VB100 April 2010...

Discussion in 'other anti-virus software' started by King Grub, Apr 12, 2010.

Thread Status:
Not open for further replies.
  1. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    I was just going to answer something very similar. Thanks dw426 :)

    EDIT: I would add to dw426's comment that malware today (and also the malware being tested here) *also* depends on the Internet. So there's not much point in testing Internet-driven malware in non-connected, isolated labs. Products today are very complex. They look at and evaluate entry vectors, communication with the outside, different heuristic levels per vector, behavioural analysis also depending on traits including Internet communication, on-access drivers that include more dynamic checks than the on-demand scanner, etc. Testing in an offline environment only looks at a small portion of what a product really is capable of.

    I am sure that, as more AV products add cloud-scanning to their mix of detection & protection technologies, these types of methodologies will evolve as well.
     
    Last edited: Apr 13, 2010
  2. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    430

    VB's RAP (Reactive and Proactive) testing provides deeper insight into products' ability to keep up with the flood of new malware emerging around the world, as well as their proactive detection capabilities - putting heuristic and generic technology to the test.

    I know, this won't help much.

    Virus Bulletin is RIPPING 150 dollars for a subscription (one year)! :thumbd:
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    I agree. But I don't think the definition databases are so big that they will fill up your HDD enormously. What if somebody loses their Internet connection after getting hit? Then surely the offline signatures will come into effect, but if you don't have a proper signature database then you will surely get affected.
     
  4. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    It's always been like this. I guess people only really scrutinise the tests when their AVs do badly. Actually, didn't Norton pass this one?

    I think the real concern with these results is that they should be detected on-demand regardless of other proactive measures, as they are ITW (so removal may also be important).
    Of course, Panda is a different case.

    Overall, I'm still not a fan of this test and never care about the results.

    Old/Normal VB100 test - On-Demand/Access tests against the WildList samples - a sample of apparently the most prevalent malware on the Internet. 100% detection and 0 FPs are required to get the pass and the sticker.

    RAP - On-Demand/Access (might be done on different operating systems throughout the year, not sure) and checks proactive/reactive detection. Very different to VB100. See here for an explanation. I'm not 100% sure about all the details of it either, but it is a better test than VB100 IMO.
     
    Last edited: Apr 13, 2010
  5. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    In the vast majority of cases you would be connected when getting hit (except for network/USB types of infection, for which we have an offline cache and other measures). But if you look at Internet-driven malware, as most of this test does, you would need to be connected to be infected in the first place.

    Here you're talking about a different thing. This is more related to disinfection. These types of routines are included within the local cache, so it shouldn't be much affected.
     
  6. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Hi dawgg!

    Yes, Norton and Symantec Endpoint Protection did pass the test. But in order to pass their test, it is only necessary to detect all in-the-wild samples on-access and get no FPs on the clean sample set. For the big vendors, this is an easy task.

    For the first time in history Symantec includes Norton Antivirus too. They have always included just Endpoint Protection (the business product) because VB magazine is generally read by technical people.

    I was talking about the trojan and worm test (an extra part whose results are not counted and which is different from the in-the-wild detection). I was saying that in an offline environment where there is just on-demand and on-access scanning - with no on-execution, no in-the-cloud, no HIPS or behaviour analysis - products like Norton Antivirus 2010 and Panda 2010 can't shine. No Internet with old updates is not real-world. The current strategy actually works fine for Avast, for ESET and for Symantec EP, but not for Norton, Kaspersky, Panda. As you see, Norton's and Symantec's results are pretty much the same, but Symantec EP has no in-the-cloud, for example.
     
  7. Matthijs5nl

    Matthijs5nl Guest

    Norton Insight and so on don't detect threats; that is just reputation-based. So I quite understand the way of testing. The fact that a system is not infected doesn't mean (in this context) that Norton detected a threat.
     
  8. Zekeblue

    Zekeblue Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    16
    Location:
    Anchorage Alaska - USA
    It looks like Checkpoint got the highest overall scores on the RAP test according to the chart. So what product is that? Is it ZoneAlarm Antivirus, or is it a business product? If the latter, how did ZAAV do? I believe it uses the Kaspersky AV engine (or used to).
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    NO, they are not the same test, which is why I started this thread, but it got closed by JR unfortunately o_O .
    https://www.wilderssecurity.com/showthread.php?t=270022
     
  10. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Not quite right.

    When I wrote Norton Insight, I meant Norton Insight Network.

    [Attachment: Capture.PNG]

    No, it is not true that it is just a reputation system. Insight Network gathers reputation and, just like Panda's Collective Intelligence, can make definitions automatically based on some factors. If you are an active malware hunter or tester and you actively test Norton, you'll see that some threats are detected by Norton only when the Insight Network scan is performed (a.k.a. cloud scanning). When a file with known bad reputation is detected, it is called Reser.Reputation.1, and this is only an Insight Network detection not present in the definitions. When Norton detects a threat as Suspicious.Cloud, it tries to connect to Norton servers for further cleaning information. The conclusion is that products with modern innovative technologies based on cloud computing can protect the computer when offline, but their protection/detection capability is dramatically improved when the computer is online.
     
  11. abels

    abels Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    103
    Location:
    Danang, VN
    It's ZoneAlarm Antivirus exactly. ZoneAlarm used the Kaspersky AV engine in ver 7.0. I'm not sure about the newest version of ZA because I stopped using ZA a long time ago. :)
     
  12. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Well, in my case, I don't quite understand this way of testing:

    "The fact a system is not infected doesn't mean (in this context) that Norton detected a threat."

    Isn't that what this is all about? Isn't the real point of antivirus protection not being infected?

    When you run a full scan of your computer and your antivirus tells you "four trojans", is it a victory? No, a detection on a full scan is only the testimony of a security system's failure. Why is it still the most important part of most antivirus tests? It should be the least important one.

    Having top detection at full scan is good, and all the antivirus products that rank highly deserve recognition. But the testing companies deserve a good spank for insisting on this.

    What's the point in testing stripped-down versions of security software in artificial environments? Not updating for weeks? Come on... who cares. Who cares if detections are reactive, proactive, reputation-based... I pay for a CLEAN system and that's all that I want.
     
  13. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,954
    The award is, similar to AV-Comparatives, a snapshot of current builds.
    RAP seems to me an average of the last 6 months, so it has more meaning for me than the award.
    RAP was mentioned here earlier, so why not discuss it here?
     
  15. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    So, basically, because some AVs fail and those are the ones to avoid. That's why those tests are useful. But why are (or have been) they the most important? Maybe because they are the least difficult to perform.
     
  16. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    I do not see anywhere the words "the most important".
     
  17. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I was speaking in general, not criticizing the article.
     
  18. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    As Brummelchen pointed out, RAP results have more importance and should be discussed.

    In Emsisoft's defence, IDS was obviously switched off (which would have blocked the threats). Just checking their forum, a moderator posted that the text of the results also states:

     
  19. qpok

    qpok Registered Member

    Joined:
    Apr 3, 2008
    Posts:
    63
  20. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    What I don't understand: Ikarus is a top-rated product in the RAP report Oct-Apr but scored 0 Success / 8 Failure in VB100 o_O
     
  21. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    430

    FP's my son. FP's. :p
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    It is ZoneAlarm Security Suite. Yes, it uses the Kaspersky engine, the same as the Kaspersky enterprise editions, which currently use the same engine as 2010. Impressed by ZA indeed... Both ZA and Kaspersky failed the April VB100 on XP due to 1 WildList miss.

    Wonder what makes ZA better... probably the HIPS (called ZA OS firewall)?

    Fax
     
  23. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    The old Kaspersky engine failed.
    Kaspersky's new engine, which Kaspersky v2010, corporate workstations (possibly also other corporate products) and ZA use (may depend on version), passed.

    Also, VB does not look at other antivirus abilities such as HIPS.

    The reason why ZA failed and Kaspersky 2010 passed could be the ZA version used or the default settings. Other than that, I do not think there is a time lag between when Kaspersky releases updates and ZA does; I thought they were pretty much the same.
     
  24. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
  25. NickHSunbelt

    NickHSunbelt Support Specialist

    Joined:
    Apr 13, 2009
    Posts:
    177
    Location:
    Clearwater, Florida

    As far as I know, that is currently the plan. We had been waiting for the VIPRE 4.0 release before entering and we should be in one of the next tests.
     