October 2010: 15 antimalware 0-day (exploits) test

Discussion in 'other anti-virus software' started by ELWIS1, Oct 18, 2010.

Thread Status:
Not open for further replies.
  1. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    Test Methodology:

1. I used 20 real 0-day hazards (the latest threats you can meet on web pages). I tested only the exploits themselves, to potentially secure pages.
    12 exploits were from Polish sites, the others from abroad. All anti-viruses were tested on the same samples.

2. Due to the difficulty of locating exploits and the inability to install many
    anti-viruses at the same time, I tested at UrlVoid.com, because on this
    site the antivirus engines use heuristics. The only exception here is probably
    Panda, which failed to detect any file. However, as we know from various tests, it is weak in detecting scripts and exploits.

3. The test was conducted on Windows XP with Mozilla Firefox 3.6.10.
    The winner is the one that discovered the most.

4. Although I have tested tens of thousands of malware samples in my career, I am not a
    professional.

    Winner?

1. Avira, Avast 16/20 (80%)
    2. F-prot 13/20 (65%)
    3. AVG 12/20 (60%)
    4. Kaspersky 10/20 (50%)
    5. Emsisoft, Nod32, Virus Buster, ClamAV 9/20 (45%)
    6. BitDefender 8/20 (40%)
    7. Drweb 7/20 (35%)
    8. Trend Micro 6/20 (30%)
    9. VBA32 5/20 (25%)
    10. Comodo 1/20 (5%)
    11. Panda 0/20 (0%)

On the Polish sites, free Avira coped best, detecting 11 of 12 exploits.
    A surprise to me is the position of F-prot. One exploit was not detected by any antivirus program.
     
    Last edited: Oct 18, 2010
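The scoring in the post above (count per engine out of N samples, a percentage, tied engines sharing one rank, the samples nobody caught, and a per-region split such as "11 of 12 Polish exploits") is plain bookkeeping, but it is where slips such as the original 0.05%-for-1/20 come from. The script below is an added example and is not the poster's code or data; the engine names, sample ids and verdicts are constructed, and the ranking rule (dense ranking: ties share a rank, the next distinct score gets the next integer) is the one the table above uses.

```python
"""Tabulate a multi-engine on-demand detection test.

Added example, not from the thread. Everything here is constructed:
sample ids, regions, engine names and verdicts. The functions reproduce
the arithmetic behind a results table such as the one in the first post.
"""
from collections import defaultdict

# Constructed sample set: sample id -> region ("PL" = Polish site, "XX" = abroad).
SAMPLES = {
    "s01": "PL", "s02": "PL", "s03": "PL", "s04": "PL",
    "s05": "XX", "s06": "XX", "s07": "XX", "s08": "XX",
}

# Constructed verdicts: engine -> set of sample ids it flagged.
VERDICTS = {
    "EngineA": {"s01", "s02", "s03", "s04", "s05", "s06"},
    "EngineB": {"s01", "s02", "s03", "s04", "s05", "s06"},
    "EngineC": {"s01", "s02", "s05"},
    "EngineD": {"s01"},
    "EngineE": set(),
}


def detection_rate(detected, total):
    """Return (count, percent) for a count out of total; percent is 0..100."""
    return detected, round(100.0 * detected / total, 1)


def rank_engines(verdicts, samples):
    """Return [(rank, engine, detected, percent)] ordered best first.

    Ties share a rank and the next distinct score gets the next integer
    (dense ranking), which is how the forum table is laid out:
    '1. Avira, Avast 16/20', '2. F-prot 13/20', ...
    """
    total = len(samples)
    counts = {e: len(hits & set(samples)) for e, hits in verdicts.items()}
    scored = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    rows, rank, last = [], 0, None
    for engine, n in scored:
        if n != last:
            rank += 1
            last = n
        rows.append((rank, engine) + detection_rate(n, total))
    return rows


def undetected_by_all(verdicts, samples):
    """Samples no engine flagged ('one exploit was not detected by any AV')."""
    seen = set().union(*verdicts.values()) if verdicts else set()
    return sorted(s for s in samples if s not in seen)


def per_region(verdicts, samples):
    """engine -> {region: (detected, total)} for the regional breakdown."""
    regions = defaultdict(list)
    for sid, region in samples.items():
        regions[region].append(sid)
    out = {}
    for engine, hits in verdicts.items():
        out[engine] = {r: (len(hits & set(ids)), len(ids)) for r, ids in regions.items()}
    return out


def format_table(rows, total):
    """Render rows the way the thread lists them: '1. EngineA 6/8 (75.0%)'."""
    return "\n".join(f"{rank}. {eng} {n}/{total} ({pct}%)" for rank, eng, n, pct in rows)


if __name__ == "__main__":
    print(format_table(rank_engines(VERDICTS, SAMPLES), len(SAMPLES)))
    print("missed by every engine:", undetected_by_all(VERDICTS, SAMPLES))
    print("per region:", per_region(VERDICTS, SAMPLES))
```

Feeding it real verdicts is a matter of filling `VERDICTS` from whichever multi-scanner report you have; the point of keeping the per-sample sets rather than just totals is that "which sample did everyone miss" and the regional split fall out for free.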
  2. OlegSych

    OlegSych Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    43
    Location:
    Kiev, Ukraine
I think 1/20 is 5%, not 0.05%.
     
  3. SergM

    SergM Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    236
    Location:
    Saint-Petersburg Russia
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
No Symantec, e.g. NIS 2011?
     
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Always surprises me that the Dr Web team always quote Shadowserver to support the detection rates of their AV.

    After all this is a honeypot site which is well known for their corrupted files and there is also no testing for functionality; problems which they say made them pull out of participating on some of the better known testing sites.
     
  6. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Not only that, the versions of AV engines are quite old.

    Coming back to the topic, Panda scored well in AV-Comparatives. Here it is trailing behind Clam AV!
     
  7. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    377
    Without Norton, this test is not very interesting for me.

    By the way, is this a dynamic or merely an on demand test?
     
    Last edited: Oct 18, 2010
  8. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
OlegSych, thanks. Yes, this is 5% :)

    Hawki, Smage:

I tested Norton previously and it reached a very good result. Norton, Avira, AVG and Avast block exploits best on Polish sites. On foreign sites Trend Micro is best.
    This test is on-demand only.

    Arin:

Yes, Panda has excellent results in AV-Comparatives, but its problem is in detecting scripts.
     
  9. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
VT detects "suspicious file", and on URLVoid Panda's heuristics do not work.

I checked the exploit from 13/10/2010 and Panda did not detect anything on VT.

    MD5: 3cefc1ac30357e0265bbd6d635d5bc62
     
  10. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Hmm... looks like it. Panda outscored only K7 and Rising in AV-Comparatives test for detecting malicious scripts. I'm noticing this for the first time.

As a separate request, can you please test F-Secure's Exploit Shield, Norman's Exploit Blocking and Trend Micro's Browser Guard?
     
  11. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,447
    Location:
    Mumbai
Can you test MSE too, please? :thumb:
    Then we will know the position of the free AVs.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Only 20 tested and they all did like crap. AV industry, you have problems. Regardless of how you break down the testing, it only shows that when it comes to fighting malware, the industry is crying out for a new way to fight it.

    Avira missed 20 percent at best, so if 5000 had been used 1000 would have been missed. That totally sucks.

    What is needed is the ability to isolate all internet facing apps that if needed to write to your pc, are checked in a manner to ensure for no malware. Meaning what writes may be delayed.

Why oh why do some of these so-called specialty malware vendors not join forces? Sandboxie, DefenseWall, Prevx and others hold the key, but they have got to assist each other in creating the product, then reap the rewards.

    2011, yeah, the year of the malware epidemic I am starting to think. Hold tight to your wallet. More later....
     
  13. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,


    I still don't quite understand the meaning of the so called 0-Day Exploits.
    What's that supposed to mean? Some malware URLs at MDL posted today's date?
    How come AV vendors knowing about those sites that keep updated lists of malicious URLs don't keep on their toes and monitor them constantly for new and undetected malware samples?

Almost every day I submit malware samples to AV vendors gathered from fresh URLs published on those sites that keep track of those nefarious domains known to distribute malware and, to my surprise, many of these samples submitted go UNDETECTED. Although doing this doesn't bother me at all, I always ask myself why the heck the AV company[ies] I submit those malware samples to don't spend some time monitoring those lists by themselves if they have the money and the manpower to do so. Is that so difficult to accomplish?

I will never understand why AV companies with access to those lists fail in a disgraceful way at these kinds of tests, whereas I, with just tools like a computer, an internet connection and Googling, can find things that aren't so hard to find.

    o_O o_O o_O



    Carlos
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Zyrtec

    Hi

I've often wondered that myself, why they don't? If they do, they aren't making the most of them :(
     
  15. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
This test is meaningless or not very useful: they use old versions for many of the AVs and only use definitions and heuristics; what about all the other technologies?

I'm going to quote what VirusTotal, Prevx and almost any AV vendor think about this kind of test:

    http://blog.hispasec.com/virustotal/22
    http://www.prevx.com/blog/106/Why-using-VirusTotal-for-AV-testing-is-a-bad-idea.html

    @ELWIS1 can you send me by pm the 20 websites that you used please?
     
    Last edited: Oct 19, 2010
  16. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,447
    Location:
    Mumbai
    Was avira on high heuristics or normal ?
     
  17. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
Dear lordraiden, you're absolutely right about what Prevx thinks. I think so too, but only for infected exe files, PDFs, etc. Here I tested infected sites, and you know how hard it is to locate the file.

Of course, I would like to test on 15 machines at the same time, but this is impossible. So I tested on UrlVoid, where, for example, Kaspersky uses heuristics, and on VirusTotal it does not.

What about the fact that Trend Micro or Norton blocks a malicious website which is an exploit? If you get such a file onto a flash drive, there is a good chance it will not be detected.

The sites I do not remember. Thanks for your feedback.

    The Champ:

I don't know, I use UrlVoid. Write to Avira and then you will have your answer :)
     
  18. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
Sorry, maybe I was a bit hard. First, thanks for your effort; I guess this is better than nothing ;)
     
    Last edited: Oct 19, 2010
  19. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,447
    Location:
    Mumbai
Thanks for answering.
     
  20. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    And URLVoid uses Kaspersky 9.0.0.736 while VirusTotal uses Kaspersky 7.0.0.125. Kaspersky at VirusTotal detects 3/3 while at URLVoid 0/3.

    MD5: b89da1f4fdf74f88fbd72314c6b3f469
    MD5: 6fd50febbfe6b4b5f396cbb6f0a6f512
    MD5: beb576bfdc3c823edc06079918c58823

    o_O
     
  21. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    URL Void is most likely using a Linux CLI while VT is using Windows. That or they have the engines set up differently.
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
Possibly because such lists change very frequently. Many of the domains change and so too does the malware. Some domains are even fast-fluxing, meaning they change direction very quickly, so by the time a URL is added to an AV's database it is no longer in use. It is a difficult nut to crack.
     
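The churn TonyW describes is visible from the defender's side: a fast-flux domain answers with a different set of addresses, spread over unrelated networks, on short TTLs, so an IP or URL captured into a blocklist is stale almost immediately. The script below is an added example and is not from the thread; it summarises constructed resolver log lines (the log format, the /16-prefix proxy for "unrelated networks" and the thresholds are all assumptions of this example) and flags domains whose answer churn looks like flux while leaving a short-TTL CDN alone.

```python
"""Flag candidate fast-flux domains from passive DNS answers.

Added example, not from the thread. Log format, thresholds and data are
constructed for illustration. The heuristic counts distinct A records and
distinct /16 prefixes per domain and looks at the median TTL; a CDN also
rotates short-TTL answers, but normally inside a few of its own prefixes,
which is what the prefix-diversity check separates out.
"""
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Constructed resolver log lines (format invented for this example).
LOG_LINES = [
    "2010-10-18T10:00:00 domain=flux.example ttl=120 answers=10.11.1.5,10.23.9.7,10.45.2.9",
    "2010-10-18T10:03:00 domain=flux.example ttl=150 answers=10.77.3.2,10.23.9.7,10.98.4.4",
    "2010-10-18T10:06:00 domain=flux.example ttl=90 answers=10.120.5.6,10.11.1.5,10.200.7.8",
    "2010-10-18T10:00:00 domain=cdn.example ttl=60 answers=10.50.1.1,10.50.1.2,10.50.1.3",
    "2010-10-18T10:05:00 domain=cdn.example ttl=60 answers=10.50.1.4,10.50.1.5,10.50.1.1",
    "2010-10-18T10:00:00 domain=static.example ttl=86400 answers=10.60.1.1",
    "2010-10-18T11:00:00 domain=static.example ttl=86400 answers=10.60.1.1",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) domain=(?P<domain>\S+) ttl=(?P<ttl>\d+) answers=(?P<answers>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "domain": m["domain"],
        "ttl": int(m["ttl"]),
        "ips": [ipaddress.ip_address(a) for a in m["answers"].split(",")],
    }


def summarise(lines):
    """domain -> {'ips': set, 'prefixes': set of /16 networks, 'ttls': list}."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["domain"]]
        s["ttls"].append(rec["ttl"])
        for ip in rec["ips"]:
            s["ips"].add(ip)
            # /16 used as a cheap offline stand-in for "different network";
            # with ASN data available you would group by ASN instead.
            s["prefixes"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return stats


def flux_candidates(stats, min_ips=5, min_prefixes=3, max_ttl=300):
    """Return {domain: summary} for domains whose churn looks like fast-flux.

    Thresholds are illustrative; tune them against your own baseline.
    """
    hits = {}
    for domain, s in stats.items():
        n_ips, n_pfx, ttl = len(s["ips"]), len(s["prefixes"]), median(s["ttls"])
        if n_ips >= min_ips and n_pfx >= min_prefixes and ttl <= max_ttl:
            hits[domain] = {"ips": n_ips, "prefixes": n_pfx, "median_ttl": ttl}
    return hits


if __name__ == "__main__":
    for domain, info in flux_candidates(summarise(LOG_LINES)).items():
        print(domain, info)
```

Run over the constructed lines, `flux.example` is flagged (7 addresses across 7 prefixes, median TTL 120) while `cdn.example` is not, despite its 60-second TTL, because all its answers sit in one /16; that is the distinction a URL blocklist cannot make, since it only ever records one snapshot.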