maybe special test in june

Discussion in 'other anti-virus software' started by IBK, May 26, 2006.

Thread Status:
Not open for further replies.
  1. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    True indeed, they seem to have set the standard.
    This will be hard to compete against, but should make the
    industry a bit more interesting. ;)
     
  2. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    What about default settings? How good is KAV with default settings?

    Did you test PMD and rootkit (hidden) detection?

    izi
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, so u mean to say it might block more than 99% of unknown/ new viruses. I think then no AV can ever reach even near to KAV in this regard, even the best heuristics of NOD 32 are far behind.
    And I wonder what might be the false positive rate with these heuristics.
     
  4. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Excellent job, KL.
    Keep the great job.:thumb:
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    It would be interesting to test NOD32 in the same manner. I have no idea how it would compare, but would guess that the results would be short of KAV, based upon this test.
    Is it logical to say that since NOD32 only detected 58% of the samples during a scan, that it would not do better blocking the same malware? Maybe not, but it would be interesting to see.

    Jerry
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Somehow I feel Kaspersky's upcoming heuristic engine may not be as good as their proactive behaviour blocker....:doubt:
     
  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    How do the two differ? I am thinking that the PDM module uses much the same method to block malware. How would their "heuristic engine" differ?

    Jerry
     
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    The heuristics engine can also be used for On-Demand Scanning, Proactive Defense cannot. Proactive defense is based on rules defined by Kaspersky for operation of files, while heuristics is coded with a view to catch suspicious virus-like activity in files.

    Proactive defense would be good to detect all kinds of malware including Spyware and Riskware, while heuristics is more likely to detect more Trojans, Backdoors and viruses than anything else.

    Also, Proactive Defense is not part of the AntiVirus database (it is updated separately), while heuristics is tightly integrated with the KAV engine and database.
     
  9. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    Firecat explained right, however a shorter explanation might be:

    PDM is on-execution behaviour monitor/blocker with its own set of 'rules'. That's all.

    Thanks IBK, I make mistakes after two days of no sleep...
     
    Last edited: Jun 9, 2006
  10. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    do not mix up on-access with on-execution ;)
    some HIPS can block 100%, but require much user intervention. Personally I prefer that something is marked as suspicious on-demand without having to execute the file first and without user intervention. But that depends on users need and preference.

    P.S.: the internet connection in my room does currently not work, it will be fixed next week probably. So I can not as usual reply fast/much during next days, as I have to migrate to other places/rooms for getting online access.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I want to ask why the AV test used version 5 of Kaspersky instead of version 6 in their latest tests.
     
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well PDM module is actually assembled from several submodules.
    One of them is Behaviour Blocker (Dangerous Behaviour) in the right meaning of the word. Next one is Keylogger and rootkit detection. All others are additional. Especially Integrity and Registry monitor. They both require lots of user intervention and knowledge.
     
  13. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    it was a retrospective test, as the name says, with products of the "past". ANYWAY: KAV5 and KAV6 have in all on-demand tests exactly the same results, as the PDM (which is new in v6) only triggers while executing the files.
     
    Last edited: Jun 9, 2006
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
     
  15. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Thanks for letting me know the difference, Firecat and others.
    Jerry
     
  16. DaveD

    DaveD Guest

    I am really quite amazed that ClamAV/ClamWin, an open-source project, would deny you the permission to test. For open-source, I would have to say that is not very open at all. And being open-source, you shouldn't even have to ask for permission, I would have thought.

    Clam AntiVirus (Linux)
    http://www.clamav.net/

    ClamWin Antivirus (Windows)
    http://clamwin.sourceforge.net/

    ClamAV for Windows (Windows)
    http://www.sosdg.org/clamav-win32/

    There are 2 projects going for Windows, both open-source, that use the ClamAV scanning engine. They all use the same signatures.

    Which group denied permission?
    Did you ask both for permission?

    Sorry, I am still just appalled that an open-source project like this would deny you the permission. That honestly makes me change the way I feel about their project(s).

    Cheers,
    Dave
     
  17. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    ClamWin would have agreed to participate, if ClamAV (which made the engine) would also have allowed that / agreed. But ClamAV changed its opinion and does not allow anymore - maybe in future. The problem is that I do not test without a written permission, even if it is just a bureaucratic thing.
     
  18. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    about Kaspersky Proactive Defence test...
    as far as I know this module warns you almost every time you run a file so it's nothing interesting they've reached 99%. :D Or am I wrong? o_O
     
  19. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    You are wrong.
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    wrong, wrong...but why?
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    It's simple, because it doesn't. I'm using Basic mode with selected range of registry monitored entries and I get basically no false positive warnings unless they are actually malicious (for example tampering with HOSTS file or changing security policies). Integrity control is way too intrusive as well as invaders monitoring. But these two aren't the heart and engine of PDM and are just extra layer if for some reason main behavior blocker module fails.
    But still, most of the job will be done by primary behavior engine.
     
  22. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    You're most definitely wrong.
     
  23. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    to return to the original topic: the report of the special test is currently being proofread, I think I will put it online within this week (as soon as I get it back).
     
  24. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    done. ;)
     
  25. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    Rising's results surprised me.
    It's unfortunate a lot of vendors decided not to participate though.
     