DriveSentry tests

Discussion in 'other anti-malware software' started by 1000db, Apr 20, 2009.

Thread Status:
Not open for further replies.
  1. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    actually if they've got 5 million sigs (and plz show me where u got this info) PLUS they've got their amazing heuristics, just goes to show u they have the best of both worlds lol :D and can combine them well
     
  2. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I've used NOD32 and Comodo actually, didn't like Comodo and I was pretty satisfied with NOD. At least with version 8, on the Avira forums the mod wrote that the GUI loads slower because they choose to not have it run in RAM until u choose to open the GUI, then it unloads from ur RAM after u close the GUI; they do this for performance reasons.
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I'm guessing it mainly helps people with less RAM, but fewer processes running is always a good thing; even if it is only a minor performance boost to faster systems, it would probably be quite nice for older computers
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    DriveSentry was fast here using an xp2 :)
     
  5. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    If my memory serves me right it was Avast that was referred to as having the 5 million sigs.
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Then it serves you wrong -- avast has much much less sigs than 5M.

    In fact, the fewer sigs the better (provided the product really catches malware) - the worst thing you want from your AV is to identify individual samples as exact matches (1 sig per each sample). This is how AV's worked in 1987.:)

    Vlk
     
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    lol :D
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well just logic was not that far off then :D when it is confirmed by a reputable AV specialist.
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I didn't say that it had 5 million sigs, just that it was the product that the post in question referred to as having that number, so my memory is fine.
     
    Last edited: Apr 27, 2009
  10. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    How would you be able to tell if your AV/AM app used 1 sig per sample, simply by the number of sigs in their database? Sorry for such an elementary question.
     
  11. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Apologies for that; your memory is obviously fine then:)

    It's a hard question, actually.
    One way would be to modify the samples a little bit and measure how many don't get detected after doing so. But unless you know exactly what you're doing I'd strongly recommend against it.


    My point was simply that judging the quality (or detection rates) of an AV product according to the number of signatures is just plain wrong.

    Vlk
     
  12. trio

    trio Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    15
  13. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
  14. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's quite ok although I forgot what you're apologising for.:D
     
  15. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    DS's key point is its HIPS; its blacklisting is secondary to it, so really I'm sure most people use DS mainly for the HIPS part, as did I before
     
  17. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    if you're looking for a traditional blacklisting product I think other AVs might be better in that department alone.
     
  18. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Agree :thumb:
     
  19. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yes :thumb:
     
  20. slangen

    slangen Guest

    actually I dropped DS because of one test that I conducted.

    I made a program, app.exe, which uses cmd.exe to copy an executable to the system32 directory and then execute it. (app.exe is a simple script file, not C/C++ code.)

    DS allowed app.exe to do its work because cmd.exe was trusted on my system (I suspect it would be trusted too for a lot of people).

    Of course its blacklist is quite huge and nice. I loved the program interface; it is one of the best, simple and ergonomic.


    ps. I got the idea for this test by reading a custom rule setting, made by Kees19xx, for ThreatFire.
     
  21. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Why not block cmd.exe in the DriveSentry access tab?...that's what I did.
     
  22. slangen

    slangen Guest

    yeah, of course you could do that. But what if the rogue app hijacks explorer.exe ... I doubt you could block write access to it.

    basically DS doesn't check the parent-child relationship (as I gathered), so if a rogue hijacks a trusted app then you could be in trouble.
     
  23. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I hear ya. That's why it's good to have a layered approach. I'm currently testing Outpost 2009 Free alongside DS. I disabled the application monitoring in Outpost as DS should cover this. I expect Outpost to protect IE.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is the problem with the DS whitelist/HIPS module. It is not granular, but they promised to improve on that. DS defaults to an allow-all to reduce pop-ups; they should apply this only when there is just a general folder or registry access rule specified. As soon as you have specific files or registry keys mentioned, this general allow should not be applied.

    So for mean staged attacks, the HIPS lacks some granularity. For dealing with the latest malwares (fake AVs etc.), it really works ok. I think maybe even better than reputable AV companies. On my machine the score is DS - AVIRA = 1 - 0, DS - Avast = 1 - 0, DS - AVG = 2 - 0. Point is the scores the other way around could be: DS - Avira = 1 - 512, so I can not say anything about its general AV capacities, just noticed that with trickle feed on it caught some relatively new malware before others do.

    Like Matt of Remove Malware, in his YouTube movie tests Avira, AVG, Avast missed one or two out of his "recent (less than a week old)" limited URL tests (say max 10 URLs working) and DS missed none in a test of 20 URLs.

    But since no security is 100% it does not say anything (because the other way around AVG, AVIRA and AVAST might find a lot more malwares which DS might miss).
     
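The two gaps raised in posts 22 and 24 (a trusted child of an untrusted parent, and a general allow swallowing a specific rule) can be shown side by side in a toy HIPS policy evaluator. This is an added illustration, not DriveSentry's code; the trust list, rule format and process names are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed trust list standing in for a HIPS "trusted applications" set.
TRUSTED = {"explorer.exe", "cmd.exe", "svchost.exe"}

@dataclass
class Proc:
    name: str
    parent: Optional["Proc"] = None

@dataclass
class Rule:
    path: str    # glob over the target path; no wildcard => a specific rule
    action: str  # "allow" or "block"

    def is_specific(self) -> bool:
        return not any(c in self.path for c in "*?")

def chain_is_trusted(p: Optional[Proc]) -> bool:
    """Trust only if every ancestor is trusted: a trusted binary launched
    by an untrusted parent (app.exe -> cmd.exe) is treated as untrusted."""
    while p is not None:
        if p.name.lower() not in TRUSTED:
            return False
        p = p.parent
    return True

def decide_naive(proc: Proc, target: str, rules: List[Rule]) -> str:
    """Behaviour as described in the thread: a trusted process is allowed
    outright, and otherwise the first matching rule or the default applies."""
    if proc.name.lower() in TRUSTED:
        return "allow"
    for r in rules:
        if fnmatchcase(target.lower(), r.path.lower()):
            return r.action
    return "allow"

def decide_strict(proc: Proc, target: str, rules: List[Rule]) -> str:
    """Specific rules override the general allow; then the whole parent
    chain must be trusted; then general rules; finally the default."""
    matches = [r for r in rules if fnmatchcase(target.lower(), r.path.lower())]
    specific = [r for r in matches if r.is_specific()]
    if specific:
        return specific[0].action
    if not chain_is_trusted(proc):
        return "block"
    general = [r for r in matches if not r.is_specific()]
    return general[0].action if general else "allow"

# Constructed rule set: one general folder rule and one specific file rule.
RULES = [Rule(r"C:\Windows\System32\*", "allow"),
         Rule(r"C:\Windows\System32\drivers\etc\hosts", "block")]
```

With `cmd.exe` spawned by an untrusted `app.exe`, `decide_naive` allows a write into System32 while `decide_strict` blocks it; for the specific hosts rule, the strict evaluator blocks even a fully trusted chain.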
  25. slangen

    slangen Guest


    yup, in the end it comes down to what you like/are comfortable with. :)
     