http://virusscan.jotti.org/

Discussion in 'other anti-virus software' started by Bitz, Jun 1, 2005.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    For the purposes of this discussion, it would be useful to understand the difference between isolated observations, extrapolated inferences, and facts.

    Any of us can visit virusscan.jotti.org/ and observe the latest results. Occasionally, we'll see an AV which does not flag a file while others do (see example screenshot). That's an observation - Group A flags this file, Group B does not, no more, no less. It is a fact that Group A flags and Group B doesn't. Anything beyond that steps outside the domain of fact unless additional evidence is brought to bear.

    It's an extrapolated inference to state that Group B missed flagging some malware. If it's a nonfunctional code fragment in a temporary directory, so what? If it is similar to some perfectly fine software and therefore given a free pass if examined in isolation, so what? Maybe it's riskware and not flagged under the specific settings employed. A disparity in results is only the starting point of determining whether there has been a failure in one product or another, not the end point as is so casually presumed.

    Facts? Well this depends on what the claim is, but too many folks are confusing inference (which is occasionally very reasonable) with fact. They are different and you do yourself a disservice to not appreciate the distinction.

    Blue
     

    Attached Files:

    • jot.png
      jot.png
      File size:
      32.5 KB
      Views:
      1,117
  2. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    soon i hope, i cant see this thread going anywhere, seems a good place to stop...
     
  3. bre1

    bre1 Guest

    Ofcourse, but one can visit this site very frequently in some longer period of time and find pattern - which is (just check yourself and you will conclude the same):

    NOD fails more than KAV, even with its "superior" heuristics...fact might be that NOD has better heuristics as one component of antivirus system, but in real situation NOD as system performs worse than KAV as system - this is what should be counted, how system performs - not its separate components.
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    bre1,

    You still don't get it.

    Let's take it as a given that you believe NOD32 performs worse than KAV. Fine. Lot's of controlled tests will support this contention. Some other tests point to conditions where NOD32 performs better. Examples of both are at av-comparatives.org. I assume you are aware of the differences in the two basic test protocols and what they are designed to probe. Regardless of which side of the discussion you're on, causal inspection of results at sites such as jotti's simply do not provide objective and factual information on performance. That's why running statistical trends don't appear. They are inferred qualitative indicators. The difference is not a polite nicety.

    Before you dismiss the findings at av-comparatives.org out of hand, how about providing a conceptual outline of how it should be done? As with any test protocol, if it's not controlled and can be reproducibly executed, it's not a test - it's winging it. What you are discussing thus far is precisely that - winging it. If you choose to make you decisions on that basis of that, fine. I don't.

    Blue
     
  5. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    further to what Blue has explained, i have been led to believe from reading posts on this forum, that the nod32 scanner at jotti is not configured to its maximum settings, therefore another example of why we cant draw any real conclusions based solely on the statistics provided there.

    the option for scanning for 'potentially dangerous applications' is not available as it is running on a linux platform, and also the spyware/riskware options are not enabled. this is just what i have read elsewhere, and without knowing for sure how the AVs are configured, its pointless comparing.

    Independent tests carried out by people who know what they are doing and who provide details of testing conditions, scanner settings, etc. are informative and can be used to draw conclusions and make comparisons. Hanging out at jotti and adding a point to the scanners that flag potential threats is a pointless exercise, and only seems to be a pastime for users of KAV.

    i said earlier that i think this thread has exhausted itself, and no matter how long it is kept open there is never going to be any agreement between the NODers and KAVers.

    ...next week: my car is faster than your car.
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    KAV is better product than NOD32 and my car is faster and better than your car. :D :) ;) :cool:
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,217
    Location:
    The land of no identity :D
    Not sure, but I think at least one of the two worms were heuristically detected.

    Anyway, the update was released to provide disinfection for those worms

    I sure wasnt expecting that update; because I had got one update already.

    Even one update a day is good enough for me because I can only spend 3-4 hours on the PC anyway (except for holidays) because of school and other classes.
     
  8. bre1

    bre1 Guest

    Could be worldwide spread conspiracy to discredit superior heuristics in order for Government to be able to spy us? :)))))))

    I am eager to see episode "My father is stronger than yours"...please let know when you plan to post it.
     
  9. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    .....
     
  10. bre1

    bre1 Guest

    It went to total offtopic...
     
  11. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    This is what I was saying about NOD users talking up NOD 32 too much and in the end doing it far more harm than good because people are expecting, by the way it's hyped up that it'll pick up 'everything' and no AV is that good, so it would be in the interests of NOD users to be a bit more realistic and use less rhetoric and references to awards and tests when promoting NOD 32 as these are inconclusive and result in unrealistic expectations from prospective customers who exhibit 'great disappointment' even if it misses 1 infection. This is the result of too much hype.

    Dave
     
  12. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,535
    The user of NOD32, like me, can only say that NOD32 have the best heuristics but any AV, including NOD32, can't catch anything...
    It's just impossible...
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,217
    Location:
    The land of no identity :D
    To be very honest - I am not a NOD32 fanboy. I have used many AVs and I just find that NOD32 is great for my PC which is primarily meant for games.

    I never said that the heuristics are the best, that they will save the world from all dangers.

    Its just good enough for me, thats all.

    I bet you dont know about my great "struggle" deciding between BitDefender and NOD32 :D. KAV, BD and NOD32 all have their own special qualities, and at the end of the day, its the protection offered that counts ;)
     
  14. Ajim Rudies

    Ajim Rudies Guest

    Waddup!!!

    Man,do you noe sub7 virus not antivirus im the subseven owner but im suffer cuz it will crush all ur computer but lucky i have PC cillin trend micro n AVG anti virus their both is good n remove virus easily.But if u all wan to be hacker u all go <[COLOR=Blue]Removed>[/COLOR]/url] ...inks to malware on Wilders -- Ron[/I][/COLOR]
     
    Last edited by a moderator: Jun 14, 2005
  15. C.C

    C.C Guest

    @Ajim Rudies

    um...........what?
     
  16. bre1

    bre1 Guest

    Q: Where are the statistics?
    A: I removed them because they started causing too much commotion. And I got tired of
    explaining why these results were different from other tests. This service
    receives a lot of very, very new malware and most people fail to realize that signature
    scanners require an actual signature for these new malware variants, which some AV
    companies provide faster than others. Approximately 2 malicious programs pass this
    scanner, without any AV product noticing anything, every day!

    Somebody, probably from this forum went crying to Jotti and now he had to take the statistics away :D Well I saw what I saw and that was that KAV is superior to any AV by far. :D
     
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Damn jerks :rolleyes: If people would actually read his FAQ we'd still have percentage statistics. Argh. :mad:
     
  18. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,868
    Location:
    Innsbruck (Austria)
    On Jottis site the total statistics are usually always around those:
    Kaspersky ~83%
    VBA32 ~65%
    BitDefender ~63%
    Dr.Web ~63%
    NOD32 ~56%
    AntiVir ~54%
    ArcaVir ~52%
    Fortinet ~48%
    ClamAV ~40%
    Norman ~39%
    AVG Antivirus ~36%
    F-Prot ~35%
    Avast ~34%
     
    Last edited: Jun 15, 2005
  19. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Jotti's heavily favors Kaspersky because many malware sites use KAV to validate their libraries. In addition, KAV detects improper files as malware. For example if a particular malware is a DLL, but also has a 1 byte text file, KAV detects the text file as the malware as well (incorrectly). Other AV's ignore this useless file. (correctly).

    These are a couple reasons, there are others.
     
  20. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    I would think that Jotti would not use KAV for validation since the malware comes from outside sources (internet users) for scans. His library is provided by people submitting malware, then he passes it on to vendors.
    So why would he need to have them validated by KAV when in essence they are being validated by the many scanners?
     
  21. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    There are many reasons why KAV statistics is so good at Jotty's. For example KAV is also able to scan inside of quarantine of some other AV programs. So it gets a bit more points because of this when such files are submitted for online check.

    Also Jotti's seems to favour signature detection. For example, in the case when no antivirus provides exact detection, the result is not taken into account at all in the statistics, though some programs could have correctly flagged this submitted malware with heuristics. After that, this sample is distributed to different AV companies and the one, who updates virus databases faster, has the advantage (and KAV seems to update virus databases very fast). The next time when the same sample is submitted, KAV usually already detects it and earns points (other scanners who still detect it with heuristics get points too, but they have no chance to beat KAV in statistics). I really don't know how Jotti's engine works, so it is only my guess. But if that is true, the better heuristics of other AV engines, the more KAV benefits from it at Jotti's :)
     
  22. bre1

    bre1 Guest

    This is compleat BS, when an AV finds malware with heuretics Jotti shows it in the statistics. I don't know why you have to lie about it. I know Jotti has hurt some antivirus distributors because it actually shows in realtime what viruses has infected REAL PEOPLE, not some viruscollection, REAL PEOPLE. So the AV companies that rely on heavy marketing and image falls flat on the floor, also some that has a good reputation and is tought to be good isnt as good as you might think. The statistics also shows which antivirus pics ups the malvare what which doesn't. The only way Kaspersky has benefitted from this is that Jotti shows that KAV finds the majority of the virus. You can come up with whatever explanations you want about why Jottis statistics doesnt favour your AV but its very simple, the files that is sent in are from people like you and me and the virus that their computers are infected is could infect us. The antivirus that finds the most viruses there will also find the most viruses for you in real life. Jotti can't be fooled and is not sponsored by AV companies like some of the tests that are made with viruscollection. Jottis statistics gave a glimpse from real life and that's whats the most important.
     
  23. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    Is it really? See here:

    Code:
    File:   C3C772C3DAEFFE7B704C4F024DD33E79B3E2DC0D.zip
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged 
            as malware by heuristic detection(s). This might be a false 
            positive. Therefore, results of this scan will not be stored in 
            the database)
    
    MD5     d5c7e8b7fec54b53d52214336d59428d
    Packers detected:   
    -
    
    Scanner results
    AntiVir              Found nothing
    ArcaVir              Found nothing
    Avast                Found nothing
    AVG Antivirus        Found nothing
    BitDefender          Found nothing
    ClamAV               Found nothing
    Dr.Web               Found nothing
    F-Prot Antivirus     Found nothing
    Fortinet             Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32                Found nothing
    Norman Virus Control Found nothing
    VBA32                Found Worm.Pikis.1 (probable variant) 
    
    That's a fresh piece of malware that came from Jotty today, it is currently being added to virus databases, but right now our scanner detects it only using heuristics. Some other AV can already detect it. In order to make this experiment and make the file only detectable using heuristics, it was packed in ZIP archive with BZIP2 compression method (luckily no other AV but VBA32 are able to unpack such archives yet :)). Result is here: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database.

    So if i get it right, this result is not taken into account for Jotti's total statistics (it was previously posted by IBK and KAV has scored 83% in it) though this file is definitely a piece of malware. Well, this total statistics is not available for public anyway, so there is no point to complain or requite Jotty to fix it, or change anything :) KAV is an excellent antivirus, but the difference in detection percentage in the Jotti's total statistics between KAV and all the other AV 'might' not be that large if it was calculated a bit differently (not better, not more correctly, but using a different algorithm). As I said before, it is currently favorable towards signature detection and gives less 'points' for heuristics detection. That is neither good or bad, it is how it is calculated. Maybe because there is hard (or impossible) to find a perfect algorithm for the total statistics calculation, this statistics is not available to public at Jotti's page. But as the results were posted here, we are discussing them now :)

    I don't think that I'm the guy who would have to lie or complain about that statistics ;)
     
  24. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    I ahve found VBA32 will find some executables via heuristics that everyone else misses, mainly backdoors. It's all in the way it is trained.

    As a side note has anyone else noticed that Jotti removed the last piece of maleware box from his page?
     
  25. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    I think might have been because so many people are sent to jottis from all the forums and asked to scan suspicious looking files and quite a few of them uplaod then immediately see the last scanned entry & copy that rather than waiting for the proper result

    + the fact that on occasions it gets 20 or 30 files every minute so it's impossible to display the last one properly
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.