Now What ?

Discussion in 'other anti-trojan software' started by TouchuvGrey, Jul 22, 2005.

Thread Status:
Not open for further replies.
  1. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    In discussions of the relative capabilities of various AV programs, many posts suggest that KAV is superior to NOD32, but http://www.av-comparatives.org/ tells another story, one in which NOD32 stands head-and-shoulders above all the rest.

    For the record, I have used TDS-3 and NOD32 for one year. When I first installed TDS-3, a program I have liked very much as well as the support from DiamondCS, one Trojan was found… probably a hold-over from before I installed NOD32. Since then, TDS-3 has found nothing more and NOD32 has not reported anything in over ten months. Maybe I'm lucky; maybe my ISP, Cox Communications, is behind my good fortune. I just don't know, though I'm sure that having a router and a software firewall are part of the key.

    Since the demise of TDS-3, I have happily installed RegDefend, which, I believe, is hugely powerful, especially in conjunction with Process Guard. Port Explorer is also a must-have.

    Question: If TDS-3, with its history and success, threw in the towel, on what basis can one hope that Ewido will not be forced to do the same?
     
    Last edited by a moderator: Aug 11, 2005
  2. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
  3. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Forgive me for talking to myself, but after posting the last message, it occurred to me to check the dates of each reference. The first is three years more recent than the second… in PC time that's an eternity!
     
  4. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I see, "stands head-and-shoulders above all the rest".

    Do you refer to the proactive test where Nod had an ITW detection of 90% (46 of 51 samples) and Kav 35% (18 of 51 samples), or are you referring to the on-demand test where Nod had a detection of 95.50% (368746 of 386104 = 17358 missed) and Kav detected 99.65% (384743 of 386104 = 1361 missed)?

    Well, just because a two-man operation, which was trying to maintain/update four software lines, abruptly decides to discontinue the most time-consuming product doesn't mean that everybody else will; Ewido hasn't spread its personnel resources thin doing several software lines (not yet at least). Could it be that DCS was being squeezed by newcomers getting better & better? Who knows. I do know that there is one less vendor in a market which probably doesn't grow a lot. :)

    Edit: Can't go away from the pc for even a little while i see. ;)
     
    Last edited by a moderator: Aug 11, 2005
  5. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Help me find a reference to the on-demand statistics to which you refer.

    I did find this link, http://www.av-comparatives.org/ , but it too gives higher marks to NOD32 than KAV.

    Ultimately, isn't it in-the-wild performance what counts?
     
    Last edited by a moderator: Aug 11, 2005
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    We are not allowed to link to the tests, only the site itself (Av-comparatives rules). You will find it under comparatives: http://www.av-comparatives.org/. :)
    Yes, it's important; how much is debatable. I have never been hit with any so-called "zero-day malware"; what I do get hit with regularly is trojan downloaders, trojans etc. It will depend on a lot of stuff, your ISP may be covering this already etc.

    Btw. You should also look at the fine print under the proactive test, it says (among other things):

    P.s. Kav will have a proactive defense module in version 6.0, due in Oct/Nov.
     
    Last edited by a moderator: Aug 11, 2005
  7. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Thanks Don Pelotas (I laugh every time I see that name and wonder how many people get its humor) for pointing out that I should not have done what I did; count on my not knowing it was a violation and that I did not do it on purpose.

    At the end of the day, I wonder how best to combat Trojans now that I can no longer count on TDS-3.

    Does anyone know whether ewido is really any better than KAV or NOD32?
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    In my experience, Ewido has never stopped anything in real time that KAV may have missed. The Ewido scanner does pick up some minor types of malware that are not part of KAV's database, such as tracking cookies. Both products are extremely reliable - i.e. a minimal amount of FPs. In contrast, the latest version of CounterSpy gave me many FPs.

    If you have KAV, you probably do not need Ewido, unless you feel better with a bit more backup protection. If you want some additional anti-spyware protection (e.g. tracking cookies), then I would recommend Ewido for this purpose.

    Hope this helps,
    Rich
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    And I'm willing to bet PG and RD haven't stopped anything either - but that doesn't mean you should take them off!

    Ewido is extremely good at finding and cleaning what is there, but you can't really expect it to find what is not there! For me it is a valuable additional layer; for others, who are prone to infection, it would be even more desirable.

    I don't doubt there are some people who could surf quite safely with just XP FW and infrequent demand scans from Clamwin; but that set up is not for me!
     
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Me neither, I would have an extremely slow pc in a matter of days..... ;) :D
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi TopperID,

    Realistically, this is the situation:

    KAV 5.0 already stops about 99% of the malware out there - so it is going to be very difficult for any product to add significant incremental protection, especially if it is signature-based. There are AV products out there that do not have KAV's extensive database, and Ewido can probably add some reasonable incremental protection to those configurations.

    Ewido is stronger in certain areas than KAV, and I have mentioned that. But, if I had KAV and nothing else, I would probably add some HIPS protection (e.g. ProcessGuard, Online Armor), before I purchased Ewido, since HIPS provides a "different" kind of protection, that in a way overlaps with KAV, but is also quite different (behaviorally-based).

    I purchased Ewido, before I purchased KAV and ProcessGuard, and have always been exceptionally happy with the product. But in terms of priorities, I think a KAV user can do other things to a system that may provide additional protection in a different sort of way. However, I would not dissuade anyone from purchasing Ewido, if they felt it was the kind of security product that they wanted - i.e. memory process scanning anti-malware software to backup KAV or any other AV.

    Rich
     
  12. dog

    dog Guest

    Rich, as a previous user of KAV how can you possibly say KAV has a minimal amount of FPs? With the extended DB KAV flags many items as 'riskware' that it shouldn't, and I'm not referring to things like mIRC, which should be flagged with this accordingly, to make the user aware of the risks. But for example what about last month when they flagged every 'unwise uninstaller' :rolleyes: ... it was detections like this that prompted me to uninstall KAV and put me off for good - I got tired of masking all these entries. They don't seem to know when to draw the line sometimes. :doubt: I'm not in any way saying KAV isn't a good product, it is one of the best on the market ... but IMO they need to be more discerning with what signatures they add to the DB and not add detections for the sake of adding them.
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi dog,

    I am a current user of KAV Pro 5.5. Are you referring to the standard, extended or redundant database?

    Are you saying that KAV is incorrectly labeling certain modules as "riskware"? I agree that KAV's definition of riskware may not be clear to users, and could certainly create unneeded concerns among users who are not familiar with KAV's notion of "riskware", and why certain modules may be being flagged as "riskware". I think this goes into the rather iffy ergonomics of KAV - which I believe is its weak point.

    Rich
     
  14. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Thank you Richrf for your many comments and for pointing out to all of us the existence of Online Armor, a program that strikes me as a must-have line of defence.

    Questions: 1. Can Trojans operate without using the registry? 2. If not, why wouldn't RegDefend be among the best approaches to combating this plague?
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi NormanS,

    I think that registry defense software such as RegDefend are good security defense measures, since they protect the operating system from trojans that wish to "instantiate themselves" (permanently install themselves) on a given system. However, a piece of malware can do lots of damage before it ever gets to the point of installing itself in a registry (or other places in a system), and there are types of malware that do not even try to update the registry. So, whereas I really like the protection that RegDefend provides, I think that it may still be "too late" at times.

    I hope this helps answer your question. Others will probably have their own perspective on this matter, which I am also looking forward to hearing.

    Regards,
    Rich
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    In order for a trojan to cause damage it needs to 'run' and install itself. If it doesn't run it is just another useless file; if it does install itself it will make Registry changes.

    If you have Process Guard (full version) you can stop the trojan before it ever gets going - it therefore has no opportunity to change the Registry.

    RegDefend is in that case unnecessary. However RD will be helpful if your browser settings are not tight enough and you hit a malicious site that tries to force changes on you. PG is not designed for that sort of thing - but with the right browser settings RD is not as valuable as PG.
     
  17. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    What you say, TopperID, contradicts what Richrf said, doesn't it?

    We would all benefit from a dialogue between you two to get a better handle on Trojans; meanwhile, I have downloaded Online Armor.

    By the way, with respect to PG, I have not checked the Execution Protection on the grounds that it complicates life, or so I recall having read. Is not checking Execution Protection an error?
     
  18. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    What is the effective difference between running Process Guard with Execution Protection and Online Armor?
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For malware to work, it has to be run (and rerun every time the infected computer is restarted). Therefore most malware make Registry changes to ensure that they are run on startup (see the Registry Monitor comparison thread for details on the many different ways in which this can be done).

    However it is also possible to run a program on startup without touching the registry either via the legacy win.ini/system.ini files or by modifying an existing file normally run on startup (e.g. userinit.exe) to include a copy of the malware. RegDefend would (obviously) not cover these but other security software would (e.g. System Safety Monitor does check the .ini files and will also give an alert if a program has been modified - Process Guard will also alert if a program has been modified with Execution Protection enabled).
     
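    The two posts above (TopperID's point that an installed trojan has to change the Registry to survive a reboot, and Paranoid2000's reply that win.ini/system.ini entries or a patched startup binary such as userinit.exe achieve the same without touching the Registry) describe three persistence paths that a registry-only defence covers unevenly. The following script is an added example written for this page, not code from the thread, from DiamondCS, or from any product named here. It audits all three paths offline: it parses a .reg export for Run/RunOnce values, reads win.ini load=/run= and system.ini shell=, and compares a startup binary's SHA-256 against a baseline. All inputs (the .reg text, the .ini text, the "userinit.exe" bytes, the allowlist and the baseline hash) are constructed for the example; on a real system you would feed it a regedit export, the real .ini files and a known-good hash.

    ```python
    """Added example: offline audit of the autostart locations discussed in the thread.

    Covers Registry Run/RunOnce values (from a .reg export), the legacy win.ini
    load=/run= and system.ini shell= entries, and a hash check of a startup binary
    (stand-in for userinit.exe). Every input below is constructed for the example.
    """
    import configparser
    import hashlib
    import re
    from typing import Dict, List, Set, Tuple

    # Key paths that end in ...\CurrentVersion\Run or \RunOnce are autostart keys.
    RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
    REG_KEY_RE = re.compile(r"^\[(.+)\]$")
    REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


    def parse_reg_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
        """Return (key, value_name, data) for each value under a Run/RunOnce key."""
        entries = []
        current_key = None
        for raw in reg_text.splitlines():
            line = raw.strip()
            key_match = REG_KEY_RE.match(line)
            if key_match:
                # Only track values while we are inside an autostart key.
                current_key = key_match.group(1) if RUN_KEY_RE.search(key_match.group(1)) else None
                continue
            value_match = REG_VALUE_RE.match(line)
            if value_match and current_key:
                # .reg exports write backslashes as "\\"; undo that for path matching.
                data = value_match.group(2).replace("\\\\", "\\")
                entries.append((current_key, value_match.group(1), data))
        return entries


    def parse_ini_autostarts(win_ini: str, system_ini: str) -> List[Tuple[str, str]]:
        """Return (location, value) for non-empty win.ini load=/run= and system.ini shell=."""
        found = []
        win = configparser.ConfigParser(interpolation=None)
        win.read_string(win_ini)
        for key in ("load", "run"):
            value = win.get("windows", key, fallback="").strip()
            if value:
                found.append((f"win.ini [windows] {key}=", value))
        sysini = configparser.ConfigParser(interpolation=None)
        sysini.read_string(system_ini)
        shell = sysini.get("boot", "shell", fallback="").strip()
        if shell:
            found.append(("system.ini [boot] shell=", shell))
        return found


    def audit(reg_text: str, win_ini: str, system_ini: str,
              binaries: Dict[str, bytes], baseline: Dict[str, str],
              allowlist: Set[str]) -> List[str]:
        """Flag autostart entries outside the allowlist and startup binaries whose hash changed."""
        findings = []
        for key, name, data in parse_reg_run_entries(reg_text):
            if data.lower() not in allowlist:
                findings.append(f"registry autostart not in allowlist: {key}\\{name} -> {data}")
        for location, value in parse_ini_autostarts(win_ini, system_ini):
            # Assumption for the example: the only expected shell= value is explorer.exe.
            if location.endswith("shell=") and value.lower() == "explorer.exe":
                continue
            findings.append(f"legacy autostart: {location} {value}")
        for name, data in binaries.items():
            digest = hashlib.sha256(data).hexdigest()
            if baseline.get(name) != digest:
                findings.append(f"startup binary modified: {name} sha256={digest}")
        return findings


    # ---- Constructed sample data (not taken from any real machine) ----
    SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE"
    "updater"="C:\\WINDOWS\\Temp\\updater.exe -q"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
    "ShellState"="irrelevant"
    """
    SAMPLE_WIN_INI = r"""[windows]
    load=
    run=C:\WINDOWS\Temp\helper.exe
    [fonts]
    """
    SAMPLE_SYSTEM_INI = """[boot]
    shell=explorer.exe helper.exe
    [drivers]
    wave=mmdrv.dll
    """
    CLEAN_USERINIT = b"MZ\x90\x00 constructed stand-in for userinit.exe"
    BASELINE = {"userinit.exe": hashlib.sha256(CLEAN_USERINIT).hexdigest()}
    ALLOWLIST = {"soundman.exe", r"c:\windows\system32\ctfmon.exe"}


    def run_sample_audit(tampered: bool) -> List[str]:
        """Run the audit on the constructed data, optionally with a patched userinit.exe."""
        binary = CLEAN_USERINIT + b" appended code" if tampered else CLEAN_USERINIT
        return audit(SAMPLE_REG_EXPORT, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI,
                     {"userinit.exe": binary}, BASELINE, ALLOWLIST)


    if __name__ == "__main__":
        for finding in run_sample_audit(tampered=True):
            print(finding)
    ```

    On the constructed data the audit reports four findings: the Temp-directory Run value, the win.ini run= entry, the modified system.ini shell= line, and the hash mismatch on the stand-in userinit.exe. Only the first of these is something a registry monitor would see; the other three are the cases Paranoid2000 points out, which is why a file-integrity check belongs beside the registry check.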
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi NormanS,

    Here is Mike Nash's (spokesperson for Online Armor on this board) answer to a similar question that I posed on the Online Armor thread:

    I am not sure whether Online Armor has implemented the same rootkit and service/driver protection as ProcessGuard. What I do very much like about PG is its "transparency and configurability". Ditto for RegDefend. That is, I can add or subtract protection through the PG interface, as is warranted. Mike has indicated that in a future version he may add this transparency/configurability via an "Advanced User Interface". Also, ProcessGuard (as the name implies) protects programs from unauthorized termination (though many security programs nowadays are self-protecting).

    I should also add, that dll's and exe's are but some of the ways that trojans and other malware can access a computer. Another way is via scripts. So I have WormGuard running on my system to protect against unauthorized script execution. Other users on this forum have discussed other ways to protect against scripts.

    Regards,
    Rich
     
  21. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I feel that the supplementary protection offered by OA is far less valuable to me than the powerful protection offered by PG and RD. So, at the moment, OA is not for me.

    I run Zone Alarm Pro, which blocks scripts, active X, java etc, and that, together with my browser settings and KAV's script blocking potential, means I feel absolutely no need for WormGuard - you can't put on everything can you! (I use browser based email BTW).
     
  22. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Steve, I don't know how long it is since you used Kaspersky or what version, but as a present user of Kaspersky I have had one detection of the kind you mention with the extended bases: a component of Spy Sweeper called MadCodeHook. This one, along with a number of other of these detections, has been moved to the redundant bases (formerly the supersecure bases); these bases are not available to the public anymore despite many users wanting them, which is good, they are totally useless to the home user.

    Another thing is that if a user in fact had a riskware detection, then in the later versions of Kaspersky you can add these to the exclusions list directly from the riskware warning, but as I said, I have only used it once.

    So Rich is in fact correct when he says that the FPs from the extended are minimal, and riskware detections too, and I'm also sure that no one forced you to use the extended when you used Kaspersky; the standard would have been more than adequate, if this was really what annoyed you to the point of replacing it.

    I guess it's a matter of temperament. :)
     
  23. dog

    dog Guest

    Sorry Don, I'd have to disagree ... I was just talking about the regular 'extended' DBs (BTW it's been less than a month - which I thought would be clear as I did say in that original post - "... for example what about last month when they flagged every 'unwise uninstaller'") ... I think it's clear what I believe the issue is in my original post, but again I'm not saying KAV isn't a great product, it is ... but they do need to be more discerning of what they add to their database. An experienced/advanced user won't have any issue with taking the appropriate action with these detections, but will a more novice user? ... Wouldn't it be a mess if they in fact, for example, quarantined those installers/uninstallers, which by default are deleted after 30 days ... causing unnecessary grief and work to remedy the issue, should they (a novice user) need to uninstall those apps. That signature should have never been added to the DB; the fact that they removed that detection after the matter just isn't good enough. To me they seem too concerned with adding detections, rather than properly discerning what should and shouldn't be added.

    Steve
     
  24. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Sorry Steve, but i have to disagree too. ;)

    Maybe I'm a little slow (quite possible :D), but could it not be that you had just read about the 'unwise uninstaller', which btw was a mistake/FP? I'm quite sure that your present choice of AV has a number of these every year too.
    I use a number of AV/ATs (although almost only Kav as AV) and every single one of them has detections they shouldn't have detected; they are then removed, and that "just isn't good enough"?

    As i see it you learn from your mistakes, & you correct them.

    Most novices don't even use the extended, because they don't know it's there; the standard is default, and if a novice should happen to find them, he/she is then confronted with a warning that some applications may be flagged as "potentially dangerous" and that they are advised not to use auto cleaning/deleting when using the extended.

    A riskware detection warning will have these options:
    http://img360.imageshack.us/img360/7302/259th.png

    Now if they choose to delete it, then they can restore it from backup very easily.

    I agree they should/are; they may to you be adding too much, but again you are not forced to use the extended, it's an option that you choose to use or not use.

    The standard bases are more than enough for a user with "normal" surfing habits; they contain 134800 sigs ATM, the extended will add 8300 sigs of adware/spyware and the riskware detections you refer to.

    Over 1000 were btw removed a short while ago and immediately some users were complaining & wanted them back, so being "more discerning" as you put it can be difficult when you want as many users to be happy as possible. :)
     
  25. dog

    dog Guest

    No, I've never read anything about it ... I experienced it. ;) I also know it was corrected ... again this is first-hand knowledge through my experience. The reason they added this signature was flawed, as well as their flagging of other various re-boot tools some installers utilize.

    You seem to think I'm trying to slag KAV, I'm not. It is an outstanding AV, in my books one of the top two/three. I'm only saying the one thing they could really improve is their selection criteria. In all honesty you know KAV detects things no other AV chooses to - for proof all you need to do is submit files to other vendors that KAV has flagged and look at what results. :doubt: With that said, I recommend KAV to many people as well as the other two that make the top three in my books ... it has great unpackers, the largest DB, frequent updates ... it's a very good product. But bumping the signature count shouldn't be a focus, to merely increase the number. There's already the cat and mouse game of modifying the code of malware to slip it past detection and the counter move to add signatures for them as they appear, which KAV does do very quickly. If the user base wants these detections, that's still KL's choice to add them or not. To me, I see this as a con not a pro, that's all. ;) It's just my constructive criticism, nothing is perfect.

    I'm not a fan boy of any AV product, they're all quite good. The products I like are based on personal experience ... I never take anything that's written about anything at face value, I always investigate things further both through experience and also considering the knowledge of various sources from both sides of the coin. I won't ever spout popular opinion for the fact it's popular ... I'm no sheep. ;)

    Best Regards,

    Steve
     