KAV update hourly = we get fastest protection against Zoo/unknown virus?!?

Discussion in 'other anti-virus software' started by Wai_Wai, Aug 21, 2005.

Thread Status:
Not open for further replies.
  1. attention

    attention Guest

    @Wai_Wai
    You are heavily misinterpreting the terms "ITW" and "Zoo" malware.
    Look here what ITW is: http://www.wildlist.org/faq.htm
    Everything else is usually considered as Zoo malware. Zoo malware is _not_ the term for new/unknown malware, which is used in av-comparatives retrospective/proActive tests.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    Info on the Zotob outbreak. PDF file
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Nothing is 100% foolproof; we all have to live with that risk, regardless of which AV and/or other security apps you have :)
     
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    But have you tried it with Zoo malware?

    From your above experience, I think yours should be regarded as an example of an ITW malware test, since I think most of what you encountered should be ITW malware. If so, we should achieve "0" false positives - McAfee & KAV can manage to do that most of the time, while NOD32 will get quite a few false positives (e.g. 5-12).

    However, the above experience/fact is not really the latest (about 1 year old), so I can't be sure if the situation has changed. But I expect it still has some false positives (e.g. at least 2-4).
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Thanks for your information.

    Sorry, but I just wonder why you feel I heavily misinterpreted ITW & Zoo.

    This is not intended as self-defense, but just as a clarification.

    I know Zoo malware is not exactly the same as new/unknown malware.
    By the way, they have some direct relationship.
    ITW malware is in-the-wild malware, so it is malware which (is proven) to be spreading in the wild (world). It doesn't need to be widely spread. If it is spreading, it is included in the ITW list.
    Not sure if Zoo malware can be taken as non-ITW malware, strictly speaking. It seems wrong since not all non-ITW malware is classified as Zoo malware.

    To simplify matters and not go into much detail, I won't explain much about ITW / Zoo.

    Maybe it is due to my lack of explanation and non-strict use of these 2 terms, so this misleads the readers. So sorry about that.
     
    Last edited: Aug 23, 2005
  6. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    By the way, it seems we are going off-topic.

    Would anyone who read the article mind giving some feedback on that?

    Did you know this already before reading that article?
    Is this article correct/useful?
    Does it help to clear the misconception?
    Or any other comments?
     
  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    This is just from my end; others may have had different results.

    KAV will have FPs. I have noted 2 or 3 over that same period with KAV. Seems KAV and NOD have about the same.

    I have used KAV or a KAV AV (F-Secure provided by my ISP) from 1999 and NOD starting in 2000. They are both good. I currently run NOD on a game machine used by a bunch of teens that don't always practice good computing habits and tend to check game cheat and walkthrough sites from time to time. :) So far NOD has stopped all on that machine. Actually NOD's AH was the first to detect some stuff prior to KAV on my end. Also, just about all AVs will produce a FP from time to time.

    I am really just noting that from a day in and day out, hands on, real world running of NOD over a number of years it has had very few FPs over that time and about the same as KAV. I don't consider 2 or 3 FPs over a number of years much of a problem.

    I have to go with my real world, hands on results using NOD, whereas you don't appear to be quoting from any actual experience with NOD.
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    As you say, it's not going to be many anyway. Just in the worst cases, if it gets 5-8 FPs, I think you will not mind, right?

    Then the second thing you may wish to think about is the ITW & Zoo malware.

    My opinion based on what I read is:
    - NOD32 is worse than KAV in terms of ITW malware.
    - NOD32 is equal or a bit better than KAV in terms of Zoo malware.
    Note: It's a very rough description. Don't take it seriously.

    I frequently review different anti-virus products. My impression is NOD32 is getting better. The number of FPs is reduced; the detection rate of ITW is increased. However, it is still not excellent when compared with the top AVs.

    As I said, it is expected that it will get more false positives when it tries to detect bunches of Zoo malware. But anyway, others will have similar behaviour. Either they are going to detect fewer malware but keep lower FPs, or more but higher. It is easy to understand why.

    In my opinion, I think one's experience is not representative enough and can be easily distorted if misinterpreted. You know, when you only test, say, 10 samples (compared with others which test over 10000), we may get wrong & unreliable conclusions if we simply depend on our own experiences.

    That's why I'm not going to tell my experience but rather quote the independent test results.

    But if you ask about my experience, I will say yes, NOD32 generates more than KAV.
    And you should know "more" here is meant to be relative. The actual difference in number is small, in your own value judgement.
     
  9. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Well, my actual experience using both NOD and KAV every day for a number of years means much more to me than any test. :) On my end they both seem to have about the same number of FPs.

    They are both good AVs from my results.
     
  10. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    What are examples of "IPS"?

    Thanks,
    Jerry
     
  11. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    The examples of IPS...:
    - ProcessGuard
    - System Safety Monitor
    - Viguard
    - Online Armour
    - and so on

    More info about IPS:
    http://www.securityfocus.com/infocus/1670

    Hehe... By the way, it seems strange that you ask the question here.
    I think I haven't mentioned IPS in this thread, have I?
     
  12. attention

    attention Guest

    @Wai_Wai
    Well, according to the definition of ITW malware by Virus Bulletin (which is afaik in line with wildlist.org), this is completely false, as Nod32 has won the most VB100 awards (meaning 100% ITW detection) of _all_ AVs in the world. :)
    That said, nowadays almost all AVs usually score 100% against ITW (Wildlist) malware... but that definition of ITW is not beyond any doubt...

    No, it is just the other way around. KAV has always been one of the best "Zoo detectors" (if not the best), while Nod32 mainly focused on ITW malware (this has changed a bit now).
    You already know all the tests which clearly show that (av-comparatives, av-test.org, virus.gr,...). Their testsets may include some ITW samples (a maximum of 1000), but the vast majority can be considered as Zoo malware - and KAV usually has the highest detection rate.

    You are still mixing Zoo malware with new/unknown malware, aren't you? ;)
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Wai_Wai,
    Thanks for the reply. I should have already gleaned that, but I didn't.

    Jerry
     
  14. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I think you might want to do more research on what Zoo and ITW refer to.
    :)
     
  15. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Sorry, but what's wrong about the above statements?
    I think I should have tried my best not to go into technical details while, at the same time, not distorting their meaning.
    Did I misuse the above ITW or Zoo, if any?
    If so, kindly tell me. Thanks.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Zoo malware = malware in the wild, without being discovered by researchers ?
    (I'm not familiar with this expression and English isn't my first language.)
     
  17. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Wai_Wai and ErikAlbert: you are both wrong.

    To keep it simple:
    ITW: every sample that is on the official Wildlist.
    ZOO: every other sample that is not on the Wildlist.
     
  18. Does it make any difference whether you are infected by something on the wildlist or zoo?
     
  19. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Sorry that it seems my posts are full of mistakes.
    Maybe I misled on the meanings of ITW or Zoo malware.

    Hmm...
    Let's go into a bit of detail this time, and express how I understand ITW & Zoo malware (Note: It may be wrong. The following is merely my personal opinion).

    According to wildlist.org which you are referring to:
    So that's what ITW means, although the requirement of "two or more" may be arguable. 1 only is also OK in some cases.

    As is seen, it doesn't need to wait for all AVs to detect that malware in order to call it ITW malware. So there is always a possibility that an AV cannot detect an ITW malware. Surely as time goes by and the ITW malware becomes old, the chance of detecting it is larger. However, please remember it doesn't mean an ITW malware, once it gets old, can be caught by any AV. If you do think so, it is wrong. But that's another topic, so save it.

    According to the VB site, it seems wrong to say almost all AVs can get 100%, depending on what you mean by "almost (99%?)" and how many tests you are basing this claim on.

    And the VB tests only test a small percentage of ITW malware. If you are going to test many (e.g. over 10000-20000), you will see it is impossible to score 100%.

    Maybe the databases we get are different.
    According to websites (which are listed in one of my posts), the average results are: KAV is (around) the best in ITW malware. NOD32 is, say, worse than around the top 10; NOD32 is (around) the best in Zoo malware, and so is KAV. Sometimes NOD32 even manages to defeat

    Anyway, feel free to quote your source, so I can read and know more.

    As far as I know, a zoo malware is malware found only within research labs which has not (succeeded in) moving into general circulation.
    Strictly, Zoo malware is not equivalent to new/unknown malware, but the detection of Zoo malware is usually used to determine the ability of anti-malware software to detect malware not in the signature base. Simply, you may consider them similar to new/unknown malware.
    But if we are going to be techies, it's surely incorrect.

    PS: After all, the above is my personal idea only. Don't treat it too seriously.
     
  20. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    No, they bite equally hard, when they hit you. ;)
     
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It makes no difference. They are all malware by nature, which is destructive.
    To me, ITW and Zoo are indeed used (implicitly) to describe the spreading/fame of a malware.
    Simply speaking, you may treat:
    - ITW malware as (well-)known malware by researchers.
    - Zoo malware as little-known malware by researchers.
    - Underground malware as malware known by no researchers. They are still infecting our computers in the underground. The term is coined by me. :p

    PS: If we go into details/technology, all the above can be falsified. This knowledge is anyway ivory-tower knowledge to beginners. Anyway, ITW malware is used to test the ability of an AV to detect known malware; Zoo malware, unknown/new/underground malware.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I still don't get it. I thought malware was divided into two kinds:

    1. DISCOVERED malware by researchers; this malware isn't a problem anymore,
    because it is removed by at least one or more anti-malware scanners.
    ITW malware seems to me the same as DISCOVERED malware, because researchers know about it already.

    2. UNDISCOVERED malware by researchers; this malware is still in the wild, infecting computers world-wide,
    because there is no antidote yet.
    ZOO malware seems to me the same as UNDISCOVERED malware.
    UNDERGROUND malware is also UNDISCOVERED malware.

    Why make it so complicated and create so many expressions for the same thing?
    Why make it more difficult for users, who try to understand what malware is?

    You know or you don't know the malware.
    If you know about it, you do something about it.
    If you don't know about it, you had better find it.
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ronjor,
    Thanks for the link.
    Now I understand what ZOO malware is.

    The only type of malware that isn't listed is "false positives".
    The most dangerous one for ignorant users, who remove them and damage their own computers. :D
     
  25. attention

    attention Guest

    @Wai_Wai
    10000-20000 ITW samples?! Please take a look at the Wildlist to see how much ITW malware actually exists: a few hundred, most of which are variants that can be detected by generic signatures. You see it is easily possible (and, as said, common) to score 100% at ITW tests.
    Furthermore:
    - AV companies share malware samples, especially ITW malware.
    - VB100 award doesn't merely mean 100% ITW detection, but also no false positives and some other things. Most AVs usually do score 100% in VB's ITW tests.

    The tests you quoted (and which I am referring to, too) are (almost) pure Zoo tests. If not explicitly stated, this can be easily seen by the number of existing ITW samples in comparison to the testset size.

    Yes, that's incorrect. ;)
    AVs detect and therefore "know" Zoo malware samples in the order of hundreds of thousands (see av-comparatives on-demand tests) - so you simply can't compare "Zoo malware" to "new/unknown malware".
     