Future Ewido Suite

Discussion in 'other anti-trojan software' started by Ewido Solution, Aug 7, 2005.

Thread Status:
Not open for further replies.
  1. What is the direction of the Future Ewido Suite? I would like to know the direction because I don't feel comfortable buying multiple products all doing the same thing.

    If future Ewido products include what is all the rage these days, HIPS, then I will probably stick with the Ewido line of products since they seem to develop software at a quite high level.

    Ewido is already a very good piece of security software and it has the potential to continue being one of the best solutions out there.


    Ewido solution for me
     
  2. goodquestion

    goodquestion Guest

    That's a good question. I would also like to know, seeing where TDS flew the coop. I think Ewido has got to be about the best AT available today, and I would hate to see it disappear like TDS did.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Since it's a general malware scanner, I doubt it will. At most I would think it would just get to be advertised more as an anti-spyware scanner, especially since spyware are using trojan tricks more and more.. products like Ewido will probably be the only ones really capable of dealing with them.
     
  4. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    for me ewido only find cokies??
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Well if you only have cookies to find, what would you have Ewido do? Find trojans that ain't there? In your case Kaspersky will find a piece of malware first in 99% of infections (if covered by Kav of course!) and Ewido only steps in after that.
     
    Last edited: Aug 8, 2005
  6. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    so thats why none of my security programs ever get anything??

    coz of kaspesky?
     
  7. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Or maybe because you have no trojans.. ;)
     
  8. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    No, not necessarily, it may be that you simply do not encounter much malware, it's difficult to detect something thats not there. In the years i have used Kav nothing slipped passed it though. If Ewido continue to improve, then i'm quite sure that they will remain in the top 2-3 with regards to detection. :)
     
    Last edited: Aug 8, 2005
  9. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,276
    Location:
    Earth
    i love Ewido since TDS infact TDS didnt find alot ewido saved me 4x already! :eek:
     
  10. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hot NEWS
    Ewido, after anti-spyware-isation, still defeat the top anti-trojan experts:
    - Kaspersky-based family (eScan, AV): detect 32503 trojans, missing 207 (Elapsed time: 80)
    ...
    - Ewido(AS): detect 26891 trojans, missing 5819 (Elapsed time: 64)
    ...
    - A squared(Best AT): detect 19460 trojans, missing 13250 (Elapsed time: 29)

    After this test, we can call anti-trojan experts as anti-nomer experts! :p
    [Hint: Think about the antonym of "nomer"]
    (joking)
     
  11. Why

    Why Guest


    LOL.....these tests mean very little. Ewido strength like boClean's strength is in the memory scanner.

    A2 never claimed to have the best on demand scanner. Their strength is their IDS.

    As for KAV...it has great detection but it can be easily beaten with a little modification. People give KAV the can catch 99% of all malware label because KAV can detect the versions that can be downloaded from your local malware site but can it detect private versions that are designed to evade it?

    See http://illusivesecurity.il.funpic.de/viewtopic.php?t=61



    o_O??
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  13. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    You only pointed the difficulty that KAV faces.
    But you didn't say anything that AT will not suffer from this problem.
    How good can AT detect the private versions?

    And you seems you miss that AV scanners have heuristic methods to detect variants and unknwon/private malware.

    AV are all-round on almost all malware, while AT is only okay (NOT good!) at trojans.

    I don't understand why AT can be treated as effective if a lot of both pulbic and private" troajns can bypass (from the test, their results are much wrose than AV) it witohut detection.

    Would you care explaining what makes AT superior to AV?
     
    Last edited: Aug 14, 2005
  14. why

    why Guest


    First a AT is not superior to a AV. They both designed to do different things. There are some things a AV does well and other things a AT does well. AT's is usually better in detecting malware in memory and removing the malware. The AV is usually best with the on-demand file scan. The AV's are the best at detecting malware on the disk before it is executed.


    The strength of the three best AT's is not in their file scanning, which is what you are using to compare AV's to AT's (Even though the test you cite has dubious results). The AV's are usually the best with on-demand file scanning, their weakness is in that on demand file scanning can be easily evaded using modification, packers, crypters....etc....

    Most of the top AT's strength is in their memory scanning. It is harder for a trojan to evade the memory scanner. All the tricks, all the modifications that fool the on-demand file scanner mean little to a memory scanner.

    A trojan has to unpack, decrypt and reveal itself in memory. This is where the AT can block it and eradicate it before it does damage. Boclean is among the best at doing this. Ewido is at the same level as BoClean.

    Now having said all this, malware authors developed and are developing different ways to beat the memory scanner also. So, they are not perfect either but neither is the AV.

    I really don't believe the KAV can detect 99% of all malware out there. I believe it can detect a lot but nowhere near 99% simply because it is too easy to make modifications to evade the scanner.

    Forget about real hackers, even script kiddies can do things to modify malware so KAV can't detect it. Like I said, I know a website right now that has malware that appears to be useful software for the computer so I know it fools many people into downloading it. This malware can not be detected by KAV, NOD, Bitdefender or any other scanner on jotti's.

    Even Ewido won't detect it on the on-demand scan but if you click on it, I am certain the memory scanner will identify it and block it. Software such as PG might not help you with that particular malware. PG is dumb, in that it can not make decisions on what is good or bad. If you are installing something that you already think is innocent software, you might click through all the alerts and then find out the software is not so innocent and by then it is too late. You will then probably have to use Ewido or Boclean to remove it.

    Do I believe the pure AT scanner is dying? Yes, I do but I still believe that both Boclean and Ewido can provide extra protection for some people because neither one is a pure AT. As a matter of fact, there are few pure AT left.



    Why
     
  15. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    Ok lets get this Topic rolling :)

    I also believe that the top AV's do a better job ;) I can see a perceived need for AT's but I don't see a real need, at least thats a fact on my PC.

    Are there any test on what AT's detect, that compair the AV's against the same samples ?
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    This is true. But PG can provide clues. For example, if a program tries to install a driver/service or global hook, PG will alert. It would be much more useful if PG provided more helpful information along with their alerts, to help users make their decisions, as Online Armor does. I am sure this will evolve.

    Rich
     
  17. Why

    Why Guest


    You have excessive misplaced trust in the capabilities of heuristics. Many times heuristics are just as easily evaded as the signature scan. Sometimes, the best one can do is detect it with the memory scanner.

    Why
     
  18. Why

    Why Guest


    AV's do a better job with a on-demand scan on trojans that are posted on blackhats forums. AV's do a terrible job with private modified versions of the same trojans. AT's do much, much better detecting trojans with a memory scan.

    Whether one decides to use a AT or not depends on their risk level. For high risk surfers, a AT might be a consideration. Low risk users can probably get by without a AT.

    As for tests. There are no tests that I know of that will produce decisive answers. Either someone will find the flaw in the actual testing method or the tester will be found not to be independent. If you can find a independent tester that has no interest in the results one way or the other, that has the time to perform the tests and can come up with a satisfactory testing method that would not be flawed then please post where it is. I have been looking for that test for awhile.



    Why
     
  19. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It's time to do some homework...

    So "why" teacher, you taught me that:
    - AT & AV are designed to do different things
    - AV is usually better at on-demend file scan
    - AT is better in detecting malware in memory and removing the malware.

    First I would like to modify some of the points.
    "AT is better in malware in memory"
    This seems to be an old belief.
    Take McAfee as an example, it will scan the memory when scanning files too. I'm not sure if what it does is different from what AT does since I am not too familiar with AT.

    "AT is better... removing the malware"
    It depends on what kind of malware. It may be true they may be better when removing trojans, but not others generally speaking only.


    So we can see the power of AT when we get infected.
    And in fact, some AV have implemented similar technique (memory scan) too.


    1 AV may miss that, but how about using 14 major scanners (some of them can detect 99% trojans)? there's 1 website which offers us to scan a suspicious file by 14 scanners for FREE at one-stop.
    The first benefit is it reduces much chance that a trojan can bypass the system.
    The second benefit is this "super" scanner can not only help you to detect trojans, but also other malware.
    Remember they do not only used signature to identify malware. They have different heuristic methods to do and the result can be quite good (although not perfect).

    Surely I'm not saying the above method is 100% safe, but this point should not be used to disfavour the use of this "super" scanner. if it were to use, then we should not use AT either.

    What do you think, "why" teacher?

    But do they idenitify trojans based on their own sets of signatures?
    How exactly they can detect these trojans?


    IMPORTANT: Don't read 99% as 99% of all malware!!
    It's a real false illusion if you do think. The reality situation is much worse unfortunately!

    I think you are quoting it from my another post: https://www.wilderssecurity.com/showthread.php?p=531007

    If it is so, the 99% is meant to be ~99% of ITW trojans. Overall it can also get ~99% for ITW malware.

    As to Zoo malware, the result is expected to be about 50% or lower for KAV, but don't think it does poorly. It is already at the top which are shared by NOD32. (By the way, both KAV and NOD32 can even have 1/2 chcance to detect these malware even if they are not in the signature databases. Not bad indeed.)

    And if you compress your file (you shoudln't compress it as *.zip, you should try some other uncommon coom pression extensions, more AV will fail completely).


    True, pure AT is dying.
    There's interesting news that TDS (anti-trojan program) is discontinued. One main reason is the rise of anti-virus programs taking over the anti-trojan markets.
    http://tds.diamondcs.com.au/
     
    Last edited: Aug 14, 2005
  20. Wai_Wai,

    No offense, but someone needs to teach you that posting a novel with each post is unecessary. That's the best way to have your posts go unread, because not everyone has the better part of a day just to read a single post.
     
  21. Why

    Why Guest


    This is true. I am not going to go through that earlier post Wai Wai and talk about every point. There is no possible way too teach so much in such a short thread.

    As, I said before do more research. I gave you links before. Start there and continue on if you really want to learn. Anyone that has been around the malware industry for any length of time can see there are a few gaps in your knowledge base.



    why
     
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Memory scan is flawy too. It depends on your signatures, plus troajns can bypass the scan, plus troajns can modify your AT. A memory lock (offered by PG) is a far better solution. And don't get it wrong that you need to have good knwoledge to use this feature well. You don't!
    Its secure structure (kernel-based) can solve my abovesaid problems too. A trojan can't modify it, or at least very difficult to do.

    Heuristics are not useless.
    Av have good design to stop malware which is not in their signature bases

    See these hard facts:
    KAV managed to stop 43% of Zoo malware, while NOD32 got 49%.
    (http://www.av-comparatives.org)
     
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    You are right.
    Gonna to edit soon.

    EDIT: Done!
     
    Last edited: Aug 14, 2005
Thread Status:
Not open for further replies.