Ewido or A-Squared ?

Discussion in 'other anti-trojan software' started by oddworld, Mar 27, 2006.

Thread Status:
Not open for further replies.
  1. oddworld

    oddworld Registered Member

    Joined:
    Mar 27, 2006
    Posts:
    82
    Hi,
    I'm going to purchase one of these programs and was wondering which one you guys think is the best of the two?

    I just found out about these the other day when I had some crap in my computer and ewido found and fixed the problem right away.

    Now I can't decide which one of the two is the best?

    Please let me know what you guys think?

    Thanks.:)
     
  2. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    A good starting point would be to read the post in here from just a few days ago: https://www.wilderssecurity.com/showthread.php?t=125205:) . I have licenses to both and would say they both have good and bad points. They both have huge databases and update at least daily. Ewido has a strong full time guard and offers a variety of different scans from quick to very in depth as you found out. It does run rather heavy but they are planning to fix this with version 4. I lean towards A squared right now and use it full time because it is lighter on my computer and it has a terrific IDS feature. I don't think you can really go wrong with either one. Another thing I like about both is they have good forums. Ewido has one right here at Wilders and A2 has one on their website. Just my two cents for now...:shifty:
     
  3. gunnarj

    gunnarj Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    80
    Also, both Ewido and Asquared have freeware versions, with some limitations - but both will do great on-demand scanning - so use the one you choose for real time and keep the other for on-demand.
    Both are good apps, and have wisely decided to keep a large customer base happy by giving a free version option. In a forum like this where many members purchase innumerable subscriptions, it can be overlooked that there are millions of potential customers who will become acclimated to their product by making a free version available, and hence increase their bottom line, as well as keeping customers happy over the long run.;)

    gj
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    A2 was almost nothing, when I became a member at SWI (25.06.2004) and now they have about 356,000 signatures in less than 2 years. What will it be in 2008 ?

    Trojans.. 206,532
    Dialer.... 39,482
    Worms..... 65,901
    Spyware.... 9,007
    Traces.... 34,846
    -----------------
    Total.... 355,768

    A good idea to have A2 as second scanner.
     
  5. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I noticed that their detection totals really skyrocketed with the version 1.6.5 release. They may reach the million mark in 2 years eh?...:eek: :D
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A-squared's sigs are good, but its MAIN power (IMHO) is its 4-module real-time IDS.
     
  7. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    It shows that A2 is working very hard...so many signatures...I really trust companies like these!
     
  8. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Sorry to mention this, but the number of signatures doesn't say much about the detection rate.... it CAN mean a good detection, but in case of A2 tests have shown that it is beaten to a pulp by software with even half the amount of signatures.

    Signature quality, unpacked signatures, generic signatures and detections... all this is necessary for a good AT or AV. Not raw numbers.

    In the end what counts is detection rate, and here is where we can see a2 remains bad.

    And please don't say "but the IDS will take care of it!", IMHO an IDS that relies on that many signatures would be useless. I'd assume 95% of a2s signatures are for on demand detection (where it sucks).

    And to say they work very hard with this number... uhm... imho that shows the contrary. They have an automated process to create signatures or checksums. There is absolutely NO WAY a one- or two-man company like the one behind a2 can create that many signatures by hand in any acceptable quality. Automatically generated signatures on the other hand only require the sample, but their quality is, generally speaking, pretty bad. To create a good signature an AV / AT specialist MUST look at the malware; if he doesn't, he might miss that several samples may look different for the same malware (be it semi-polymorphic, having trash attached, or other slight modifications that cause different checksums, etc.)
    If the researcher does not do that, this will lead to a large amount of signatures yet bad detection rate. This is what I personally see and conclude from the tests and performance of a2.
     
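    The contrast FRug draws above (an automated whole-file checksum per sample versus a code-based signature written by someone who looked at the malware) can be shown on constructed data. The block below is an added example and is not code from this thread, from a2, or from any vendor; the "dialer" bytes, the variant layout (one varying configuration byte, an embedded ID string, optional appended junk) and the function names are all made up for the demonstration. It builds a family of variants, submits a subset as checksum signatures, and counts how many of the whole family each signature type catches.

```python
import hashlib
import re

# Constructed stand-ins for a malware family; no real malware bytes anywhere here.
# Each variant shares the same code, differs in one configuration byte and an
# embedded ID string, and may carry appended junk (the "trash attached" case).
CODE_PREFIX = b"\x55\x8b\xec\x83\xec\x10"       # made-up function prologue
CODE_SUFFIX = b"dial://premium-number\x5d\xc3"  # made-up invariant code/data
TRASH = b"\x00" * 64                            # junk a distributor might append


def make_variant(number: int, trash: bytes = b"") -> bytes:
    """Build one constructed sample: shared code, a variant-specific byte, an ID string, optional junk."""
    config_byte = bytes([number % 256])
    return CODE_PREFIX + config_byte + CODE_SUFFIX + b"dscert_%d" % number + trash


# Signature type 1: whole-file checksum. This is what an automated pipeline can emit
# from a sample alone, without anyone looking at the code.
def checksum_signature(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def checksum_detects(sigs: set, sample: bytes) -> bool:
    return checksum_signature(sample) in sigs


# Signature type 2: a code-based pattern an analyst writes after looking at the sample.
# It pins the invariant prologue and suffix and wildcards the one byte that varies;
# DOTALL lets the wildcard match a 0x0a byte as well.
CODE_SIGNATURE = re.compile(re.escape(CODE_PREFIX) + b"." + re.escape(CODE_SUFFIX), re.DOTALL)


def pattern_detects(sample: bytes) -> bool:
    return CODE_SIGNATURE.search(sample) is not None


def compare(submitted: list, in_the_wild: list) -> tuple:
    """Detections over in_the_wild by (a) checksums built from submitted, (b) the single code signature."""
    sigs = {checksum_signature(s) for s in submitted}
    checksum_hits = sum(checksum_detects(sigs, s) for s in in_the_wild)
    pattern_hits = sum(pattern_detects(s) for s in in_the_wild)
    return checksum_hits, pattern_hits


if __name__ == "__main__":
    submitted = [make_variant(n) for n in range(1, 251)]       # the archive sent to the vendor
    wild = [make_variant(n) for n in range(1, 1001)]           # every numbered variant
    wild += [make_variant(n, TRASH) for n in range(1, 251)]    # submitted ones, junk appended
    print(compare(submitted, wild))                            # (250, 1250)
```

    The checksum set covers exactly the 250 files that were submitted and nothing else: a single appended byte of junk changes the hash, so even the submitted variants escape once redistributed with trash. The one code signature covers all 1,250 because it matches what the analyst identified as invariant and tolerates the byte that changes.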
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FRug,
    Thanks for showing me the other side of the coin and it makes sense. :)
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    By your criterion, only the *big guys* (Symantec, eTrust, Micro$oft, et al) have enough manpower to do a good job. Just HOW many staff does your criterion require an organization to employ -- 10? 20? 30? 100?

    I think that the BOClean staff is also quite small in number. Are you also condemning that AT?
     
  11. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    bellgamin: counter question, why do you think the established AV companies have several hundred (sometimes several thousand) people in their staff? For the fun of it?

    I'm not saying you need 200 people in the vlab (like TrendMicro, or the ~14000 people of Symantec ...), but 2 people doing the job of 50.... or 100... they are competing in a race where they can never win because they are simply outnumbered by established competitors. I'm not saying they're crap or useless, but they play in a different league.
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I'm afraid FRug is quite right. I've sent many examples of malware to different companies in the last two years, but primarily to Ewido and Kaspersky.

    Now, Ewido has apparently more signatures than Kaspersky; however, there was always a BIG difference between these two in handling signatures. For, say, "dialer" trojans (very easy to create, and encountered in very large numbers on the same servers), usually one or two samples sent to Kaspersky meant that the next day a whole class (meaning thousands of actual files) was recognized. For Ewido, an actual file sent as a sample usually meant that the same file was recognized as malware, but many (if not all) the similar files of the same trojan were still missed the next day. In fact, for Ewido I always had to submit very big archives, where for Kaspersky it's very rare.

    Examples of this? Try download.energy-factor.com/plug/dscert_<NUMBER>.exe where <NUMBER> (NB: it is malware) is a number from 1 to 1000. To get them to be recognized by Ewido, I had to submit the whole archive of files (in fact, I'm not done doing this, I only submitted files from 1 to 250 or something).
     
  13. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I keep reading that A squared is a one or two man company. Is that all they have there? Again, how does BOClean do such a top notch job? and Trojan Hunter? They have a smaller crew on hand...:rolleyes: :)
     
    Last edited: Mar 29, 2006
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Counter-counter-question: If one man can build a house in 5,000 hours, then can 5,000 men build it in just one hour?

    Aw, I'm just joshin'. I DO get your point, FRug & TNT. Even so -- please respond to my question about BOClean. I know they are quite small, but they also are quite good in the opinion of 99.99% of the forum posts I have ever read.

    Soooo...... what about that small little outfit that produces the masterwork known as BOClean? Are their sigs equally schtink because of lack of staffing? If not, why not I wonder?
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Sorry, I never used BOClean, so I can't judge the quality of this product.

    That said, "bigger" certainly doesn't always mean "better". Just look at Symantec or Microsoft. :p

    My point was not really related to the size of the company, but more to the "signature number" count.
     
  16. lifehacker

    lifehacker Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    44
    Both are good, I would go with Ewido if I could choose only one however both have their strengths and weaknesses.
     
  17. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    bellgamin: I've never used BOClean so I cannot judge it as a product. However as I've read they don't have an on demand scanner. This means that a good test of its functionality is next to impossible. This is always a problem with all IDS-only products.

    I do not know how exactly BOClean works internally, where and when they start scanning.
    -Memory scan? When is it triggered? What method? (yes there are quite important differences)
    -user mode or kernel mode hooking of APIs?
    -Are they using hooks at all?
    -What type of rootkit detection? (since they advertise with it)
    -How easy would it be to trick its detection?

    I could not find any technical data about their implementation of any of these things.

    Additionally there does not seem to be any test version, and I'm not going to buy an AT for 40 Eur if I am unsure of its performance and methods.

    Many AT programmers are a tad on the lazy side when it comes to implementation details. Either the memory scan is totally insufficient, or they use user mode hooks for their IDS. Or they simply scan memory on fixed intervals (useless) or on specific user mode hook triggers (can be tricked easily). Or, what is just as bad, they rely on hardware/software breakpoints to catch the malware after it has unpacked if they detect a certain packer. All these approaches have serious flaws, and if a vendor relies on an implementation technique which is flawed by design, I'd be highly skeptical about using the product.

    On the matter of user mode hooking: Yes it may work for 80% of trojans, but 80% is not an option in security software when the limit is by design. To do it right you need kernel mode hooks as well, and this is where the fun starts.

    I could continue like that for hours, and we haven't even touched the subject of False Positives, Quality Assurance, testing and support. All of this requires a certain infrastructure and a non-negligible number of employees.
     
    Last edited: Mar 30, 2006
  18. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    The reason why ewido needs more signatures for this particular dialer is that it is packed with exe32pack 1.42 which our engine currently cannot unpack. If it could, one signature would also be enough...

    This is totally off-topic and absolutely arbitrary, isn't it? ;)
     
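    peter.ewido's point above (the engine cannot unpack this packer, so it needs a signature per packed file; if it could, one signature would do) and FRug's earlier post about when a memory scan runs relative to unpacking both come down to the same mechanics, which the added example below shows on constructed data. This is not code from the thread, from ewido, or from any real packer: the XOR-with-one-key "packer", its stub marker, the sample bytes and the function names are all made up stand-ins for exe32pack and the dialer. It builds a family of packed variants, then compares an engine that matches the signature against raw file bytes, an engine that unpacks first (equivalently, a memory scanner that runs after the stub has unpacked), and the number of whole-file checksums needed to cover the family as-is.

```python
import hashlib

# Constructed toy sample and toy packer; stand-ins only, not a real file format
# and not real malware.
CODE_SIGNATURE = b"dial://premium-number"  # the one analyst signature for the unpacked code
UNPACKED_CODE = b"\x55\x8b\xec" + CODE_SIGNATURE + b"\x5d\xc3"
STUB = b"TOYPACK\x01"                      # the packer's stub / header marker


def pack(body: bytes, key: int) -> bytes:
    """Toy packer: stub marker, one key byte, then the body XOR-encoded with that key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 so the body is actually transformed")
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def unpack(sample: bytes):
    """Toy unpacker: reverse pack() if the stub is recognised, else None (engine cannot unpack)."""
    if not sample.startswith(STUB) or len(sample) <= len(STUB):
        return None
    key = sample[len(STUB)]
    return bytes(b ^ key for b in sample[len(STUB) + 1:])


def scan_on_disk(sample: bytes) -> bool:
    """Engine with no unpacker for this packer: the signature is matched against raw file bytes."""
    return CODE_SIGNATURE in sample


def scan_with_unpacker(sample: bytes) -> bool:
    """Engine that unpacks first (or a memory scan taken after the stub has run): scan the real code."""
    body = unpack(sample)
    return CODE_SIGNATURE in (sample if body is None else body)


def detection_counts(samples) -> tuple:
    """(hits without unpacking, hits with unpacking) over a list of samples."""
    return sum(map(scan_on_disk, samples)), sum(map(scan_with_unpacker, samples))


def checksums_needed(samples) -> int:
    """How many whole-file checksum signatures it takes to cover every sample as distributed."""
    return len({hashlib.sha256(s).hexdigest() for s in samples})


def build_family(count: int) -> list:
    """count packed variants: the same code plus a different ID string, each packed with a different key."""
    return [pack(UNPACKED_CODE + b"dscert_%d" % n, key=(n % 255) + 1) for n in range(1, count + 1)]


if __name__ == "__main__":
    family = build_family(1000)
    print(detection_counts(family))  # (0, 1000): one code signature covers all, but only after unpacking
    print(checksums_needed(family))  # 1000: without an unpacker, a per-file signature for each
```

    The same 21-byte signature catches zero packed files on disk and all of them once the body has been unpacked, and the fallback (1,000 distinct checksums) is exactly the "one signature per file" situation described in the thread. The toy scanner also shows why the timing of a memory scan matters: scanning the process image before the stub has finished unpacking sees the same transformed bytes as the file on disk.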
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    A-Squared Free is a fast and great on-demand scanner and does not need a service in the background.
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi, testing some product's memory scanner isn't next to impossible, there were some tests done in the past afaik.
    The only AT available where you can speak of an IDS is A² ... and A² as an on-demand scanner too...
    You cannot speak of Boclean having an IDS

    from the moment a process starts or gets modified Boclean will scan the memory of what's running, but I'm not sure if it would scan the WHOLE memory (I don't know if it scans the VM)

    Boclean is at the moment Kernel Driven, finally and imho the only way to go.

    of course they are :rolleyes:

    you could easily search all Rootkits in their signature database :) search for *root*
    http://www.nsclean.com/trolist.html - I found over 120 items, I'm not sure if those are all rootkits

    I don't know, but from the moment something gets EXECUTED and is in the memory, Boclean would detect it if it has a sig for it, not hard to understand imo. there are some rumours about Virtual Memory Rootkits (stealth by design stuff ;) ) but I don't have indepth knowledge. but I guess it would be hard to trick Boclean for any novice user ... if you have enough resources, money and perseverance probably all programs can be fooled ... there are no perfect programs :)

    you would find if you looked harder (like your question about rootkit detection, you could have easily answered it yourself...)

    that's your opinion, and you have the right to do so. I haven't heard any negative comment yet, and true, I would have purchased it three or four years ago if I could have tested it like with all usual trials...

    I have a strong feeling you don't know a damn thing of Boclean, cause everything has been answered before, I guess the thing you need is experience, your own experience with the product and that can only be achieved when you purchase it, and the 30 day refund is outstanding! never heard any issues/problems...Never! Reason why they don't have a trial version is because there isn't any activation needed on our side, once purchased...install Boc and you're good to go.
    No activation, key, serial needed ... therefore I guess you won't find a trial version...and it cuts the costs from downloading from their server ... cause there are no update/upgrade fees either except for major releases. (some members here are using Boclean on 4 computers for 3 years now, and they just purchased one licence!

    And afaik that is really hard to beat especially if you want your money back, if you don't like the product, and they do give your money back :)
    I hope these answers will suit you,
    Best wishes.
     
    Last edited: Mar 30, 2006
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I would go for Ewido, immediately. I have used A² for two months and I was mostly impressed with their IDS but I have some other tools that function as an IDS which I preferred more back then .. the most important thing of an AT is their memory scanner imho
    @ Scheinsicherheit Ntl tested a lot of AT's memoryscanners, you could find some outdated info on how the situation was back then (all scanners have majorly been improved since then) but it's worth the reading imho
     
    Last edited: Mar 30, 2006
  22. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    I know that from their website, but that's marketing lingo and doesn't answer my rather technical questions. There is no such thing as permanently watching the memory of a process that gets started. There must be a trigger for the memory scan.

    A list of detected rootkits does not show whether their method is a good one. For example there are very cheap ways of detecting the SONY rootkit, but that doesn't say the method is a good one. I can detect it with a batch file to be honest....

    First part of this is marketing lingo, as I said there must be triggers. They don't provide satisfying info on their page. About VM rootkits, they are not much of a problem either to detect if you know how to tackle them. I was thinking about far less sophisticated tricks like timing attacks.
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks. :) I was not claiming your product isn't good (in fact, I love it, and I do believe it's easily the best antitrojan I've tried). :thumb:

    I was only reminding that the number of signatures doesn't mean THAT much (unless a signature-based product has, like, 100 signatures... which means it probably sucks). :D
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    FRug's comments were not specifically aimed at BOClean - but BOClean has certainly been guilty of taking shortcuts in the past (using text-based rather than code-based signatures for malware detection and not encrypting its signature database). While encryption was subsequently added, Kevin's reaction (see posts at DSLReports and Scheinsicherheit) to these disclosures was somewhat less than positive. Edit: looks like some half-wit named Yusuf has tried to deface Scheinsicherheit - only the title appears to have been changed but visitors should exercise greater caution when visiting this site. Edit 2: Forum has moved, only the old version was defaced - link updated.

    Now the issue of signatures (quantity versus quality) is a problem for all scanners - a strong (code-based) one does require more analysis and where resources are limited, a vendor has a difficult choice to make between doing quicker analysis on a larger range of malware versus detailed inspection of fewer items. There is, unfortunately, no way for customers to find out exactly what balance has been struck - and it is non-trivial for even a dedicated tester (without inside knowledge) to determine this.
     
    Last edited: Mar 31, 2006
  25. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Yes, the guys from Scheinsicherheit have had their forum hacked, and I wouldn't visit the site with IE even under duress. I think it's pretty amusing that those who supposedly flaunt the expertise to review and criticize security software are themselves utterly unable to secure their own web page, even though they have been hacked in the same manner several times before.
     