PC Doorguard

Discussion in 'other anti-trojan software' started by Main, May 3, 2003.

Thread Status:
Not open for further replies.
  1. _anvil

    _anvil Guest

    Guys, please don't rate the effectiveness of an AT (or even AV) against trojans by those "Trojan-Simulators" or "GAV-Testfiles." ;)

    Whether a scanner detects those test files depends _only_ on whether the AV/AT vendor has added signatures to their databases or not. That's it.
    And since these two tests are relatively new and far from being as 'recognized' as e.g. "eicar-test", it is absolutely understandable, that most ATs (and AVs, of course) do _not_ detect the files.

    Of course, it would be nice if more vendors would include those tests to their sigs, so that someday there might be another 'eicar-test'. But at the moment, there is no meaning in testing AT/AVs with those tests/simulators. :p
     
  2. Metallica

    Metallica Guest

    I can only come up with three. :oops:
    But these 3 are good enough for me. :)
     
  3. Ph33r_

    Ph33r_ Guest

    From many folks' view you probably do have a valid point; however I totally disagree that it’s meaningless, using the Trojan Simulator done by MISCHEL aka Author of TrojanHunter (who I think highly of even though I don’t use his Anti-Trojan product) I was capable of determining many issues and getting something done about it. Also it offers others the capabilities of testing/exploring and increasing their kn0wledge.
     
  4. _anvil

    _anvil Guest

    @Ph33r_

    Perhaps you misunderstood something: I also like the idea of Magnus' trojan simulator. And yes, you can learn _a bit_ about trojans by it. :)

    But _at the moment_ it is of no real use, when testing AT/AVs (as I explained before.)
     
  5. Ph33r_

    Ph33r_ Guest

    Yes I had misunderstood you, thanks for clearing that up though… ;)
     
  6. Ph33r_

    Ph33r_ Guest

    I hardly would say this Trojan Simulator is relatively new considering it has been existing at least since Wednesday, January 1, 2003. And considering Mcafee has this in its definitions that’s telling you something! And also so far my likeable Anti-Trojan Systems has this thing in its definitions too, so I guess it’s all about being slow and not getting around, to know things like these exist…


    Again I disagree totally as I used the Trojan Simulator to find fault in Anti-Trojan product and reported it and succeeded in getting something done by it… :D
     
  7. _anvil

    _anvil Guest

    Well, eicar-test has been around for several years now _and_ it is published by an independent AV research organization - not by a specific AT vendor, like TrojanSimulator, which was published only few months ago.
    That's a bit different, isn't it? ;)

    Kaspersky and 'slow' with trojans? :eek: :D

    Nice to hear. I've never doubted, that you might be able to find some functionality issues in an AV/AT, which has TrojanSimulator in its sig database. :)

    But actually, I was talking about 'comparison tests', which lead to questions like: "Are PC DoorGuard and Tauscan after that totally useless?" (quote: Firefighter; page three of this thread.)
    For tests like this, TrojanSimulator is in fact "totally useless". ;)
     
  8. Ph33r_

    Ph33r_ Guest

    Hey _anvil

    I didn’t mean any disrespect. :'(
     
  9. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Hi again! Because I am so new using AT:s, what are the folders where for example Trojan Remover or PC DoorGuard have to make their scans? o_O

    I have WinXP Home and my hard disk is divided to two partitions, namely C:\ and D:\, but the Windows is in C:\ and all other programs too? :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  10. Ph33r_

    Ph33r_ Guest

    Right click on its shortcut and go-to Properties in the menu and view “Target:” Field… :D
     
  11. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    I don't know if you understood me right! My purpose was to say that which folders should an AT check, when you have a WinXP Home system? o_O

    Not the whole PC, if I have understood a bit of this kind of software ? :rolleyes:


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  12. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    1) regular checks of process memory (if AT does not support unpacking)[*]
    2) all folders that are not restricted by the user account

    or just the same folders as you check with your av program. :)

    [*]I just want to mention here the importance of these feature again. These days the chances that you'll find an unprepared (packed/crypted/or whatever) (backdoor-)trojan server ITW is rather limited.

    wizard
     
  13. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    Thanks a lot!

    Despite of that I have a Kaspersky engined AV (F-secure 5.41), there are occasions when I'm going to try another, like BitDefender or RAV, as my resident scanner, so I thought it is good to have some AT:s on the background! :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  14. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    If you use a KAV-based AV then the only AT program that could add benefits is TDS-3. Anything else would be just one program too much.

    BitDefender and RAV are both on the way to be fine AV (and partly ATs also). But both are not as good as KAV yet. My advice go for RAV and skip BitDefender if you are unsatisfied with F-Secure.

    wizard
     
  15. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    I'm not disappointed to F-secure's detecting rate. I think, there is no AV in the market that has better malware database than F-secure! Only sometimes I'm so tired to F-Secure's interface. I think it is one of the worst ever! o_O

    If RAV has in the future the same detecting rate as F-secure has now, there is my goal in the AV-market! :D


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  16. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    So why don't you then give AVK 12 pro a try. It features KAV and RAV engines behind a nice more home user orientated interface?

    wizard
     
  17. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    I tried AVK Pro 12, but it was only a German version.
    I have not found an eXtendia AVK Pro full install program anywhere to try free, so I'll use my F-secure until I get that eXtendia AVK Pro!

    Besides, for some strange reason, F-secure has been much better in VB tests than AVK! I can't understand that! :oops:


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  18. controler

    controler Guest

    Does KAV detect Girlfriend 1.35?
    see NOD32 beta thread
     
  19. xor

    xor Guest

    Eugene doesn't care if you buy F-Secure or AVK - but he will be happy if you only buy KAV :D :D :D
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Xor from Firefighter!

    KAV is OK, but not in my WinXP Home system!

    I have KAV some months ago, but too often my system was paralysed by KAV. I couldn't find the reason, my system was all up to date! I have 1 GHz Celeron, 512 Mb RAM and 20 GB hard disk, but too slow with KAV! :mad:

    Besides F-secure has a bit larger (not very much) virusbase thanks to KAV and F-Prot engines. :D

    I had no difficulties in net surfing with F-secure, that's the main reason! :cool:


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  21. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Not looked yet into the NOD32 thread but KAV picks up GF1.35 for sure (I have a sample of that one in my collection ;))

    wizard
     
  22. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Hi everyone. If you have not seen my comments on the other anti-virus software section about the VirusP 5-2003 AV-test, where also 12 AT-programs were within, so here are the results from that test.

    Anti-Trojans detecting rate against 8 943 trojans and backdoors.

    1. 73.42% - Digital Patrol 4.0.65

    2. 55.17% - TDS version 3.2.0

    3. 41.55% - AntiTrojan Shield version 1.0.0.16

    4. 37.20% - Trojan Remover version 5.0.3

    5. 36.21% - PC DoorGuard version 3.0.0.6

    6. 32.01% - PestPatrol version 4.2.0.33

    7. 30.75% - Anti Trojan version 5.5.408

    8. 22.89% - Tauscan version 1.6.0723

    9. 19.53% - The Cleaner version 3.5.3517

    10. 15.87% - Hacker Eliminator (former LockDown Millenium) version 1.2

    11. 7.31% - Trojan Hunter version 3.5.707

    12. 6.79% - IP Armor version 5.40.0112

    It isn't very important, how many percents the best AT-product detected, because those 8 943 trojans and backdoors were originally identified by at least 1 of 4 different AV programs, either Kaspersky, McAfee, RAV or F-Prot randomly. I think it is only the ranking, that matters.

    What was very new to me, that AntiTrojan Shield 1.0 was on the third and Trojan Remover 5.0.3 on the fourth place. But the biggest surprise was of course the winner, Digital Patrol 4 !!!

    When I looked inside the AntiTrojan Shield 1.0, it wasn't any surprise at all. AntiTrojan Shield 1.0 has almost the same interface as PC DoorGuard 3.0 and all inside files have the same name. So for me it seems to be so, that AntiTrojan Shield 1.0 and PC Doorguard 3.0 are the same program, like there were plenty of Kaspersky clones!

    It has happened very often, that one of those clones had a different detecting rate as an other one in some test, for some strange reason.

    When all those backdoors and trojans were unpacked, how we can explain TrojanHunter's very poor result? :eek:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter
     
  23. Ph33r_

    Ph33r_ Guest

    Anti-Trojan v5.5 Build: 408 | 9661 Trojan Signatures / May 12, 2003
    -
    Digital Patrol v4.10.5.739 | 25417 Trojan Signatures / May 18, 2003
    Anti-Trojan Shield v1.0.0.16 | 7501 Trojan Signatures / May 11, 2003
    The Cleaner 3.5 Build: 3517 | 6203 Trojan Signatures / April 30, 2003
    TrojanHunter 3.5 Build: 707 | 2509 Trojan Signatures / May 16, 2003
    PC DoorGuard 3.0.0.6 | 7507 Trojan Signatures / May ?, 2003

    Maybe the answer is within the above Info :/
     
  24. _anvil

    _anvil Guest

    Or probably they tested not only with trojan servers (the "real" trojan), but with trojan clients and editors as well. TrojanHunter is one of the few AT's, which only scan for servers... :rolleyes:

    It wouldn't be the first test with such a bad testset.
    But that is only speculation, not more... :)
     
  25. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I find those results to be very curious indeed, but I do not have enough information to make sense of it.
    On the only VirusP site I am aware of the last test listed is from Dec of 2002.
    Where is this test result and information located?
    I agree _anvil. Not enough information to know if this is a bad test set or not.
     