Dr Web curiosities

Someone started a thread on whether or not NOD32 + KAV 6 was overkill In that thread the quick response of KAV in terms of definition release was given as a pro for them. That got me thinking a little bit about Dr Web in that respect. How good, or bad, is it in terms of threat response (definition release)? How much does Dr Web rely on hueristics and how much does it rely on signatures? These are things I don't know but would like to. I guess this would add confidence to Dr Web users, or make them consider a switch if they are not that good at threat response.

 

When the top 'Heuristics' detection rate ( NOD32 ) is 58%, you better hope 'Dr Web' is relying heavily on it's signatures.

 

I believe I read here on wilders that DrWeb is one of the faster AV's to respond to new threats, but I could be mistaken on that. While the Doctor has improved the heuristics a lot (still not in NOD32 territory yet), they have been very agressive lately at adding a lot of virus signatures so I do not believe that it rely's heavily on heuristics.
So far on the comp I use it on, nothing has gotten by it and I just renewed for 2 years so I have confidence in the Doctor.

 

Actually DrWeb's heuristics were the same as BitDefender's in the latest Av-Comparatives tests, but together with the excellent heuristics and the second shortest update delays ever, DrWeb can compete with NOD very succesfully without those update tricks just before certain av-tests.

No infections and FP:s with DrWeb 4.33.2 so far checked by Kaspersky.


Best regards,
Firefighter!

 

this is a dr web thread so i wont go too off topic - just want to say that 58% is very impressive for heuristic only detection.

 

Well this is all very helpful. I don't believe this has been discussed, though I could be wrong. I'm glad to hear that the doc responds quickly to virus threats. That give me a great deal of confidence.

Their hueristic engine is not updated as frequently as NODs, I believe. But it sounds to me like it doesn't need to be.

 

for me, heuristics isnt just about flagging possible threats but about NOT flagging files that are harmless. Although Dr Web and Bitdefender did score pretty much the same in the overall results, Dr Web had a lot of false positives compared to Bitdefender, which is why it didn't gain the same Advanced+ 'award' as Bitdefender.

Eset release updates to it's heuristics quite regularly, they actually released an update just after the AV-Comparative closing date for testing. They have released at least one other Advanced Heuristic update since the AV-Comparative results were published, so they will be even better now. And yes, I have seen big NOD32 updates before the On-Demand tests, but i think these were pretty much all older threats that although don't pose great current real-world threats, are worth having in the database.

After the last On-demand test Dr Web released some really big updates - there is a thread open for this on Wilders - as far as i am concerned, it's the same thing. Release the big update before the test, or just after the test. One of the methods means you perform better in the test

 

Dr.Web is very fast at releasing new updates to counter new malware. You don't need to worry. Even though one may feel that it only updates 3-4 times a day by looking at the website, Virus Chaser tells me that VC updates up to 7-8 times a day. If Virus Chaser updates so many times, then so will Dr.Web too, since both use the same engine.

Dr.Web's heuristics engine is on par with BitDefender at the moment, but Dr.Web also produces more false positives than BitDefender. Plus, BitDefender updates hourly. And BitDefender has a better GUI for the moment (Although the Dr.Web engine based Virus Chaser also has a very good GUI)

 

I have never had a FP from DrWeb in over a year, I know that it was a problem sometime ago but it seems to have vastly improved on this.

 

This is my experience with Dr.Web heuristic:

Code:

180SAInstaller[1].exe - DLOADER.Trojan -> Trojan.MulDrop.2972
msupdate32.dll - DLOADER.Trojan -> BackDoor.Satellite
sachostx.exe - DLOADER.Trojan -> Win32.HLLM.Sacho
msits.exe - DLOADER.Trojan -> Trojan.DownLoader.5767
loadadv400.exe - DLOADER.Trojan -> Trojan.DownLoader.5766
mm.exe - DLOADER.Trojan -> Trojan.Spambot
setupdrv.exe - BACKDOOR.Trojan -> false alarm, fixed
avz00001.dta - DLOADER.PWS.Trojan -> Trojan.PWS.Gamma
kl.txt - DLOADER.Trojan -> Trojan.PWS.Gamma
COOL.EXE - BACKDOOR.Trojan - BackDoor.Cat.21
UPnPFramework.exe - BACKDOOR.Trojan -> false alarm, fixed
csrss.#xe - BACKDOOR.PWS.Trojan -> Trojan.PWS.LDPinch.766
win2sys.#ll - MULDROP.Trojan -> Trojan.MulDrop.3325
avz00002.dta - DLOADER.Trojan -> Adware.NaviPromo
eeu.exe - BACKDOOR.Trojan -> Adware.AdTraffic
fidpwq.exe - STPAGE.Trojan -> Trojan.Qoologic
lpdpnya.dll - BACKDOOR.Trojan -> Trojan.Qoologic
ipsec.EXE - BACKDOOR.Trojan -> BackDoor.Sunex
advertool.exe - DLOADER.Trojan -> Trojan.Serenta
system.exe - DLOADER.PWS.Trojan -> Trojan.PWS.Banker.2764
UPnPFramework.exe - BACKDOOR.Trojan -> false alarm, fixed