Paper that tests various detection techniques of some antivirus programs on both x86 and x64 malware

Discussion in 'other anti-virus software' started by MrBrian, Aug 24, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From One Packer to Rule Them All: Empirical Identification, Comparison, and Circumvention of Current Antivirus Detection Techniques (2014):
    From the paper:
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    I wonder if it would be possible to implement a decent heuristic for detecting unknown packing methods without running the executable?

    e.g. "This program has a small bit of sensible looking code, followed by several megabytes of stuff that won't disassemble properly, but doesn't look like any known compression format. This means it's probably runtime-encrypted, or compressed with an unknown algorithm, and therefore may be malware."
     
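The heuristic Gullible Jones sketches above, written out as an added example (it is not code from the thread, the paper, or any AV product): a purely static, entropy-based packer detector in Python that never executes the sample. It splits a file into fixed windows, measures the Shannon entropy of each, requires at least one low-entropy window that also has the byte-frequency profile of x86/x64 code (the "small bit of sensible looking code"), and then flags the file only if most of the remaining windows are near 8 bits/byte and the high-entropy region does not begin with a recognised compression header. The thresholds (7.2 and 6.5 bits/byte, 75% of windows, 25% opcode-byte density), the byte sets, and the three sample inputs are all constructed here for illustration and are assumptions, not values taken from the paper.

```python
"""Static packer heuristic: a code-like stub next to a large high-entropy
region that carries no recognisable compression header. Works on raw bytes
only; nothing is executed. Thresholds and samples are illustrative."""
import hashlib
import math
import zlib
from collections import Counter
from dataclasses import dataclass

# Leading bytes of common compression/archive formats (assumed list). A
# high-entropy blob that starts with one of these is more plausibly an
# embedded archive or resource than a packer payload with a private encoding.
KNOWN_COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x78\x01": "zlib",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}

# Bytes that are very common in x86/x64 code: push ebp, mov, call/jmp, ret,
# leave, int3, REX prefix, 0F escape, and the zeros of small immediates and
# displacements. Uniform random data hits this set about 5% of the time;
# real code sits far above the 25% threshold used below (assumed cut-off).
COMMON_X86_BYTES = frozenset(
    [0x00, 0x0F, 0x48, 0x55, 0x83, 0x89, 0x8B, 0xC3, 0xC9, 0xCC, 0xE8, 0xE9, 0xEC, 0xFF])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 4096) -> list:
    """Entropy of each consecutive window; the last window may be short."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_like_x86(blob: bytes, min_ratio: float = 0.25) -> bool:
    """Crude opcode-density test: does this window plausibly contain code?"""
    if not blob:
        return False
    return sum(1 for b in blob if b in COMMON_X86_BYTES) / len(blob) >= min_ratio


def known_compression(blob: bytes):
    for magic, name in KNOWN_COMPRESSION_MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    high_fraction: float  # share of windows at or above high_threshold
    code_windows: int     # low-entropy windows that also look like x86 code


def assess_packing(data: bytes, window: int = 4096, high_threshold: float = 7.2,
                   low_threshold: float = 6.5, min_high_fraction: float = 0.75) -> Verdict:
    profile = entropy_profile(data, window)
    high = [i for i, e in enumerate(profile) if e >= high_threshold]
    code = [i for i, e in enumerate(profile)
            if e < low_threshold and looks_like_x86(data[i * window:(i + 1) * window])]
    high_fraction = len(high) / len(profile) if profile else 0.0
    if not high:
        return Verdict(False, "no high-entropy windows", high_fraction, len(code))
    if not code:
        return Verdict(False, "no code-like window, so no stub to unpack it", high_fraction, 0)
    payload = data[high[0] * window:(high[-1] + 1) * window]
    fmt = known_compression(payload)
    if fmt:
        return Verdict(False, f"high-entropy region begins with a {fmt} header",
                       high_fraction, len(code))
    if high_fraction < min_high_fraction:
        return Verdict(False, f"only {high_fraction:.0%} of the file is high-entropy",
                       high_fraction, len(code))
    return Verdict(True, "code-like stub plus a large high-entropy region with no known "
                         "compression header: probably runtime-encrypted or custom-packed",
                   high_fraction, len(code))


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) for the constructed samples."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


# Constructed samples, not real binaries: a 4 KiB "stub" of repeated x86-like
# prologue bytes, then 64 KiB of payload in three different forms.
CODE_STUB = b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x8b\x45\x08\xc9\xc3" * 256
PACKED_SAMPLE = CODE_STUB + pseudo_random_bytes(64 * 1024)                # unknown encoding
ARCHIVE_SAMPLE = CODE_STUB + zlib.compress(pseudo_random_bytes(64 * 1024))  # zlib header
PLAIN_CODE_SAMPLE = CODE_STUB * 8                                          # no payload at all

if __name__ == "__main__":
    for name, sample in [("packed", PACKED_SAMPLE), ("archive", ARCHIVE_SAMPLE),
                         ("plain", PLAIN_CODE_SAMPLE)]:
        print(f"{name:8s} {assess_packing(sample)}")
```

On a real PE you would run this per section from the section table (the pefile library exposes that) rather than over the whole file, and packers are free to place the stub after the payload, which is why the verdict looks at the entropy profile as a whole instead of insisting on "code first". The false-positive side is the real problem: installers, embedded resources, .NET assemblies with encrypted strings and legitimate protectors all produce the same entropy picture, so a static check like this can only raise a score that emulation or behavioural analysis then has to confirm.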
  3. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    No internet connection means it puts the whole test in question. This test doesn't represent most user scenarios where an always on broadband connection is present when you get infected.
     
  4. Austerity

    Austerity Registered Member

    Joined:
    Jun 21, 2013
    Posts:
    367
    Location:
    Georgia / USA
    No internet connection, Avira not tested...
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Wait what? Where does it mention "no internet connection" anywhere in the paper? Or am I just failing at reading comprehension?
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Based on my limited knowledge and a quick reading of the paper, I've concluded that of all the AVs tested in it, Kaspersky has the best detection techniques.
     
  7. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
     
  8. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Interesting reading, thanks!
     
  9. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    786
    Location:
    255.255.255.255
    That was some good explanation. Good writing.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).
     
  11. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Seems the test was specifically designed not to allow the vendors to counteract the threats presented to their products, i.e. not allowing them to write new signatures, have net access, etc. Seems rather pointless in a way, as it's akin to installing any product and assuming the protection offered on install will suffice for the whole period you use that product with no updates at all. You wouldn't do that, so why test products in an environment they are very, very unlikely to be used in?
     
  12. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    It always seems to come back to Kaspersky being the best overall AV... for like the last decade.

    Too bad it just didn't work well on my system. Maybe I'll try it again on one of my systems one of these days.
     
  13. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Which is a pity because I wouldn't trust Kaspersky with my dog, let alone putting them on my PC with access to all my data.
     
  14. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Well, I don't care. Either N3A or the Russians. I pick the latter for my AV and the former for my OS. Nowhere to hide anywhere in this whole globe.
    Yay!
     
  15. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    You should try it again. The latest v.15.0.1.415 (MR1) is a humongous improvement over previous versions; this particular version corrects and improves the first released build of 2015.

    Another serious contender is F-Secure's latest FS Protection, currently in beta stage. Speed is its middle name!
     
  16. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Conclusion: Kaspersky is the best, as we would expect.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina

    Yep, the beta is very good and light.
     
  18. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Isn't it? It looks like the FS team has really made huge improvements to its code. My old laptop is really fast performing almost every task on Windows 8.1 compared to other AVs.
     
  19. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Kaspersky does not care about your data.


    I just might. Kaspersky just keeps on outperforming year after year. Other AVs come and go, have their 15 minutes of testing fame... and Kaspersky remains on top.
     
  20. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Look for Kaspersky Internet Security 2015 on Youtube. They are doing poorly compared to others.
     
  21. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Somehow I feel like people are missing the point here...
     
  22. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Same thoughts here.

    1. The entire purpose is to test the capabilities and highlight the limitations of an AV's behavioral analysis against obfuscated malware without relying on signatures. That's the reason for cutting off the internet: it would have distorted the results otherwise.

    2. Instead of acknowledging the evasion techniques (I think that is more likely the main subject behind the paper....after all, it comes from Blackhat not AVC), members here are more interested in the list of AVs tested and finding/declaring the 'best' AV. Totally missed the mark IMO.
     