Avast! Pro 5 and Kaspersky IS 2011

Discussion in 'other anti-virus software' started by DVD+R, Dec 8, 2010.

Thread Status:
Not open for further replies.
  1. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Firstly, let me make this crystal clear: this is not an A vs B thread, so forget that.
    What I wanted to do is report what I have found by several tests on how both react should your computer download a Trojan/worm/virus etc.

    I'll sum this up in easy-to-understand language and not all gibberish going into heuristics and codes blah! blah! blah! :isay:

    In short this is how both respond:

    Firstly Avast!: On downloading a compressed file known to have malware, Avast at approximately 0.05 seconds to completing the download reacts by alerting you of the danger, and instantaneously aborts the connection, resulting in the file not! actually reaching your desktop, or wherever you download to on your computer. In short terms Avast says to itself: "Hang on a minute! This file is a bit dodgy :cautious: I'll terminate this rascal before it gets even close :shifty: " The end result will be that you actually downloaded nothing because the transfer was halted by the aborted connection. Your computer is not infected :D

    Now then :cautious: On the other hand we have Kaspersky IS 2011


    The way it responds is similar, but not as entirely thorough as you may think :ninja:
    Kaspersky will abort the connection, and advise you it has done so, but unlike Avast! Kaspersky will only abort the connection after the download is complete, thus hence you have a compressed file that still contains malware, which can be misleading because if you try and extract this file you will notice it won't completely open as an unexpected end of archive occurs (i.e. Kaspersky aborted the connection far too late for the whole file to complete, but just in time (supposedly) to terminate the malware (WRONG!))
    Kaspersky will allow the archive to semi-open and that's when you get done in o_O
    In short Kaspersky says to itself much the same as Avast, like "hang on a sec, this file seems a bit dodgy" :doubt: but whereas Avast totally kills the download, Kaspersky says "OK, so I know this file's dodgy, but surely this guy downloading it sort of knows that, or at least knows the risks, so I'll let it download, but it's up to him if he opens it" :ninja:

    Testing showed after scanning with each product that Avast removed the threat before it downloaded but Kaspersky found threats in the C:\Users\Your Name\AppData\Local\Temp



    Do you want that on your system o_O
     
  2. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    avast! does exactly what you have described according to my tests, but KIS 2011 behavior is like this:
    KIS web-av continuously scans streams/net-traffic in real-time. As soon as a threat is found, Kaspersky takes action (in automatic mode deletes that part of the file, in interactive mode warns about the threat) and allows the rest of the download. Therefore, you get a threat-free download in this case. The downloaded file can be corrupt or not, depending on the file you are downloading (compression type, format, ratio, contents, etc.). Kaspersky can detect and repair/clean zip, rar (even password-protected files if you supply the password), cab, and many other compression algorithms. If the file is irreparable, then the last resort is deleting it to prevent infection.
     
  3. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    - It's all due to greater compatibility with browsers that some WebAV components seem to allow some files to appear on the HD because of limited buffering time. You can disable that buffering time (increase it to infinite) in most sec. programs, but expect slower browsing in return.
    - Also, just because a file appeared on the desktop/HD doesn't mean it has malicious/executable code inside anymore. You'll get a "not a valid win32 app" message when the PE file is corrupt because the WebAV component removed part of the program's code on the fly (i.e. corrupted archive in your case), as Boyfriend mentioned. In some cases the file can execute (show up as a process) but cannot do anything because its malicious payload was removed.
    In terms of aborting the connection in avast and Kaspersky, I've found that both do not always succeed in breaking the connection due to the first point. When you perform an on-demand scan on the .part (incomplete download) file with avast it will sometimes detect the same threat again.
    Opening an archive doesn't execute the malicious code. Have you actually verified that the file can actually execute and do something?

    Edit: It's also worth mentioning, disregarding the case when downloading actual files as described above (because that isn't much of a threat even if the file does download successfully), what is most important for a WebAV component to do is stop the browser from parsing malicious scripts which don't require files to be downloaded on the HD to work, i.e. executing directly in the browser's memory via an exploitable bug in the browser itself; and that's where both a! and K don't fail.
     
    Last edited: Dec 8, 2010
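
Added example, not part of any post in this thread: a Python triage of a leftover download that tells apart the outcomes the posts above describe, an archive cut off before its end versus one whose bytes were altered in transit. The sample archive, its member names and the `triage_zip`, `build_sample` and `blank_range` helpers are constructed for illustration.

```python
import io
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record, written last

def triage_zip(data: bytes) -> tuple[str, list[str]]:
    """Return (state, damaged_members) for a downloaded ZIP image."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip", []
    if data.rfind(EOCD_SIG) == -1:
        # The directory never arrived: the transfer stopped before the end
        # ("unexpected end of archive" in an extraction tool).
        return "truncated", []
    damaged = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    with zf.open(info) as member:
                        while member.read(65536):
                            pass      # CRC-32 is verified when EOF is reached
                except (zipfile.BadZipFile, zlib.error, EOFError):
                    damaged.append(info.filename)
    except zipfile.BadZipFile:
        return "damaged-directory", []
    return ("modified" if damaged else "intact"), damaged

def build_sample() -> bytes:
    """Constructed sample: two stored members holding harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "harmless text\n" * 20)
        zf.writestr("setup.bin", "PLACEHOLDER-PAYLOAD " * 50)
    return buf.getvalue()

def blank_range(data: bytes, marker: bytes, length: int) -> bytes:
    """Simulate a stream filter zeroing `length` bytes starting at `marker`."""
    start = data.index(marker)
    return data[:start] + b"\x00" * length + data[start + length:]

if __name__ == "__main__":
    whole = build_sample()
    print(triage_zip(whole))                       # complete download
    print(triage_zip(whole[: len(whole) // 2]))    # connection cut midway
    print(triage_zip(blank_range(whole, b"PLACEHOLDER-PAYLOAD", 200)))
```

A "truncated" or "modified" result only says the container no longer matches what the server sent; whether any member is still harmful is a question for an on-demand scan of the file.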
  4. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    This has also been my experience. Sometimes KIS terminates the connection before the download completes (and no file is downloaded), sometimes it terminates the connection so that the file gets corrupted and in rare cases the malware is downloaded (in the .part file) but removed immediately once something tries to access it.
     