F-Prot version 6 (beta) has been released

~link removed as per this post....Bubba~

 

Great news!
Any release notes or news?

 

Downloaded it now, kind of fishy though since I can't find any info on the website. Maybe they are being nice and letting wilders have a go before anyone else . Will install it later, need to disable kaspersky real time and all, then time to voyage into the pleasure of beta testing

Alphalutra1

 

FRISK did promise a beta/release candidate before June 2006....

 

I downloaded it but, my current f-prot key doesn't work on the beta. Anywho, here are a few screen shots of the interface.

http://img.photobucket.com/albums/v219/NAMOR/fp1.jpg
http://img.photobucket.com/albums/v219/NAMOR/fp2.jpg
http://img.photobucket.com/albums/v219/NAMOR/fp3.jpg
http://img.photobucket.com/albums/v219/NAMOR/fp5.jpg

 

Hallelujah! http://i2.photobucket.com/albums/y43/christianchr/Emoticons_2/worthy.gif

finally a beta for f-prot; i will try asap.

thanx for the screenies Namor.

 

nice, very polished looking...

 

I will not download it until the weekend so;

1. Memory/CPU usage?

2. Does the RTM now have an exclude and any additional settings? Further can it now deal with malware rather than passing it on to the scanner?

3. On-demand scan speed still fast?

4. Incremental updating?

 

imo: on-demand scan speed very much faster and heuristics etc. improved much

 

See screenshot. CPU time, Memory, VM in that order.

No option to exclude when a threat is found. Possible to exclude files/ folders though. RTM gives option to disinfect file.

 

1.
Initial scan results have been posted here: http://illusivesecurity.pytalhost.com/viewtopic.php?t=141

Please note that a correct interpretation of the scan log requires a thorough understanding of our testing methodology. You must not merely look at the aggregate number of the files detected.

(Example: Surprisingly, F-Prot fails to detect many of our original samples. This makes it much more difficult to detect the variants which are based on such original samples.)

2.
What I really HATE about this F-Prot beta is the following: If you perform an on-demand scan, a detected sample (regardless of whether it's a false positive or not) is automatically deleted. Apparently, there is no option for user interaction ("ask user whether the file shall be deleted or not").

I have noticed a similar behaviour (e.g., unrequested "hidden" scans) with other products.

It seems that the eccentric AV folks have gone completely mad and now believe that they should 0wn everyone's computer because, as masters of the malware universe, they claim the right to decide in their sole and absolute discretion what's good and what's evil. Guess what ... next generation of AV scanners will also include automatic DRM features, eh?

Please correct me if I'm wrong.

 

i think you are wrong. you have to set this option in the task scan, in order that it will not delete the file in an on-demand scan (task). i also overlooked it at first run.

 

Haha, this is so funny! Especially this one "Please note that a correct interpretation of the scan log requires a thorough understanding of our testing methodology.".

Well actually the "tester" does *not* have the slightest understanding how scan engines work, otherwise he would realize what is the "problem" here.

Hey Nautilus, when will you realize that the AV people know for *years* that you can make any malware undetectable by adding encryption/packers? You are a few years too late with this "super dangerous knowledge". So what are you trying to prove? That every AV product requires a good behaviour blocker? Good morning, I hope you slept well.

BTW, nice job @ F-PROT guys

 

well, just test it a little.
Its GUI is very good and it's really fast on scanning. Also it's light in system resources.

ITs options are a little messed-up. It was a little difficult to set its scanners, and also the on-demand scanner hasn't the option: "Ask user" when detecting something. Additionally the on-access scanner has too few options but I like when detects something it also includes a specification whether the sample is functional or not. See the attachement

But anyway, good work guys. Keep the good work.

P.S. Inspector have you implemented your heuristic engines inside this version?
and another question....when scanning something from within the context menu F-Prot finds nothing .

 

Well On-Access scanner is a bit tricky and i already reported the issue.
It sure does work, but not right away as you might be used with avast! or NOD32 for example. Sometimes it will take long to repsond, sometimes it will jump right away, and sometimes you have to doubleclick the file in order to trigger warning dialog.

 

Not yet. There will be anyway no "all at/in once" module, this will be updated daily with virus defs step by step. I found a way how to do that completely with defs so in the case of false positives: instead of adding white listed files i can just adjust the heuristic/generic plugin within the defs which means there is no engine update needed. This also gives enough time to fix each category of detection area before you add more were you might have even more to adjust.
This takes somehow longer than writing direct hardcoded engine plugins, because i have to write a lot of subfunctions and "work arounds" for this detection language which are of course already present in the engine, but not accessable within the virus def file compiler/interpreter. But i simply want it to have it work in this way, it's the most reliable and flexible way to add new things or to change existing things.

 

thx for your quick answer IC. I didn't manage to restart my computer that I've seen your answer.

Hope the next builds will be more and more better and the final version I feel it will be a radical change and a good AV.
It still miss some viri and btw, where can I send samples?

 

Viruslab [at] f-prot [dot] com or in case it's something really important and needs to be added imidently then use Mike [at] f-prot [dot] com.
But please don't misuse the 2nd one until you're really sure it's VERY IMPORTANT. Thanks for understaning this. Oh yes, please compress the files with ZIP and protect them with a password, something like virus or infected.

Thx

 

Samples sent. The most important I think it's Trojan.PWS.LdPinch.ER but I've sent them all to the first address. F-Prot message to this file was: "Could not scan encrypted file ...."

 

Well resend them to Mike [at] av-experts [dot] org.
Today is a free day here so i'll take a look at it from home.

 

Done...
Free day? Wow... u're supposed to work every day( jk ), or it's "coffee day"?

 

@IBK Thanks for the info. I performed an on-demand scan via right mouse-click and there was no way to prevent the deletion of the files.

@Kurzhals

Still trying to play stupid tricks on me? I (not you) told people numerous years ago that compressed malware is a problem. At that time you still called yourself Mr Macrovirus and had no clue about PE executables...

I tested F-Prot because some people claim that the new version will feature an emulation. I wanted to see whether this technology has already been implemented and whether it works well.

Btw.: If you were able to understand the testing methodology you would understand that the test archive does not merely include compressed malware.

 

I would really like it if people could stay away from provocating each other.
Stefan never ever said that runtime compressed malware isn't a threat which shouldn't be taken seriously. Regarding his understanding of PE Executables - he wrote his FWIN Macro Virus Scanner completely in assembly. Now please forgive me, but when you are able to write something in assembly wouldn't you be able to understand it vice versa in a disassembler/debugger? Maybe my expectations are to high, but i would just assume this 'coz this is the case for most of the other av developers as well.

Regarding this "because some people claim that the new version will feature an emulation"
Now that is really funny. Did you know that Frisk/F-Prot was the very first AV Company using emulation to detect polymorphic viruses? In case you didn't know that you know it now. And unpacking results doesn't state anything about a present emulator as long as you do not "lead" the emulator from where to emulate and what to snapshot. Because you have to tell the emulator after emulating the packer/crypter code to STOP THERE and take a look. It's exactly the same with polymorphic viruses - you have to check at sepcial points special conditions and you cannot just emulate until you get a timeout or max opcodes reached to check such things. In technical words thats called "emulator breakpoints". No need to explain this more as it seems that you know more than every other av developer on this earth.

 

"I would really like it if people could stay away from provocating each other."

Well ... tell this Kurzhals. He started this cr*p. And btw., what's the purpose of your last sentence??

"Stefan never ever said that runtime compressed malware isn't a threat which shouldn't be taken seriously."

No. But he posted b*s*. He wrongly indicated that I recently discovered this issue and now make a big story out of it.

"In technical words thats called "emulator breakpoints".

That's why we created the decomp delay samples containing instructions that may cause an emulator stopping too early...you might want to have a closer look.

I seems to me that F-Prot does make an effort to decompress malware packed with the help of executable packers and so on (i.e., not only self-encrypting malware). The scan log indicates that you can already detect and identify many packers. It seems, however, that many unpacking routines are still missing.

" No need to explain this more as it seems that you know more than every other av developer on this earth."

No. I always say that AV developers are generally more knowledgeable than I. But contrary to many developers I do not try to mislead people in order to sell anything. If the developers were prepared to tell their customers the complete truth software tests were more or less redundant.

 

Nautilus, were is the proof that you warned about this problem years ago when macro viruses were the #1 threat? At that time (1995-1998 ), PE malware was far from being wide spread and there weren't that many packers as are today.
Besides, I had wrote PE heuristic back then already - for the handful of PE viruses that existed back then. ;-)

I understand your "testing methology" is something every stupid script kid can do: use patchers/cryptors/packers and other tools (that you don't even wrote on yourself) to modify existing malware. So basically you are creating new malware - we should get you arrested. Because you clearly do it with the intent to bypass security products and have no interest to help them at all. Because I don't see any solution proposal from your side.
If you are such a genius, where is your solution to this problem? Why you don't work for some security company? Well, as a malware "author" (patching script kiddie would be the better term) I guess you are not trustworthy enough to get a job in the security industry - or you simply lack the skills and are not interesting enough. ;-)