Symantec's new approach in detecting malware

Discussion in 'other anti-virus software' started by Miyagi, Oct 1, 2008.

Thread Status:
Not open for further replies.
  1. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Great reads, Miyagi. Thanks!
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Threatfire related i guess.
     
  4. tiinkka

    tiinkka Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    24
    for someone at the cutting edge of an industry who time has shown to have made some really poor products how can this clown still have a job??

    I like their latest product but everything leading up to it has been really second rate.
     
  5. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    1) Is NAV2009 so Truly improved that
    avast!, Kaspersky, and Avira (my order is accidental) are now behind Symantec?

    2) Why do I get the feeling that someone is trying to put Symantec on the Top
    -Before- the official AV/Testing sites do it?

    Is it marketing? Is it brainwashing? Is it fishy?
     
  6. fried_oyz

    fried_oyz Registered Member

    Joined:
    May 27, 2008
    Posts:
    22
    Well, 2 of the most prominent AV testing sites (av-comparatives and av-test.org) have already placed Norton at the top, or at least amongst the very top.
     
  7. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i wonder why carey nachenberg is saying malware production outpaces legit software production when a) malware producers are themselves less numerous than legit software producers (ie. how does a smaller group make more stuff than a larger group?), and b) bit9 found that microsoft alone produced as many binaries in a single day as malware had been created in all of history (as of last year)...
     
  8. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    I'm aware of these reports:

    http://av-comparatives.org/seiten/ergebnisse/report19.pdf

    http://www.virusbtn.com/news/2008/09_02

    All I am saying is lets wait to see more AV tests.
    I believe it is -still- too -early- for making NAV2009 the king of AVs.

    Detection of Malware is one issue.
    Have you ever wonder
    -How AVs react when you Turn off their Real-Time/Proactive protection,
    infect the PC (even with some common spyware),
    Turn on their Real-Time/Proactive protection,
    and let them to fight against the infection?
    (by starting a Full scale scanning session).

    You wouldn't believe in your eyes
    how Poor the performance of some 'Big' names is!
     
    Last edited: Oct 3, 2008
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    real-time av isn't meant to deal with an existing infection... real-time av is primarily a preventative control... if you have a system where prevention has already failed (or been bypassed artificially) and you want to use av then you need to be using the non-real-time components, preferably while the malware (and the affected system itself) is not active...

    it doesn't surprise me in the least that you'd see bad results when you use the wrong tool for the job... you can't drive screws with a hammer...
     
  10. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    It really needs it to cover that thing that they call 'detection'
     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Norton/Symantec has always, for as long as I've been following testing, been at or near the top.

    My wife has Norton 360 on her desktop and has recently renewed the subscription. Reason, it does a better job at protecting than any other she's used on her other computers.

    I use Sandboxie or Shadow Defender and haven't had an AV on my desktop in nearly a year. I recently added Norton 360 (after discovering it can be used on 2 computers). My desktop has only 512RAM. It's running beautifully. As expected with Sandboxie, no malware was found.

    For years, I avoided Norton based on what I read, sort of like I avoided Win Vista based on others comments. I love Vista and Norton is turning out to be a nice addition.
     
  12. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    929
  13. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    Let me explain it better to you, because you got it all wrong,
    and I didn't wrote what I implied (by starting a Full-scale scanning session)
    (I added it to my 1st post to clarify things more).
    "Turn on the Real-Time protection and let the AV fighting the infection means":
    Giving the AV its FULL potentially Back;
    avoiding nasty pop-up alerts about enabling Real-Time/Proactive Detection etc.
    and start Scanning the Infected system.
    I didn't say that Real-Protection -by itself-
    will fight infection in an already infected system!
    No way!
    You have to start a Full-Scale scanning session.

    Some Testers/Evaluators want to know more about AVs strength.
    They simply don't stop/stay to detection ability.
    If under the situation I described,
    you could see your Favorite AV to be frozen/crushed or getting crazy and
    trying to disinfect healthy Windows files and not the -really- infected ones
    while -Other- AVs remained -Stable- and -Effective- against infection,
    wouldn't you care?

    There are many who care about
    the performance of security software beyond the Detection Tests.

    They care about how far an AV can go, before we
    abandon it and start using Malware Cleaners etc.
    Besides, there are AVs that perform better than some
    "specialized" Malware Cleaners even when a computer is already infected!

    Needless to say more...
     
    Last edited: Oct 2, 2008
  14. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    doesn't matter... with the real-time av active you're talking about running the system normally... this is by far a sub-optimal way to do detection/correction because you're leaving the malware active... it's not the proper way to use the tools... either boot the machine from a PE disk or slave the drive in a clean computer and scan that way - do not run code off of the suspect system itself...
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    IMO commercial anti malware solutions are not and should not be designed to clean system from malware but they should be designed to prevent malware getting into the system or prevent malware damaging the 'real' system.

    Once the system is damaged or infested because signature based detection failed or because pro active detection did not stop the thread than it is already too late... and depending of extent and size of the infection the only remedy is often to perform an in-depth forensic and/or a full reset of the machine.

    Fax
     
  16. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    No one said to you that this is the Optimal/Best way to fight Malware!
    Forget the Real-Time/Defense enabled since you focused on it.
    We have taken our tests even further:
    Boot in a Safe Mode and Turn your System Restore off
    before initiating a Full-Scale Scan of the infected PC.

    We haven't noticed such a -Radical- Result improvement, but we did it, too.
    The ones that performed well while scanning with Real-Time Defense on
    were also the top ones while scanning in Safe Mode/System Restore Off!

    Still don't care about how AVs treat an -Already- infected system, ah?
    No problem...
     
    Last edited: Oct 3, 2008
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I dont know, personally I trust in anyone who is Greek.


    Kalimera lol:thumb:
     
  18. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    if you're going to try to determine the capabilities of a product then you must use the product in an optimal manner or your results will be meaningless...

    i'm not focused on it, i'm just using it as an indicator of how you're suggesting to operate the computer during incident response...

    still not good enough - you're still running code off of the suspect system... when i say you shouldn't run any code off of the suspect system that includes the operating system on the suspect system... safe mode isn't actually all that safe...
     
  19. Medank

    Medank Registered Member

    Joined:
    Aug 25, 2008
    Posts:
    102
    Avira and Kaspersky will never be behind Symantec, i am pretty sure on that.
    It's Symantec that will be behind other two AV's ,
     
  20. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    not necessarily;)
     
  21. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    So, to reach a point (if we ever manage to...)
    -What is the proper/optimal way -You- propose/suggest when Evaluating the performance of an AV?
    -Is it Having a Malware Sample (e.g. a Folder of Infected files)
    in a -Clean- computer (i.e. -Always- No Infection present) and then, Scanning to see how many were Detected?
     
    Last edited: Oct 2, 2008
  22. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    your way off topic here, there is no perfect way IMHO, of course you could unhook the computer from te internet & not install anything on the computer except what was on it originally but than what fun would that be? ;)
     
  23. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    That's exactly my point, Larry.
    There is no specific/proper way.
    Anyway...
    Sorry for getting you out off topic,
    but it takes two (2) to tango...
     
  24. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126

    it's a computer & I looked around for mine but no rule book came with it so I can't give you the HP method of proper method to remove malware ;) I guess you have to use an AV & just run it.:)
     
  25. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    as i understand it you want to do more than just a sample detection test, so just scanning samples in a directory won't be enough... you want to see how well the scanners can detect the malware after it's been run, that's fine, run the malware and let it get it's hooks into the system...

    but after you do that you need to either boot the system from a PE disk (like the windows version of a livecd if you're unfamiliar with the term) or something similar (you could also try testing out the recovery cds that various vendors make available) or take the hard disk of the compromised computer out of that computer and stick it into another (clean) computer as a slave drive (in other words, not the primary/master drive that that 2nd computer boots from) and scan it that way...

    i have nothing against testing scanners to see how well they perform in the context of incident response, but you need to have the fundamentals of incident response itself down first, and one of the first fundamentals of incident response is to not run code off of the suspect drive/system...
     
Loading...
Thread Status:
Not open for further replies.