Interesting AV stats in PCMag on latest Sober outbreak

Discussion in 'other anti-virus software' started by Peter2150, May 11, 2005.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,224
  2. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Why post the top 3?


    I'm more interested in this:

    Part I: Proactive detections:
    AntiVir Worm/Sober.gen
    Dr. Web BACKDOOR.Trojan (probably)
    eSafe Trojan/Worm (suspicious)
    McAfee W32/Sober.gen@MM
    McAfee (BETA) W32/Sober.gen@MM
    QuickHeal Suspicious (warning)
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,224
     
  4. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    It is good to see that some of the AVs detect this stuff at the zero-hour.
    Having to wait for a definition will always be a little too late and some folks will be infected during that time.
     
  5. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    Once again Kaspersky and F-Prot are fast with updating... BitDefender had quick updates too... McAfee detected proactively (surprising to me)... Too bad no NOD32 results, because I'm curious whether their AH would detect this nasty...

    At the end I'm again fairly impressed by the Frisk team with their fast response times... Does anyone have information about avast! on this one?
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    I am sure Nod32 was detecting with Advanced Heuristics.

    Don't think they use Nod in their tests. Shame!

    Please note though that Norman did NOT detect this e-mail worm with its sandbox, which surprised me!!



    Kind Regards

    Jlo
     
  7. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Interesting to note also, besides straight 1,2,3.. rankings, that the first two were only 3 minutes apart, and next two only 2 minutes apart. The spread from #1 to #4 is only 20 minutes, and so on down the line... overall it looks like AVs are keeping up in adding defs pretty quickly, at least in this instance.

    1) ClamAV 2005-05-02 16:36 Worm.Sober.P
    2) Kaspersky 2005-05-02 16:39 Email-Worm.Win32.Sober.p

    3) F-Prot 2005-05-02 16:54 W32/Sober.O@mm (exact)
    4) AVK 2005-05-02 16:56 Email-Worm.Win32.Sober.p (KAV-Engine)
     
  8. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    From the ESET website



    Virus information

    Info: Win32/Sober.O worm
    Risk: Very High



    Date first captured: 2005-05-02 20:31
    Date last captured: 2005-05-11 19:41
    Total stopped to date: 755 792
    Most active month: 2005-05
    Most active date: 2005-05-05
    Infection ratio (2005-05-05): 2.039 %
     
  9. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    Note: All times and dates are in local time (CET)
     
  10. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    NOD32 did detect this Sober variant with the AH heuristics, the test was performed by Andreas Marx (AV-Test) and I think ESET did choose not to participate in his tests.

    BTW, Quickheal does detect *everything* as suspicious that is runtime compressed. Take notepad.exe, compress it with UPX and voila... :)

    I wish I could write a similar .gen detection for Mytob and Kelvir. :-|
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    These results are very interesting. However, they represent only a snapshot regarding a single widespread outbreak. What would really be interesting would be to have similar statistics compiled over a period of time for many outbreaks.
     
  12. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
  13. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    No one seems impressed by the open source effort of ClamAV. Well, I am. As a matter of fact, I could point the signature update of our corporate ClamAV mailscanner within a few minutes, had our updates not been scheduled for once every hour. Very good results for ClamAV, and not for the first time!
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,021
    Location:
    The land of no identity :D
    NOD32 regularly appears at AV-Comparatives......

    QuickHeal practically has no real heuristics.

    McAfee was saved by generic detections - That's good :)

    Good job, Dr.Web :)

    I care more about heuristic detections ;)

    P.S. I think NOD32 did detect this worm heuristically.
     
  15. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,889
    Location:
    SW. Oklahoma
    definitely better safe than sorry. ;)
     
  16. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Quickheal has NO heuristics. The "Heuristics" checkbox in the product is just that, a checkbox.

    My internal tests showed no heuristics, and when I emailed them about it, I was told I was correct. I was also threatened with legal action if I published any test results from Quickheal. (which were in the 20-30% detection range)

    Quite the company there eh?
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,021
    Location:
    The land of no identity :D
    Quickheal's company is based exactly in the city where my cousin lives. If I wanted I could go and enquire a bit about their product but I chose not to. Quickheal does really not have good detection, this much I know. I'm also not quite sure if QH even has an unpack engine.

    MicroWorld is a far, far better company than Quickheal.
     
  18. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    I tested a few collections with the command line version, it has the following switch:

    /DNAScan Do a "heuristic" scan of all files.

    This is no heuristics at all, as mentioned before. They simply report all runtime compressed programs as suspicious.
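    Both of Stefan Kurtzhals' remarks above (the UPX-compressed notepad.exe and the /DNAScan switch) describe the same rule: report every runtime-compressed executable as suspicious. The Python below is an added example, not code from the thread or from any QuickHeal product; it reproduces that rule on constructed PE-shaped byte strings to show why it is a packer check rather than a heuristic: a benign packed file is flagged, while an unpacked file passes regardless of what it does. The header layout follows the PE format, but the sample section lists, the constructed headers and the packer prefix list are assumptions of the example.

```python
import struct

SECTION_HEADER_SIZE = 40      # size of one IMAGE_SECTION_HEADER
COFF_HEADER_SIZE = 20         # size of IMAGE_FILE_HEADER
PACKER_SECTION_PREFIXES = ("UPX",)   # UPX names its sections UPX0, UPX1, ...

def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names of a PE image."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 60)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    # section table follows signature, COFF header and optional header
    table = pe_off + 4 + COFF_HEADER_SIZE + opt_hdr_size
    names = []
    for i in range(num_sections):
        start = table + i * SECTION_HEADER_SIZE
        raw = data[start:start + 8]                          # 8-byte Name field
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def packer_verdict(data: bytes) -> str:
    """The 'everything runtime-compressed is suspicious' rule in one check."""
    names = pe_section_names(data)
    if any(n.upper().startswith(PACKER_SECTION_PREFIXES) for n in names):
        return "suspicious"
    return "clean"

def build_fake_pe(section_names) -> bytes:
    """Constructed test data: a PE-shaped byte string (DOS header, PE signature,
    COFF header with no optional header, section table) containing no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table

# Constructed stand-in for a UPX-packed notepad.exe: benign, yet flagged.
PACKED_NOTEPAD = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
# Constructed stand-in for an unpacked program: passes whatever it does.
PLAIN_BINARY = build_fake_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    print("packed notepad:", packer_verdict(PACKED_NOTEPAD))   # suspicious
    print("plain binary:", packer_verdict(PLAIN_BINARY))       # clean
```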
     
  19. Happy Bytes

    Happy Bytes Guest

    Hafta say I'll keep praying... :rolleyes:
    Hopefully they do understand by that time WTF they are doing there :eek:
     
  20. Optik

    Optik Guest

    Andreas Marx childishly avoids praising NOD32, for reasons that are well known to long-time Wilders readers. He loses more credibility with every test.
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,021
    Location:
    The land of no identity :D
    Can you provide me a link? I'm relatively new to Wilders, and VERY new to NOD32.

    I love NOD32 and it has protected me well, but I would like to see these reasons, for expanding my knowledge of course. I've been trusting his tests for so long, I need to get my eyes opened :)
     
  22. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Total nonsense. AV-Test and ESET disagree a little bit on the testing methods, that's all. 99% of the antivirus companies have no problems with the tests from Andreas Marx. There are tests around with much more severe flaws, such as VB - and no one complains about them...
     
  23. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    You talk about these tests?
     
  24. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Obviously you have forgotten me. Look at my posts 3, 6, 8 and 10 in here about the VB ItW tests.

    https://www.wilderssecurity.com/showthread.php?p=419788#post419788

    They are clearly testing AVs in VB against an ItW list that never exists, and the newest ItW samples are about 3 months old.

    Best regards,
    Firefighter!
     
  25. Zender

    Zender Guest

    McAfee and Symantec think the tests from Andreas Marx are CRAP! (Ask them!)

    Would you mind explaining those flaws in detail?
     