New AV-Test.org test

Discussion in 'other anti-virus software' started by Abeltje, Aug 22, 2007.

Thread Status:
Not open for further replies.
  1. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Yes. It has all the same features except the realtime protection. But that you already knew.
     
  2. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Then I won't trust av-comp anymore :D <joking>
    .
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    ok, to answer my own question, its not yet incorporated the drweb engine.

    but it should see an improvement if bitdefender is doing soooo well.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    and Sophos :)
    IBK wrote in his blog about a possible delay. Later, he rectified his thoughts.
    NOD32 and Dr.Web have the best detection/database size ratio.
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    sophos should be forbidden to be mentioned on here, the price of it is just disgusting.

    and of course drweb and nod32 have the least database, more so for drweb as i think nod's detection is mostly heuristics, but we all know drweb do their best to keep it low and user friendly for updates, its practically in their slogan *lol*
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Firecat's comments on Sophos intrigue me
    If Sophos is supposed to be a Corporate AV, FPs shouldn't be tolerated. So, either Firecat is incorrect or .....
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Packer detection is the norm these days. Every AV program does it by now. Just take a Storm worm, cut off half of the exe from the end and look how many programs still detect it.

    Bitdefender even started to add packer detections for packers they can easily emulate. Other AV programs with good emulation/unpacking have plenty of packer detection too.

    Aggressive detection for corporate environments? Absolutely ok, they don't want any strange executables! Just look at Webwasher and Fortinet. I think if Webwasher would start to report every file that starts with "MZ" as suspicious, their detection on malware would only go up by 10%... :D
     
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    As Stefan's post above explains, aggressive detection sure seems OK for corporate environments. So I think it's true. ;)
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's the norm, yes, but many AV programs keep it within a reasonable limit and use it the way it's intended: to supplement traditional signature scanning, unpacking and heuristics.

    Some programs, on the other hand, might as well start calling themselves antipacker software instead of antivirus software...
     
  10. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Just saw this post by Alex Eckelberry at the SunbeltBLOG (click the link to go to the blog and see more info/results). It's a little long but interesting.

     
    Last edited by a moderator: Aug 26, 2007
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Which are those "many" AV programs? I would rather call it the last stubborn few that would prefer not to protect their customers to avoid adding "non-perfect" detections. Name me *one* valid reason why a commercial product should be runtime-packed! Size? Crack-protection? Puh-leez!

    Wait another 6 months. The malware authors will eradicate any hesitations to do such detections until then. There is no way you can handle the sheer mass of new malware with idealistic academic approaches anymore. I am the first one to regret leaving that behind - but you have to adapt to the new situation. Adapt or go extinct. :)
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'll believe what I see, and what I see at the moment is that there are plenty of vendors who take the trouble of decrypting packers AND show no signs of going extinct anytime soon. When I purchase antivirus software I expect it to detect viruses, not blindly whack packers on sight - if I wanted to advocate that approach, I wouldn't be purchasing antivirus software to begin with.

    The next thing you know, some vendors are going to start championing detecting malware based on filenames, just because "there's no reason for a file named svch0st.exe to exist in the system32 folder".
     
  13. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Can eventually make sense for an individual, as one has the right to download "exotic" files or programs.

    But talking about company policies, it is simply BS. It is OK if an antivirus forbids download of a file called svch0st.exe. Companies deal mainly with MS Office files. 99% of the time, anything else is not expected, therefore it has to be denied. It is less risky and time consuming this way, and the IT dep. can concentrate only on management of exceptions... Eventually you get to the point where antivirus software integrates more and more HIPS or policy capabilities...
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    HIPS/policy-based approach, yes. Like I said, if I wanted to advocate such methods, then I'd get the software that performs such functions (i.e. SSM or Anti-Executable). However, if I want to buy antivirus software, then I want antivirus software, not antipacker software masquerading as antivirus software. For the vendors that insist this is an inevitable trend, all I have to say is that their competitors in the field are, for the moment, proving their words completely false.
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Rule number 1: Don't blindly add runtime packer detection because you see malware using it; research how many innocent programs are packed by that and if the ratio is ok then for god's sake add the packer detection. If you encounter false positives just add a negative.

    Rule number 2: Add *all* cracked runtime packer stubs. There is NO REASON for a legal company to pack their products with cracked runtime packer versions (which might put a specific byte code stamp in the packed file) With this "idea" you'll most likely create "false positives" on so called Cracks or GameTrainers, since the authors used a cracked version of a packer. But seriously who cares if you detect a crack as malware? You shouldn't use cracks anyway. There are SO MANY fp's on cracks. Of course nobody reports them since you would have to admit that you were trying to use a cracked product then. Makes sense does it? :D

    Rule number 3: You have to protect your majority of users from malware as best as possible; ONLY AFTER THAT comes satisfaction for 2 or 3 individuals who are using "very strange" runtime packed files which they could easily obtain non-packed. That applies especially for "clean" files packed with typical "only malware packers". You can produce a false positive VERY EASILY for *EVERY* antivirus. So producing false positives is out of the question. It's the amount of false positives and their weight (on important files for example) that you should rate.

    Rule number 4: If your engine allows you to see "more details" than that a file is only runtime packed, combine that together. For instance it's more suspicious if something is strangely runtime packed AND makes use of internet functionality or tries to copy itself.

    Rule number 5: Different AV Vendors might have different customer types. If you provide mainly Gateway solutions it's "ok" to detect more runtime packed files since this speeds up email scanning (no unpacking / emulation needed) and "better" filtering for incoming files.

    Rule number 6: Respect all the rules above!
     
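    The rules above describe a detection policy rather than a signature, so here is an added example (not code from the thread, from any AV vendor, or from any of the posters) that models rules 1 through 4 in Python: a packer family only gets a stand-alone detection once a corpus shows it is almost never used on clean files (rule 1 and rule 3), a cracked-stub marker is always detected (rule 2), a known false positive is "given a negative" via an allowlist (rule 1), and a legitimate packer is only a weak signal that becomes a detection when combined with network use or self-copying (rule 4). Every sample name, the packer families `CommercialPack` and `MalOnlyPack`, the scores and the threshold are constructed for the example; the `Sample` fields stand in for what a real engine would extract from the PE file.

```python
"""Prevalence-gated runtime-packer detection with combined scoring.

Added example modelling the packer-detection rules discussed in the thread.
All names, packer families, scores and the corpus below are constructed
assumptions for illustration, not data from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sample:
    name: str
    packer: Optional[str]          # packer family from a stub signature, None if unpacked
    malicious: bool                # corpus ground truth used to measure prevalence
    cracked_stub: bool = False     # stub carries a marker of a cracked packer build
    network_imports: bool = False  # imports internet/socket APIs
    self_copy: bool = False        # copies itself elsewhere at run time


# Constructed corpus: packer families and file names are invented.
CORPUS = [
    Sample("vendor_setup.exe", "CommercialPack", False),
    Sample("vendor_tool.exe", "CommercialPack", False),
    Sample("shareware.exe", "CommercialPack", False),
    Sample("game_patch.exe", "CommercialPack", False),
    Sample("bot.exe", "CommercialPack", True, network_imports=True, self_copy=True),
    Sample("dropper1.exe", "MalOnlyPack", True),
    Sample("dropper2.exe", "MalOnlyPack", True, network_imports=True),
    Sample("dropper3.exe", "MalOnlyPack", True, self_copy=True),
    Sample("plain_updater.exe", None, False, network_imports=True),
    Sample("trainer.exe", "CommercialPack", False, cracked_stub=True),
]

DETECT_THRESHOLD = 4  # constructed: score at which a file is reported


def packer_prevalence(samples):
    """Count how many (clean, malicious) files use each packer family."""
    counts = defaultdict(lambda: [0, 0])
    for s in samples:
        if s.packer is not None:
            counts[s.packer][1 if s.malicious else 0] += 1
    return {packer: (clean, mal) for packer, (clean, mal) in counts.items()}


def packers_to_flag(samples, max_clean_ratio=0.1, min_seen=3):
    """Rule 1 / rule 3: a packer family gets a stand-alone detection only if it
    was seen often enough and (almost) never on clean files."""
    flagged = set()
    for packer, (clean, mal) in packer_prevalence(samples).items():
        total = clean + mal
        if total >= min_seen and clean / total <= max_clean_ratio:
            flagged.add(packer)
    return flagged


def suspicion(sample, flagged_packers, allowlist=frozenset()):
    """Score one file; returns (score, reasons) so an analyst can see why."""
    if sample.name in allowlist:
        # Rule 1: a confirmed false positive is handled by adding a negative.
        return 0, ["allowlisted as a known false positive"]
    score, reasons = 0, []
    if sample.cracked_stub:
        # Rule 2: cracked packer builds are detected regardless of the family.
        score += 4
        reasons.append("cracked packer stub marker")
    if sample.packer is None:
        # Rule 4 combinations only apply to packed files; plain files score 0 here.
        return score, reasons
    if sample.packer in flagged_packers:
        # Rule 3: a "malware only" packer is a detection on its own.
        score += 4
        reasons.append(f"packed with malware-only family {sample.packer}")
    else:
        # A legitimate packer is only a weak hint by itself.
        score += 1
        reasons.append(f"packed with {sample.packer}")
    # Rule 4: packing combined with behaviour is what makes it suspicious.
    if sample.network_imports:
        score += 2
        reasons.append("packed and uses internet functionality")
    if sample.self_copy:
        score += 2
        reasons.append("packed and copies itself")
    return score, reasons


def verdict(sample, flagged_packers, allowlist=frozenset()):
    """True if the file should be reported under the policy above."""
    score, _ = suspicion(sample, flagged_packers, allowlist)
    return score >= DETECT_THRESHOLD


if __name__ == "__main__":
    flagged = packers_to_flag(CORPUS)
    print("stand-alone packer detections enabled for:", sorted(flagged))
    for s in CORPUS:
        score, reasons = suspicion(s, flagged)
        print(f"{s.name:20} score={score} detect={verdict(s, flagged)} {reasons}")
```

    Running it shows the split the thread argues about: `vendor_setup.exe` is packed with a family used by many clean files and scores only 1, `bot.exe` uses the same packer but is reported because it also talks to the network and copies itself, and `dropper1.exe` is reported on the packer alone because that family never appears on clean files in the corpus. Passing `allowlist={"trainer.exe"}` silences the cracked-stub hit for a file a customer has confirmed, which is the "just add a negative" step from rule 1.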
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Possibly stupid question: what's the difference between this rule and what Stefan advocates (no reason for programs to be packed, to hell with it, just whack the packers)?
     
  17. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    The difference is that you have several cracked versions of LEGITIMATE runtime packers. That means runtime packers which are used for clean files as well. But Malware authors sharing the cracked version to pack their "creations" without any time limitations or silly messageboxes that the malware was packed by a trial version.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So in essence it's the same principle: detect something because the vendor thinks it's not legitimate, the presence (or lack thereof) of malware notwithstanding?
     
  19. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I forgot rule number 7.... Don't argue with me

    Using cracked programs is NEVER EVER legitimate. No matter for what purpose if it's malware or the newest microsoft office!
    Edit: Just think about corporates. As a boss or system admin you would like to know if someone uses cracked software in your corporate right?
    Because if that becomes public then you're screwed. So detecting cracked things is perfectly ok.

    Edit 2: I've seen "customers" complaining about a "false positive" submitting it to the virus lab. Guess what? A crack for your own Antivirus Program!
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'm not. Vendors can do whatever they please, and if they're not going bankrupt then obviously their customers agree with them. I'm just after an answer to a technical problem.

    Based on your reply, I'll take it that my earlier presumption is correct.
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    If you have a long street with lots of trees and daily lots of accidents - what approach would you take: Cutting down all the trees or putting up a speed limit?

    If you are half intelligent you'll put a speed limit since this also lowers the accidents without trees involved.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Again, as I've previously mentioned, you don't need to convince me you're right. Saving the effort for your customers would probably be a better idea.
     
  23. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That's exactly the type of attitude I "honor". I post here something, you ask a question, I explain it, you go on and finally tell me that I "waste" my time here and should do something useful instead. You're prolly right, I won't comment on any thread in the antivirus anymore. It's indeed a waste of time.
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thank you for your answers. I appreciated them. However, as it is, the ones I was really after were the ones you implied and purposely left unsaid instead of the ones you ranted on and on about.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I was thinking in corporate workstations, not gateways :) I should have expressed myself better.
    Right. But, this should be done with Group Policies and such, not AVs, correct?
     