Testing of Infected computers

Discussion in 'other anti-virus software' started by C.S.J, Sep 18, 2007.

  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    To understand what is going on here, you have to attempt to clean up a badly infected machine using a series of different AVs, pretty much installing one trial after another. It's not the best way; you should really get the install disks for the machine and start from scratch, but they are not always available. (Those who are careless enough to mess up their computer have usually lost the install media.)

    As you go through this process it is very revealing. AV #1 catches bunches of stuff, but can't remove it. AV #2 gets some more. AV #3 says everything is OK. AV #4 finds some more stuff, but it looks to be inactive remnants, possibly from the quarantine areas of AVs #1 and #2. Then you notice Windows Update and the firewall are broken... and so it goes.

    My point is, it is not theoretical. You really have to get your hands dirty to get a feel for what is going on.
     
    Last edited: Sep 19, 2007
  2. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    Thanks for posting this, C.S.J. I didn't read too much but the results... But were these done in safe mode? Or would that have caused all of them to be cleaned by the AVs? Just wondering, as whenever something can't get removed, the first word of advice is usually "Run scan X again in safe mode".
     
  3. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Go NAV... and it's not even the 2008 version.
     
  4. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    The previous active infection treatment test by Anti-Malware.ru was translated and published on the website http://www.anti-malware-test.com/?q=node/3
    As far as I know, the latest one will be published there after translation.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Very nice test on termination and tampering Sergey...
    Not sure it was discussed here but interesting!

    http://www.anti-malware-test.com/?q=taxonomy/term/16

    However, I personally disagree on the ranking....
    I couldn't care less that the junk mail filter in ZASS 7 can be disabled by malware; it's not part of the ZASS main defence mechanisms.

    If secondary modules like spam, parental control, etc. need to be included in the termination test, I would expect a weighting system that would give less relevance to these elements, while firewall, antivirus and antispyware protection should have higher weighting.

    The above should reflect the extent of damage that real malware could cause on a system. Disabling the spam module has no effect on the protection and integrity of my system if the firewall, antivirus and main 'security' related functions remain intact.

    Without this weird point system ZASS (and maybe other suites?) would have a completely different scoring.

    Cheers,
    Fax
     
    Last edited: Sep 19, 2007
  6. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    No problem. :)

    I did expect some bashing towards myself, as it was I who posted it, but I ain't too bothered; most people liked it. :)
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I thought, as IBK did, it is a very informative thread and post.
     
  8. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    I agree with you. The ranking system is "too hard", but nevertheless the antispam module in ZASS 7 can be disabled. It's a weak and unprotected part of the product.

    Nice idea, I hope it will be done in the next test of Anti-Malware Test Lab.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Yep, but then you should not call it "Antivirus Termination Tests" but "Suite Components Termination Test" and have a breakdown by the component being tampered with.

    And for the aggregated scoring you could use a weighting system according to the importance of the tampered component.

    In any case, thank you for taking up the idea of a different scoring system.

    Cheers,
    Fax
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi IBK:

    Two things:

    1) Will av comparatives be doing more in the future on removal/cleaning testing?
    2) You mention most cleaning tests, are there any links to other results?


    It's interesting to read the circular logic here by the "fans" and others.

    1) Can't remove what AV can't detect!
    2) Can remove what AV does detect, but doesn't!

    What about our previous rants about FPs! (or if you like, "fictitiousness".)

    The weight on selection of tools should IMO be on prevention, e.g. the FW, the HIPS, Virtual PC.

    "An ounce of prevention is worth a pound of cure", or for the metric guys,

    a gram of prevention is worth a kilogram of cure. :D
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    IlyaOS:

    You are right to worry about any security product that allows malware to disable any module.

    It raises the specter of what other modules in it can be undone. Only the developers can know what is protected and what isn't; no one here can tell you the answer to this.

    So IMO, the safe bet, until it is proven by independent testing, is to assume that all modules are vulnerable. It's a matter of confidence.
     
  12. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Yes, they chose them randomly, it seems.
    17 is quite a number for such tests, but you are right, this is a lab test, not a field test in real life.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Thank you Severyanin for the follow up...

    This sounds a bit drastic... IMO :eek:

    Fax
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I agree with you IlyaOS.

    But again IMO.

    The opening of spam and its attachments is not a trivial low-weight factor. It is still one of the more common ways the public gets infected.

    The users of suites hope for one-stop security solutions, but they are the same users who trust one vendor more than they should and now will get stung by a disabled anti-spam module.

    Again, parental controls are NOT trivial protections to get low weights in suite evaluations. Why assign a low weight?

    Kids have been lured away through lack of parental control, so to label this feature less important is completely .... what word fits... wrong-headed. Safety trumps concern for vendor reputation every time.

    Until these features work, an ethical vendor would remove them rather than give a false sense of safety. :cool:
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Sorry, but known malware will be blocked by your "on access" scanner or e-mail AV scanner regardless of whether the spam module is working or not... the contrary may not be true.

    Of course, if your AV module is also down then it's another story... do you understand what I mean? It's a matter of setting priorities and understanding the real effect that malware can have on your system.

    The same applies to parental control.

    But if your basis for assessment is not to simulate the damage that malware can do on your system, then everything is relative and it would be better not to have aggregated scoring but to keep the analysis at component level.

    Everybody will have their own values about what is important and what is not, all with their merits and limits. You just need to make them clear at the beginning as part of the methodology you adopt for the testing.

    Of course, always IMO.... :)

    Cheers,
    Fax
     
    Last edited: Sep 24, 2007