AV-Test: Reaction Times of the latest Worm Attacks

Discussion in 'other anti-virus software' started by TeknO, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    Related link;
    http://www.av-test.org/down/ms05-039.zip

    2005-08-22
    Reaction Times of the latest MS05-039-based Worm Attacks
    You can find information on how fast the AV companies reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in this Excel sheet (18 KB). Furthermore, we checked how many AV products did not require an update in order to deal with these threats. All times in GMT.


    And results;
    http://img387.imageshack.us/img387/5648/av12fc.th.gif
    http://img387.imageshack.us/img387/8493/av23ui.th.gif
    http://img387.imageshack.us/img387/4807/av39so.th.gif
    http://img387.imageshack.us/img387/2029/av40gf.th.gif
    http://img387.imageshack.us/img387/334/av53cn.th.gif
    http://img387.imageshack.us/img387/1196/av64wq.th.gif

    And my summary;
    http://img399.imageshack.us/img399/7308/avpd3zn.th.gif

    Sorry for the Turkish words in the summary.
    proaktif tesbit = proactively detected
    tesbit edilemedi = still no detection
    date format = dd.mm.yyyy

    Comments on this test?

    Regards,
     
  2. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    It's not correct for me. NOD32 detected the Win32/IRCBot.OO trojan with a virus signature update, not proactively. Please be more careful. Again, thanks for your feedback.
    Regards.
     
  3. Happy Bytes

    Happy Bytes Guest

    Do a Google search for when this signature was added. "A variant" means it's very close to this detection, but not 100% identical in a binary compare of the files.
     
  4. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    NOD32 - v.1.1178 (20050726)
    Win32/IRCBot.OO
     
  5. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    There's no difference.
    It depends on virus signature database updates, but it's not related to proactive detection.
    http://img357.imageshack.us/img357/3873/nod32x4sm.th.gif

    I'm sure that NOD32 is a wonderful A/V. I'm a NOD32 user too. Don't worry. :)
    Regards,
     
  6. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    How did you get your NOD IRCBOT!VAR detection date as 16.08.2005 19:27 in your table?

    Or am I missing something here?

    Thanks,

    Stan
     
  7. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    Please read post #2. Only IRCBOT!VAR wasn't detected by the heuristic engine in the test. In the end, it wasn't a big problem, only a discussion. By the way, it's not my table; I only summarized it. The source is http://www.av-test.org/
    Regards.
     
  8. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I am still confused.:)

    Your tables showed NOD32 detected the Win32/IRCBot.OO trojan
    as of 16.08.2005 19:27

    However, NOD provided this signature on 26.07.2005
    NOD32 - v.1.1178 (20050726) Win32/IRCBot.OO

    How did you arrive at the date that NOD didn't detect this until 16.08.2005 19:27 per your tables?

    Thanks,

    Stan
     
  9. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    Perhaps, you must talk with Andreas Marx :) :)
    Regards,
     
  10. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    BTW, I consider "proactive detection" to be "zero-hour" detection with heuristics, or generic signatures, or other method as long as it provides "zero-hour" detection. That works for me.:)
     
  11. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    BitDefender did great!

    If we could have NOD32's speed, Bitdefender's Heuristics and Kaspersky's signatures...
     
  12. Copper

    Copper Guest

    Strange... why did NOD32 not detect Win32/IRCBot.OO in this test if NOD32 has the signature?
     
  13. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    You forgot to add Nod32's heuristics, KAV's static unpacker and VBA32's Generic Unpacker to that setup :cool:
     
  14. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    plus KAV's hourly updates
     
  15. hbkh

    hbkh Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    128
    Location:
    Ohio, USA
    What would we call this product? Bitpersky32 maybe? :D :D
     
  16. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    KasNoDefender xD
     
  17. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    "Bitpersky32" and "KasNoDefender" will be the first choice of the A/V world if someone quickly prepares them. By the way, there's a chance to make much more money after the publication of this A/V test. :D :D
     
    Last edited: Aug 27, 2005
  18. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    Maybe we can propose this "KasNODefender" idea to each company :D Maybe some day they could merge their AVs.
     
  19. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    Another link for same test results;
    http://www.pcmag.com/article2/0,1895,1850851,00.asp

    Eleven of the products were able to detect one or more of the attacks proactively, without any special pattern update to identify it specifically. Here are the numbers for each of the eleven:

    Product - Score
    BitDefender - 6 of 6
    Fortinet - 6 of 6
    Nod32 - 5 of 6
    eSafe - 3 of 6
    F-Prot - 3 of 6
    Panda - 3 of 6
    QuickHeal - 3 of 6
    McAfee - 2 of 6
    Norman - 2 of 6
    AntiVir - 1 of 6
    ClamAV - 1 of 6
     
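    The first post describes the test as two measurements: how long each vendor took to ship an update that catches a sample (all times in GMT), and whether a product already caught it without any update ("proactive"). The PC Magazine list above then counts the proactive hits per product out of six. The following Python block is an added illustration of that scoring, not AV-Test's sheet or tooling; the vendor names, first-seen times and signature-update histories in it are constructed for the example.

```python
"""Reaction-time scoring in the style of the AV-Test MS05-039 sheet.

Added, constructed example: the samples, first-seen times, vendor names and
update histories below are invented to show the arithmetic, not AV-Test data.
All timestamps are treated as GMT, as the sheet states, and written as
dd.mm.yyyy HH:MM, the date format used in the thread's summary table.
"""
from datetime import datetime, timezone

FMT = "%d.%m.%Y %H:%M"


def parse_gmt(text):
    """Parse 'dd.mm.yyyy HH:MM' as a timezone-aware GMT (UTC) timestamp."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


# Constructed first-seen times of three samples (placeholder data).
SAMPLES = {
    "Zotob.A":    parse_gmt("14.08.2005 09:00"),
    "Zotob.B":    parse_gmt("15.08.2005 12:00"),
    "IRCBot!Var": parse_gmt("16.08.2005 19:27"),
}

# Constructed signature-update histories per placeholder vendor:
# (publication time in GMT, set of samples that this update first detects).
# An update is only credited for samples it actually detects, so an older
# signature with a similar name does not count unless it fires on the file.
UPDATES = {
    "VendorA": [
        (parse_gmt("26.07.2005 10:00"), {"Zotob.A", "Zotob.B"}),  # predates samples
        (parse_gmt("16.08.2005 23:05"), {"IRCBot!Var"}),
    ],
    "VendorB": [
        (parse_gmt("14.08.2005 15:30"), {"Zotob.A"}),
        (parse_gmt("15.08.2005 11:00"), {"Zotob.B"}),
    ],
}


def classify(sample, seen_at, updates):
    """Classify one vendor's handling of one sample.

    Returns ('proactive', 0) if an update published at or before the time the
    sample was first seen already detects it (no update needed),
    ('updated', minutes) with the delay until the first detecting update, or
    ('missed', None) if no update in the history detects the sample.
    """
    hits = sorted(published for published, names in updates if sample in names)
    if not hits:
        return ("missed", None)
    first = hits[0]
    if first <= seen_at:
        return ("proactive", 0)
    delay = first - seen_at
    return ("updated", int(delay.total_seconds() // 60))


def score(vendor):
    """Per-sample results plus a 'proactive N of M' count as in the PC Mag list."""
    results = {s: classify(s, seen, UPDATES[vendor]) for s, seen in SAMPLES.items()}
    proactive = sum(1 for status, _ in results.values() if status == "proactive")
    return {"results": results, "proactive": proactive, "total": len(SAMPLES)}


if __name__ == "__main__":
    for vendor in UPDATES:
        summary = score(vendor)
        print(f"{vendor}: proactive {summary['proactive']} of {summary['total']}")
        for sample, (status, minutes) in summary["results"].items():
            print(f"  {sample:<11} {status}" + (f" after {minutes} min" if status == "updated" else ""))
```

    The classification shows why a signature that exists before a sample appears does not by itself make a detection "proactive" in this scheme: the update is only credited if it actually fires on the sample file, which is the distinction argued over in posts #2 through #9 above.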
  20. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    I wonder how NOD32/BD perform against TruPrevent... :rolleyes:

    Is Panda's software really so resource-hoggy? o_O
    Regards,
     
  21. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Interesting, I wonder how ClamAV detected it proactively without any heuristics (or using what detection name?)...
    They do use generic detection though...
     
  22. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    Perhaps, you can explain it.
    http://img98.imageshack.us/img98/4638/x17tx.gif
     
  23. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I still don't get how it could be proactively detected when it doesn't use any proactive methods. Or was it just a lucky "guess" on signatures...
     
  24. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    There is one thing that puzzles me...
    AV-Test states that NOD32 detected only 5 samples, while ESET states that ThreatSense intercepted all 6 variants. Now who should I believe?

    SNAP FROM ESET's PDF...
    SAN DIEGO, Calif. (August 29, 2005) ESET, a global security software solutions company
    providing next-generation anti-threat protection, today announced results from a study conducted by
    AV-Test.org that confirm ESET's NOD32 proactively identified all six variants of the recent Zotob
    worm. The findings, which appeared on August 22, 2005, clearly showcase the importance of
    implementing a proactive anti-threat solution as the industry's major antivirus players including
    Symantec, Trend Micro and McAfee did not detect all variants of the worm until after it had hit
    systems around the globe

    And this is what documents say:
    http://img399.imageshack.us/my.php?image=avpd3zn.gif

    I also double-checked all 6 full reports and one is not proactive.
    I have nothing against NOD32's policy of advertising their ThreatSense proactive performance, but it just makes me wonder...
    Thx
     
  25. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    That's probably just the marketing department doing their best, RejZoR; they also have the "test" from Colby-Sawyer College on their main page as something special. ;)
     