Only 6 Real AV's !

Discussion in 'other anti-malware software' started by CloneRanger, Mar 28, 2014.

Thread Status:
Not open for further replies.
  1. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Great link, the bottom graph with average detection rates actually fits with how I see the various AV/AM programs out there - so it's always lovely to have your biases confirmed :D
     
  2. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Does MBAM/Immunet offer anything more than Appguard alone?

    I've gotten to the point where MBAM is my only resident security product, and only as a "just in case" thing. I've not been able to get one of my machines infected despite having no security other than a limited attack surface and a hardware firewall, so I'm feeling as though it's more difficult to get infected with a sensible setup.

    On my current work machine, I've been meaning to set up a config for Sandboxie that won't limit productivity, but I never get around to it as the cost:benefit currently looks skewed. The most I use Sandboxie for is opening up a second VLC window, so I don't lose my place in the first!
     
  3. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Agreed - generally speaking. MBAM is quite fantastic. (1,75... LOL)

    Appguard lowers the attack surface so much, it's probably fine as a general rule; however, keep in mind you can still be snagged on installations with it. Given Immunet3 uses under 50 MB of RAM total - including services - and offers absolutely no weight/drag to the system, I think it's prudent to toss it on as a final opinion layer. I like to use a lot of HTTP/S malware databases, which eliminates a tremendous amount of issues. SOHO security appliance w/database, malware DNS, etc. All of those seem to 'dramatically' lower attack surfaces, and offer little to no drag on a system. Adguard's Malware Database alone has snagged 62 potential malware sites on my machines here - in the last 14 days. That's a lot of malware stopped at the gate. That doesn't include the COMMTOUCH logs from my SOHOR.

    Sensible setup wins. No need IMO to toss 15 security products on a machine. It gets ridiculous with some of these security setups people run around here, almost OCD-level compulsiveness. Find a good sensible setup that works, and move on with life. Right?
     
  4. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    ROFL, Symantec as a real AV! Is this posted in the funny section?
     
  5. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Symantec has been around almost longer than most AVs, so I'd say yes, lol.
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    What about errors in the coding?
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Symantec is great. Top tier vendor. :thumb:
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    CRDF is unreliable. The way it works is that they query VT to see if they have seen a file before and, if so, get the last scan results.

    The problem with that approach is that malware or files that have never been seen on VT won't be included in the results, because CRDF does not submit any files to VT. One could argue that those are the most interesting ones, as they are more likely to be new malware.

    If files have been submitted before, no rescan is issued. That means, the scan results they use for the statistics can potentially be days or even weeks old.

    Their sample set also contains a ton of PUPs. I can't talk for other companies, but we specifically asked VirusTotal not to enable the PUP detection. It just saves us a ton of hassle having to deal with PUP companies all day, as most of them just check if their crap is detected on VT. Out of curiosity I downloaded their samples for February and March (12,756 files in total, 1,270 of which aren't PE EXE files) and just judging by the digital certificates and version info alone at least 6,800 of the remaining 11,486 executable files are PUPs.

    We talked to CRDF in the past, to maybe provide some more details in their statistics, but in their opinion these statistics shouldn't be used by anyone, so they have no intention to fix them.
     
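    As an added illustration (not code from the thread, from CRDF or from VirusTotal), the following Python model reproduces the statistic described above: a query-only aggregator that reads cached VT-style reports, never submits files, never rescans, and counts PUPs as malware. The engine names, the sample set, the report ages and the PUP labels are all constructed; the point is to see how much of an engine's apparent detection rate is explained by those three choices rather than by its signatures.

    ```python
    from dataclasses import dataclass, field
    from datetime import datetime, timedelta
    from typing import Dict, List, Optional


    @dataclass
    class CachedReport:
        """One sample as seen by an aggregator that only reads cached VT reports.

        All fields are constructed for this illustration.
        """
        sha256: str
        is_pe: bool
        looks_like_pup: bool            # label assumed from signer / version info
        last_scan: Optional[datetime]   # None: never submitted to VT, so no report
        detections: Dict[str, bool] = field(default_factory=dict)  # engine -> hit


    @dataclass
    class RateSummary:
        scored: int               # samples that actually entered the statistic
        never_seen: int           # dropped because VT has no report at all
        stale: int                # reports older than max_age (counted when max_age set)
        pups: int                 # reports whose sample looks like a PUP
        rates: Dict[str, float]   # engine -> fraction of scored samples detected


    ENGINES = ["EngineA", "EngineB", "EngineC"]   # hypothetical engine names
    NOW = datetime(2014, 3, 28)                    # constructed reference time
    MAX_REPORT_AGE = timedelta(days=7)             # assumed freshness threshold


    def _days_ago(n: int) -> datetime:
        return NOW - timedelta(days=n)


    # Constructed sample set. EngineC stands for a vendor that asked VT not to flag PUPs.
    SAMPLES: List[CachedReport] = [
        CachedReport("s1", True, False, _days_ago(1),
                     {"EngineA": True, "EngineB": True, "EngineC": True}),
        CachedReport("s2", True, False, _days_ago(20),      # stale report
                     {"EngineA": True, "EngineB": True, "EngineC": False}),
        CachedReport("s3", True, True, _days_ago(2),        # PUP
                     {"EngineA": True, "EngineB": True, "EngineC": False}),
        CachedReport("s4", True, True, _days_ago(3),        # PUP
                     {"EngineA": True, "EngineB": False, "EngineC": False}),
        CachedReport("s5", True, True, _days_ago(30),       # PUP, stale
                     {"EngineA": True, "EngineB": True, "EngineC": False}),
        CachedReport("s6", True, False, None, {}),          # never seen on VT
        CachedReport("s7", False, False, _days_ago(1),      # script, not PE
                     {"EngineA": False, "EngineB": True, "EngineC": True}),
    ]


    def detection_rates(samples, engines, *, exclude_pups: bool = False,
                        max_age: Optional[timedelta] = None,
                        now: datetime = NOW) -> RateSummary:
        """Per-engine detection rate over cached reports.

        With the defaults this mirrors a query-only aggregator: samples without a
        report vanish from the denominator, old reports count as current, and
        PUPs count as malware. exclude_pups and max_age show how much of the
        ranking those two choices explain.
        """
        scored: List[CachedReport] = []
        never_seen = stale = pups = 0
        for s in samples:
            if s.last_scan is None:
                never_seen += 1          # no report to read: silently excluded
                continue
            too_old = max_age is not None and (now - s.last_scan) > max_age
            stale += too_old
            pups += s.looks_like_pup
            if too_old or (exclude_pups and s.looks_like_pup):
                continue
            scored.append(s)
        rates: Dict[str, float] = {}
        for e in engines:
            hits = sum(1 for s in scored if s.detections.get(e, False))
            rates[e] = hits / len(scored) if scored else 0.0
        return RateSummary(len(scored), never_seen, stale, pups, rates)


    if __name__ == "__main__":
        naive = detection_rates(SAMPLES, ENGINES)
        strict = detection_rates(SAMPLES, ENGINES, exclude_pups=True,
                                 max_age=MAX_REPORT_AGE)
        for label, summary in (("query-only", naive), ("fresh, no PUPs", strict)):
            print(f"{label}: scored={summary.scored} never_seen={summary.never_seen} "
                  f"stale={summary.stale} pups={summary.pups}")
            for e, r in summary.rates.items():
                print(f"  {e}: {r:.0%}")
    ```

    Running it with the constructed data, the engine that declines PUP detection on VT scores 33% under the query-only rules and 100% once PUPs and week-old reports are set aside, while the sample that was never submitted to VT is missing from both denominators. Anyone comparing engines on such numbers should at least report the never-seen count, the report age distribution and the PUP share of the set alongside the rates.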
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    My opinion as to what is being said in this thread: http://www.kernelmode.info/forum/vie...94fa9dfbfdaae9 is that if I wanted to ensure the malware submitted to VT was properly identified, I would use the ID given by one of the 6 AV companies mentioned. I can't really fault that, since all those companies have large research operations to identify and develop signatures.
     
  10. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Shouldn't you proactively go after PUPs anyway? I consider PUPs malware, to be honest, and have seen machines taken to their knees by PUPs. I believe most people want them blocked. MBAM is great against PUPs, which is why I think it is a crucial layer these days. CLAM is actually pretty OK with PUPs, and Immunet3 seems to be getting better against PUPs.

    I think there is a fine line between malware and PUPs, and that line becomes very blurry once you start messing with OpenCandy and Conduit crap.
     
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    We do quite well when it comes to PUPs, even though we approach PUP blocking slightly differently (we usually try to avoid blacklisting setups containing PUPs, as the user may want to use the software the PUP is bundled with, and target only the PUP installer contained within the setup). That doesn't change the fact that if your statistic relies on VT results and your test set contains roughly 60% PUPs, we will always look bad, simply because we asked VT not to enable PUP detection :).
     
  12. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Interesting thing I found. Immunet actually allows the 'setup' of a PUP-laden product to continue after it nixes the PUP, basically stopping any integration of the PUP while allowing the PUP-laced application to continue to install. I was recently installing a 'free' AVI to MP4 converter program, and it was laced with FOUR PUPs; all of them were blocked by Immunet, but the program itself was installed just fine.
     
  13. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I'd include Bitdefender, McAfee, and AVG: All these brands have native engines.
     
  14. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    If you read the reply properly, he was talking only in the context of VT results:
    only from that AV list. If an AV engine on VT doesn't pick up the sample, it doesn't mean it's undetected. VT just uses the basic scan engine.

    If the AV doesn't detect the binary, there are even URL blockers and web protection in an AV which can block the URL if it's on their blacklist. A lot of AVs block the URL first and then process the binary, because in the real world no one cares. They only care about protection.

    There are even on-execution detection technologies like evo-gen in Avast which don't come up in VT; they only work with the full product. Cloud protection!?

    Sandbox,behaviour blocker etc...

    EP_XOFF was just concerned with VT; he was only talking about scan engines in VT, not the real world.

    Yes, a lot of AVs copy detections and don't process a sample themselves. I reckon this:
    http://www.theregister.co.uk/2010/02/10/kaspersky_malware_detection_experiment/

    And luckily a lot of AVs fell for the trap. So yes, if one detects, the others see it and add detection without processing. VirusTotal is unreliable as the source of detection. EP_XOFF was only talking about VT, NOT real products.
     
    Last edited: Apr 7, 2014
  15. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Recently the Wired website was infected; Google Chrome was the only browser flagging the website as harmful. I copied the URL of the website and pasted it into VT and found out that Google Safe Browsing, CRDF, Bitdefender and 1 more were showing the website hosting a malicious script which redirects to another website carrying a virus. So to those who say that CRDF is not reliable: I think it is reliable.
     
  16. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Interesting! Which is why I have Google's scanning enabled under Adguard. It's a good layer, and when something is flagged, I know it's malicious. I have all of the 'extra' scanning options turned on with Adguard, and stacked with the other IP/HTTP/S scanning, it's pretty solid. Solid enough to not even use an AV? Close.
     