MRG PUA Test Results - Jan 05 2011

http://malwareresearchgroup.com/malware-tests/

Wow. Check out Immunet. Who'd uh thunk it? Considering BitDefender didn't do as well, Immunet's cloud engines took the lead.

Let the qvetching begin...

 

Those chat logs are hilarious.

SAS didn't detect a single sample.

 

Live chat transcripts are a great addition! Overall interesting test. The results from Prevx and OA++ don't really surprise me but Immunet has kicked this year off remarkably well. Apparently Avasts sandbox didn't work; or maybe MRG considered it a fail if it was not detected but was still sandboxed.

 

Neither did MSE.

Edit: After scrolling down I see they did get 1 lol.

 

These fake companies that pretend to offer free chat help are becoming more and more "popular" . I have once found one and chatted with them , it is all fun , you should try it

 

I wonder how many people fall for these fake apps. I don't remember where I saw it (it may have been Wilders) but I read one of those conversations with a fake company a while back and it was hilarious.

 

A Nano sighting! Also, F-Secure did a lot better than Bitdefender. Don't they share a same engine?

 

I don't think many do because it asks them pay . If it was cheating them in some other way , may be it would have been more successful.

 

Yes, but F-Secure has their own engine(s) as well, plus several other methods of detecting malware, including Deepguard if connected to the Internet.

 

Indeed, lol @ the chats. I don't think they used Avast sandbox at all, there's no mention of it. And automatic sandboxing of unknown/suspicious files will come in v6.0, I'm more curious if they enabled PUP detection in realtime shields.

 

Nice test

 

SAS is completely overrated Well done MBAM

 

Thanks for share Interesting results

 

Great job Vipre!

 

Vipre is really getting better ..Gr8 job guys

 

We shouldn't loose track of the fact this was a test about detection of PUAs and only those. SAS and MBAM tested were Pro versions; the free versions wouldn't have done squat. I just mention that because the norm is to say "MBAM" or "SAS" and leave the reader to judge which version, MBAM/SAS or MBAM/SAS Pro, is being reference within the context of a posting. This is a technical forum, after all. Not yoo toob.

True, MBAM Pro cleaned SAS Pro's clock in this detection test, but both free apps have been acclaimed to shine in the cleanup of compromised systems. And while on this slightly off-thread post, Malwarebytes still doesn't market a portable free version - not a slam, just an observation.

While I can agree at this point in time, SAS Pro may be overrated (v5 is on the horizon) I don't believe there has been a head-to-head test of its Pro version vs. MBAM Pro against a broad spectrum of threats. Tho against MBAM Pro, SAS Pro didn't fare well in MRG's Flash (zero-day) project...

Disclaimer: I do run MBAM Pro.

 

I don't remember SAS Pro ever doing well in any test, I'm not sure their "real time" protection is anything of benefit- except for the money paid to the developer who certainly deserves to be compensated. But the Pro version may give a person a false sense of protection.

 

Can I use Immunet as an on-demand scanner only?

 

Good question. I turned off the three protection settings which generated a "protection disabled" icon balloon tip.

I ran a scan and it completed. So, without input from Immunet/Clam staff to correct me, I'd say "yes" to the on-demand.

However, closing the UI (iptray.exe) doesn't stop the service (agent.exe).

 

I also have the same behaviour...

And if you change the service to Manual start, Immunet doesn't work, because the GUI doesn't start it...

 

SAS 5 will be much better.

 

Let's hope so...

 

We specifically don't detect those products due to their aggressive "legal threats" towards many companies. We have chosen to go after the trojans, rootkits, password stealers and applications that actually HARM your system and steal information. As you notice Microsoft has also chosen not to detect the same threats.

We may add a category such as the "Potentially Unwanted Application" as others have done to indicate to the user that they may wish to do their own research as to why these applications may not be desired.

 

But, what is a potentially unwanted application? In my book, anything that installs without me wanting it, it's an unwanted application.

For example: Imagine I install XYZ application, and this one comes with some toolbar/browser to install (as some very legitimate apps do). They come with such install selected by default... This is an unwanted application. Would this be a fair assumption?

Regarding those rogue crap... again... if somehow I'm lead to believe I needed it, and therefore deliberately installed it, then am I making a fair assumption that such is a wanted application, rather than an unwanted application? I'm leaving legitimacy aside.

I do understand why some security vendors decide not to target such... But, I believe something like that could be easily worked around by allowing users to make use of known domain blacklist sources. Sure, not the ideal solution, but would it resolve the "legal threats"? You wouldn't be directly targeting them, rather allowing your users to block whatever domain(s) they would like, and even suggest known blacklist sources...

Anyways, I got too much caffeine inside... lol

 

Yes. Before you open the GUI, you have to first start the service in Services. You can simplify the latter by making a bat file using net start. Create a shortcut for it and place it above the GUI lnk in the Start menu. Repeat that for a net stop bat file if you want to stop the service later.

Immunet is not alone in that behavior; ignore control of the service is the developer's option. On the other end of that spectrum is complete control. I can change Malware Defender's service, mdservice.exe, to manual. When I run the GUI it not only starts the service but reverts it back to automatic.

Whether or not you personally endorse a developers' choice is where you can exercise your own: use it as is, bend it to your needs or don't use it at all. You can let the developer know what you want, too.