IBK On-demand vs PDM

Discussion in 'other anti-virus software' started by JerryM, Jun 13, 2006.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi IBK,

    I may have misunderstood your post in the thread, "Maybe special test in June."

    In that thread you made the following statement.
    QUOTE "do not mix up on-access with on-execution
    some HIPS can block 100%, but require much user intervention. Personally I prefer that something is marked as suspicious on-demand without having to execute the file first and without user intervention. But that depends on users need and preference." END QUOTE

    I am thinking that you prefer heuristics to find malware during a scan to something like the PDM of KAV 6.
    If that is correct, and the top AV in the last Retro test only detected 58% of malware scanning, and later in your test PDM of KAV detected 99.4% of malware, I do not understand your rationale.

    I would consider it better to prevent malware infecting my computer than to find it after it is there. The 99.4% prevention appears to me to be much better than a 58% scan detection of malware. If 58% is found, then 42% are missed.

    Where is my logic flawed, or do I misunderstand what you said? I admit that you said HIPS, and I admit I understand little about that.

    Thanks,
    Jerry
     
  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    a) you cannot compare the 58% with the 99%, because the PDM rules were up-to-date, while the heuristics of the programs in the retrospective test were not.
    b) a good heuristic with very low false positives will alert you when it is almost certain that something is wrong with the file. HIPS etc. will alert you more often and ask you to decide how to go further.
    c) a good proactive on-demand/on-access detection will block the malware before it arrives on your PC or before you even execute it. So that malware will not harm your system in any way. The PDM will block the malware only while you execute it, and even if it has a good rollback function, you cannot be sure that maybe something (even if just garbage) is still there/left on your PC. Also note that the PDM will not block any kind of malware, e.g. the most obvious categories that were not tested are the othermalware, the DOS category and the otheros category.
    d) the retrospective test shows how good the on-demand proactive rate of the AVs is; the PDM test shows only how good the behaviour-blocker of Kaspersky v6 is.
    e) if you collect some e.g. free applications and you want to burn them on CD to give to your friends or to use on another PC that does not have an AV or uses another AV, the PDM may not warn you, as long as you do not run each program (but the signatures of KAV will probably detect it, if it is not a new sample), while the heuristics will alert you about a suspicious program while you access the files or in an on-demand scan, preventing you from burning a CD containing malware and using it on other PCs. [just an example]
     
  3. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    IBK,

    Thanks for the reply. I do not fully understand, but it is obviously not as straightforward as I thought. I'll try to digest it further.

    Regards,
    Jerry
     
  4. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    JerryM

    As impressive as the newest versions of KAV/KIS with 'Proactive Defense' are, the 'Proactive Defense' still leaves the decision in your hands, which, if you are not careful, could still allow in a nasty. These 3 at a quick glance look the same but are certainly not.

    svchost.exe

    svchost .exe

    svchost.exe"

    So an addition of a 'Heuristics' engine, which I understand is coming, would REALLY make this program hard to beat.
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    A major problem for me, and I suspect some others, is that I am often asked to make a decision based on "numbers." I do not have a clue as to what they mean. I realize that with google and forums I can generally find out, but that does not help me immediately.

    Usually it happens when I am installing a known application, or right after when it goes to update, but sometimes I do not know. I just don't allow it, but never know if that is the right decision.
    So far my computer has neither crashed nor been infected.

    I would not know a thing about those three entries. I hope I don't "get 'em."

    Jerry
     
  6. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    JerryM

    They are just a simple process example. The first one is legit, the other 2 not. But if you're not paying close attention, very slight differences are sometimes the only giveaway that they are indeed malware.
     
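The three names tobacco lists in post 4 and explains in post 6 differ only by a space or a trailing quote. The following is an added example, not code from this thread or from Kaspersky, showing how a defender can catch such near-identical process names automatically instead of by eye: it normalises each name (case, whitespace, stray quote characters, a small constructed set of look-alike characters) and compares it against a constructed allow-list of known system process names, falling back to a fuzzy match for misspellings. The allow-list, the confusable map and the sample process list are all assumptions made for the example.

```python
# Added example: flag process names that resemble a legitimate Windows
# system process but differ in ways that are easy to miss by eye.
import difflib
import unicodedata

# Constructed allow-list of legitimate image names. In practice this would be
# built from a baseline of the host's own processes, not hard-coded.
KNOWN_SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}

# Constructed map of characters that are commonly swapped for Latin letters.
# Applied only for comparison; it never changes the name reported to the user.
CONFUSABLES = {"0": "o", "1": "l", "vv": "w", "rn": "m"}


def normalize(name: str) -> str:
    """Canonicalise a process name for comparison.

    Folds Unicode compatibility forms (NFKC), lower-cases, drops whitespace
    and quote characters that are not part of a valid image name, then maps
    the constructed confusable sequences onto the letters they imitate.
    """
    n = unicodedata.normalize("NFKC", name).lower()
    n = "".join(ch for ch in n if not ch.isspace() and ch not in "\"'`")
    for lookalike, letter in CONFUSABLES.items():
        n = n.replace(lookalike, letter)
    return n


def classify(name: str, known=frozenset(KNOWN_SYSTEM_PROCESSES),
             cutoff: float = 0.85) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for one process name.

    'legit'     - exact match against the allow-list.
    'lookalike' - equal to a known name after normalisation (space, quote,
                  case or confusable-character tricks), or a close spelling
                  of one (difflib similarity ratio >= cutoff).
    'unknown'   - not similar to any allow-listed name; needs other checks.
    """
    if name in known:
        return "legit"
    norm = normalize(name)
    if norm in known:
        return "lookalike"
    # Fuzzy fallback for transposed or substituted letters (e.g. scvhost.exe).
    if difflib.get_close_matches(norm, sorted(known), n=1, cutoff=cutoff):
        return "lookalike"
    return "unknown"


def audit(process_names):
    """Classify every name in a process listing and return the verdicts."""
    return [(name, classify(name)) for name in process_names]


if __name__ == "__main__":
    # Constructed sample process listing, including the three names from the thread.
    sample = ["svchost.exe", "svchost .exe", 'svchost.exe"', "notepad.exe"]
    for name, verdict in audit(sample):
        print(f"{name!r:20} -> {verdict}")
```

The exact-match check runs first so that a genuine system process is never reported as a lookalike; only names that fail the exact match are normalised, which keeps the confusable map from masking a real mismatch. The fuzzy cutoff is a tuning knob: lower it and more misspellings are caught at the cost of more false alarms on unrelated short names.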