as I can make out) have both technological and business hurdles that they must simultaneously address vis-à-vis AV vendors, and they appear to be very difficult problems to solve.

    Cya,
    Rich
     
  12. James Taylor

    James Taylor Guest

    Not that I doubt your expertise Rich, but may I ask where you got this theory from? Since you cannot furnish any technical details, someone must have told you about this? Or is this based on guessing?
     
  13. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi All,

    Rich,
    Perhaps you're somewhat missing my point of this discussion. I'm saying to hell with AVs (see below). True, AVs right now have the upper hand but does it have to be this way? If AVs continue to add trojan detection a lot of AT companies will be out of business.

    In my, not so expert, opinion trojans are dominating the internet and are a more dangerous threat:

    Remote Access Trojans (RATs)
    Password Sending Trojans
    Keyloggers
    Destroy and delete files
    Denial Of Service (DoS) Attack Trojans
    Proxy/Wingate Trojans
    Software Detection Killers (ie. firewalls)
    Look HERE

    The other point I'm trying to make is give me a great AT that is also a decent to good AV and I'll be better protected from far greater dangers than what a virus can do. Then I can use an on-demand AV, either on a regular basis or when I think it's needed.

    But like I said before, maybe I'm wrong about the whole situation and in the future some other kind of infection will become an even greater threat.

    Regards,
    Jaws
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jaws,

    I would agree with you that if all things were equal. However, let's look at it from the AT's development team perspective.

    1) They know that most machines that are shipped already have an AV running on them (most likely either Norton or McAfee).

    2) These products are already designed in such a way that they are using certain important operating system resources to trap, scan, detect, and remove malware.

    3) Since the AVs are known quantities that most users will install or keep installed, the AT vendor's development team operates under the constraint that they must co-exist with the AV. Otherwise the AT will be removed, and not purchased. In other words, from a sales/marketing perspective, the AT must be designed to co-exist with one or more of the leading AVs (e.g. Norton, McAfee, Trend-Micro, Panda, Kaspersky, Eset). However, the reverse is not true. The AV development teams do not have to co-exist with other AVs (they recommend their removal) nor do they have to co-exist with other ATs (it is not a sales/marketing imperative), especially if the AV can show scan/detection performance that is at least equal if not better than the ATs (this can be demonstrated).

    4) So the AT development team must carve out a niche that will a) allow them to technically co-exist on the same machine and b) demonstrate a clear value proposition. In the past, I think BOClean, Ewido, A-squared, and others have successfully done this. Many large AV vendors clearly had holes in their trojan detection schemes, and using in-memory process scanning techniques, that did not conflict with AVs or other ATs, AT vendors were able to clearly demonstrate their value proposition.

    5) However AV technology is changing as AV vendors are now attempting to enter into areas formerly dominated by software firewalls, anti-trojan and anti-spyware specific products. Technically they have the upper hand. They also have an upper hand from the sales/marketing perspective since AVs are viewed as "must have" while ATs are viewed as "nice-to-have".

    6) I am a big fan of ATs. They provide backup protection in a layered defense because no AV is perfect. However, AT companies have to continue to make money in order to successfully compete against AV companies who are making tons of money. Going forward, I hope that AT companies are successful in defining their technological and sales/marketing niches, since I think they fulfill a valuable role in personal security defenses. I cannot tell you how many times TDS-3 and Ewido have saved situations.

    Hope this further clarifies, and THANKS for taking the time to read my long-winded replies.

    Cya around,
    Rich
     
    Last edited: Jul 13, 2005
  15. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Rich,

    Following what you postulate to its logical conclusion we can therefore surmise that:

    A* AT and possibly firewall companies will eventually go out of business.

    or

    B* AT companies should change their names to: ewido AV 3.5, Virus Hunter, Virus Detection Suite 3.0, A-Squared AV, ....

    Where they can offer superior AT protection, but still be able to stay in existence because now people will be assured that they are protected by an AV. Sounds ludicrous to me.

    Regards,
    Jaws
     
    Last edited: Jul 13, 2005
  16. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hmm.....maybe i'm reading Rich's posts wrong, but i don't see how you can reach this conclusion from reading his posts.

    One thing is for sure though, there won't be many AT's with success left in 2-3 years, i'm still hoping though (have a bad software addiction ;) ).
     
  17. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Don,

    Which of my conclusions don't you agree with, A, B or both?

    I've reread Rich's post again and I can only conclude that if everything stayed status quo (which it never does) then AT-only software will be around for a good while longer. But everything in his posts indicates this is not true, especially if you read his post here:

    You yourself state, which seems to corroborate what I said:
    I'm not saying all this will come to pass because I nor anyone else can see into the future. I'm making assumptions from his posts and what I see happening in the here and now.

    As a matter of fact, I wish ATs would take over the lead as far as resident scanners, due to the previous reasons I expounded on. Namely a greater threat and more of them.

    Regards,

    Jaws
     
  18. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Personally, I don't believe that either AVs or ATs are going anywhere.....not as long as people value their computer and internet security, and malicious software writers still exist. While many "security conscious" PC users continue to look for a product that is all encompassing, and covers everything....many of your average PC users will probably feel comfortable being covered by having your basic AV and a firewall (and perhaps an "anti-spyware" program of sorts). But those not feeling as though that is adequate enough will strive for MORE protection, and will also likely use an AT. Whether it changes in the future or not, I believe that most people will continue to live and operate under the assumption that AVs cover and deal primarily with viruses, while ATs do essentially the same thing with trojans. After all, there are several "security suites" that offer firewalls, anti-virus, spam filters, etc., but people still "shop around" and put together an assortment of various different products. I think that the only really legitimate possibility is that we will likely see fewer available products after a period of time...as the "good" or "popular" is sorted out from the "bad" or "unpopular", and some companies sink while others swim.....
     
  19. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Oh, i certainly think that ATs will stay around longer than that, and perhaps 1-2 will be successful, but Rich IMO is seeing things pretty much like......well most people want it, which is in one box/suite & that's the way 95-98% of the users want their protection. :)
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    not around here Don ;)

    but some parts can be integrated to have the possibility to use other kernel proggies if you know what I mean.

    Cheers.
     
  21. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    JR,
    Sorry, I have to strongly disagree with you. Computer technology is so fluid and changing that who knows where we'll be in a few years. Especially if Don is right and only 2 to 5% of computer users actually use products that are not preloaded onto their computers or come in a suite.

    Don,
    Are 2 to 5% of computer users enough to keep all the AT makers in business and keep them in business? Especially if those 2 to 5% can get trojan defense in their AV.

    Rich, from post #11
    Would it really be suicide? See post #15 B
    My whole proposition is that AT companies could have the upper hand if they touted their products as addressing the far more serious threat that trojans pose. And with AV detection also incorporated into their product they'll be in a far better position than they are now. Granted, it would be a massive undertaking for their sales and marketing.

    Regards,
    Jaws
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes, but the cost is waaay too big Jaws.

    that would make a team of 30 people and ... I think only kav and nod have that capacity; in theory every player has it...

    but on short term there will be no profit...that's scary.

    I like layered security. if it doesn't get detected by one, it will by the other... :rolleyes:
     
  23. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Infinity,

    And what would be the cost of going out of business? Unless you're suggesting that security forum members can singlehandedly keep them in the black. I suppose it could be done.

    Everyone seems to gloss over the fact that trojans pose a more serious threat and that AV companies are getting into the AT business by incorporating AT detection with their AV products. If I was in the AT business I'd be sweating bullets because of this.

    Regards,
    Jaws
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    the difference is getting too small between the classification of malware I agree Jaws.

    still, it comes down to profit...that's my thought.
     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    it is you who's stating that Anti Trojans are out of business, cause it will evolve...and the future will be a combination of behaviour detection and signature/memory scanning...

    I think...
     