MRG Flash Tests 2011

I've always wondered what the problem is with Eset at AV-Test? Are they that much more stringent?

 

This question has floated around for several years and has never been answered by anyone at Eset or Av-Test. It remains a mystery.

 

Or probably a low amount of samples means less generic malware
Who knows

 

Are you positive that neither ESET nor AV-Test.org have ever addressed this “mystery”?

Thing is that neither PCMag nor PCWorld rely on AV-Comparatives to test NOD32 effectiveness against malware, they always rely on AV-Test.org for that. I wonder why?


Regards

 

Good Results One can always count on ESET

 

Even then, I have only seen self-protection entries. Eset supporters claim that there are some hidden rules in automode, but all malwares I tried (with disabled AV part) past Esets Autohips.

 

Automatic mode adds little additional protection. If you want to test the HIPS, use the learning mode followed by the interactive mode. Personally, I'm not a big fan of the HIPS.

 

in interactive mode nod will nail any malware if you know how to deal with the pop ups

 

The longer you leave the HIPS in learning mode, the greater chance additional pop-ups are indicative of malware. You still have to know what you are doing.
This is why beginners should use automatic mode. Unfortunately, currently this offers little extra protection.

 

Eset has fundamentally changed their product from one where little decision making is required to one where decisions are necessary. Even the most experienced user can make an error when using the HIPS. One mistake and you are infected.

 

Agreed. In order to address this, if ESET stick with classical HIPS as an approach, I suspect they may eventually add whitelisting to reduce the need for user response to HIPS alerts when in Interactive Mode. As HIPS is a new feature in ESS/NOD32 v5, it is an immature product and reminds me of how noisy Defense+ was when first introduced in Comodo Firewall v3. Learning Mode only partially addresses the issues that classical HIPS raises for average users.

 

That is true however i guess it was due to public pressure. To be honest i'm fine with it, not only because i like HIPS but also because they NEEDED to improve something IMO.

 

I know that. But you can test different things.
(1) You can test automode (+signatures etc. off), cause the term "automatic" suggests the average users that ESET handles threats automatically then. Even if you see no rules at all, the support claims all the time that there are hidden rules etc. But if we look in reality and test malware: those rules seems not to exist or to be very very basic. Nothing is blocked, only self defense messages in auto mode.

(2) If you turn HIPS in interactive mode (+signatures etc. off) you can test HIPS and all operations it intermits.

Sorry to destroy your illusion: Then test with other malware Try some ZeroAccess samples in an ESET-HIPS only test - Hips in interactive mode will be bypassed, system infected. Or run some TDL samples and look careful at the popups, you'll see ESETs Hips isn't able to warn about the spoolsrv manipulation etc. Others Hips and BB solutions can handle those things.

Or play with CLT...

They must change - definitely. atm Esets HIPS is very bad designed: No whitelists at all - nonsense questions even for signed M$ processes, no possibility to create groups with inherit rules etc.
...ok enough, it's not a ESET thread.

 

without any firewall i installed Webroot secure anyware with max security.

Results with comodo leak test: 130/340 (fail)

http://i41.tinypic.com/rs6asi.jpg

 

I'm surprised we even scored that well - we've whitelisted CLT and intentionally don't try to block leaktests like this as they aren't relevant to a real threat. We could easily pass it if wanted, but there is no benefit in doing so as it wouldn't change the actual protection our users already receive.

 

Latest version of Webroot SecureAnywhere bypassed by MRG Effitas FM Simulator:

http://malwareresearchgroup.com/201...nywhere-bypassed-by-mrg-effitas-fm-simulator/

 

Wow PrevX failed?

 

You know more about your product than I ever will...but I disagree with your post. Taking everything you say as true, there is still a benefit from a marketing standpoint to pass these types of tests. Whether that benefit is real or perceived is up to the consumer. But IMO it's a lot better to pass these types of tests (especially since you can) than it is to explain to the consumer why the tests and your product results are not relevant. Passing is much better than mitigating doubt with explanations.

 

I think that by could easily pass he meant creating a signature for it but not really implementing any kind of HIPS into the software

 

There already is a very full-featured HIPS in WSA but it uses the cloud as well to reduce popups, which is why CLT isn't flagged.

 

Oh really, i didn't know WSA had a HIPS module built in

 

Latest MRG test for SuperAnti-Spyware. Ouch!

http://malwareresearchgroup.com/category/malwareproducttesting/

 

At least it got 50%+

 

I think 44 % would be true

 

Is there a break down test result somewhere that says what was caught on access and on demand, etc?

BTW- you have to excuse SAS for poor results as they have been working day and night lately trying to get out that SuperAdBlocker update that's been promised for years.