Do You Really Need To Run An Antitrojan Program With KAV?

Discussion in 'other anti-virus software' started by Mr2cents, Feb 24, 2005.

Thread Status:
Not open for further replies.
  1. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Thanks for the info Mem, Firecat, and Don. I went to Kaspersky's website. They don't recommend downloading the super database without contacting Tech Support first. I went to the forum and there was a topic concerning the super database. Some said it increases the chance of false positives, and the only file one said he was aware of that the super database picked up that the extended one didn't was the "trojan simulator".

    To me it's not worth the effort to download it. I know it seems like I'm being a KAV basher. I'm not. If this were "ANY OTHER" antivirus, I wouldn't have thought anything about it, and this thread wouldn't have been this long. However, according to tests, KAV's trojan detection rate is 98 or 99%, the best in the industry. I know the "trojan simulator" is just that. It's not an actual trojan. However, with that said, I was shocked when Trend Micro, BitDefender, NOD32, and a few others detected it.

    Then there were other things that puzzled me about KAV. The different databases are confusing. One database picks it up, and the other ones don't. When I started this thread I had narrowed my choices to 2 antivirus products ("I've trialed quite a few"). It basically came down to "KAV or NOD32".

    Both run well on my system. It was basically a tie. I didn't know which one I would choose. With that said, even though it's a "trojan simulator" and not an actual trojan, NOD detected it. KAV didn't. The clincher came the other day. NOD passes all 4 of the EICAR tests as configured to Blackspear's tutorial. KAV failed one of the EICAR tests. See screenshot. I'll be uninstalling KAV in a couple of days. If I purchase an antivirus, it will be NOD32. In the meantime, there is one more antivirus I want to try out. Thanks for all the help everyone.
     


  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Does GDATA/Extendia AVK detect all the EICAR tests and this Trojan Simulator?
     
  3. TruthSeeker

    TruthSeeker Guest

    Mr2cents, I don't know what you've done, but KAV detects them all on recommended settings. Good luck with NOD.
     
  4. happin-in

    happin-in Guest

    Regarding your first post, 2cents, I do not believe you need an anti-trojan with KAV. But I think you will with NOD.
     
  5. jmschwartz

    jmschwartz Guest

    Well, FWIW, my 3 XP Pro systems were configured out of the box. The only change I made was to check the "riskware" toggles (which is what KAV identified the trojan simulator as, "riskware"). These two checkmarks might very well activate "supersecure" databases, but I did not make such a "supersecure" download myself. Also, I bought KAV Optimal for Windows Workstation because it gave me the best price on three computers -- I do not administer any network software, per se (other than my Linksys wireless router).
     
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    What is your signature count, jmschwartz?

    28-Feb-2005 / 16:33:21
    Standard bases: 112821
    Extended bases: 118759
    Supersecure: 119762 (Supersecure can also be checked here)

    This should make it easy to see which sig-base you have. I only made the "network administrator" remark and provided the link to it because that's what it says on the download page, as you can see below; it was not meant in a disrespectful way. :)
    If you or others choose to use the Supersecure bases, then a good advice would be to use "Block access, prompt user for action", and not "Block access and perform recommended action" in "Configure real-time protection", because you could lose a program that you've liked & used for some time, for example a program that could possibly have the capability to monitor what you do "in a network environment". :)

    Btw. I only administer a router too. ;)

    Regards
     
    Last edited: Feb 28, 2005
  7. jmschwartz

    jmschwartz Guest

    Hi Don,

    My signature count is 119806 . . . super territory for sure.

    The point I wished to emphasize was that I just installed KAV Business Optimal with no tweaks or adjustments other than selecting the two "Configure Riskware Options" choices and the one you mentioned regarding requesting action instead of the default delete. So, any super database of nasty killers was a KAV default in Business Optimal.

    Regards
     
  8. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    OK,

    So let's suppose I write a program which is similar in behaviour to some Trojans and I call it Trojan Simulator 2. After that I put the signatures into the antitrojan developed by myself, and am victorious in finding a "trojan" which is not found by AV scanners. What does this prove?!
    Don't waste any words on the signature bases of AVs, because it is quite normal, and acceptable, that the current signature bases are not sufficient to detect a simulator which I made myself the same day.
    But it proves that those AVs and ATs which miss this simulator are not triggered by the behaviour of the simulator. And most of them will miss it.
    The real difference which a simulator like this should make is between the behaviour-blockers and the signature-based approach. Behaviour blockers should have a chance of stopping the simulator; signature bases should definitely fail.
    Then after I release the simulator to the public, the AV companies spring into action. They do the easiest thing: adding the simulator to the signature bases. This kills the whole purpose of the simulator. The only question will be which AV takes the effort to add a signature for a file which is not even dangerous. After AVs and ATs start to detect the simulator by signature, the simulator can be forgotten. It is not usable anymore for anything except looking at which AV adds non-dangerous files to the signature bases!

    Conclusion 1: you should test the behaviour-blocking with a non-released trojan simulator, or non-released trojan. :p
    Conclusion 2: you should test the trojan signature base of an AV/AT with real working trojans.

    -hojtsy-
     
  9. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    GData AVK 2005 Professional (KAV + Bitdefender) detects the Trojan Simulator with the BD engine on extracting the zip file. The KAV engine alone does not detect it and lets it install. Shows that two engines are better than one. :) The KAV engine detects all four EICAR test files on attempting to download them.
     
  10. Mem

    Mem Guest

    The eicar.com.txt doesn't work well with Firefox due to the way FF handles the extensions. In IE, the file is not downloaded but displayed and put in the cache, where KAV finds it and notifies for deletion. In FF, the file is not placed in cache but displayed. If in FF you 'download' the eicar.com.txt file, then go to File -> Save Page As, you will see it comes up to save as eicar.com.txt. If you save to desktop, KAV will catch it.

    Since FF does not save to cache and this is not a script, just displayed in FF, it doesn't trigger KAV. Since NOD32 does http scanning (I'm guessing here), the 'download' of the file is caught in FF since there is no cache but there is no security problem with FF yet either.

    This is really the way FF works and the fact that no caching (saving) is done from a KAV perspective on this file.
     
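    The posts above turn on two practical questions: whether the test file ever reaches disk (where an on-access scanner sees it) and how many archive layers the scanner unpacks. The script below is an added example, not code from the thread or from any of the products discussed; it builds the four standard EICAR test variants in memory (plain .com, the same bytes named .com.txt, one zip layer, and the zip-in-zip) so the same bytes can be written to disk to exercise on-access scanning, and it reports how deeply each variant is wrapped. The EICAR string itself is the published, deliberately harmless test pattern; the directory name and function names are this example's own choices.

```python
"""Build the four standard EICAR test files so on-access and on-demand
scanners can be exercised the way the thread describes (added example)."""
import hashlib
import io
import os
import zipfile

# Published EICAR test pattern: harmless by design, but every mainstream
# scanner is expected to flag it exactly as it would real malware.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_bytes() -> bytes:
    """Return the 68-byte pattern with no trailing newline (the spec
    tolerates trailing whitespace, but some scanners are strict)."""
    return EICAR


def eicar_sha256() -> str:
    """Digest of the plain file; compare it with the value eicar.org
    publishes to confirm the bytes were not mangled on the way."""
    return hashlib.sha256(EICAR).hexdigest()


def zip_bytes(member_name: str, data: bytes) -> bytes:
    """Zip a single member in memory and return the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_variants() -> dict:
    """The four variants distributed by eicar.org, keyed by file name."""
    inner = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,         # plain file: on-access scan on write
        "eicar.com.txt": EICAR,     # same bytes, .txt name: name-agnostic?
        "eicar_com.zip": inner,     # one archive layer
        "eicarcom2.zip": zip_bytes("eicar_com.zip", inner),  # nested
    }


def archive_depth(data: bytes) -> int:
    """Count zip layers around the pattern (0 = plain). Returns -1 if the
    innermost content is not EICAR. Tells you what archive-depth setting
    a scanner needs to reach the payload."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
        depth += 1
    return depth if data == EICAR else -1


def write_variants(directory: str) -> list:
    """Write all variants to disk. This is the step an on-access scanner
    reacts to; a browser merely rendering the text never triggers it."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for name, data in build_variants().items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def check_surviving(paths: list) -> dict:
    """Report which files still exist after the write: a missing file
    means the on-access scanner removed or quarantined it."""
    return {os.path.basename(p): os.path.exists(p) for p in paths}


if __name__ == "__main__":
    written = write_variants("eicar_test")   # directory name is arbitrary
    for name, present in check_surviving(written).items():
        print(f"{name}: {'still on disk' if present else 'removed by scanner'}")
```

    Run it on a machine with real-time protection enabled and compare the four results with an on-demand scan of the same directory; a scanner that catches eicar.com but not eicarcom2.zip is telling you its archive-unpacking depth, not that its signatures are missing.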
  11. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Mem,
    Yes, the eicar.txt file doesn't 'download' but opens in the browser. When I use Avant (IE shell) KAV detects it then; when I use K-Meleon it is not detected then, in fact the eicar.com file isn't detected before download with K-Meleon either, as it is when I use Avant. Interesting.
     
  12. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Here's a screenshot of NOD catching this virus. As soon as you click on the file, NOD detects it. The page does open as shown. This is using the Firefox browser. Same setup with KAV, except KAV didn't detect it. I was running KAV Personal, not the Supersecure database, or whatever it's called.
     


  13. Mem

    Mem Guest

    But with FF there is no infection route like there would be in IE. What you are seeing is the NOD32 winsock scanner - it identifies a signature over IMON (which I thought was for POP3 scanning) in the data stream to the browser. While that may seem significant, there is no action it can take within FF to infect your PC. If the file is saved to disk, then KAV catches it.
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I tried the trojan simulator but KAV didn't catch it. I tried scanning the archive and the files but KAV reported a processing error. Did I do something wrong? I'll reboot and try again.
     
  15. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi WSFuser. When I was running KAV Personal, KAV missed it also. KAV also failed to detect it on an on-demand scan. I believe you have to have the super database to catch it. I believe that's what it's called.
     
  16. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Yes, KAV and many KAV clones do not catch the Trojan Simulator unless you use the SuperSecure databases for detection of adware, spyware, riskware and x-files, i.e. malicious programs.
     
  17. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    That makes sense, as I was only using the extended databases. I decided to switch back to NOD32, so as soon as it updates I'll try testing NOD32. Thanks anyway.
     