Discussion in 'other anti-virus software' started by pjb024, Nov 12, 2009.
Physical access I believe.
Then frankly this test is moot.
A virus is not going to grow legs and arms and start pounding away at my keyboard. The one test Dr.Web decides to join is the only one you really can't fail at.
I'm not sure about the details, whether they had physical access or not, but it doesn't matter. You still shouldn't be able to disable the AV protection without using the AV's "disable self protection" functionality. The test was about finding an exploit or a way to disable the protection, and Dr.Web lasted longer than the others.
However, your history of bashing Dr.Web products is well known and you've managed to repeat it once again in two separate threads. Here you are making jokes about DrW being last in every test and saying it cannot be uninstalled. In the other you are trying to be funny about Dr.Web destroying someone's computer.
The question is: What is your problem with them? I would like to educate myself and try to understand what causes your constant negative attitude against Dr.Web.
My point is, if this test was done with physical access to the computer, then they should be spending more time working on their AV than patting themselves on the back about something as POINTLESS as this is for an AV. AVs need self-protection from a virus or an exploit, not from someone who can sit at the computer and disable it.
If this is somehow meant to show virus behavior, then for any of this to happen without physical access to the computer, the anti-virus has already failed its job and allowed the infection. Stopping the AV from shutting down is not going to help at all.
The one sitting at the computer who finds the exploit by testing the possible bypass methods against the AV is capable of coding the virus taking advantage of the possibly working exploit.
Viruses and AV-disablers don't come from nothing and remotely; of course they are tested directly against the system.
I believe you are missing the point. If you are about to create a virus that can disable the AV, you must do testing against it. They just didn't easily find a way to disable DrW.
In Windows that's a never-ending battle. But again, if the AV doesn't "detect" the virus as it's trying to come in, then that AV has already failed; its self-protection is not going to prevent the computer from going CRASH! Again, more time on their scanning engine, less time on meaningless PR events like this. It's fine to do self-testing for your own product, but the AV is there to stop and protect the computer, not to be the last man standing when the computer dies.
Dr.Web wants PR, that's fine, every company does. But get the right PR: detections. Get back in the "real" tests and don't be last, the best PR of all!
'av-disablers' show just how easy it is to break the protection, but then there is always a way.
Actually, I think I have spotted a potential "flaw" in this test.
Some of the AV tested have HIPS components or similar. If the person trying to disable the AV is gaining access to physical memory etc using a "trusted" or "known" tool, then this HIPS part may not prompt or give any alert on such behaviour, because the application was initiated by the user sitting at the computer. With a malware, it would not be the case. The malware would have to use some unknown file to initiate the "trusted" app to disable the antivirus, in which case the "trusted" app would inherit the permissions of the parent (the unknown file) and therefore there would be prompts for behaviour that would not be the case in this test if there was physical access to the machine. I think that is a very important point to note.
It is a good point indeed, but still I think that the AV program must be capable of defending itself in all circumstances. Even if the malware program has been granted "trusted access" from a HIPS component, it should not be able to touch the AV itself.
For example, if I install Online Armor and select "trust everything on this computer / PC is clean", it will still ask if some program or I myself am trying to shut it down. Same with avast!, it will prompt even if its own uninstaller is trying to remove it.
The AV self-defence should be above all user decisions, except the specific "disable self protection" function.
If that was instigated to the level you're suggesting, then disabling your AV when you need to (at times you do need to, to run some apps) would be nigh on impossible, because what would stop any malware written to prompt the exit command if that was left available?
What good would it do if my AV successfully blocks a disabling attempt but can't stop my OS getting attacked?
I admit Dr.Web has good self-protection: not only can't you disable the processes, but deleting any related file is also harder. For other AVs, you might not be able to disable the processes but you can very well cripple them by deleting some files.
But the question remains: does the best self-protection necessarily equate to the best system security?
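The "cripple it by deleting some files" point above is the part of self-protection a practitioner can actually audit without attacking anything. The script below is an added example, not code from the thread or from Dr.Web: a read-only PowerShell audit that finds the services of an AV product, resolves each service binary, and reports any ACL entry that would let a low-privilege principal overwrite or delete the binary or its folder. It assumes the vendor's service names contain the product name (the default `-Pattern` of `drweb|dr\.web` is an assumption; change it for another product) and that an unquoted service path ends at the first `.exe`. It modifies nothing and touches no process.

```powershell
# Added example, not from the thread: read-only audit of the file-layer side of AV self-protection.
# Finds services whose name/display name matches -Pattern (assumption: the vendor's services carry
# its name; change the pattern for another product), resolves each service binary, and reports
# ACL entries that let low-privilege principals overwrite or delete the binary or its folder.
# Nothing is modified and no process is touched; run as a standard user to see what malware
# running under that account could delete.
param(
    [string]$Pattern = 'drweb|dr\.web'   # assumption: adjust to the product under test
)

# Principals a non-admin process normally runs as or is a member of.
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow deleting or replacing a file (or the files inside a folder).
$dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, Modify, FullControl'

function Get-WeakAce {
    # Returns one object per Allow ACE that grants a low-privilege principal dangerous rights on $Path.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $dangerous) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

function Get-ServiceBinary {
    # Win32_Service.PathName may be quoted and may carry arguments; pull out just the executable.
    # Assumption: an unquoted path ends at the first ".exe"; paths with spaces are normally quoted.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }
    return $PathName
}

$services = Get-CimInstance -ClassName Win32_Service |
            Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern }
if (-not $services) { Write-Warning "No service matched '$Pattern'."; return }

$findings = foreach ($svc in $services) {
    $bin = Get-ServiceBinary $svc.PathName
    Write-Host ("{0,-30} state={1} start={2} acceptsStop={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.AcceptStop)
    if (-not (Test-Path -LiteralPath $bin)) { Write-Warning "  binary not found: $bin"; continue }
    # Check the binary itself and its folder: delete-child rights on the folder are enough to remove the file.
    Get-WeakAce -Path $bin
    Get-WeakAce -Path (Split-Path -LiteralPath $bin -Parent)
}

if ($findings) {
    Write-Host "`nWeak ACEs (a non-admin process could cripple the product by deleting/replacing these):"
    $findings | Sort-Object Path, Principal -Unique | Format-Table -AutoSize
} else {
    Write-Host "`nNo low-privilege write/delete rights found on the service binaries or their folders."
}
```

Two caveats when reading the output. An empty finding list only says the NTFS layer is tight; a product that relies on a kernel filter driver for self-protection can survive weak ACLs, and conversely a product with clean ACLs but no driver still loses to anything running as administrator, which this script deliberately does not check because an admin-level foothold is already game over. The `acceptsStop` column shows whether the service control manager would even forward a stop request; it is informational, not a test of whether the process can be killed.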
"But the question remains: does the best self-protection necessarily equate to the best system security?"
"What good would it do if my AV successfully blocks a disabling attempt but can't stop my OS getting attacked?"
If the AV is capable of updating and scanning despite the malware, you have a chance to get it fixed by a definitions update.
People are going to sit there on the internet and risk whatever harm that virus does while they hope a virus update comes?
If I got infected the first thing to go would be all web access.
Then you boot from the Dr.Web LiveCD to eliminate the infection. Many users of other AVs use the Dr.Web LiveCD to eliminate infections, as it's one of the best and it's free!
Tell me exactly how this would help if Dr.Web AV doesn't even detect it?
OK, this one is after your edit.
That makes no sense; we are talking about Dr.Web here. If their main AV doesn't detect it, I would not put much hope in the CD helping. Again, if the AV doesn't detect the threat, the self-protection module is going to be about as useful as a paperweight.
Who said Dr.Web doesn't detect it? Maybe it's your AV that doesn't detect it but Dr.Web saves the day!
If Dr.Web doesn't detect it then we would have to wait for an update or use your perfect AV to fix the problem. If Dr.Web doesn't detect it then maybe no AV detects it. Who knows? This is hypothetical so you can't know until it happens. It's also slightly off topic as this thread is about AV self protection not detection.
Information on Dr.Web LiveCD
I also notice you are relying on an AV that is in beta ROFL
Do you even read what this entire topic is about? Or do you just post without reading it?
The first part of that comment made me fall out of my chair laughing. Read the thread; you will find out where detection just plays in. Quit hitting the reply button for the heck of it.
I started the thread so I think I know what the topic is.
Bottom line is you hate Dr.Web
... Learn to read the ENTIRE POST! You would see what we were talking about.
I can't see why you want to speculate on a hypothetical situation where Dr.Web may not detect a new threat. That kind of speculation can be applied to any AV and is not specific to Dr.Web. What will you do if Avast! 5 doesn't detect a threat?
The fact is, as was pointed out by risl, if your AV has good self protection and has not been disabled by this new threat then you have a chance to fix the problem with a future update to the virus database. And I can tell you that Dr.Web makes several updates a day and responds very quickly to newly identified threats.
If, however, your AV has poor self protection then it will most likely be disabled and you may have a bigger problem ... but all this is speculation.
I think you will agree, going back to the original purpose of this thread, that it is an advantage to have an AV that has good self-protection. In that respect Dr.Web has shown itself to be better equipped to survive an attack than several other well-known AVs.
You keep bringing this up; you seem to think that this is my main setup. Yes, I have Avast on one of my computers. It's in beta and it's getting tested. Avast 5 is a fine product, just like the other 10 or so AVs I use across computers of mine, not to mention the ones I have on a corporate network. The things in my sig are products I'm trying or testing and it's NOT always up to date. Don't assume things you don't know.
Self-protection is NOT going to save your computer if the AV can't detect the threat in the first place. Having strong self-protection is nice, but again, being the last man standing waving a flag is not going to do anything when your computer has ALREADY sent out who knows what as you patiently wait for that "update".
Again, it doesn't matter if the product can protect ITSELF from being disabled if it's powerless to do anything against what has happened to your computer. Self-protection is nice, but for it to be useful a lot of things would have to fall into place; otherwise it's pretty much pointless.
Again, patting yourself on the back that "we can survive, but your computer is optional" is a stupid way of promoting your product. Though that's just IMO.
The easy way to think about this is simple: to get to the point where you would need self-protection, the AV has to fail at its job first, plain and simple.
Fixed minor typos.
That is a very good point! Since most malware likes to spread, it will most probably leave the TCP/IP stuff untouched.
The factor which is out of my control is the malware definition. What if the AV in question does not have a great detection rate?
I'll choose an AV with great detection rate but not so great self protection anytime over an AV with not so great detection rate but great self protection.
The point of my post is to express my opinion on where the AV should focus (detection, not self protection).
I do not wish to hurt anyone's sentiment.
Fajo, I agree that Avast! is a fine product. I have used it myself but I can't use the home version as I run a business so, as I have to pay for a licence, I have looked at several other AV's and at the moment I use Dr.Web alongside OPF which gives me some HIPS protection. I have also recently used a-squared anti-malware and I have a full licence for 12 months and I also have a full 12 months licence for OSS which I like very much but I'm not so sure of the AV component which is based on Virusbuster. I recently tried bitdefender 2010 but didn't like the interface.
You seem to be saying that self protection doesn't matter for an AV but I disagree. The unknown threat you are speculating on may have to disable the AV before it can do any damage to the system and if it can't disable the AV then maybe it will fail to do any damage. I prefer my AV to survive an attack than be disabled and strong self protection is a fundamental requirement from my perspective.
Dr.Web isn't my product by the way. I just use it.
When talking about security, it's a probabilities game. If you have self-protection it _might_ be helpful in some cases. If you have good heuristics, it might save you in some cases. If you have good detection rate, it will probably save you in most cases.
.. and so on. Nobody stated that it's the most important thing in these products, it's just a quality among many others. Dr.Web seemed to do fine in this area which caused some people to be sarcastic.
Like Fajo said: "Self-protection is nice, but for it to be useful a lot of things would have to fall into place; otherwise it's pretty much pointless."
But since there is a possibility that it might be useful, why not take it?
And: "The easy way to think about this is simple: to get to the point where you would need self-protection, the AV has to fail at its job first, plain and simple."
Exactly, but if the AV gets completely destroyed there is zero probability of recovery by the AV. If the AV is still there, you have at least some minor chance to get the necessary updates/fixes from the vendor, and the AV would start the cleaning process.
More easy ways of thinking: a small chance of getting things fixed > no chance at all.
But sure, pure detection rates are the most important thing. I think everyone can agree with this. I just can't agree with "completely pointless" when it should be "probably not needed, but a plus to have".
Detection is very important but many malware threats may attempt to disable the AV first in order to avoid detection.
I think that it is true to say that if malware disables your AV then you won't be getting any detection.