AV Heuristics & rambling

Discussion in 'other anti-virus software' started by Firefighter, Nov 25, 2005.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Apparently you don't understand that these were some simple examples of my sarcasm. So they were taken as a joke of course! :D

    Best regards,
    Firefighter!
     
  2. Firefighter

    Firefighter Registered Member

    Have I said something else? Probably only that DrWeb has the second best one! :)

    You have the full freedom to believe that, but so have I also the full freedom to believe something else! ;)

    Btw, how should you think about my tests when NOD is the winner?

    Probably the same, but at least you have any need to reply! ;)

    Best regards,
    Firefighter!


    PS. I'm also from one of those lands of Vikings, but I'm only a much older relic and a real offspring of Vikings, and officially of the same origin as you as far as my roots are concerned. :)
     
    Last edited: Nov 26, 2005
  3. Farbod

    Farbod Registered Member


    Those questions were for clarifying what you said, FP; people should know it is not the idea of an analyst.
     
    Last edited: Dec 1, 2005
  4. Firefighter

    Firefighter Registered Member

    Back to the topic. DrWeb is actually very close to NOD in heuristics according to my own 1016 samples, whose checksums were checked by IBK. :cool:

    Look at my post 47 here.

    https://www.wilderssecurity.com/showthread.php?p=570279#post570279

    Actually, DrWeb's results were within the error margin to be as good as NOD.

    Best regards,
    Firefighter!
     
    Last edited: Nov 26, 2005
  5. Happy Bytes

    Happy Bytes Guest

    So you're basically saying here that Andreas Clementi "approved" your "testset"? :eek: :eek: :eek:

    I think he will be very happy to read such ridiculous comments from you.
    Even if he told you "you have to remove this and that" this doesn't mean that the rest is clean.
     
  6. IBK

    IBK AV Expert

    I could only check things if I got them in order to analyze them. By checksums, only some old and known garbage can be sorted out. So, no, you cannot say I approved your test set.
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    In my tests, Dr.Web scores around 10-30% detection with heuristics while NOD32 has 50-80%, in a few collections 90%.

    But it is not a fair comparison in my opinion, because the high detection rate of NOD32 is achieved with variant detection and not by the heuristics alone. Not that a user will differentiate between the two detection methods, but oh well.
     
  8. vbaguy

    vbaguy Guest

    No idea about the rest, but VBA32 scans are run with 'paranoid heuristics'. I run it about twice a month using those settings and it always comes up with all kinds of FPs (about 10-20). To their credit though, when I send in the files, they update it and remove them within a week. Though there are always new ones. Of course, they also don't recommend anyone run with paranoid heuristics.

    I would be very suspicious of VBA32 results, particularly, if it is the only one of the batch to detect malware.
     
  9. wildvirus88

    wildvirus88 Registered Member

    MY OPINION:

    I emphasize that heuristics (of Nod32 or Dr.Web) do not substitute for database updates (Kaspersky and others). I receive viruses every day in my e-mail account... Trojan downloader variations, new viruses, trojan bankers... and MY Kaspersky detects MY infected files many more times than NOD32 (on my friend's computer). The files that I receive are NORMALLY not detected by NOD32 (friend's computer), while they are detected by Kaspersky (my computer). Both databases always updated and heuristics active (NOD32). It's a practical result that I can see and that can't be ignored. In Jotti's test and the VirusTotal test my virus samples are normally NOT detected by NOD32 and are detected by Kaspersky, Dr.Web, BitDefender and others... I can show a big number of screenshots of it.
     
  10. Pain of Salvation

    Pain of Salvation Registered Member

  11. Marcos

    Marcos Eset Staff Account

    I'd suggest that you submit them to the vendors of AVs that "missed" your samples. Also, I'm sure an independent tester IBK would be glad to have a look at them. It could be the samples were corrupted or non-functional so it'd be fair to get them analysed first before making any conclusions.
     
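Both IBK's remark that checksums can only sort out old and known garbage, and Marcos's point that samples may be corrupted or non-functional, describe test-set hygiene steps. The following is an added example (not code from any poster or vendor in this thread) that shows those two steps on a constructed corpus: it drops samples whose SHA-256 matches a known-junk list, drops exact duplicates, and rejects files that do not even carry a plausible MZ/PE header. The sample bytes, the `make_min_pe` stub builder and the `KNOWN_JUNK` list are all constructed here for illustration; the header check is only a sanity filter, not a test that a sample actually runs.

```python
import hashlib
import struct


def make_min_pe(payload: bytes) -> bytes:
    """Build a minimal synthetic MZ/PE stub for the example corpus.

    Layout: 'MZ' magic, e_lfanew at offset 0x3C pointing to 0x40, then the
    4-byte 'PE\\0\\0' signature and an arbitrary payload. It is constructed
    test data, not a loadable executable.
    """
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    dos += struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + payload


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ magic plus a reachable 'PE\\0\\0' signature.

    A sample failing this cannot be a valid Win32 executable, so it is a
    candidate for the 'corrupted or non-functional' bucket.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(samples: dict, known_junk: set) -> dict:
    """Sort a {name: bytes} corpus into kept / duplicate / known_junk / not_pe.

    known_junk is a set of SHA-256 hex digests to exclude outright, which is
    the 'sorted out by checksums' step from the thread.
    """
    seen = set()
    result = {"kept": [], "duplicate": [], "known_junk": [], "not_pe": []}
    for name, data in samples.items():
        digest = sha256_hex(data)
        if digest in known_junk:
            result["known_junk"].append(name)
            continue
        if digest in seen:
            result["duplicate"].append(name)
            continue
        seen.add(digest)
        if not looks_like_pe(data):
            result["not_pe"].append(name)
            continue
        result["kept"].append(name)
    return result


# Constructed corpus: two distinct stubs, one exact duplicate, one stub cut
# off before its PE signature, one plain text file, and one known-junk stub.
SAMPLES = {
    "a.exe": make_min_pe(b"alpha payload"),
    "b.exe": make_min_pe(b"beta payload"),
    "a_copy.exe": make_min_pe(b"alpha payload"),
    "truncated.exe": make_min_pe(b"alpha payload")[:0x3E],
    "readme.txt": b"just a text file, not an executable",
    "junk.exe": make_min_pe(b"known garbage"),
}

# Constructed known-junk list: in practice this would be fed by an analyst's
# hash list of previously rejected files.
KNOWN_JUNK = {sha256_hex(make_min_pe(b"known garbage"))}


if __name__ == "__main__":
    for bucket, names in triage(SAMPLES, KNOWN_JUNK).items():
        print(f"{bucket:10s} {names}")
```

Only the `kept` bucket should go forward into a detection comparison; everything else would otherwise inflate or deflate the scores of the products being compared.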
  12. The Hammer

    The Hammer Registered Member

    Yet your friend sticks with NOD. It would be interesting to hear from him. :) :p
     
  13. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    You call that "big" number? I wouldn't get excited if the test set has less than 10.000 samples. The test set I used has 160.000 samples, only malware from 2005.
     
  14. wildvirus88

    wildvirus88 Registered Member

    http://antivirus.nafoto.net has old results... this does not benefit NOD32, Kaspersky or other AV software... The files used are not false positives.
     
  15. wildvirus88

    wildvirus88 Registered Member

    Some time ago I sent them to all of them... However, I noticed that the majority ignored my archive and did not add it to the database, or added it weeks later, when the viruses could already have multiplied. Then I gave up and started to send only to the AVs that really added them to the database: Kaspersky, Avast, Antivir, Norman, Arcavir...

    AND if we send a sample to Jotti, theoretically the sample will be sent to AV companies, right?
    ;)
     
  16. wildvirus88

    wildvirus88 Registered Member

    This will not be possible, because he is not an AV aficionado, but nobody needs to believe that what I'm saying here is the truth.
    ;)
     
  17. Brian N

    Brian N Registered Member

    -Screenie from POS-
    http://img460.imageshack.us/img460/9205/jotti123aw.jpg
    I think this is actually an F/P that Eset and other vendors haven't removed yet.
    It is a trainer, made by a cheat engine and it monitors your keystrokes so it can enable the cheats on a game.
     
  18. IBK

    IBK AV Expert

    nothing to fix...
     
  19. RejZoR

    RejZoR Lurker

    Imo it should be classed as "not-a-virus" or "riskware"... :doubt:
     
  20. Brian N

    Brian N Registered Member

    But is it really a trojan? No ...
    Is it riskware? Keylogger!.. Not really, unless you plan spying on yourself..
    Does it install crap? No not really, only a dll to monitor your keys when the app is active.
     
  21. RejZoR

    RejZoR Lurker

    Exactly. mIRC is also a perfectly clean app and almost all detect it as riskware.
    It's clean, but what it CAN do is questionable.
    This dll is nothing else. The file itself is completely clean. What it does may be questionable. It should be tagged as riskware, not as malware...
     
  22. wildvirus88

    wildvirus88 Registered Member

    http://img390.imageshack.us/img390/6404/vir9vc.jpg

    The infected files that I receive by email are NOT detected by NOD32 heuristic, normally.

    I believe that we can create a topic only to post detection results, from Jotti, VirusTotal and other...

    ;)
     
  23. Marcos

    Marcos Eset Staff Account

    Did you actually test that file? I've got tons of postcard.gif.exe files with irc scripts detected by NOD32 after extraction.
     
  24. wildvirus88

    wildvirus88 Registered Member

    Last edited: Dec 9, 2005
  25. POS

    POS Guest
