Interesting new AV review by Andreas Clementi

Discussion in 'other anti-virus software' started by -_-, May 28, 2004.

Thread Status:
Not open for further replies.
  1. -_-

    -_- Guest

    Last edited by a moderator: May 28, 2004
  2. ncs_malaysia

    ncs_malaysia Guest

    Looks like McAfee has better heuristics than NOD in some criteria...
     
  3. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    This comparative website could give an idea of how the AVs protect us...
     
  4. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Sure does: they are all a bit of a worry!
     
  5. BlueMoon

    BlueMoon Guest

    Splendid test from Andreas(seen a very bad one lately....). Finally someone who knows his stuff. Thumb up!

    Read, folks!

    Blue
     
  6. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Good stuff!

    Though I would like to see KAV 5.0 in the test as they supposedly have updated the heuristics.
     
  7. BlueMoon

    BlueMoon Guest

    Any idea how much time and effort it takes to perform a test like this one? Months!

    Besides, looking at the bugs needed fixing, it wouldn't be fair to test KAV 5 right now.

    Blue
     
  8. backfolder

    backfolder Registered Member

    Joined:
    May 25, 2004
    Posts:
    72
    Location:
    Spain
    A lot of thanks Andreas C. !!!

    backfolder.-
     
  9. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    Nice thorough job. Awesome work. Now only to wait another three months. :D
     
  10. -_-

    -_- Guest

    @Technodrome

    Please be informed that "links" and also "deep links" are legal. (By contrast "frame links" etc. may not be legal.)

    By deleting my "deep link" you have unreasonably violated my freedom of speech. Moreover, you unreasonably force people to click and click and click until they have finally found the report.

    But I am not angry about the deletion of my "deep link" since I know that moderators (in particular those of the Wilders forum) are very cautious/anxious.
     
  11. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    You are incorrect. This forum is privately owned and therefore there is no freedom of speech here. The owner and his selected help can censor the content allowed on his forum in any way.

    However, you will find that this is not often the case.

    As to your link - it was removed because of a direct request of the AV tester himself.
     
  12. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Link was removed on request by IBK (test publisher). Direct linking violates their policy, therefore we MUST respect it.

    Please read full explanation on their site.


    tECHNODROME
     
  13. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA

    I'm a bit skeptical of that. Once you have the tests and platform set up, you're ready to roll. I think you're overstating, not to minimize Andreas' efforts BTW.

    Nothing wrong with KAV. Most issues center around usability. Engine itself works fine.
     
  14. -_-

    -_- Guest

    Thanks for confirming that there is no freedom of speech here ;-)

    @Andreas

    Your request not to use "deep links" is unreasonable. You should really think about it. It's like telling your neighbours: "No, no. You must not look at me, my car or my house. Close your eyes. Quickly."

    If you do not want people to see your car ... put it into a garage. If you do not want people to see your test ... do not publish it. I already tried to help you by mentioning your real name (this is good for your reputation) and the web address of your website (this is good for the reputation of the site). But if people do not want to click through your entire web site (e.g., because they already know it) there is no good reason to force them.

    @all

    But let's get back to the test. I believe that it's at least interesting (and definitely more interesting than the ordinary AV tests where every product scores between 97% and 98%) since Andreas Clementi's test shows that there are important differences between the scanners.

    I have not yet made up my mind whether these differences are of major importance. It is difficult to figure out whether the differences are important since I do not know the exact test set. For example, I do not know whether the heuristic/generic detection capabilities of McAfee and NOD32 relate to important/dangerous/new malware samples or to minor variations of well-known samples. In this context it is remarkable that the heuristic detection of unknown trojans seems to be pretty bad throughout the entire range of AV scanners (with the exception of McAfee). Maybe AT scanners would be better.

    Moreover, I have a question: how do you distinguish backdoors from worms and trojans?
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,768
    Location:
    Texas
  16. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Anyone else surprised by the results of F-Prot?

    I would have liked to have seen the latest version of DrWeb tested too :)
     
  17. -_-

    -_- Guest

    Actually, I know what a worm is ;-) But how do you distinguish backdoors from worms and trojans? Many worms include a trojan component. Most trojans have a backdoor component.

    How do you define a backdoor? Is it a program which does not allow the attacker to remote-control the victimized computer (like a trojan does) but still allows the attacker to access the files on the victimized computer (e.g., a hidden ftp client)?
     
  18. -_-

    -_- Guest

    What's the big difference between Dr. Web 4.3 (which was tested) and the current version of this scanner?
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,768
    Location:
    Texas
  20. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    I guess I thought F-Prot's heuristics would've been able to help the score a bit more.
     
  21. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    This is not surprising at all because to have a proper heuristic engine for detecting backdoor trojans a good unpacking engine is required. This is what most AV programs still miss. :( And when I look now for example at the program with one of the most advanced unpacking engines of all, KAV, I see that KAV does not have a heuristic for backdoor trojans. :(

    In this context I think AT programs can only score if they have unpacking, but at the moment no AT program really has an unpacking engine. For example TDS-3's heuristic scores best when the trojan is already running, via memory scan.

    So I think it will still take a while before we see a real good backdoor heuristic. I think most AV programs first will anyhow focus on heuristic worm detection because this is the more important threat.

    wizard
     
  22. _-_

    _-_ Guest

    @Wizard

    The detection of ordinary trojans is super-simple (no unpacking engine required). Andreas "The Terrible" Haak has already provided a few guys/gals like JoJo and me with a component of the a2 v2 IDS.

    You can detect a trojan with the help of a very simple check:

    1. Port is opened, program is listening
    2. Program does not have a visible window

    --> conclusion: very likely to be a standard trojan

    3. Autostart entry relates to such program

    --> conclusion: very very likely to be a trojan.

    (A similar technique is also used by Port Explorer from DCS.)

    Disadvantage: the trojan is already running in memory. But who cares? Trojans are not logical bombs which immediately format your HD.

    There are also techniques to detect reverse trojans/DLL trojans. (I do not go into the details since I do not want to disclose Seltsam's trade secrets.) But certain detection mechanisms are already well-known. For example, most DLL trojans can be stopped/detected because they use the CreateRemoteThread function.
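    The three-step check from the post above, written out as an added example (this is not the a2 IDS or Port Explorer code): it parses a constructed `netstat -ano` listing for listening PIDs and combines that with constructed window-ownership and autostart data; every PID, port and path below is made up.

```python
# Constructed `netstat -ano` output (Windows); all PIDs and ports are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       2212
  TCP    192.0.2.10:1025        198.51.100.7:80        ESTABLISHED     1500
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3100
  UDP    0.0.0.0:500            *:*                                    1024
"""

# PID -> image path, as a process enumeration would report it (constructed).
IMAGE_PATHS = {
    884: r"C:\WINDOWS\system32\svchost.exe",
    2212: r"C:\WINDOWS\system32\wincfg32.exe",
    1500: r"C:\Program Files\Browser\browser.exe",
    3100: r"C:\Program Files\WebDev\httpd.exe",
}
# PIDs owning at least one visible top-level window (constructed).
VISIBLE_WINDOW_PIDS = {1500, 3100}
# Image paths referenced by autostart entries such as Run keys (constructed).
AUTOSTART_IMAGES = {r"C:\WINDOWS\system32\wincfg32.exe"}


def listening_pids(netstat_output):
    """Check 1: PIDs that own a TCP socket in LISTENING state."""
    pids = set()
    for line in netstat_output.splitlines():
        f = line.split()
        # TCP data rows have 5 fields; UDP rows lack a State column and are skipped.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            pids.add(int(f[4]))
    return pids


def triage(netstat_output, image_paths, visible_window_pids, autostart_images):
    """Apply checks 1-3 and return {pid: verdict} for every known process."""
    listening = listening_pids(netstat_output)
    autostart = {p.lower() for p in autostart_images}  # Windows paths are case-insensitive
    verdicts = {}
    for pid, image in image_paths.items():
        if pid not in listening:
            verdicts[pid] = "none"              # not listening: nothing to flag
        elif pid in visible_window_pids:
            verdicts[pid] = "unlikely"          # listens but has a window (check 2 fails)
        elif image.lower() in autostart:
            verdicts[pid] = "very very likely"  # checks 1, 2 and 3 all hit
        else:
            verdicts[pid] = "very likely"       # checks 1 and 2 hit
    return verdicts
```

    Process 884 shows the false-positive side of the heuristic: a headless system service matches checks 1 and 2 exactly as a trojan would, so a real implementation needs an allowlist of known services before raising an alert.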
     
  23. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Better analysis of SFX CAB files, RAR, ZIP, and MIME objects.

    Though not exactly a professional observation of the change from 4.30 to 4.31: on my system I have noted at least 8 more false positives (by heuristics) that were not detected in version 4.30. So there are most likely some other changes in DrWeb's heuristic engine.
     
  24. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    McAfee is doing very well compared to the others, at least in these tests...
    Now if they can get their Security Center in operating order or dump that thing altogether, they might have a product worth purchasing.
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Job well done, "Insbruck" ;)

    regards.

    paul
     