KAV update hourly = we get fastest protection against Zoo/unknown virus?!?

Discussion in 'other anti-virus software' started by Wai_Wai, Aug 21, 2005.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hi.
    I wonder if the following statement is true:
    It's what I think.
    It is a good thing that KAV manages to update every hour or so. However, don't fall into the illusion of using this fact alone to conclude that you will get the fastest protection against unknown viruses, or far better detection against new Zoo viruses.

    To name one factor, research power/speed matters too. To see why, here's a brief description of the process of identifying and blocking a virus:
    (Thanks to the replier)
    1. New viruses need to be discovered first by researchers &/or AV research teams.
    2. After new viruses are collected, the analysis will be done by researchers &/or AV research teams.
    3. The solution + testing is done by the AV company.
    4. Updating the fingerprint database or anything else, is done by the AV company.
    5. Downloading the new update is done by the user.

    Step 1-3 takes as much time as required (can be quite long, say even 1 month). Any computer can be infected world-wide in that period.
    Step 4 is just a technical step.
    Step 5 depends on:
    The frequency at which the AV company updates its database
    - For critical/dangerous malware, every AV company should update as soon as possible
    - For others, AV companies may update depending on their own (regular) schedules.

    The user policy
    - If the user is online and updating is automatic, the download will be done in a short time.
    - If the user is online and updating is manual, it depends on when the user decides to update, ranging from a very short to a very long time.
    - If the user is not online, updating isn't possible.


    As you see, what KAV promises to do is the last part: promise to update every hour or so (if updates are available) on a regular basis. It doesn't automatically mean other parts are speeded up too.
    For some other AVs, it may happen that they have finished adding signatures for that malware, but unless this malware is critical/dangerous, they may not upload it to their websites instantly. Rather, they wait for their next regular schedule to upload all newly-added signatures/stuff.
    Updating every hour or so (if available) is a good thing. However, don't fall into the hasty conclusion that it must mean you will get the fastest protection against unknown viruses, or far better detection against new Zoo viruses.

    Hard facts:

    Example: Mydoom.A
    All AV updates which were released on 2004-01-26:
    – F-Prot 22:30 W32/Mydoom.A@mm (the first one to release an update!)
    – Trend Micro 22:35 WORM_MIMAIL.R
    – RAV 23:00 Win32/Novarg.A@mm
    – Norman 23:05 MyDoom.A@mm
    – F-Secure 23:05 W32/Mydoom.A@mm
    – Virusbuster 23:05 I-Worm.Mydoom.A
    – AVG 23:15 I-Worm/Mydoom
    – Avast 23:15 Win32:Mydoom [Unp]
    – Kaspersky 23:30 I-Worm.Novarg
    – AntiVir 23:30 Worm/MyDoom.A2
    – Symantec 00:05 W32.Novarg.A@mm
    – eTrust (CA) 00:20 Win32/Shimg.Worm
    – Command 00:20 W32/Mydoom.A@mm
    – Sophos 00:40 W32/MyDoom-A
    – eTrust (VET) 01:30 Win32.Mydoom.A
    – Esafe 01:50 Win32.Mydoom.a
    – Dr. Web 02:40 Win32.HLLM.Foo.32768
    – McAfee 04:00 W32/Mydoom@MM
    – Quickheal 04:00 W32.Novarg
    – Bitdefender 04:00 Win32.Novarg.A@mm
    – Panda 04:10 W32/Mydoom.A.worm
    – Ikarus 08:35 I-Worm.Mydoom

    Ref: http://www.av-test.org/

    Note: Don't try to (mis)interpret the above fact as Kaspersky is indeed always slower than others, or F-prot is indeed the fastest. It's just an example to show you that a promise of hourly update may not guarantee the first place in the update list.


    Do you agree? ;)
    What do you think? :D
    Comments are always welcome. :p
     
    Last edited: Aug 22, 2005
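An added example (not from the thread) that works through the Mydoom timing list quoted above in Python: it turns the quoted clock times into absolute timestamps (the entries after 00:00 fall on the next day), computes each vendor's lag behind the first release (step 4), and then adds a client's update-poll interval to show how the vendor's release time and the user's update cadence (step 5) combine. The poll intervals passed in are assumptions, not any vendor's real schedule.

```python
from datetime import date, datetime, timedelta

# Sample input constructed from the av-test.org timings quoted above
# (released on 2004-01-26; entries after midnight fall on the 27th).
MYDOOM_RELEASES = [
    ("F-Prot", "22:30"), ("Trend Micro", "22:35"), ("RAV", "23:00"),
    ("Norman", "23:05"), ("F-Secure", "23:05"), ("Virusbuster", "23:05"),
    ("AVG", "23:15"), ("Avast", "23:15"), ("Kaspersky", "23:30"),
    ("AntiVir", "23:30"), ("Symantec", "00:05"), ("eTrust (CA)", "00:20"),
    ("Command", "00:20"), ("Sophos", "00:40"), ("eTrust (VET)", "01:30"),
    ("Esafe", "01:50"), ("Dr. Web", "02:40"), ("McAfee", "04:00"),
    ("Quickheal", "04:00"), ("Bitdefender", "04:00"), ("Panda", "04:10"),
    ("Ikarus", "08:35"),
]


def parse_release_times(entries, start_day=date(2004, 1, 26)):
    """Convert (vendor, 'HH:MM') pairs, listed in release order, into
    absolute datetimes. A time smaller than the previous one means the
    clock passed midnight, so the day is advanced."""
    result, day, prev = {}, start_day, None
    for vendor, hhmm in entries:
        t = datetime.strptime(hhmm, "%H:%M").time()
        if prev is not None and t < prev:
            day += timedelta(days=1)
        result[vendor] = datetime.combine(day, t)
        prev = t
    return result


def release_lag_minutes(releases):
    """Step 4 of the post: minutes each vendor trailed the first release."""
    first = min(releases.values())
    return {v: int((t - first).total_seconds() // 60) for v, t in releases.items()}


def worst_case_protection_minutes(releases, poll_intervals):
    """Step 5 of the post: a client polling every N minutes may fetch the
    update as late as release + N. poll_intervals maps vendor -> minutes
    (assumed values, not vendors' real schedules). Result is minutes after
    the earliest release at which that client is certainly protected."""
    lag = release_lag_minutes(releases)
    return {v: lag[v] + poll_intervals[v] for v in poll_intervals}


if __name__ == "__main__":
    rel = parse_release_times(MYDOOM_RELEASES)
    for vendor, minutes in sorted(release_lag_minutes(rel).items(), key=lambda kv: kv[1]):
        print(f"{vendor:<12} +{minutes:4d} min")
    # Hourly polling of a later release vs. daily polling of the earliest one
    print(worst_case_protection_minutes(rel, {"Kaspersky": 60, "F-Prot": 1440}))
```

With the assumed intervals, the hourly-polling client of the later release is protected within 120 minutes of the first signature appearing anywhere, while a daily-polling client of the earliest release may wait a full day: the poll cadence only matters relative to when the signature was actually published.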
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    WaiWai,
    I agree with your reasoning and it has been proven over and over again in the past.
    Any notorious malware damaged many computers world-wide in spite of all the scanners.

    1. New viruses need to be discovered first by researchers.
    2. As far as I know the analyzing is also done by researchers.
    3. The solution + testing is done by the AV company.
    4. Updating the fingerprint database or anything else, is done by the AV company.
    5. Downloading the new update is done by the user.

    Step 1 up to 3 takes as much time as required and in that period any computer can be infected world-wide.
    Step 4 is just a technical step.
    Step 5 depends on:
    If the user is online and updating is automatic, the download will be done in a short time.
    If the user is online and updating is manual, then it can take a very long time.
    If the user is not online, updating isn't possible.
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Thanks for your confirmation and explanation.
    Your explanation is much better than mine, so I replace mine with yours.
    If you mind, please tell me and I will delete it.

    By the way, as to steps 1-2, what researchers do you refer to here? Are they independent researchers or something else?
    AV companies themselves should have their own teams which will do the discovering/research.
    What do you think?
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    NOD's Advanced heuristics may be the fly in the ointment for your argument.
    It offers one of the best detection rates for unknown threats, while KAV offers the best detection of known threats. Since you're using the AV-Comparatives site as a reference, look at the Retrospective/Proactive test for May 2005: http://www.av-comparatives.org/
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have read once that researchers are a very closed community and you don't get in that group without a personal introduction of another researcher.
    If that is true, I don't know.
    I don't work in the security business, I'm an application analyst and that is a total different job, but I'm interested in security for almost a year.
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    If the AT guys are any indication, they don't necessarily all like each other much.
     
    Last edited: Aug 21, 2005
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    But do AV companies have their own research groups?
    Or do they depend on the third-party researchers you mention?
     
  8. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I think the answer to both questions is yes.
     
  9. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    How come you know I use AV Comparatives site as a reference? :p
    Anyway, I have already read this report.
    Thanks for your goodwill.
    (Note: Indeed if you have any other websites about AV/AT/AS etc. testing, I would like to know as well.)


    By the way, you may be interested in the following:
    As a side note, it is surprising that NOD32 can score such a high score (70%) in that round. It is usually about 5X% or less.
     
  10. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Last edited: Aug 21, 2005
  11. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    www.virus.gr does not seem to be well thought of here, as I have seen a number of posts that have been negative, although I do not know enough to say why. I also figured you knew about VB.
     
  13. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes indeed.

    As far as I know, one of their complaints is about the methodology of testing anti-trojans. What the author tests is the on-demand detection scan, and they feel this test does not fully reflect the value of anti-trojans. However, the test is fine as far as the capability of on-demand detection scanning is concerned. So it may still be worthwhile to read.

    If you aren't much concerned with AT, you may wish to read the comparisons of AV. They are useful references. And the results of its tests generally conform with others, so it seems the tests have not been distorted (at least not at a noticeable level).

    Another kind of complaint is that the author doesn't listen to their comments/suggestions. And the author later replied to them in the forum that he/she is open to hearing non-personal comments & suggestions.

    If you feel they are not detailed enough, you may wish to read:
    - http://www.av-test.org/
    - http://agn-www.informatik.uni-hamburg.de/vtc/
    They have very good tests, but the only problem is their tests are not up-to-date (since their tests are detailed and thus need plenty of time to prepare; that is the price you have to pay).
     
  14. Heh but the AT guys are working in a small pond, many of them are barely out of their teens or early to late twenties at most. You should expect some immaturity. :)
     
  15. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    I wouldn't draw ANY conclusions from one set of results for one virus. I would like to see a trend made for a dozen viruses, and then for the more dangerous viruses.

    But good point about the fact that though a release CAN be made every hour, there's no correlation to the time needed in developing that release.
     
  16. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are a careful reader and logician. :)
    One example is too small to make any solid/reliable conclusion, or we are falling into the fallacy of hasty conclusion.

    I have added a note to prevent people from misinterpreting it or falling into a hasty conclusion. Thanks for your reminder:
    Yes, that is why this article exists. :-*
     
  17. Patrician

    Patrician Registered Member

    Joined:
    Jun 3, 2005
    Posts:
    132
    No it doesn't! NOD32 cannot even detect known threats; as for unknown ones, I wouldn't trust it as far as I can spit, to be honest. In a test that I have carried out, NOD32 came out the worst for trojan/malware detection out of KAV, Avast Home, AVG, Dr Web and F-Secure. NOD didn't detect one single nasty, whereas even AVG (pretty much the "dregs") detected one.
     
  18. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Is that this "test" again o_O
     
  19. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Home tests mean nothing to me.
    I'll bet my money on proactive detection any day, as it has repeatedly been proven to be one of the best solutions to stop newly created threats (not all of them, but most of them).

    My 2c.
     
  20. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    LOL...not the "tested against the 10+ year old viruses which are completely harmless these days" test.
     
  21. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    All your posts seem negative and that's putting it mildly. There are some things I do not like about NOD also and I use it. But where does the intense animosity come from?
     
    Last edited: Aug 22, 2005
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556

    Where is the test?
    I would like to know more.

    Would you mind giving me details?
     
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Although I haven't read his test, what he says may not be totally wrong.

    Several reports/tests show that, when compared against itself, NOD32 is better at detecting Zoo malware than ITW malware.

    Some hard facts off the cuff:
    Detecting ITW malware
    - gets about 75-85% on average (virus.gr); the best being KAV / F-Secure / AVK (98-99%)
    - rated "advanced" only (av.comparatives); McAfee, KAV etc. can get "Advanced +"

    Detecting Zoo malware
    - rated "Advanced +" (av.comparatives); McAfee, KAV etc. can get "Advanced +" too
    - in one recent test, it can detect 70% of Zoo malware (although it used to be around 40-50%) while KAV is the second best - 50% or less.
    - Unfortunately in that test, it doesn't tell me anything about "false positives". I believe NOD32 will generate quite a few false positives since based on past results in (AV-test; Virus Center VTC), it has higher false positives than KAV & McAfee (they can keep very low).

    Note: Don't treat the above statements too seriously!! They are just for references. And they serve to give you some rough ideas only.

    For people who would like to know/understand more & make their own judgement, see the following:
    http://www.av-test.org/
    http://agn-www.informatik.uni-hamburg.de/vtc/
    http://www.av-comparatives.org/
    http://www.virus.gr/english/fullxml/default.asp
    http://www.westcoastlabs.org/default.asp
    http://www.virusbtn.com/
    http://www.icsalabs.com/
     
  24. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I have been running NOD and a KAV AV on different machines for a number of years. I have had only two FPs with NOD over that time period. From my experience NOD has very few false positives.

    You might try a trial of NOD and scan your drives and let us know how many FPs you see.
     
    Last edited: Aug 23, 2005
  25. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    True.
    It's the philosophy of authors who create Intrusion Protection System.

    One sad thing is that if the software is automatic/trouble-free (i.e. without prompting you for nearly anything), we cannot get higher and better protection.

    If you get proactive software, we can get higher and more well-rounded protection, but it requires some knowledge, willingness to learn, and a bit of bother.

    Another sad thing is "your experience may lie". You see your computer hasn't been infected by any malware since your anti-virus or anti-trojan cannot detect any. However, it may be just "false security". It may be that neither your AV nor AT can catch that bad guy.

    AVs' behavior blockers can be bypassed easily by techniques known as tunnelling, code permutation etc.
    ATs' detection can also be disappointing (http://www.trojanproof.org/sigexec.pdf).
    Firewalls can be bypassed by many leak attacks (e.g. copycat can bypass all firewalls easily).
    AV/AT/AS are also subject to intrusion themselves.
    Rootkits, driver installation, buffer overflows, mouse/key hooks and all sorts of things pose great challenges to AV/AT/AS too.

    Now the situation of what security products face is similar to the situation where a country has to defend against crime. It is impossible to keep all their citizens intact. Even worse, some serious things can happen once in a while (eg suicidal bombs).

    It seems to me if a hacker wish to hack/intrude your computer, it is just a matter of time. Sometimes resources are handy that hackers can intrude a computer easily even if that computer has installed AV, Firewall + AS (basic security requirement nowadays).

    However, don't interpret the above wrongly as something like "security products are useless". I have just told you about the dark side, but there is the bright side as well, so you don't need to be too optimistic. Try to do your best to secure your computer. If you ask me, I will advise you:

    1) Seek help to security software:
    IMPORTANT: You need security software to protect you. Don't don't don't rely only on yourself!! Malware can attack you even if you do nothing wrong.

    What you need to install:
    - 1 Anti-virus + 1 Firewall + 1 Anti-spyware (basic security requirement)
    - at least 1 Intrusion Prevention System[IPS]. Preferably 2+ since 1 IPS may not be able to protect you from all (major) areas. The major areas which they should protect you from are:
    -- malicious scripting/coding
    -- new/unknown/private malware
    -- rootkit installation
    -- driver/service installation
    -- process execution
    -- mouse/key hooks
    -- physical memory intrusion
    -- dll injection
    -- registry modification
    -- buffer overflow
    -- attacking/hijacking your security products (ie your AV/AS/Firewall)
    -- and so on

    2) Do on-demand scans
    IMPORTANT: Any anti-virus, anti-spyware etc. cannot detect all malware. They may also give you "false feeling of security". Try to do a weekly to monthly scan to see if there are any missed malware which cannot be caught by your anti-virus or anti-spyware.

    To do so:
    - you may download any extra AV/AS to do on-demand scans. Remember to turn off their real-time protection or it may conflict with your current AV/AS. Remember, don't think that enabling more than one of the same kind of real-time protection is of help. The fact is usually the opposite; or
    - go to any AV/AS vendor websites. Many have free online scans.


    3) Equip yourself:
    After all, only you can protect yourself to the fullest extent. Always remember "Security programs can never never never help a stupid user!!!"

    - Configure your computer by setting higher security!!
    - use your common sense and knowledge. If you lack computing knowledge, don't be afraid. It is not hard to learn. If you try, you will find it is not as difficult as you might think.
    - practise safe online browsing

    4) Replace potentially dangerous software
    - replace Internet Explorer with another safer browser like Firefox, Mozilla Suite, Opera
    - replace Outlook Express with another safer mail/news client like Thunderbird, Mozilla Suite

    This is my 2 cents. :p
    Feedback is welcome.
     