AV-C XP Exploit Test Report DEC 2014

Discussion in 'other anti-virus software' started by FOXP2, Dec 24, 2014.

  1. FOXP2

    FOXP2 Guest

    I searched on "tencent" in this forum, got no returns so I'm thinking no one's posted up on this yet. Or not.

    http://www.av-comparatives.org/wp-content/uploads/2014/12/Tencent_Chinese_XP_exploit_AVC_V2_1128_CN.pdf

    I gather it's a WinXP exploit test of seven products within the China totality. Anyone familiar with AV-C reports understands the red/yellow/green charts. And 99% of the Wilders community never actually reads anything anyhow, so what that it's in Chinese? :cool:

    Interesting results of the red bars...

    Cheers.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Interesting, I wondered who sponsored the test, it's not hard to guess. No but seriously, quite surprising that Kaspersky and Bitdefender didn't do too well.
     
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Is the 74% blockage + maybe 18% or so user-dependent not good for you?
    As a note, if it was Vista+ Kaspersky would have earned a better score; this is a consistent tendency in all exploit tests, maybe because they rely more on AEP than NIPS to block exploits (it's not hard to imagine AEP is limited on XP).
    About Bitdefender, no surprise at all; they have been performing poorly in all exploit tests they attended, while they have probably the best BB as well as strong malware signature, heuristics, and URL blocking.
    Contrary to this, Norton/Symantec constantly performs well in all exploit tests thanks to its strong NIPS, while very poor at FDT (I know they're poor too in URL blocking).
    Maybe Tencent spent massive effort to block XP exploits, but of course this doesn't guarantee it will perform well in a dynamic test.

    I strongly hope AVC provides an English report, since when we interpret this type of test, we have to be extremely careful, e.g. MRG's corporate exploit test was done in unfair conditions (you can't directly compare it with NSS' one as they're done in different configurations). And NSS' exploit evasion test was almost meaningless (if you read through the document you'll find why).
     
  4. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    787
    Good post, you're completely right.


    About Kaspersky AEP:
    http://www.kaspersky.com/downloads/...er_automatic_exploit_prevention_eng_final.pdf
     
  5. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    FDT = ?
     
  6. FOXP2

    FOXP2 Guest

    Bitdefender's Active Virus Control, AVC, is in addition to their "malware signature, heuristics, and URL blocking."

    I ponder if these recent tests are of sufficient magnitude and depth to fully determine the efficacy of AVC. Or the exploit detection of any other AV/IS. While "exploit blocked before exploit" and "exploit blocked before malware execution" are admirable results, do these "all exploit tests" actually continue to test while the malware has had a chance to, well... behave?

    #36: Read the paragraph beginning with "After passing B-Have" and see the screen shot:
    http://www.wilderssecurity.com/threads/lavasoft-ad-aware-latest-version-threads-merged.364565/page-2#post-2418074
    Actually, you can read the whole post if you want. :D

    #55: I'm convinced of a recent "zero-zero-day" exploit save due to AVC:
    http://www.wilderssecurity.com/threads/lavasoft-ad-aware-latest-version-threads-merged.364565/page-3#post-2438551
    The links were related to significant breaking news, about 2-hours old, and the site belonged to an independent TV news station in the small municipality where the event was occurring.

    Of course, the sophistication of exploits out-pacing that of testing has long been a discussion in this arena.

    Cheers.
     
  7. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    The report states clearly who commissioned the test; in this case it was Tencent.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Unfortunately, that PDF doesn't give much detail about AEP. From it a reader may conclude AEP is just behavior-based drive-by download protection + forced ASLR (which of course doesn't make sense in XP), but actually AEP is more.
    AEP is a general term for anti-exploit technology in KIS/KEP that includes e.g. monitoring the (call) stack to see if there's unusual data or patterns (a kind of memory heuristics), locking down behavior for popular software, and a special component for Java which monitors behavior inside the Java sandbox.
    I'm not sure if NIPS is included in AEP, but it's just a matter of wording or definition.
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    FDT = file detection test
     
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    First of all, nobody should regard this type of specific test as a reflection of the overall performance of the product; that is the task of a dynamic test. IMO, those specific tests (except some, such as phishing tests) are only meaningful when the reader thoroughly reads the methodology and has the intention to understand how each product works.

    AVC is basically BD's BB, so unless it has a behavior-based anti-exploit feature, it's not relevant to this type of test. Some tests continue to malware execution, but in that case they're distinguished from the pure exploit score. AFAIK, BD doesn't provide any info about whether AVC includes behavior-based anti-exploit; your 2nd link suggests it does, but I'm not sure because I don't know the details about it.

    And anyway, blocking an exploit at an earlier stage is better. Once an exploit has succeeded, downloading malware is just an option for the attacker, though it is the most preferred method. He might try to just steal some info stealthily from the victim like the FBI's Tor exploit, or, by leveraging the first exploit, try a next local exploit to gain admin, system, or possibly even kernel privilege. Some exploits such as application design flaws or kernel exploits can only be blocked by NIPS, though NIPS has its own drawbacks, e.g. it only protects known vulns and if the attack is highly obfuscated it'll fail.

    Moreover, what is important for me is that those specific tests give us clues about how each product works, what each company's strategy is, and, by combining dynamic test results, what function or strategy makes a difference. You'll see that just after Panda employed anti-exploit in v2.2, their score increased in all dynamic tests. Same goes for Kaspersky AEP. Not only the product itself, we can also estimate the effects of backend improvements. I don't mention recent improvements about Trend as Mayahana already talked about them, but actually it was already seen around 2012 when they announced backend reconstruction; if you made a graph of Trend's score from around 2010 you'll find what was happening.

    I completely agree with him, but so far we can only estimate from those clues.
     
  11. guest

    guest Guest

    Kaspersky for example owns a patent which describes a way of detecting the exploitation of software: https://www.google.nl/patents/EP272...&sa=X&ei=E9CdVLawNYWAUcSGgrAL&ved=0CCUQ6AEwAA
    It for example mentions checking whether memory is executable or not. Although the patent doesn't seem to take into account return oriented shellcode ;) :isay:
     
  12. iforget

    iforget Registered Member

    Joined:
    Mar 29, 2012
    Posts:
    15
    Location:
    Riderville, Canada


    I can't speak specifically to exploits, but while playing with malware I have seen AVG Identity Protection and Bitdefender AVC block and remove a significant amount of malware 30 minutes or more after execution.

    I also ponder if tests allow malware a chance to behave.
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks! I didn't even think of searching in patents, great finding! :thumb:
    Though some exploit tests continue to test malware execution, basically that's out of scope for this kind of test. If you want to know the overall protection of a product, go to a dynamic test (aka real-world test). If you have only installed a security suite, what you want to know would be that. But if you're a security enthusiast and have several or more products installed, you'll find those specific tests are quite useful to estimate how each product works and where the product is strong, thus it helps you to decide what products to combine.
     
  14. iforget

    iforget Registered Member

    Joined:
    Mar 29, 2012
    Posts:
    15
    Location:
    Riderville, Canada

    Either you didn't read up to the first comma in my first sentence, or you didn't understand it...
     
  15. FOXP2

    FOXP2 Guest

    I respect your expertise regarding this, that and the other thing regarding BD's AVC and make no argument against the supposition you present.

    However, BD's "basically BB" is B-Have and effected by one system driver and two libraries which is not to diminish their strength.

    AVC on the other hand, several system drivers and at least a half dozen libraries (I don't care to dig into it right now to come up with the exact numbers) and supported by nine routinely updated databases.

    Two of those libraries inject separately into each and every running process.
    http://www.wilderssecurity.com/attachments/ls-avc_atwork-jpg.244856/

    AVC is anything but "basic" and the word has no legitimacy in its discussion.

    Your viewpoint in that respect needs adjustment. Lest I consider your technical savvy, well... basic. :D

    Thank you. And, of course, Cheers.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes I misread, on second thought, Kaspersky did perform quite well. Too bad they didn't test HMPA and MBAE.
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Maybe my bad English, but I didn't mean "AVC is just a basic BB" by "basically". I meant "AFAIK, 90+% of AVC is BB, though there might be some other function" (in fact some other AV/IS's BB have additional functions such as automatic sandboxing). And actually I think AVC is probably the best BB in the industry (I actually said it in #10 too); from what I've seen it is even better than Kaspersky. I hope this addresses your concern. At the same time, if you're a native English speaker, I'd very much appreciate it if you could explain or illustrate better words for me, as one reason I participate in Wilders is to learn/improve my English.

    AFAIK, B-Have is a dynamic heuristics engine which examines a file's behavior in emulation, so the true BB is AVC only. And those databases are for behavior signatures, which all good BBs have used from around 2011; this is because classical scoring-based BB can't catch up with the latest malware trend where criminals try to bypass BB.


    BTW, I'm not tech savvy. I even lack very basic knowledge of programming, networking, and other IT things. I'm just a guy who searches for anything almost obsessively until I get a feeling of understanding when I come across sth I can't make out.
     
    Last edited: Dec 29, 2014