KAV 6.0 PDM vs very_bad_rootkit

Discussion in 'other anti-virus software' started by gmer, May 15, 2006.

Thread Status:
Not open for further replies.
  1. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hi.

    I have downloaded KAV 6.0 to check detection of rootkits.


    The movie: http://www.gmer.net/kav6.wmv ( Windows Media Video 9 codec )

    http://forum.kaspersky.com/index.php?showtopic=13895

    Regards.
     
  2. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    Can you upload it to virustotal so we can see how other softwares deal with it?
     
  3. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Code:
    STATUS: FINISHED
    Complete scanning result of "very_bad_rootkit.zip", received in VirusTotal at 05.16.2006, 07:07:56 (CET).
    
    Antivirus   Version   Update   Result  
    AntiVir   6.34.1.27   05.15.2006   no virus found 
    Avast   4.6.695.0   05.15.2006   no virus found 
    AVG   386   05.15.2006   no virus found 
    BitDefender   7.2   05.16.2006   no virus found 
    CAT-QuickHeal   8.00   05.15.2006   no virus found 
    ClamAV   devel-20060426   05.15.2006   no virus found 
    DrWeb   4.33   05.16.2006   no virus found 
    eTrust-InoculateIT   23.72.9   05.16.2006   no virus found 
    eTrust-Vet   12.4.2209   05.15.2006   no virus found 
    Ewido   3.5   05.15.2006   no virus found 
    Fortinet   2.76.0.0   05.16.2006   no virus found 
    F-Prot   3.16c   05.15.2006   no virus found 
    Ikarus   0.2.65.0   05.15.2006   no virus found 
    Kaspersky   4.0.2.24   05.16.2006   no virus found 
    McAfee   4762   05.15.2006   no virus found 
    Microsoft   1.1372   05.16.2006   no virus found 
    NOD32v2   1.1539   05.15.2006   no virus found 
    Norman   5.90.17   05.15.2006   no virus found 
    Panda   9.0.0.4   05.15.2006   no virus found 
    Sophos   4.05.0   05.16.2006   no virus found 
    Symantec   8.0   05.16.2006   no virus found 
    TheHacker   5.9.7.143   05.15.2006   no virus found 
    UNA   1.83   05.15.2006   no virus found 
    VBA32   3.11.0   05.15.2006   no virus found
    
    Aditional Information  
    File size: 1317 bytes 
    MD5: f6bb3570fdab9b35d461c9bd7618fee3 
    SHA1: bae0cb076e6efdfbc8e443a38d49d89855978fd6   
    Regards
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    VirusTotal will not be a good comparison at all.
    You tested KAV6 locally and this one remotely therough VT.
    Panda could detect rootkit with TruPrevent, but it can't since it's not even active on VT (it must be on-access, not on-demand).
    Just a thought.
     
  5. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    Gmer can you test that with NOD32, DrWeb and VBA32 the same way as you did with KAV?
     
    Last edited: May 16, 2006
  6. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    o_O??
     
  7. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    I will probably. Does trial version of NOD32 detects rootkits ?

    As you saw it was enough for KAV .
    This rootkit is very simple.

    Regards
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I think it does, retail has proactive rootkit detection.
    You could download & install it, and tell us the version number (found under NOD32 System Tools > Information)
     
  9. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Oh and current retal version is 2.51.26
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I think you should submit it to all AV vendors who do not detect it for analysis to make sure that the file should actually be detected.
     
  11. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Indeed, that skull animation is something I used many many years ago.
    Looking old here, but whatever.
     
  12. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    It was just a simple test how strong is new KAV + PDM .
    Now I now .
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
  14. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Very nice period .
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, in a way, I agree... 20 minutes? What's the point? 20 seconds I understand, heck, even 2 minutes... but 20 minutes?
     
  16. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada

    This is a beta version...;)
     
  17. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Release version of KAV ( 6.0.0.299 ) has the same problem .

    Mr Sobko is product developer.
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yes, but ever though about overhead made with 20 second intervals?
     
  19. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    gmer, this is the first version of 6.0, it is at the start of it's development and things will be added as it gets moving, new things will be added and the features already there will be improved. I'm at this point perhaps struggling a bit to see what you hope to gain by all these post here, there and everywhere.

    We have listened to you, sobko has responded to you in the thread (he's ill btw and not working 100% ATM), if you really want to help improve the rootkit detection of the PDM, then why not join the beta program instead of posting the same over & over again in different:)
     
    Last edited: May 19, 2006
  20. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    I have made the test, thats all.
    I wrote about this because I think its better to know.

    You can always write to moderator to delete my post ( in Poland it was called communism )
     
  21. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Why would i write to the moderator, thats silly.:)
     
Loading...
Thread Status:
Not open for further replies.