Has your real-time anti-trojan ever caught anything?

Discussion in 'other anti-trojan software' started by richrf, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. Wherethebeef

    Wherethebeef Guest

    ADMINISTRATION


    be advised that the above post by Whereisthebeef is NOT by me.
    For whatever reason that poster wants to use that "nic", it's fine with me... the person can have it to enjoy...... NO MORE POSTS WILL BE MADE BY ME USING THE "NIC" WHEREISTHEBEEF.......
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    It is ok to comment on any claims made on this or that, but commenting on whether I would know details or not is pure speculation.

    No one on this board knows me or my background in computing. I could be clueless or I could be highly knowledgeable and faking clueless. I will say that I probably do know more than most people think. In real life, I often fake clueless in order to get knowledge out of people.

    I believe these boards should be for information sharing, but too often it goes into personal attacks and makes discussions useless, because everyone becomes the expert and there is too little listening...... and I do listen. I often reverse positions upon acquiring more knowledge about a subject.

    One thing I will say about me is that not every subject I talk about, I believe in. Sometimes I point in certain directions to see what knowledge comes out of other people.

    I have argued both for ATs and against ATs just to see what the competing considerations would be. I have in the past directly challenged vendors by name, but I don't think I ever called out any one Wilders member by name and said they don't know what they are talking about.

    Discuss the ideas.... not the personality.....



    Starrob
     
    Last edited: Aug 18, 2005
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    As to the understanding of the result, sorry to tell you that it appears you misinterpreted the result.
    The result above is meant to test ITW viruses too. (if you don't know what "ITW" is, simply read it as "known")
    To give you a general idea only, the performances at detecting Zoo (or simply unknown) viruses are roughly as follows:
    [I compare good/famous AVs only. Other rogue/crappy/under-development AVs are excluded:]
    - **unsatisfactory* famous AV: AVG (5%-)
    - below-average famous AV: Avast, RAV, AntiVir (5-10%)
    - about-average famous AV: Norton, Trend Micro, F-Prot, Panda, Sophos (10-20%)
    - above-average famous AV: {not really} (20-30%)
    - ****good**** famous AV: Dr.Web, BitDefender, McAfee (30-40%)
    - ***excellent** famous AV: KAV, NOD32 (40%+)

    IMPORTANT: Don't treat the above result as absolute. As I said previously, it is used to get a general idea of how different classes of AVs perform.

    Ref: http://www.av-comparatives.org/

    Anyway, don't feel guilty or unhappy about making a false statement. We, as humans, always make mistakes. What is important is that we learn from mistakes and avoid making the same mistakes again.


    As to your attitude towards the results, yes you are right.
    You shouldn't strictly believe those results. What you should hold in mind is that they are for reference only. These kinds of results can never be representative enough to make well-solid conclusions.

    By the way, it doesn't mean we should discard these results completely. We need to know:
    - The world is never meant to be perfect
    - Nothing is worse than something
    - The world is full of uncertainty where we have to bet in many cases based on the limited info provided/available

    We need to choose one AV anyway, right? And we wish to bet on the best possible AV. A wild guess is worse than an informed guess.
    So if the above result is the only result we can obtain, we should try to pick the one which is the best in the result, instead of discarding the result and making a wild guess.

    Do you agree with me?
    What do you think?


    PS:
    Note to the thread master/starter (richrf):
    I'm not sure if I should reply since it is like I am hijacking the thread. If you do think so, tell me and I will reply to the posts by private messages (or some other ways) only.
    Also I will delete the off-topic replies should you wish to.
     
    Last edited: Aug 21, 2005
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Just a reminder in case people don't know.
    It is a good thing that KAV manages to update every hour or so. However don't fall into the illusion of using this fact alone to conclude that you will get the fastest protection against unknown viruses, or get far better detection against new Zoo viruses.

    Their research power/speed matters too. Put simply, when a new unknown virus comes out, they need to do a search (eg get that virus sample), analyse (eg look into its behaviour), make a solution (eg add the signature of that virus) & update (ie update the packs and make them available to download).

    What KAV promises to do is the last part: promise to update every hour or so (if updates are available) on a regular basis. It doesn't automatically mean the first 3 parts are sped up too.
    For some other AVs, it may happen that they have finished analysing that virus. Unless this virus is critical/dangerous, they may not update their packs instantly. Rather they wait for their next update time to upload all newly-added stuff to their website.
    Updating every hour or so (if available) is a good thing. However don't fall into the hasty conclusion that it must mean you will get the fastest protection against unknown viruses, or get far better detection against new Zoo viruses.

    Hard facts:

    Example: Mydoom.A
    All AV updates which were released on 2004-01-26:
    – F-Prot 22:30 W32/Mydoom.A@mm (the first one to release an update!)
    – Trend Micro 22:35 WORM_MIMAIL.R
    – RAV 23:00 Win32/Novarg.A@mm
    – Norman 23:05 MyDoom.A@mm
    – F-Secure 23:05 W32/Mydoom.A@mm
    – Virusbuster 23:05 I-Worm.Mydoom.A
    – AVG 23:15 I-Worm/Mydoom
    – Avast 23:15 Win32:Mydoom [Unp]
    – Kaspersky 23:30 I-Worm.Novarg
    – AntiVir 23:30 Worm/MyDoom.A2
    – Symantec 00:05 W32.Novarg.A@mm
    – eTrust (CA) 00:20 Win32/Shimg.Worm
    – Command 00:20 W32/Mydoom.A@mm
    – Sophos 00:40 W32/MyDoom-A
    – eTrust (VET) 01:30 Win32.Mydoom.A
    – Esafe 01:50 Win32.Mydoom.a
    – Dr. Web 02:40 Win32.HLLM.Foo.32768
    – McAfee 04:00 W32/Mydoom@MM
    – Quickheal 04:00 W32.Novarg
    – Bitdefender 04:00 Win32.Novarg.A@mm
    – Panda 04:10 W32/Mydoom.A.worm
    – Ikarus 08:35 I-Worm.Mydoom

    Ref: http://www.av-test.org/


    Is it true that KAV has some kind of behaviour blocker/heuristics already?
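As an added illustration of the point made in the post above (example code written for this page, not part of the forum post and not any vendor's tooling): the first function turns the Mydoom.A timeline quoted in the post into minutes behind the first responder, taking care of the midnight rollover in that list; the second models the post's "updating" stage, where a finished signature can only go out at the next publish slot, so a shorter update cadence helps only after the search/analyse/solution stages are done. The vendor names and clock times are those listed in the post; the cadence scenarios and the 22:00 slot grid are assumptions.

```python
"""Added example (not from the forum post): lag behind the first signature
release for the Mydoom.A timeline quoted in the post, plus a small model of
how publish cadence interacts with analysis time."""
from datetime import datetime, timedelta

# Constructed from the post's list: (vendor, "HH:MM"), first entry on
# 2004-01-26. A clock time earlier than the previous entry means the list
# has crossed midnight; parse_timeline() accounts for that.
MYDOOM_RELEASES = [
    ("F-Prot", "22:30"), ("Trend Micro", "22:35"), ("RAV", "23:00"),
    ("Norman", "23:05"), ("F-Secure", "23:05"), ("Virusbuster", "23:05"),
    ("AVG", "23:15"), ("Avast", "23:15"), ("Kaspersky", "23:30"),
    ("AntiVir", "23:30"), ("Symantec", "00:05"), ("eTrust (CA)", "00:20"),
    ("Command", "00:20"), ("Sophos", "00:40"), ("eTrust (VET)", "01:30"),
    ("Esafe", "01:50"), ("Dr. Web", "02:40"), ("McAfee", "04:00"),
    ("Quickheal", "04:00"), ("Bitdefender", "04:00"), ("Panda", "04:10"),
    ("Ikarus", "08:35"),
]


def parse_timeline(entries, start_date="2004-01-26"):
    """Return [(vendor, datetime)], adding a day each time the clock runs
    backwards relative to the previous entry (the list crossed midnight)."""
    day = datetime.strptime(start_date, "%Y-%m-%d")
    out, prev = [], None
    for vendor, hhmm in entries:
        hour, minute = (int(x) for x in hhmm.split(":"))
        when = day.replace(hour=hour, minute=minute)
        if prev is not None and when < prev:
            day += timedelta(days=1)
            when = day.replace(hour=hour, minute=minute)
        out.append((vendor, when))
        prev = when
    return out


def lag_minutes(entries):
    """Minutes each vendor trailed the earliest release in the list."""
    timeline = parse_timeline(entries)
    first = min(when for _, when in timeline)
    return {vendor: int((when - first).total_seconds() // 60)
            for vendor, when in timeline}


def delivery_time(analysis_done, cadence, first_slot):
    """First publish slot at or after analysis finished. This is only the
    'updating' stage of the post's four stages: the slot grid cannot move a
    signature earlier than the moment the analysis produced it."""
    if analysis_done <= first_slot:
        return first_slot
    elapsed = analysis_done - first_slot
    slots = elapsed // cadence          # whole slots already passed
    if elapsed % cadence:               # partial slot -> wait for the next one
        slots += 1
    return first_slot + slots * cadence


def delivery_str(analysis_hhmm, cadence_hours, first_slot_hhmm="22:00"):
    """Convenience wrapper: clock strings on the assumed date 2004-01-26,
    result as 'YYYY-MM-DD HH:MM'."""
    base = datetime(2004, 1, 26)

    def at(hhmm):
        hour, minute = (int(x) for x in hhmm.split(":"))
        return base.replace(hour=hour, minute=minute)

    when = delivery_time(at(analysis_hhmm), timedelta(hours=cadence_hours),
                         at(first_slot_hhmm))
    return when.strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    lags = lag_minutes(MYDOOM_RELEASES)
    for vendor, lag in sorted(lags.items(), key=lambda kv: kv[1]):
        print(f"{vendor:14s} +{lag:4d} min")
    # Assumed scenario: analysis finishes at 23:10, publish grid starts 22:00.
    print("hourly cadence  :", delivery_str("23:10", 1))
    print("8-hourly cadence:", delivery_str("23:10", 8))
```

In the assumed scenario the hourly cadence delivers at 00:00 and the 8-hourly one at 06:00, which is the difference the post attributes to KAV's update schedule; but with analysis finishing at 21:00 both grids deliver at 22:00, which is the post's other point: cadence is irrelevant until the research stages are complete.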
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I have researched a bit on this subject.
    You may be interested to know.

    Here's one common example where malware can bypass KAV, but not others.
    Code permutation can bypass KAV, but not some others (eg NOD32)
    Based on my understanding and research, it is not true that if something can bypass KAV it can bypass other AVs in most cases. So it also implies:
    - the more on-demand AV scanners you use, the higher the percentage of malware you detect that was missed by 1 AV.
    - the above statements apply to AT & AS & the like too
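An added toy example of the "code permutation" idea in the post above (written for this page; not from the post, and not how any named product works): the sample routine, the toy instruction set and both detectors are constructed here. Independent instructions are reordered in every dependency-preserving way; a signature taken over the exact instruction bytes matches only the original ordering, while a signature taken from the emulated end state matches every variant, which is the kind of check that does not care about instruction order.

```python
"""Added example (not from the forum post): instruction permutation versus a
byte-exact signature and versus an emulation-based signature. Everything
here (the toy ISA, the sample routine, both detectors) is constructed."""
import hashlib
from itertools import permutations

# Constructed toy routine: ("op", dst, *srcs). String operands are registers,
# ints are immediates. Values are 8-bit.
ORIGINAL = [
    ("mov", "a", 0x41),
    ("mov", "b", 0x2A),
    ("mov", "c", 0x10),
    ("xor", "a", "a", "b"),
    ("add", "c", "c", 1),
    ("add", "a", "a", "c"),
]


def reads(ins):
    return {s for s in ins[2:] if isinstance(s, str)}


def writes(ins):
    return {ins[1]}


def conflicts(x, y):
    """True if x and y must keep their order: RAW, WAW or WAR hazard."""
    return bool(writes(x) & (reads(y) | writes(y)) or reads(x) & writes(y))


def is_valid_reordering(prog, order):
    """order is a tuple of indices into prog; every conflicting pair must
    keep its original relative order."""
    pos = {idx: k for k, idx in enumerate(order)}
    for i in range(len(prog)):
        for j in range(i + 1, len(prog)):
            if conflicts(prog[i], prog[j]) and pos[i] > pos[j]:
                return False
    return True


def permuted_variants(prog):
    """All semantics-preserving reorderings (brute force; small programs)."""
    return [[prog[i] for i in order]
            for order in permutations(range(len(prog)))
            if is_valid_reordering(prog, order)]


def serialise(prog):
    return ";".join(" ".join(str(t) for t in ins) for ins in prog).encode()


def byte_signature(prog):
    """What a naive scanner stores: a hash of the exact instruction bytes."""
    return hashlib.sha256(serialise(prog)).hexdigest()


def execute(prog):
    """Tiny emulator for the toy ISA; returns the final register file."""
    regs = {}

    def val(s):
        return regs.get(s, 0) if isinstance(s, str) else s

    for op, dst, *src in prog:
        if op == "mov":
            regs[dst] = val(src[0]) & 0xFF
        elif op == "add":
            regs[dst] = (val(src[0]) + val(src[1])) & 0xFF
        elif op == "xor":
            regs[dst] = (val(src[0]) ^ val(src[1])) & 0xFF
        else:
            raise ValueError(f"unknown op {op}")
    return regs


def behaviour_signature(prog):
    """What an emulating scanner stores: a hash of the final machine state."""
    state = execute(prog)
    return hashlib.sha256(repr(sorted(state.items())).encode()).hexdigest()


def scan(sample, known_byte_sigs, known_behaviour_sigs):
    """Run both detectors over one sample."""
    return {"bytes": byte_signature(sample) in known_byte_sigs,
            "behaviour": behaviour_signature(sample) in known_behaviour_sigs}


if __name__ == "__main__":
    byte_db = {byte_signature(ORIGINAL)}
    behaviour_db = {behaviour_signature(ORIGINAL)}
    variants = permuted_variants(ORIGINAL)
    hits = [scan(v, byte_db, behaviour_db) for v in variants]
    print(f"{len(variants)} valid orderings")
    print("byte-signature hits     :", sum(h["bytes"] for h in hits))
    print("behaviour-signature hits:", sum(h["behaviour"] for h in hits))
```

The routine has 20 valid orderings; only one of them (the original) hits the byte signature, all 20 hit the behaviour signature. A real permutation engine also substitutes equivalent instructions and inserts junk, so a production emulator has to cope with far more than reordering, but the asymmetry between the two detectors is the one the post describes.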
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    You are right, we all make mistakes, which is why I don't trust those results or strictly trust the results of any tests.

    All tests can be subject to manipulation (either intentional or unintentional) and also errors. The results of any tests can also be subjected to endless arguments.....

    One argument that I have found is the endless argument appearing in the AV forum. Numerous examples of the definition of "In the Wild" can be found there. It appears that one reason why so many people argue about AV test results is that one person's definition of "In the Wild" means some determination by some organization, while another person's definition is that any malware a person can find on the internet is "In the Wild". This is only just one example of what can cause a "different view" of test results.

    Most people can not see the other person's point of view because they start off defining the tests differently on such things as what is meant by "In the Wild". There are many ways of perceiving the results of any test and each different perception can give a person different conclusions.

    There are many people that take their perceptions and then try to "preach" and convert others to their world view..... but there are many views in the world.... some more valid than others at different points in time for a given individual.

    Right now, the way you view security could be valid for you at this point in time but may not be valid tomorrow. Points of view vary with time, depth of knowledge and also the particular way one decides they want to view things.

    I started to realize a long time ago that almost all my ways of viewing things hold elements of truth as well as elements of falsehood.... sort of like a yin-yang. This is why I don't feel guilty about most of my statements.... I start off knowing that they have falsehood in them..... but they hold elements of truth as well.

    When it comes to security I believe that some people don't need an AV, some might only need one AV, and some might need multiple AVs. That also applies to ATs and ASs too. There are different people that might require all different types of combinations of security products and many of the considerations people use are not defined by some "test" that may or may not be accurate..

    A test can be a tool but I don't take any one test as gospel.


    Starrob
     
    Last edited: Aug 21, 2005
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Indeed there are quite a few weaknesses PG has, and they are known.
    Eg: PG cannot protect itself from being shut down by means of registry editing.
    (it was found on 25 Jul 2005)

    Sidenote: Don't be scared & fall into the hasty conclusion that this program is crap. If you understand more, every security product has its own weaknesses (some may be quite serious). Generally speaking & in my own opinion ONLY, PG is good (suitable for beginners, and provides decent protection). But if you wish to have more decent protection (although harder to learn), you may think of System Safety Monitor or Viguard.



    If you read good product reviews, they will show you the weaknesses.
    There are also many articles available which discuss security problems, product weaknesses and so on, so if you do wish to know, it is very easy.

    But it doesn't mean you can hack easily. Knowing the weaknesses doesn't automatically guarantee you the knowledge to hack (with some exceptions).


    Yes, I couldn't agree more.


    Yes you are right.
    AT, similar to AV, provides ease of use - alert-free :p
    Users who favour intrusion protection systems have their own reasons why they prefer them.

    Generally speaking:
    - if you feel convenience and being alert-free are of utmost importance, you should choose AT.
    - if you feel protection is of utmost importance, PG or another intrusion protection system is your pick.
    - if you value both, PG is probably your choice since it is designed for beginners: easy to use. Apart from some exceptions, if you don't bother to spend some minutes reading the manual and using Google/forums, you have no problems when using PG most of the time. You don't really need to handle any alerts but a few if you use its learning mode properly.

    You may be interested to read this:
    Comparison of anti-trojan programs and intrusion protection systems when dealing with trojans
    https://www.wilderssecurity.com/showthread.php?p=537680
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I would like to use Ewido (AT/AS) since it can detect 80% of trojans, so it outperforms all remaining ATs (the best being 50% only :( ) in the market in one test.
    (Note: I realise anti-trojans are not designed to detect. They may become useful when the trojans are installed and have invaded your system. Their memory scanner may detect and stop the trojans' activity. But I prefer prevention in the first place :p)

    However it seems it is not good at anti-spyware (although it claims it can detect spyware, it's rather limited). Thus I can't replace my AS with it.

    Also I'm worried about whether conflicts occur among AV, Ewido and AS, which will lower my protection level (unknowingly).
     
  9. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Even one line of code can be damaging. :p
    Code:
    Format {all drive letters}
    
    Haha... :D
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    My T/A x 2 has never caught a thing!! NOD32 was always first to react to any Threats that I ever had!!


    HTH Cheers,
     
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493


    The only problem with product reviews is that sometimes there is a heavy bias either for or against the product by the person doing the reviewing.

    Sometimes it takes a while to determine a reviewer's bias and sometimes it can't be determined at all.

    Even if you can determine the bias, it does not mean that what the reviewer is saying is not true.

    Personally, I try to look at as many sources as I can..... some biased for the point of view.... others biased against the point of view and some of "neutral" bias.

    Personally, for me, the biggest danger is relying on only one source or one point of view. So, I look at things in many different ways and from many different points of view..... it helps my decision making process but it also makes me somewhat of a "heretic" to those that get stuck looking at things from one point of view for the rest of their life.

    It is good that you are out there doing a lot of reading....more power to you!!!



    Starrob
     
    Last edited: Aug 21, 2005
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It seems you have problems when reading results/reports/reviews which may be biased (lightly or seriously). Even worse, you may feel people are biased everywhere and what they write is no longer trustworthy.

    Here's what I think. Don't treat my ideas too seriously.

    In fact, you don't need to worry too much about that. It is true biases occur everywhere in our daily lives (myself included). It's because we are emotional. Loyalty, a sense of belonging and so on make us biased in some way. But it doesn't hurt much when we know how to deal with biases.

    Here's what I think:
    - don't let "bias" divert your logical thinking
    - when direct evidence, direct reasoning, provable facts etc. are available, don't discard/distrust them simply because the person in charge is biased
    - "bias" is one factor which affects the quality/truthfulness of one's claim, but this alone doesn't (totally) falsify what he claims. His claims may still be valid (in some ways)
    - Final word: Don't let "bias" or other personal issues take over your logical judgement!!

    Consider this case. In the 1980s, there were very controversial arguments about high cholesterol content in foods and its relationship with heart disease. Within this context, the National Food & Nutrition Board issued a report citing evidence that insufficient connection existed between cutting fat and cholesterol intake and heart disease to make a dietary recommendation. However many members of the medical community who were urging us to cut fat and cholesterol intake condemned this report.

    But why did they condemn it? It was because 2 scientists on the Board were found to be paid consultants to food companies with special interests in high-cholesterol foods. The chairman of the Nutrition Board received about 10% of his income from Kraft Inc. and Pillsbury, and another member was an adviser/speaker for the American Egg Board and the Dairy Council. Millions of dollars were at stake for these companies. The American Heart Association and other health groups claimed that the report was biased.

    However, when someone concluded that the Board's report had no merit, or that they should discard the whole report completely since the authors were no longer trustworthy, that is very wrong. True, 2 scientists on the Board had a potential conflict of interest, but even if these scientists were biased, the evidence the report cited could still substantiate the report's conclusion that the connection between high cholesterol foods and heart disease is weaker than previously thought. If you look at the direct evidence in the report, the relevant scientific studies cited in the report were available and could have been studied and analyzed. The conflict of interest of the two scientists was relevant to the charge of their being biased, but not relevant to the report's conclusion. They could have been right even if they were biased.

    If everyone is going to discard any information provided by someone who may be or is biased, we are going to discard a lot of (in)valuable direct evidence, which I would hate to see, in my opinion.



    Thanks, and I think you are "on the same boat" :p
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I simply realize that a bias can influence the results. This is among the reasons why, when drug companies test drugs, they use "double blind tests" http://skepdic.com/control.html

    Double blind tests are used to try to eliminate the factor of "bias" within a test. Many scientists, over time, have discovered that a bias can distort the results of a test. Even tests that are "real"..... tests that involve measuring physical things seem to be distorted by bias.

    This is a really crazy subject because some "physical" tests might even be distorted to the point where people think "psychic" abilities are involved. Crazy to think that thoughts might possibly control things in the "physical" world but some believe they can.

    That is why I like to know if the observer of the test is biased or not. I like to know because their bias might influence the results of the test and what is "true" for them might not necessarily be true for me or true for the majority of people.

    Sometimes two different testers can come up with two different results, even though they use the same methods..... the deciding factor can many times be their bias.

    That is why I prefer to look at information from more than one source. I try not to become the "true" believer in any one source. I don't want to be the one that follows the pied piper over the cliff.....



    Starrob
     
  14. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    I've had BOClean catch 3 trojans that got onto my system. They started to run, it caught and deleted them.
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Don't know if it's useful in this conversation but this weekend I was @ my friend's house... complaining about his pc being slow...

    I installed Ewido (trial) and it immediately found 150 pieces of spyware, aurora ****, nasty stuff... hidden dll's, whatever...

    in total her machine was cleaned in 15min. cleaned over 250 pieces of nasty...

    how about that? Real enough?

    grtz.

    /edit: cleaning the rest with hjt was a piece of cake... I really consider Ewido a pitbull... and after the first reboot (together with HJT) I had a nice eve with those guys :cool:
     
    Last edited: Aug 22, 2005
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    A number of trolling\personal attack\OT posts removed.

    Just a reminder of the threads intended subject matter....Has your real-time anti-trojan ever caught anything?
     
  17. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    What test are you referring to? Do you have a link?
     
  18. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    So sorry that I forget to provide the link.
    It is from http://www.virus.gr/english/fullxml/default.asp?id=69&mnu=69 (the latest test)

    To your reference, you may wish to read this as well:
    AV List (from top to down)                  Detection Rate for ITW Trojan (%)
    AntiVirenKit (Kaspersky-based, German)      99.80
    Kaspersky Personal Pro                      99.52
    F-Secure (Kaspersky-based)                  99.40
    Kaspersky Personal                          99.24
    Panda                                       86.92
    McAfee                                      86.56
    Norton Pro                                  82.43
    Norton Corporate                            79.83
    PC-cillin                                   73.51
    AVAST                                       71.51
    Nod32                                       71.37
    AVG                                         55.58

    AS List (from top to down)                  Detection Rate for ITW Trojan (%)
    Digital Patrol                              54.32
    PestPatrol                                  31.52


    AT List (from top to down)                  Detection Rate for ITW Trojan (%)
    TDS (discontinued on 22 Jul 2005)           54.80
    A squared 2                                 53.59
    AntiTrojan Shield                           30.16
    PC Door Guard                               30.06
    Trojan Hunter                               23.65
    Tauscan                                     19.22
    The Cleaner                                 18.76
    Trojan Remover                              18.29
    IP Armor                                    10.92
    Hacker Eliminator                           10.82
    Anti-Hacker & Trojan Expert                 00.01 (how dare you call yourself expert!! You are crap!)

    Ref: One test done on the same website (www.virus.gr) on 8 Aug 2004.
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I cannot see Ewido in your test Wai Wai.. so your link is not valid since you said Ewido outperforms every other player...


    anyway... such tests mean nothing to me and should be reflecting real life, however I cannot see a lot of tests reflecting real life... it's all laboratory stuff...

    and I don't got a lab...
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Thanks for replying. Was this relatively recent? Were you using an AV at the time? If so, would you mind saying which one?

    Thanks for any additional info.

    Rich
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    no kiddin' but it was norton systemworks 2005 brandnew...

    he wouldn't uninstall it :D let him have it ;)

    but it was a great eve after the cleaning...
     
  23. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I'd be willing to bet your friend has an unpatched system, uses IE, and clicks on everything in sight; does not run a resident antispyware; etc. Not even KAV will protect a box from that, I can assure you, although you guys just love to do this with Norton.
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Randy,

    I personally would hope that you will be respectful and allow each member responding to this thread to simply state the facts. If you have any additional questions then of course it is appropriate to ask. But I think that it would be most helpful if everyone felt free to specify what occurred without feeling that they have to defend their "motives". For example, Blue stated in his feedback that he was probably running NOD32 or KAV at the time BOClean detected and cleaned the trojans.

    Rich
     
  25. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Yes but Blue wasn't at all derogatory in his remarks concerning KAV or NOD. As Sgt. Friday always said, "Just the facts, Ma'am." The post Randy Bell quoted was sarcastic, not factual. Really richrf, you should be more like a baseball umpire here, warning both sides like when a pitcher throws at a batter.
     
    Last edited: Aug 22, 2005