AV-Test: Reaction Times of the latest Worm Attacks

Discussion in 'other anti-virus software' started by TeknO, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I know they try to market ThreatSense as best as possible, but why the difference?
    AV-Test says only 5/6 detected by NOD32 and the NOD32 PDF says 6/6.
     
  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Best thing would be that someone asks Marx and ESET for clarification. Otherwise it will remain a circle of speculation...
     
  3. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    I'll trust Marx 51% and Eset 49% if I can't find a clarification.
    Because Eset can't be neutral on this subject.
    Regards.
     
  4. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Marketing stuff, guys! ;)
    To me AV Comparatives is showing that NOD32 detects about 90% of ITW viruses, clearly the best of the bunch.
    That's enough for me (yes, that's not very scientific to say things like this ;) ).

    But I agree, I'd ask for more details; I wonder how it performs against TruPrevent or BD9... or VBA32!
    Sincerely,
    M.J.
     
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    The one thing that is confusing to me is that those tables show the IRCBOT
    detected by NOD as Win32/IRCBot.OO.

    Looks like NOD had that detection as of:
    NOD32 - v.1.1178 (20050726) Win32/IRCBot.OO

    It would seem to me that detection by a generic signature at the zero-hour would be proactive?
     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Yes, I think that too (as it detects it as a variant of). Anyway, the date in the table is still confusing, as in the table it looks like it was not detected before that specific date... o_O I have now mailed Marx, maybe he will explain here.
     
  7. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    It will be fine, thanks.
     
  8. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I think you misunderstood me; I didn't say that they don't have good heuristics, just that 6 out of 6 sounds better when you market things, and let's face it, marketing people do have a way of stretching things a bit in the right direction. :)
     
  9. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    I agree.
    I understood you my friend ;)
     
  10. Helen123

    Helen123 Guest

    Have you seen this posting by Andreas Marx?

    http://marc.theaimsgroup.com/?l=focus-virus&m=112489911518567&w=2

    Hello!

    You can find the information on how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at <http://www.av-test.org>. Furthermore, we have checked how many AV products haven't required an update in order to deal with these threats.

    We have covered the following worms and variants:
    - Win32/Bozari.A (10 outbreak reports)
    - Win32/Bozari.B (1 outbreak report)
    - Win32/Drudgebot.B (3 outbreak reports)
    - Win32/IRCBot!Var (2 outbreak reports)
    - Win32/Zotob.A (4 outbreak reports)
    - Win32/Zotob.B (3 outbreak reports)

    We used the following rules for the formatting (XLS sheet):
    - Italic font = proactive/heuristic detection (in general: a detection without updates)
    - Bold font = first detection (first name) of the worm
    - Normal font = subsequent names used for the worm (e.g. second name, third name...)

    Two magazine reviews have been published which are based on this data:
    - PC Magazine - heuristic test results: <http://www.pcmag.com/article2/0,1895,1850847,00.asp>
    - PC WELT (Germany) - response times: <http://www.pcwelt.de/news/sicherheit/118264/index.html>

    Of course, we know that the problem related to MS05-039 is not primarily an AV problem, but something for (personal) firewalls, IDS/IPS systems and better patch management. :)

    cheers,
    Andreas Marx
    CEO, AV-Test.org
    http://www.av-test.org
     
  11. Andreas_Marx

    Andreas_Marx Guest

    Hello,

    someone pointed out that there is some confusion between the PDF report at Eset's webpage and our test results (XLS sheet) at AV-Test's webpage.

    Based on our XLS sheet, PC Mag has performed a review which can be found here:
    <http://www.pcmag.com/article2/0,1895,1850851,00.asp>

    It says: "Nod32: 5 of 6" - and that's also the result you can find in our XLS sheet. Please make sure you check the names of the samples used for this test... then you'll see the differences: :)

    Eset has published a PDF saying it has detected 6 out of 6 Zotob variants - and if you compare the malware names, you'll see what has happened: Eset has used a different set of samples. Well, they have also selected 6 samples (instead of a higher or lower number) and this caused the current confusion.

    Eset has missed (what we were calling) Win32/IRCBot!Var - this one was only detected without updates by BitDefender, Fortinet, Panda and QuickHeal.

    Dr Web was the first to detect it, at 2005-08-15 / 15:58 GMT as "Win32.Legion"; Kaspersky followed later at 2005-08-15 / 16:11 GMT with a detection as "Backdoor.Win32.IRCBot.es".

    Eset had a detection in place as of 2005-08-16 / 19:27 GMT as "Win32/IRCBot.OO trojan (variant)" [detection was only available with activated /AH] which was renamed later to "Win32/IRCBot.OO trojan" (at 2005-08-18 / 19:40 GMT) [standard signatures].

    Eset has not included this IRCBot variant in their "6 out of 6" detection claim - if so, it would be a "6 out of 7" which sounds a bit worse in case of marketing/PR. ;-)

    cheers,
    Andreas Marx
    http://www.av-test.org
     
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hehe, thanks for the explanation :)
     
  13. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Concerning ClamAV proactive detection:

    A big difference between ClamAV and the other AVs is that ClamAV will not try to disinfect malware.
    This is probably one of the main reasons why the way ClamAV uses scan strings/signatures differs from the way other AVs use them. ClamAV does not have to identify a malware precisely. It can therefore parse all files for a given set of scan strings and decide that the sample is infected if a scan string is found anywhere in the file. By contrast, AVs that disinfect files must identify the malware precisely. They may then only look for the scan strings at pre-determined locations in the file. This may also be better for scanning speed.

    IMHO, this is the main reason why ClamAV has some "proactive" detection capabilities. By the way, I wonder if the proactive detection of some backdoor samples by KAV is due to the same mechanism (for example, detection of some Aphex code snippets that are included in such trojans).

    Concerning ESET/AV-Test:

    I think that writing this:

    is just dishonest. And the number of samples (6) seems to have been selected on purpose.
     
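    To make the mechanism Tweakie describes concrete, here is an added example (not from the post, and not ClamAV's own code): a toy scanner that checks the same scan string either only at a fixed offset, as a disinfecting scanner identifying an exact sample would, or anywhere in the file. The samples, the snippet and the signature names are constructed; the benign sample shows the false-positive cost of the match-anywhere style.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Signature:
    """A scan string plus where the scanner is allowed to look for it.

    offset=None  -> accept the pattern anywhere in the file (ClamAV-style,
                    detection only, as described in the post)
    offset=int   -> accept it only at that fixed position (the stricter style
                    a disinfecting scanner needs to identify a sample exactly)
    """
    name: str
    pattern: bytes
    offset: Optional[int] = None

def matches(sig: Signature, data: bytes) -> bool:
    if sig.offset is None:
        return sig.pattern in data
    end = sig.offset + len(sig.pattern)
    return data[sig.offset:end] == sig.pattern

def scan(data: bytes, sigs: List[Signature]) -> List[str]:
    """Return the names of every signature that fires on data."""
    return [s.name for s in sigs if matches(s, data)]

# Constructed byte strings standing in for executables; the "snippet" plays
# the role of a code fragment shared by several variants of one bot family.
SNIPPET = b"JOIN #cmd :PRIVMSG"

def build_sample(header: bytes) -> bytes:
    # A header of a different length shifts the snippet, as a recompiled or
    # repacked variant would.
    return header + SNIPPET + b"\x00" * 16

ORIGINAL = build_sample(b"MZ" + b"\x90" * 30)   # snippet starts at offset 32
VARIANT = build_sample(b"MZ" + b"\x90" * 46)    # snippet starts at offset 48
# A benign file (say, an IRC client) that happens to contain the same bytes.
BENIGN = b"MZ" + b"\x00" * 100 + SNIPPET + b"\x00" * 8

ANCHORED = Signature("Bot.A", SNIPPET, offset=32)   # exact-identification style
ANYWHERE = Signature("Bot.Gen", SNIPPET)            # ClamAV-style, match anywhere
SIGS = [ANCHORED, ANYWHERE]

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{label:8s} -> {scan(blob, SIGS)}")
```

    Only the anchored signature names the exact sample (and so could drive a disinfection routine); the match-anywhere signature catches the shifted variant "proactively" but also fires on the benign file, which is the trade-off a detection-only scanner accepts.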
  14. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Or maybe, some av-vendors are only "bad losers". :D

    Best regards,
    Firefighter!
     
  15. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    First of all, thanks for your explanation. But there were only six variants in your test, if I understood properly. What is the seventh variant? :) Perhaps Eset must explain it after your explanation :)
    Regards...
     
  16. gladius

    gladius Registered Member

    Joined:
    Jul 14, 2003
    Posts:
    10
    Location:
    UK

    Hi,

    Sorry that you feel that way; however, there is nothing dishonest in it, as Andreas explained already. Comparing like to like is an important thing. It could just as easily have said that NOD32 detected 5 out of 5 Zotob variants, which would also be true: the IRCBot was not a Zotob variant, but was in the study that AV-Test did because it exploited the same vulnerability, not because it was the same worm. The claim that NOD32 detected 6 out of 6 Zotob variants proactively is absolutely true, and it is also true that it is based on the research of AV-Test.org. There was nothing dishonest in any of that. It is no more or less confusing than AV-Test including a non-Zotob variant in their study. They were looking at malware exploiting the vulnerability; Eset were looking at the Zotob family. The number of samples was based on the number of Zotob variants that AV-Test had measured NOD32 detecting proactively.

    best regards

    -AJ
    Eset LLC
     