F-Prot version 6 (beta) has been released

Discussion in 'other anti-virus software' started by Lordman, May 24, 2006.

Thread Status:
Not open for further replies.
  1. Lordman

    Lordman Registered Member

    Joined:
    Mar 12, 2006
    Posts:
    67
    Location:
    Spain
    ~link removed as per this post....Bubba~
     
    Last edited by a moderator: May 25, 2006
  2. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Great news!
    Any release notes or news?
     
  3. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Downloaded it now, kind of fishy though since I can't find any info on the website. Maybe they are being nice and letting Wilders have a go before anyone else :D . Will install it later, need to disable Kaspersky real time and all, then time to voyage into the pleasure of beta testing :D

    Alphalutra1
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    FRISK did promise a beta/release candidate before June 2006....:)
     
  5. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  7. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    nice, very polished looking...:D
     
  8. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    I will not download it until the weekend so;

    1. Memory/CPU usage?

    2. Does the RTM now have an exclude and any additional settings? Further can it now deal with malware rather than passing it on to the scanner?

    3. On-demand scan speed still fast?

    4. Incremental updating?
     
  9. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    imo: on-demand scan speed very much faster and heuristics etc. improved much
     
  10. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    See screenshot. CPU time, Memory, VM in that order.
    No option to exclude when a threat is found. Possible to exclude files/folders though. RTM gives option to disinfect file.
     

    Attached Files:

    • fp6.PNG
  11. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    1.
    Initial scan results have been posted here: http://illusivesecurity.pytalhost.com/viewtopic.php?t=141

    Please note that a correct interpretation of the scan log requires a thorough understanding of our testing methodology. You must not merely look at the aggregate number of the files detected.

    (Example: Surprisingly, F-Prot fails to detect many of our original samples. This makes it much more difficult to detect the variants which are based on such original samples.)

    2.
    What I really HATE about this F-Prot beta is the following: If you perform an on-demand scan, a detected sample (regardless of whether it's a false positive or not) is automatically deleted. Apparently, there is no option for user interaction ("ask user whether the file shall be deleted or not").

    I have noticed a similar behaviour (e.g., unrequested "hidden" scans) with other products.

    It seems that the eccentric AV folks have gone completely mad and now believe that they should 0wn everyone's computer because, as masters of the malware universe, they claim the right to decide in their sole and absolute discretion what's good and what's evil. Guess what ... next generation of AV scanners will also include automatic DRM features, eh?

    Please correct me if I'm wrong.
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    I think you are wrong. You have to set this option in the task scan, in order that it will not delete the file in an on-demand scan (task). I also overlooked it at first run.
     
  13. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Haha, this is so funny! Especially this one "Please note that a correct interpretation of the scan log requires a thorough understanding of our testing methodology.".

    Well actually the "tester" does *not* have the slightest understanding of how scan engines work, otherwise he would realize what is the "problem" here.

    Hey Nautilus, when will you realize that the AV people have known for *years* that you can make any malware undetectable by adding encryption/packers? You are a few years too late with this "super dangerous knowledge". So what are you trying to prove? That every AV product requires a good behaviour blocker? Good morning, I hope you slept well. :rolleyes:

    BTW, nice job @ F-PROT guys :)
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    well, just test it a little.
    Its GUI is very good and it's really fast on scanning. Also it's light in system resources.

    Its options are a little messed-up. :eek: It was a little difficult to set its scanners, and also the on-demand scanner doesn't have the option: "Ask user" when detecting something. Additionally the on-access scanner has too few options, but I like that when it detects something it also includes a specification whether the sample is functional or not. ;) See the attachment

    But anyway, good work guys. Keep the good work. :thumb:

    P.S. Inspector have you implemented your heuristic engines inside this version?
    And another question... when scanning something from within the context menu F-Prot finds nothing. :doubt:
     

    Last edited: May 25, 2006
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, the On-Access scanner is a bit tricky and I already reported the issue.
    It sure does work, but not right away as you might be used to with avast! or NOD32 for example. Sometimes it will take long to respond, sometimes it will jump right away, and sometimes you have to double-click the file in order to trigger the warning dialog.
     
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Not yet. There will be anyway no "all at/in once" module, this will be updated daily with virus defs step by step. I found a way how to do that completely with defs so in the case of false positives: instead of adding white listed files I can just adjust the heuristic/generic plugin within the defs which means there is no engine update needed. This also gives enough time to fix each category of detection area before you add more where you might have even more to adjust.
    This takes somehow longer than writing direct hardcoded engine plugins, because I have to write a lot of subfunctions and "work arounds" for this detection language which are of course already present in the engine, but not accessible within the virus def file compiler/interpreter. But I simply want to have it work in this way, it's the most reliable and flexible way to add new things or to change existing things.
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    thx for your quick answer IC. I didn't manage to restart my computer that I've seen your answer. :D

    Hope the next builds will be better and better, and the final version, I feel, will be a radical change and a good AV.
    It still misses some viri and btw, where can I send samples?
     
  18. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Viruslab [at] f-prot [dot] com or in case it's something really important and needs to be added immediately then use Mike [at] f-prot [dot] com.
    But please don't misuse the 2nd one until you're really sure it's VERY IMPORTANT. Thanks for understanding this. Oh yes, please compress the files with ZIP and protect them with a password, something like virus or infected.

    Thx
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Samples sent. The most important, I think, is Trojan.PWS.LdPinch.ER but I've sent them all to the first address. :) F-Prot message to this file was: "Could not scan encrypted file ...."
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Well, resend them to Mike [at] av-experts [dot] org.
    Today is a free day here so I'll take a look at it from home.
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Done...
    Free day? :eek: Wow... u're supposed to work every day( jk:p ), or it's "coffee day"? :D
     
  22. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @IBK Thanks for the info. I performed an on-demand scan via right mouse-click and there was no way to prevent the deletion of the files.

    @Kurtzhals

    Still trying to play stupid tricks on me? I (not you) told people numerous years ago that compressed malware is a problem. At that time you still called yourself Mr Macrovirus and had no clue about PE executables...

    I tested F-Prot because some people claim that the new version will feature an emulation. I wanted to see whether this technology has already been implemented and whether it works well.

    Btw.: If you were able to understand the testing methodology you would understand that the test archive does not merely include compressed malware.
     
  23. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I would really like it if people could stay away from provocating each other.
    Stefan never ever said that runtime compressed malware isn't a threat which shouldn't be taken seriously. Regarding his understanding of PE Executables - he wrote his FWIN Macro Virus Scanner completely in assembly. Now please forgive me, but when you are able to write something in assembly wouldn't you be able to understand it vice versa in a disassembler/debugger? Maybe my expectations are too high, but I would just assume this 'coz this is the case for most of the other AV developers as well.

    Regarding this "because some people claim that the new version will feature an emulation"
    Now that is really funny. Did you know that Frisk/F-Prot was the very first AV Company using emulation to detect polymorphic viruses? In case you didn't know that you know it now. And unpacking results doesn't state anything about a present emulator as long as you do not "lead" the emulator from where to emulate and what to snapshot. Because you have to tell the emulator after emulating the packer/crypter code to STOP THERE and take a look. It's exactly the same with polymorphic viruses - you have to check at special points special conditions and you cannot just emulate until you get a timeout or max opcodes reached to check such things. In technical words that's called "emulator breakpoints". No need to explain this more as it seems that you know more than every other AV developer on this earth.
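
The point made in the post above (stop the emulator at a chosen condition and snapshot, rather than emulating until a timeout), as an added example that is not part of the original thread and is not F-Prot's code. The three-opcode toy machine, the "about to execute bytes written during emulation" breakpoint condition and the marker `TOYSIG` are all assumptions constructed for illustration.

```python
XOR, STO, JMP = 1, 2, 3      # toy opcodes; every instruction is 3 bytes: op, a, b
SIG = b"TOYSIG"              # constructed marker standing in for a detection signature

def build_sample(sig, key=0x5A):
    """Constructed sample: XOR-decrypting stub + payload that wipes its own marker."""
    n = len(sig)
    plen = 3 * n + 3 + n                 # wipe code + self-loop + marker bytes
    base = 3 * plen + 3                  # payload starts right after the stub
    sig_at = base + 3 * n + 3
    payload = b"".join(bytes([STO, sig_at + i, 0]) for i in range(n))
    payload += bytes([JMP, base + 3 * n, 0]) + sig       # spin forever, then marker
    stub = b"".join(bytes([XOR, base + i, key]) for i in range(plen))
    stub += bytes([JMP, base, 0])                        # hand control to payload
    return stub + bytes(p ^ key for p in payload)

def emulate(image, max_ops=1000, breakpoints=True):
    """Run the toy image; return (memory snapshot, reason emulation stopped)."""
    mem, pc, written = bytearray(image), 0, set()
    for _ in range(max_ops):
        if breakpoints and pc in written:
            return bytes(mem), "breakpoint"   # about to run freshly written bytes
        if pc + 3 > len(mem):
            return bytes(mem), "halt"
        op, a, b = mem[pc:pc + 3]
        if op in (XOR, STO) and a < len(mem):
            mem[a] = mem[a] ^ b if op == XOR else b
            written.add(a)
            pc += 3
        elif op == JMP:
            pc = a
        else:
            return bytes(mem), "halt"
    return bytes(mem), "timeout"              # max opcodes reached

def detect(image, breakpoints):
    """Scan the emulator's snapshot for the marker."""
    snapshot, reason = emulate(image, breakpoints=breakpoints)
    return SIG in snapshot, reason

SAMPLE = build_sample(SIG)

if __name__ == "__main__":
    print("static scan hit:     ", SIG in SAMPLE)
    print("with breakpoint:     ", detect(SAMPLE, True))
    print("run to max opcodes:  ", detect(SAMPLE, False))
```

Run to the opcode limit, the payload has already overwritten the marker by the time the snapshot is taken, so only the breakpoint run sees the decrypted bytes.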
     
  24. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    "I would really like it if people could stay away from provoking each other."

    Well ... tell this to Kurtzhals. He started this cr*p. And btw., what's the purpose of your last sentence??

    "Stefan never ever said that runtime compressed malware isn't a threat which shouldn't be taken seriously."

    No. But he posted b*s*. He wrongly indicated that I recently discovered this issue and now make a big story out of it.

    "In technical words that's called "emulator breakpoints"."

    That's why we created the decomp delay samples containing instructions that may cause an emulator to stop too early...you might want to have a closer look.

    It seems to me that F-Prot does make an effort to decompress malware packed with the help of executable packers and so on (i.e., not only self-encrypting malware). The scan log indicates that you can already detect and identify many packers. It seems, however, that many unpacking routines are still missing.

    "No need to explain this more as it seems that you know more than every other av developer on this earth."

    No. I always say that AV developers are generally more knowledgeable than I. But contrary to many developers I do not try to mislead people in order to sell anything. If the developers were prepared to tell their customers the complete truth, software tests would be more or less redundant.
     
  25. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Nautilus, where is the proof that you warned about this problem years ago when macro viruses were the #1 threat? At that time (1995-1998), PE malware was far from being widespread and there weren't as many packers as there are today.
    Besides, I had written PE heuristics back then already - for the handful of PE viruses that existed back then. ;-)

    I understand your "testing methodology" is something every stupid script kid can do: use patchers/cryptors/packers and other tools (that you didn't even write yourself) to modify existing malware. So basically you are creating new malware - we should get you arrested. Because you clearly do it with the intent to bypass security products and have no interest to help them at all. Because I don't see any solution proposal from your side.
    If you are such a genius, where is your solution to this problem? Why don't you work for some security company? Well, as a malware "author" (patching script kiddie would be the better term) I guess you are not trustworthy enough to get a job in the security industry - or you simply lack the skills and are not interesting enough. ;-)
     
    Last edited by a moderator: May 25, 2006