I'm testing AV products against zeroday malware

Discussion in 'other anti-virus software' started by bradtech, Oct 12, 2009.

Thread Status:
Not open for further replies.
  1. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    But that was supposed to be the best one! Chop it and send 'er back up to the tuuube.
     
  2. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    It started out fine, but it's getting to be a little much don't you think?
     
  3. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Nothing has changed, the show continues, no one got badly hurt from other people's opinions, and life indeed goes on.
     
  4. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    Either that or you can upload it to another video sharing site (just for this once) like Vimeo
     
  5. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    Agreed, and well said :D
     
  6. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    What's the limit on Photobucket video? Anyone know? He probably wants to keep it uniform and all in one place, and YouTube is usually the best place to do that, though.
     
  7. bradtech

    bradtech Guest

    I've already cut it into two 10-minute ones and a smaller 4-minute one..
     
  8. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    If you can't, then you can't.

    Edit: Nevermind
     
  9. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    OK, what's the ETA on YT?
     
  10. bradtech

    bradtech Guest

    Out of all the products today, Avast 5, Rising Internet Security, and Twister really stood out IMO.. Much more so than ZoneAlarm's 70-dollar product, F-Secure 2010, Immunet, ..

    Rising and Twister provided more mechanisms (nag screens) or settings that make it difficult for an end user to accidentally click one button and execute malware.. All the reviews are being uploaded.
     
  11. bradtech

    bradtech Guest

    The acronym yt is throwing a blank for me right now :D
     
  12. bradtech

    bradtech Guest

    46 minutes for Avast 5 right now..

    After that

    Zonealarm

    Then

    Rising Internet Security

    Then

    Twister part 1,2, and 3
     
  13. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    YT = youtube
     
  14. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Sorry, but that statement just shows how little people really understand how antivirus software actually works internally.

    There is no simple "blacklisting" product anymore, well at least none of the top products. Don't you think it's possible to update the heuristic, generic, pro-active modules with "signature" files? They just contain another section with scripts and other data beside normal signatures. In fact, updating detection modules by updating product executables is very inefficient because it needs a lot more QA testing and has lots of traffic redundancy.

    A few script kiddies? You have no idea what is going on, I fear...
    You should realize that even all the other additional protection methods like HIPS, behaviour-based detection and sandboxing are actively attacked and bypassed by the malware writers.

    There is a good reason why Symantec wants reputation based detection so badly...
     
  15. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Anyone getting any video yet? Still no update from what I can find.
     
  16. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    I am no anti-virus expert, I'm just going by what I've seen. Cloud is reputation-based technology, right? I assume this is what you mean by rep based. Well there you go then, that's considered new technology.... isn't it?

    But I already know that most vendors who have not yet implemented cloud technology never plan to do so. Those are the ones who need to come up with their own new technology, if they choose not to use this "cloud" tech.
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thanks for the testing. I am looking forward to seeing the test (I can't see the video on YouTube yet).

    I wouldn't call Twister great yet overall, it still has rough edges, needs some fine tuning and polishing, has some weaknesses in on-demand scans, but I've been saying for the last 2 years that it's a decent, honest antivirus and probably the most underestimated out there against real-life infection conditions, where the malware actually executes (unlike on-demand tests where the malware simply sits on its ass waiting for your AV to have a signature for it).

    I've done a bit of real malware testing myself and Twister is good against real malware. It still lacks signatures, though.

    It's still at its dawn and has great potential. And you can't beat the lifetime license.

    Yep, you're right about that... The Registry Protector alone gives 2 pop-ups for every new startup entry or suspicious registry entry and freezes an installation. That's hard to miss even for the most distracted user. :D
     
  18. bradtech

    bradtech Guest

    Twister Part Three is almost up.. I had to go back and edit all my reviews.. I have started to show in depth most of the options in the programs instead of a quick overview, and then a battering test.. Avast 5 is uploading next, and then Rising Internet Security suite.
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, using your logic, we can all say that AVs are being bypassed by malware authors on a regular basis, so they're more useless than behaviour-based solutions. Am I right?
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I just watched all the Twister videos, thanks, I really enjoyed them.

    Just some observations:

    1) The "recommended" setting for Twister is default + monitor run key + hi detect registry suspicious (or something like that). Just for future reference.

    2) The max settings are very effective (as you saw yourself), but under normal user operation they produce a lot of false positives. This can be a problem for inexperienced users, despite the added protection. This is something that Filseclab should tinker with for a better compromise in v.8.

    3) The "immunized" number isn't the number of detected malware. The malware detected during an on-demand scan appears in the main window and then you can decide to delete them or trust them. What you saw as "immunized" is a feature similar to SpyBot's immunizing. Meaning, it tries to immunize some important files from being infected in the future. It's a preventive measure, preferably to do before you get infected. If you get infected and then immunize, it's of no use... So basically the 1000+ files that you saw "immunized" weren't malware detections, but files which the antivirus tried to safeguard from future infections (I don't know exactly how it does that, I've actually never used it because I was afraid of some conflict).

    When it REALLY finds malware on an on-demand scan, you get a screen like this (these are false positives, but it doesn't matter):
    http://img13.imageshack.us/img13/4018/68594506jt7.png
    Then you can select them and clean them or, if you think that they are false positives, trust them.

    4) Setting the scan depth at 8 or 9 is of little use, it only eats resources for no reason. Basically the "scan depth" is about archives. A zip is scan depth 2. A zip inside a zip (zipped zip) is 3 and so on. So if you set scan depth 8, you set the scanner to scan a zip inside a zip inside a zip inside a zip... which is of no practical use, since zipped malware can't infect. This is just to let you know what that "setting" means.

    Thanks for testing Twister. Amazing how an AV that miserably failed VB performed better than many VB winners out there, isn't it? :D
     
    Last edited: Oct 14, 2009
  21. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    I've watched your short videos about these programs, I see you ran into the same type of pest, but there is that 500-pest test that stays in a hidden folder on C. Really, don't run the pests, just let the security tool see if it can detect all 500 pests, which is really over 800 pests. Still, if you run Rising Internet Security you need to make sure you have it set.

    Clean Virus
    Delete Virus
    Delete Virus

    Check off everything in the custom settings, which would change the settings from medium to high. Make sure it's on high and all those custom ones are checked. Set the MB to high and deny.

    Run your test..

    Since you're like me in the IT business enterprise sector have you tested out Symantec Endpoint Protection Enterprise or Standard?
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello bradtech:

    Congratulations on an interesting thread. The idea of sharing your "experimental" results in videos shows you are a creative and innovative thinker. As has been seen, some will disagree with not only what you are doing but how you are doing the work. The more threads like yours the better!

    IMHO, very few people would do what you are doing, actual work with real products in a real environment then publish! Well done.

    As far as AV-Comparatives posts are concerned, the same type of posts precede the next publish result day and continue after, debate about methodology and the meaning of what someone else has done! I look at those results and I will look at yours as well.

    One thought I had was, rather than throw new ones at these products all the time, let the parasites accumulate for, say, a week or so, i.e. increase your sample size, then freeze the sample at say 200-500 and test and publish your results for the "top 5-7" products. This way you have levelled the field a bit. Also, set each product to its optimum settings so none are handicapped.

    For my part, please test Agnitum Outpost Pro Release OSS: 2009 (6.7.1.2983) [24-SEP-2009]. It has a FW and an AV. Ensure the real-time scanner is on.
     
  23. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    QFT...
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hello life....

    QFT means o_O:oops:
     
  25. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    Quoted For Truth

    In other words, I share the same view as you.
     