New AV-Test.org test

Discussion in 'other anti-virus software' started by Abeltje, Aug 22, 2007.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    by Inspector Clouseau :
    Well, just don't forget that many people are reading these boards out of interest and while they may not always chime in, they do appreciate your comments. Even if you feel that a particular dialogue did not convince someone involved, others here may have gained insights.;)
     
  2. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    I second that. I enjoy your posts and have learned a lot in the past, even though you don't always say "thank you for your opinion" be assured that there are enough who are grateful for your quality comments. Of course no one has to agree to anything. But it's nice seeing the arguments.
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,651
    I "third" that.

    I definitely enjoy reading your comments Mike and I do learn from them.
    Please do stay, please !!!

    Warm regards,
    Jan
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    +1 :thumb:

    and i perfectly understand your frustration when someone doesn't want to understand or listen... :doubt:

    Fax
     
  5. interstate ron

    interstate ron Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    65
    Location:
    over the hill from West "By God"
    Inspector.. you have a lot of knowledge to offer so continue commenting as I am one who listens. I've learned a lot from all but I do my own selective weeding.
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I third that or fourth or whatever, keep enlightening us Mike:D
     
  7. interstate ron

    interstate ron Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    65
    Location:
    over the hill from West "By God"
    On topic quoted somewhere by Mark Twain: "There are 3 kinds of lies: lies, damned lies, and statistics."
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    RE: Packers

    If an AV (especially one destined for consumer use) is going to detect positive on a packer, it should say so when the warning box comes up, something like "this executable uses an unknown/suspect/cracked packer and has a high risk of being malware, even if we are not sure" the option to permanently ignore the file should be available.

    Several above make pragmatic arguments for automatic positives on packed executables, even to the point of saying there is no legitimate reason to pack an executable. That last idea is absurd as some authors want protection against the program being hacked or reverse engineered. Before big hard disks became so cheap, packed executables were quite common.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Another question:
    How can ClamAV get such good results (relatively speaking) when:
    - It had zero financing until some days ago (takeover by Sourcefire)
    - Its engine is very weak (file parsing, packers/archives support, heuristics, etc)
    - It uses simple signatures (CRC32) and it doesn't have a high number of them.
    CA's eTrust looks even uglier considering ClamAV's detection rates.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, to be really honest, insight is always something that is to be examined from a point of view. When discussing about any issue in particular, you are always going to get more than one point of view. And many times the points that are explained by all the different parties offering different explanations may hold their own merits and demerits. After all, not every person thinks the same way.

    While I prefer to keep neutral in these kind of discussions usually, one should always note that depending on the scenario and the needs of the given explanation, a point may hold merit, or it may seem unreasonable depending on the point of view. So one could say that no one is correct, or you could say that everyone is correct.

    In any case, if the Inspector wishes to not express his thoughts on any issue from now on, we cannot force him to speak up always - after all, it is his choice ultimately. However, I would definitely like to see him (and others) continue to speak on various topics - differing opinions and interesting information are vital to human life. :)
     
  11. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    You're going to become a politician when you get older, Firecat. :)
     
  12. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I'll second that. Fantastic post, Firecat :thumb:
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Inspector Clouseau- Sad to say, it seems obvious that the fellow who was yanking your string is uninterested in arriving at truth. Trying to discuss something with such a person is like trying to carry on a conversation with a tree. IMO, that fellow's goal is to flaunt his little bit of knowledge and "prove" that anyone who disagrees with him is either stupid or has ulterior motives.

    In a court of law, defense attorneys who do that sort of thing manifest 2 distinct attributes...

    1- Some people are impressed by the attorney's closing arguments.

    2- The attorney's clients are always found guilty.

    Mike -- illegitimi non carborundum! ;)
     
  14. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    No offense, sounds to me that you are doing exactly the same thing?
     
  15. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
    I am sure Inspector will be back as he's the technical spokesman for F-PROT. He has already stated the facts. He just needed to lose steam and spend dear time with someone more important. It's a Friday night in Iceland.:isay: Time to relax... Most of us already know that the AV Experts here in Wilders are far more knowledgeable and sometimes more humorous.

    Remember the All-Time-Rule: RESPECT
     
  16. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    By the way the thing about packers is interesting because I heard that RunScanner (an autoruns/Hijackthis like tool), was being detected by AVG heuristics because it was using a packer AND it was accessing autostart keys.

    It seems that even if the packer is even something as common as upx, it is still flagged.

    The author's response was to just remove the packer, so for the newer versions it's now roughly 2.5x times bigger? Not really a big deal, for broadband really, but his site is rather slower, and to save bandwidth, Runscanner now disallows download of the direct executable, but you must download the zipped file instead..
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And then there are attorneys who go on a tangent, and throw a huff when the jury doesn't agree with them. :D

    In all seriousness, though, I believe it's a simple technical matter. There are vendors who take the effort to develop new and existing technologies alike to pinpoint malware, and there are vendors who declare that the former approach is unfeasible ("will lead to extinction", to paraphrase an earlier poster) and just resort to detecting what they believe are illegitimate code instead of actual malicious software. Not that I'm trying to say who's "right" or "wrong" (if there's indeed such a distinction), us paying customers as a whole will do that nicely in my place. Rather, it's some other people who're preaching their own points of view, and they don't seem quite happy when they don't exactly succeed in clinching the sale.
     
  18. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    solcroft, so you are saying until we add unpacking for all those cryptors, we should add no other detection and leave our customers unprotected? I start to wonder if you are really on the AV side...

    And as I said before, check out those AV programs with good unpacking and emulation. Even they start to add more and more crypter based detection. It's not so obvious, you know, they don't bother to call it Crypt.* or Packer.* sometimes. And there are good reasons for having those detections, but you failed to notice those reasons or prefer to ignore them.
    Maybe you should take a more careful look at the most recent malware AND the various AV products before making any claims. Just having a mediocre, unsorted malware collection and performing some pseudo AV tests doesn't give you insight knowledge, after all.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Again, I'm not saying this or that vendor is wrong or right. Obviously each will adopt the method they deem best and then try to sell their product as best as they can, and in the end customers will decide. If vendor X feels that detecting packers is the way to go, then so be it. Simple as that.

    And yes, I do know that all vendors (at least the ones I know of) detect packers to some degree, and (partially) the reasons they do it. You seem to mention that I'm making "claims". What would those claims be, if I might ask?
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Does anyone have something to say regarding ClamAV? :doubt: Thanks.
     
  21. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Their engine is weak but:
    - There are some voluntary people that keep the signature base up to date.
    - My guess is that the relative efficiency of clamav is due to the fact that its signatures are not bound to a particular position/offset in the executable file. Whereas other AVs will try to find known sequences of bytes at given positions in the scanned file, ClamAV will search the entire file (at least, that was the case last time I tried to understand how ClamAV worked). If there are no absolute addresses in the signature, this may give a bit more genericity to ClamAV. On the other hand, it's slower. I hope some experts will correct me if I'm wrong...
     
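    The trade-off Tweakie describes, shown as an added toy example (this is not ClamAV's code and not from the thread; the file bytes, signature names and offsets are constructed): an offset-bound matcher misses a variant whose payload has shifted, a whole-file matcher still catches it but examines far more byte positions, and a too-short whole-file signature fires on benign data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    offset: int  # used by the offset-bound matcher only; the whole-file matcher ignores it


def scan_offset_bound(data: bytes, sigs) -> list[str]:
    """Compare each pattern only at the offset recorded in its signature."""
    hits = []
    for s in sigs:
        if data[s.offset:s.offset + len(s.pattern)] == s.pattern:
            hits.append(s.name)
    return hits


def scan_whole_file(data: bytes, sigs) -> list[str]:
    """ClamAV-style matching: the pattern may occur at any position in the file."""
    return [s.name for s in sigs if data.find(s.pattern) != -1]


def work_estimate(data: bytes, sigs, whole_file: bool) -> int:
    """Upper bound on byte positions a naive matcher must examine per scan.

    This is the speed cost of position-independent signatures: every signature
    is tried at (almost) every offset instead of at one fixed offset.
    """
    if whole_file:
        return sum(max(len(data) - len(s.pattern) + 1, 0) for s in sigs)
    return sum(len(s.pattern) for s in sigs)


# Constructed sample files (hypothetical, not real malware).
HEADER = b"MZ" + b"\x00" * 62                               # 64-byte stub header
PAYLOAD = b"EVIL_PAYLOAD_V1"
ORIGINAL = HEADER + PAYLOAD + b"\x00" * 32                  # payload lands at offset 64
VARIANT = HEADER + b"\x90" * 16 + PAYLOAD + b"\x00" * 16    # same payload, shifted to offset 80
BENIGN = b"Release notes for MEDIEVIL remaster, v1 ..."     # contains "EVIL" but is harmless

# A specific signature, and a deliberately short one to show the FP risk lucas1985 asks about.
SIGS_GOOD = [Signature("Trojan.Sample", PAYLOAD, 64)]
SIGS_SHORT = [Signature("Trojan.TooShort", b"EVIL", 64)]


def summary() -> dict:
    """Collect the four outcomes the thread argues about, keyed by scenario."""
    return {
        "fixed_catches_original": scan_offset_bound(ORIGINAL, SIGS_GOOD),
        "fixed_misses_variant": scan_offset_bound(VARIANT, SIGS_GOOD),
        "whole_catches_variant": scan_whole_file(VARIANT, SIGS_GOOD),
        "whole_fp_on_benign": scan_whole_file(BENIGN, SIGS_SHORT),
    }
```

Signature length is the only lever against the false positive here, which is why the next posts tie FP risk to signature size.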
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks Tweakie :)
    That explains the slow scanning speed of ClamAV. Also, doesn't this make ClamAV more prone to FPs (i.e. brute force scanning of the complete file body)?
     
  23. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    It could. But it also depends on the signatures size. Moreover, there's no risk of heuristic FPs ;)
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Right.
    Thanks again :thumb:
     
  25. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    While there is no risk of heuristic FP's (since there ain't any), nothing is immune to signature FP's...
     