Discussion in 'other anti-virus software' started by Tommy, Mar 1, 2008.
Because there isn't a reliable way to determine the unpacking abilities of an AV without knowing the inner workings of the engine.
Some food for thought here
Equal scores for Kaspersky & F-Secure
ifs, buts and maybes.....
I'm glad there are other tests rather than 'mainly' just detection.
It's nice to hear things from packers, keyloggers, self protection, rootkits and many of the other different things.
Testing of detection rates is very reliable, you detect or you don't. We can discuss the quality (it's a real virus or it's garbage) or importance (is a zoo, in the wild, rare virus?) of samples, but not a positive or negative detection.
Stefan's opinion on testing of packer-based detection.
That's regarding virusinfo's test and how they label their results, nothing else.
Testing for the sake of testing is useless. Claiming that AV xxx supports packer aaa and AV yyy doesn't is very unreliable.
I very much doubt the test will state such things,
they usually work and calculate using a point system, and then relevant awards are given out.
The work over at Anti-Malware is being recognised even more now, with Avira already adding the awards to their own website.
and Dr.Web giving them a mention, here: http://info.drweb.com/show/3161/en
It's another test to the list, whether people like them or not.
They have taken my suggestion of a testing schedule and will post it as soon as one has been worked out.
We'll have to see, but I doubt very much that the conclusions of the packers tests will have some relevance.
Yes, too balanced, but the balance is in favour of the viruses.
Because a packed malware is detected, you cannot say the product does support unpacking this packer.
Because a packed malware is not detected, you cannot say the product is not able to unpack this packer.
So how do you want to test if a product does actually perform unpacking? Some products have detailed scan logs which indicate which packer they unpacked. But even those sometimes choose not to unpack a sample because it would be too slow.
To get back on topic, if a polymorphic virus detection is not 100%, it's a failure. Imagine a system infected with a polymorphic virus, thousands of files infected. The virus scanner only detects (and cleans) 99%, leaving 5-10 infected samples behind. The user will not be able to locate them - and will keep reinfecting her/his computer again and again.
So, 99% for polymorphic viruses doesn't matter, it's not any good!
But also keep in mind that replicating polymorphic viruses and creating a *good* set for testing is not a trivial task. A lot of the polymorphic viruses are buggy and destroy files during infection or create non-working decryption loops. So when some of the scanners in this test did not detect 100%, it may be that those samples are not working at all.
And yes, AVG 8 made a very big jump in detection of polymorphic viruses from version 7.5.
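A toy illustration of the "detection does not prove unpacking" point above, added here as an example and not code from anyone in this thread: two constructed scanner models, one that only signatures the packed bytes and one that actually reverses a toy XOR packer, both flag the original sample, so a single detection tells you nothing about unpacking; only re-packing the same body with a different key or stub separates them. The stubs, key values and payload marker are all constructed for the demo.

```python
from typing import Optional

# Constructed toy data (not real malware): a payload body and two packer "stubs".
PAYLOAD = b"TOY-MALWARE-BODY-MARKER"
STUB_A, STUB_B = b"STUBA:", b"STUBB:"

def pack(payload: bytes, stub: bytes, key: int) -> bytes:
    """Toy packer: stub, one-byte XOR key, then the XOR-encoded payload."""
    return stub + bytes([key]) + bytes(b ^ key for b in payload)

def unpack(sample: bytes) -> Optional[bytes]:
    """Toy unpacker: recognises either stub and reverses the XOR layer."""
    for stub in (STUB_A, STUB_B):
        if sample.startswith(stub):
            key = sample[len(stub)]
            return bytes(b ^ key for b in sample[len(stub) + 1:])
    return None

# The one packed sample "seen in the wild" that the signature-only engine learned.
WILD_SAMPLE = pack(PAYLOAD, STUB_A, 0x5A)
KNOWN_SIG = WILD_SAMPLE[:len(STUB_A) + 1 + 8]   # stub + key + 8 packed bytes

def engine_signature_only(sample: bytes) -> bool:
    """Matches the packed bytes directly; never unpacks anything."""
    return KNOWN_SIG in sample

def engine_with_unpacking(sample: bytes) -> bool:
    """Unpacks if it recognises the stub, then matches the payload body."""
    body = unpack(sample)
    return PAYLOAD in (body if body is not None else sample)

def compare(samples: dict) -> dict:
    """Run both engines over a set of variants: {name: (sig_only, unpacking)}."""
    return {name: (engine_signature_only(s), engine_with_unpacking(s))
            for name, s in samples.items()}

# Same body, three packings: only the first matches the learned signature.
VARIANTS = {
    "wild (stub A, key 0x5A)": WILD_SAMPLE,
    "repacked (stub A, key 0x3C)": pack(PAYLOAD, STUB_A, 0x3C),
    "repacked (stub B, key 0x5A)": pack(PAYLOAD, STUB_B, 0x5A),
}

if __name__ == "__main__":
    for name, (sig, unp) in compare(VARIANTS).items():
        print(f"{name:30} signature-only={sig!s:5} unpacking={unp}")
```

A test that wants to say anything about unpacking therefore has to vary the packing of a known body, not just count hits on the original sample.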
Nope, you can't. But if you observe a scanner over a period of time against specific families and variants, or have ever explored its weaknesses in order to bypass it, you can usually get a reasonably good understanding of how it fares against this packer or that.
Still doesn't mean it's a scientific test, though, unfortunately...
I have to concur. They made a very big jump in detection in almost every type of malware, as far as I can see, and they seem to be quickly improving on script/exploit detection as well. A far cry indeed from the AVG 6/7 days, when it was worth exactly what you paid for it.
An aberration to be sure.
Kudos to Avira, as always.
The premise of the importance of after the fact is flawed. If you don't get infected in the first place, the rest is irrelevant. Avira has the highest probability of keeping malware off of my system- and that is what matters most to me.
The fact that Avira manages to top or come near the top for almost all tests thrown at it speaks volumes about the commitment of the Avira developers. In the end, not getting infected or being alerted to any malware is what a good AV is all about, and in that regard, Avira rules.