Discussion in 'other anti-trojan software' started by c0ltran3, Jan 3, 2004.
Does someone know Ewido Security Suite? I'm interested in its trojan scanner. www.ewido.de
See here ...
http://www.rokop-security.de/board/index.php?showtopic=1180 (including a scan log).
IMHO, it's quite promising. It uses a generic emulation and fuzzy high quality signatures (taken from the code section). Therefore, it shouldn't be easy to outfox this scanner.
Problem: There are not enough signatures yet. A memory scanner is under development.
I can confirm this, I'm currently testing it and the ewido guys have a lot to catch up... detected about 50% of trojans released in December (and I can't even say I have 'em all)... and before you ask, yes I submitted! Otherwise it looks very promising, it will be a real contender when it's finished.
Well they just received about 350 MB of solidly packed RAR samples from me. So it would be just a question of time until they are "up to date".
And remember they are the first AT world wide providing a real powerful unpacking engine based on real emulation.
That's a nice gesture, Andreas. Florian will be happy no doubt. Did you provide your archive to other AT companies as well, btw?
Hold your horses. This might be true as soon as there's a Final Release - in the meanwhile, several other AT companies are working rapidly on real emulation as well (but you surely are aware of that one).
"Did you provide your archive to other AT companies as well, btw?"
Paul, I guess you have DCS in mind (among others). Maybe it would be a good idea if Seltsam would not only share samples but also receive samples from other vendors. Maybe it would be an even better idea if all small AT software producers would share their samples with each other.
On the other hand, searching for trojans is an important part of the business. If you simply share all your samples with your competitors they may not have an incentive to search the trojan sites on their own. And then you are doing all the work for your competitors.
Therefore, it must be ensured that each party benefits from a malware exchange, right?
"This might be true as soon as there's a Final Release"
The current release is the first final release. That's why I published scan results @ Rokop.
Thanks for jumping in for Andreas, Nautilus
I don't have any specific company in mind - actually, all of them . As for exchanging malware databases/samples: I'm fully unaware how and if Andreas has contacts with other companies in this respect. IMO that's an issue between Andreas and other companies only.
Well, you and I know that's not the way it works. Companies will be on a never ending search themselves, regardless whether they receive samples from third parties.
IMHO that's far too straightforward a question. For example, I'll never see the day Eugene Kaspersky throwing in his malware database in exchange for a relatively minor database in exchange: if exchange is an issue, it should be at least a balanced one. And the only way to check out if the minor database offered is really worthwhile is getting it up front, without anything in exchange for starters. The "minor contributor" will have to take his chances whether or not the major party is willing to provide something in return, taking all sorts of considerations into account, one of them being the usefulness of the samples received.
In that case, Ewido did let us down - they've promised us some licenses as soon as the Final would be released
ewido is still freeware. Therefore, you do not need a license. You will need a license for the upcoming modules.
"24.12.03 Release of the final freeware version
ewido networks ends the public beta tests begun just under a month ago with the release of the final freeware version of the ewido security suite. The final version is available for download immediately via setup or via online update from within the software."
" For example, I'll never see the day Eugene Kaspersky throwing in his malware database in exchange for a relatively minor database in exchange: if exchange is an issue, it should be at least a balanced one."
100% correct. That's exactly the problem. My point is that we should not expect Seltsam to share his comprehensive malware database with each and every competitor. He is not required to treat each competitor in an equal manner. An AT producer will only share his malware database if there is a good reason to do so.
So it's the freeware version - thanks. Actually, those "upcoming modules" are of major interest (I'm sure you'd agree). So I will withhold from any comment until the commercial version has been released.
That's a rather personal interpretation from my whole comment - which stated something different
Sorry, for misinterpreting you. This was not my intent.
No offense taken, Nautilus
if I use a2 free together with Ewido security Suite how much am I protected?
IMHO: at this very moment not sufficient enough.
Neither a2 nor ewido have a working mem scanner or a comprehensive signature database yet. That's why I agree with Paul.
On the other hand, the signature databases of many AV/AT scanners have been cracked. A few are not encrypted at all. Moreover, weak signatures are frequently used. Therefore, it's not useless to install an on-demand backup scanner. In particular, when it comes for free and has an emulation ...
Thanks for your feedback