Test of AV's for the detection of contemporary polymorphous viruses

Discussion in 'other anti-virus software' started by Tommy, Mar 1, 2008.

Thread Status:
Not open for further replies.
  1. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    eh?

    Why's that? ;)
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Because there isn't a reliable way to determine the unpacking abilities of an AV without knowing the inner workings of the engine.
    Some food for thought here
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,641
    Location:
    Sneffels volcano
    Equal scores for Kaspersky & F-Secure :rolleyes:
     
  4. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Ifs, buts and maybes.....

    I'm glad there are other tests rather than 'mainly' just detection.

    It's nice to hear things about packers, keyloggers, self protection, rootkits and many of the other different things.
     
    Last edited: Mar 20, 2008
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :doubt: o_O
    Testing of detection rates is very reliable: you detect or you don't. We can discuss the quality (is it a real virus or garbage?) or importance (is it a zoo, in-the-wild or rare virus?) of samples, but not a positive or negative detection.
    Stefan's opinion on testing of packer-based detection.
     
  6. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    That's regarding VirusInfo's test and how they label their results, nothing else.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Testing for the sake of testing is useless. Claiming that AV xxx supports packer aaa and AV yyy doesn't is very unreliable.
     
  8. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I very much doubt the test will state such things;

    they usually work and calculate using a point system, and then relevant awards are given out.

    The work over at Anti-Malware is being recognised even more now, with Avira already adding the awards to their own website.

    http://www.avira.com/en/company/awards.html

    and Dr.Web giving them a mention, here: http://info.drweb.com/show/3161/en

    It's another test to add to the list, whether people like them or not :D

    ----

    They have taken my suggestion of a testing schedule and will post it as soon as one has been worked out ;)
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    We'll have to see, but I doubt very much that the conclusions of the packers tests will have some relevance.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Yes, too balanced, but the balance is in favour of viruses. :thumb: :D
     
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Because packed malware is detected, you cannot say the product supports unpacking this packer.

    Because packed malware is not detected, you cannot say the product is not able to unpack this packer.

    So how do you want to test whether a product actually performs unpacking? Some products have detailed scan logs which indicate which packer they unpacked. But even those sometimes choose not to unpack a sample because it would be too slow.

    To get back on topic, if polymorphic virus detection is not 100%, it's a failure. Imagine a system infected with a polymorphic virus, thousands of files infected. The virus scanner only detects (and cleans) 99%, leaving 5-10 infected samples behind. The user will not be able to locate them - and will keep reinfecting his/her computer again and again.
    So, 99% for polymorphic viruses doesn't matter, it's not any good!
    But also keep in mind that replicating polymorphic viruses and creating a *good* set for testing is not a trivial task. A lot of the polymorphic viruses are buggy and destroy files during infection or create non-working decryption loops. So when some of the scanners in this test did not detect 100%, it may be that those samples are not working at all.

    And yes, AVG 8 made a very big jump in detection of polymorphic viruses from version 7.5.
     
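A small constructed model of the argument in the post above (why a 99% per-file detection rate is not "almost good enough" for a self-replicating polymorphic infection). This is an added example, not code from the thread; the reinfection model, `spread_per_survivor` and the file-count cap are assumptions chosen for illustration.

```python
# Constructed model: a scanner that cleans only a fraction of a polymorphic
# infection leaves survivors, and survivors re-seed the infection before the
# next scan. Detection rate is treated as an independent per-file probability.

def residual_after_scan(n_infected, detection_rate):
    """Expected infected files left after one scan, and the probability that
    the scan left the machine fully clean (every one of the n files caught)."""
    expected_left = n_infected * (1.0 - detection_rate)
    p_fully_clean = detection_rate ** n_infected
    return expected_left, p_fully_clean


def reinfection_cycles(n_infected, detection_rate, spread_per_survivor,
                       total_files, cycles):
    """Expected infected-file count right after each scan, over repeated
    scan/reinfect cycles.
    Assumption (constructed): each survivor infects spread_per_survivor more
    files before the next scan, capped at the host's total file count."""
    history = []
    infected = float(n_infected)
    for _ in range(cycles):
        infected *= (1.0 - detection_rate)            # scan and clean
        history.append(infected)
        # survivors reinfect until the next scan
        infected = min(total_files, infected * (1 + spread_per_survivor))
    return history


if __name__ == "__main__":
    left, clean = residual_after_scan(1000, 0.99)
    print(f"99% on 1000 files: ~{left:.0f} left, P(fully clean) = {clean:.2e}")
    for rate in (0.99, 1.0):
        print(rate, reinfection_cycles(1000, rate, 100, 2000, 5))
```

With 1000 infected files and 99% detection the chance that a single scan leaves nothing behind is about 4e-5, and the survivors keep the infection alive across every cycle; only 100% drives the count to zero.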
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nope, you can't. But if you observe a scanner over a period of time against specific families and variants, or have ever explored its weaknesses in order to bypass it, you can usually get a reasonably good understanding of how it fares against this packer or that.

    Still doesn't mean it's a scientific test, though, unfortunately...

    I have to concur. They made a very big jump in detection in almost every type of malware, as far as I can see, and they seem to be quickly improving on script/exploit detection as well. A far cry indeed from the AVG 6/7 days, when it was worth exactly what you paid for it.
     
  13. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,751
    Location:
    Toronto Canada
    An aberration to be sure. ;)
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Kudos to Avira, as always. :thumb:
     
  15. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,136
    Location:
    Las Vegas
    Agreed. :thumb:
     
  16. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,136
    Location:
    Las Vegas
    The premise of the importance of after the fact is flawed. If you don't get infected in the first place, the rest is irrelevant. Avira has the highest probability of keeping malware off of my system - and that is what matters most to me.
     
  17. Arup

    Arup Guest

    The fact that Avira manages to top or come near the top in almost all tests thrown at it speaks volumes about the commitment of the Avira developers. In the end, not getting infected or being alerted to any malware is what a good AV is all about, and in that regard, Avira rules. :thumb:
     